Slashdot Mirror

Repeat after me:
UAC is NOT a security feature!

It was added to software developers do the right thing, i.e. not require administrative privileges unless absolutely needed.

http://www.networkworld.com/news/2007/021407-microsoft-uac-not-a-security.html

And this coming from a website that actually writes articles about the results of Slashdot polls.

Do not feed the trolls... do not feed the trolls... do not feed the trolls...

"Our own research, however, has concluded that open source software exposes users to significant and unnecessary business risk, as the security is often overlooked, making users more vulnerable to security breaches,"

"That's not to say that commercial software isn't without risks, but any flaws on commercial applications tend to get patched a lot faster than on open source, as the vendors producing the software have a lot more to lose than an open source programmer,"

"New variant of Conficker worm circulates"

...when MS is sued over Vista R & D by the shareholders.

Am I going to be able to use the WebOS when there's no wireless data connectivity? I don't think so.

According to TFA:

According to Palm's website and some early development partners, webOS supports HTML5, enabling a local data store, so applications and data are available offline, and a file system.

And the palm developer site:

Leverage the local storage capabilities of HTML5 so that data is available even when users are offline

I'm sure Palm intends WebOS to still work when there is no connectivity. Whether or not they implement this properly is another question, of course. Can anyone comment on how well the "local storage capabilities of HTML5" work?

Who told you that OSS is less safe than closed sourceWho told you that OSS is less safe than closed source?

A representative of a company who wants to sell!

MS is known to have used a business tactics known as Fear, Uncertainty and Disorientation

Facts are:

MS source code can be obtained by Hackers/Crackers through illegitimate channels - the availability of source code is not an argument.

Thousands of experts monitor OSS source code and vulnerabilities are discussed in the open. Hackers recognizing vulnerabilities in MS source code are not to publish it, but to write exploits!

Number of successful attacks on MS and other closed source products in comparison to OSS products speaks for itself.

Average workload consumed per machine for remedy of exploitation coed ( malware removal ) was per Windows machines 20 manhours, for Linux machines 0.01 hours at a company running 5000 PCs

You can offer security tests and penetration tests to your costumer !

The largest institutions and companies where security is an issue use Linux

• DoDs http://www.desktoplinux.com/news/NS3846976086.html http://www.forbes.com/2003/06/20/cz_eb_0620linux.html
• NSAs even created SE linux http://www.nsa.gov/research/selinux/
• IBM - you know IBM?
• DHS http://searchdns.netcraft.com/?position=limited&host=dhs.gov
• FBI http://searchdns.netcraft.com/?restriction=site+contains&host=fbi.gov&lookup=wait..&position=limited
• Navy http://searchdns.netcraft.com/?restriction=site+contains&host=navy.mil&lookup=wait..&position=limited
• Air Force http://searchdns.netcraft.com/?restriction=site+contains&host=airforce.com&lookup=wait..&position=limited
• Amazon http://news.cnet.com/2100-1001-275155.html
• Google just google Google about use of Linux

• Contraindications - or failures of MS installations in the media:

• French http://economictimes.indiatimes.com/Infotech/Computer_virus_grounds_French_fighter_planes/articleshow/4094774.cms
• British http://www.theregister.co.uk/2009/01/15/royal_navy_email_virus_outage/
• US http://www.networkworld.com/community/node/38384

First, net neutrility has to do with the content providers (Google, Slashdot, etc) paying the ISP's to get their traffic prioritized (or, more accurately, not throttled). The problem with this (besides the obvious double billing, greed, etc), is ISP's can use this to muscle their competition by deprioritizing their traffic, while keeping their own identical service at a higher quality. Comcast is in trouble for doing this to VOIP right now. Even after the FCC ruled against them for improperly throttling traffic before.

Second, free market principles only work where there is competition. There is essentially no competition among ISP's due to a high barrier of entry into the market.

Point your client to this article.

Once they've read it they might be willing to ask their MS reps why their company would invest 100 million bucks in a venture where they're actively SUPPORTING migration to OSS products.

I'd LOVE to hear the rep's answer to that.

What is the #1 website on the planet today? Answer: google. How many machines does google have to support it's busines? Answer: tens of thousands. What operating system does google use? Answer: Linux. How many times has google been hacked in its 11 year history? Answer: Anybody, anybody? What is the #1 desktop operating system today? Answer: Microsoft. How many worms, trojans, viruses, etc. are there for Microsoft OSes? Answer: > 100,000 (source: pick you're favorite anti-virus company counting scheme.) How many times have businesses been hosed by using Microsoft software? Answer: Too many to count. The latest blunder today? The French navy. Reference: http://www.networkworld.com/news/2009/020909-conficker-worm-sinks-french-navy.html Now for the last and most important question: What does Microsoft think that it knows about security that Gooogle doesn't? Because comparing their security track records, it's not obvious to me that Microsoft knows anything about security. --Johnny says when in doubt just ask Google.

1998 called, it wants its anti-open-source arguments back.

Glad I saw your post while I still my other tab open. In case anyone's wondering, he's talking about this story:

Google Execs Being Tried In Italy Over User's "Cruelty" Video
Posted by timothy on Tuesday February 03, @10:12AM
from the what-have-the-googlers-ever-done-for-us? dept.
netbuzz writes "Italian officials this morning have begun prosecuting four Google executives over their roles -- which were essentially non-existent -- in the posting of a video that depicted cruelty toward a disabled child. "It's akin to prosecuting mail service employees for hate speech letters sent in the post," the spokeswoman said in an e-mail. "Seeking to hold neutral platforms liable for content posted on them is a direct attack on a free, open Internet."

Glad I saw your post while I still my other tab open. In case anyone's wondering, he's talking about this story:

Google Execs Being Tried In Italy Over User's "Cruelty" Video
Posted by timothy on Tuesday February 03, @10:12AM
from the what-have-the-googlers-ever-done-for-us? dept.
netbuzz writes "Italian officials this morning have begun prosecuting four Google executives over their roles -- which were essentially non-existent -- in the posting of a video that depicted cruelty toward a disabled child. "It's akin to prosecuting mail service employees for hate speech letters sent in the post," the spokeswoman said in an e-mail. "Seeking to hold neutral platforms liable for content posted on them is a direct attack on a free, open Internet."

Well, this article sums up things quite well.

http://www.networkworld.com/community/node/37956

Upgrade from Vista? Maybe.
From XP? Nope
Beats Mac? Nope

W7 will sell big on OEM boxen. Period.

Spam being illegal certainly has curbed its proliferation - NOT !

All kidding aside, I think you're wrong about that.

http://edge.networkworld.com/community/node/36965

LoL, you are talking about how they used a Monster cable and checked performance/clarity and then used a hanger and got the same result? :)

Not just Monster. Check out this $499 wonder from Denon

This site has been blocked and the attempted access has been logged by the SonicWALL Content Filtering Service.

http://www.networkworld.com/news/2009/011309-zero-day-worm.html?hpg1=bn

Reason for restriction: Forbidden Category "Adult Entertainment"

Way to go, Cheetancheri.

And doesn't Reykjavik have Fiber Optics networking into each and every home?

http://www.networkworld.com/research/2004/0607iceland.html

I doubt it. Cisco is not comparable to Microsoft in terms of market leverage. There are several sites that cite numbers far less that what M$ enjoys:

http://blog.tmcnet.com/the-hyperconnected-enterprise/business-aspects/cisco-just-at-37-market-share-in-ethernet-switching.asp

http://www.networkworld.com/community/node/22780

Also, while Microsoft is dominant at home and on workstations(as well as in the Enterprise), Cisco is primarily used in medium-large businesses. Therefore it's visibility is far less that what Microsoft has. Cisco may be a household name for anyone in the IT field, but Microsoft is a household name period.

If they stopped making blade switches for HP, IBM, and Dell, they would be shooting themselves in the foot. My company saved about $60,000 by using HP switches with our HP blades rather than Cisco switches. Do you really think people would complain much if the Cisco offering disappeared? Furthermore, do you think I'm going to switch to more expensive, untested Cisco blades when I already have something that works?

Cisco needs to tread carefully. Their marketshare has been eroded by high-quality, lower cost options from Nortel, HP, and Juniper. Expanding into new markets while their primary bread-winner is getting hammered is not smart business.

The article on one page

Download video (9.8meg).

So buy it with Windows and get your refund.

Consider the refund as a payment by Microsoft for you installing Linux.

Nice. But many times the OEM will try to badger you into signing an NDA, which is one reason you don't see any magazine columns dedicated to getting Windows Refunds. Another thing is that MS has adapted.

Earlier Windows Refunds were possible, because the end-user got a screen with the choice to reject or accept the bend-you-over-the-desk EULA. From there it was a simple, though tedious, matter of documenting the rejection and following all the steps. Now, the OEMs often start up the computer and 'accept' all the licensing conditions in advance, eliminating specifically that path.

So, what now is the correct procedure for getting a Windows refund where the OEM has pre-installed and pre-accepted MS Vista?

So buy it with Windows and get your refund.

Consider the refund as a payment by Microsoft for you installing Linux.

NAT is not a permanent solution

Nice try but pure fabrication. NAT, aka private address space, is not going away. Telcos/ILECs blocked NAT when IPv6 was being developed and have since then spent a lot on marketing IPv6 without NAT/rfc1918 as a solution too all our problems. In so doing they have delayed the adoption of IPv6 by many years. How much longer will their transparent opposition to IPv6 NAT delay the inevitable? That is the question. No, we are not going to assign public IP addresses to every network-enabled computer and other device. And no, we are not going to implement IPv6 until NAT is fully supported. This is the reality that those who claim, falsely, that NAT is not a solution, are trying to ignore.

Sadly, due to telco/ILEC influence there is not likely to be a single IPv6 NAT implement for several years. When it does happen, and it will, there is likely to have already been multiple IPv6 NAT implementations which network programmers will have a hard time reconciling. The problem is vendor lock-in, which astroturfing ILECs cannot achieve without blocking NAT, and in the process 'owning' all of your IP-enabled devices.

See also
  http://www.networkworld.com/news/2008/072109-nat-housley-qna.html
  http://www.techworld.com/networking/features/index.cfm?featureid=4167
  http://archives.devshed.com/forums/networking-100/security-gain-from-nat-top-5t-2323463.html

for those that don't want to click every 4 sentences.

Ha ha ha...
http://www.microsoft.com/technet/security/bulletin/MS07-066.mspx/ ,
http://www.pcmag.com/article2/0,4149,533801,00.asp/ ,
http://support.microsoft.com/support/kb/articles/q231/3/68.asp/ ,
http://www.microsoft.com/downloads/details.aspx?FamilyId=E877D9C1-3E7C-4551-A899-C3FCC5175BB6&displaylang=en/ ,
http://www.networkworld.com/news/2002/0909cryptoapi.html/ ,
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx/ and finally http://www.usatoday.com/tech/news/computersecurity/2003-07-16-microsoft-hole_x.htm/
I can go on, but i gotta get back to work...
Let me know if you need more proof.
Or better yet, put your virgin XP SP2 on 'net... the best example is by doing!

* Making hostile traffic inoperable on Air Force networks.

* Locating and identifying once-anonymous hackers.

* Enabling Air Force servers to evade or dodge electronic attacks, somehow.

Use PKI over VPN to carry all Air Force traffic and reject everything else. The VPN solution would run on customized hardened nodes spread across the globe. These would provide multiple redundant paths and the ability to reject 'electronic attacks', 'hostile traffic' and 'anonymous hackers' ...

"It's not like they come here and take bankers job, or tech jobs."

Take your racist, bigotted crap out of here.

Hence, selling the disk, which enables someone else to listen to the music, is copyright infringement according to the RIAA.

Do you have a link for that? First Sale Doctrine states you can resell CDs. In fact, this right was recently upheld for "promotional" CDs that were given away but not sold.

Just to clarify - OFDM is the modulation method used to convery data. Modulation methodology doesnt really tell you much about bandwidth and data rate, since a communication channel design can trade these properties off in an interactive manner when the design standard is defined.

The good news is that WiMax is designed to do data over long distance (measured in Km's) rather than the the duct tape installations of WiFi, which was never supposed to be used for distance data communication. Some of the crazy WiFi installations that are out there are 5 star silly, trying to do things that WiFi systems were never designed to do.

Some useful links:
http://en.wikipedia.org/wiki/Wimax
http://www.wimaxforum.org/
http://www.wimax.com/
http://www.networkworld.com/topics/wimax.html

If you want to get into the nitty gritty of the details, the IEEE has the 802.16 standards for all the details as well.
The good news is that this time around it actualy seems to be happening. It's out there in a big way (read some of the deployments in the above links) but not widespread yet.

has come under media criticism

Anonymous critics can say whatever they want, so it's pretty meaningless.

You didn't provide a reference, so I can't specifically refute this. However, the original story here:

http://www.networkworld.com/community/node/32838

says "does appear to indicate that she has been using it for both private and official business".

"appear to indicate" is a much weaker statement than the declaration to which I was responding.

If Microsoft can get OOXML to become an ISO standard, I imagine that the US can pretty much get IETF to do whatever it wants.

Let's not forget that the current IETF chair is partially funded by the NSA, so they certainly have the power of the purse.

Yes, if the council screws up maintenance, they can just sell it on to somebody who can handle it.

I think there's a network admin in San Francisco that can handle this...

As it turns out, the speed that you are likely to actually experience in the US is directly related to the population density of your region. In fact - we found a direct mathematical correlation: http://www.networkworld.com/community/node/31730

Just how old is the current system? DOS era computing? CTOS? ENIAC?

The FAA's flight plan system uses two Philips DS714 computers. Network World ran an article in 2005 when the FAA announced that they'd be replacing them with two Stratus ftServer boxes. It's not difficult to imagine that they haven't come close to that goal yet.

If you want to see how creaky the DS714s are, take a look here.

Yup, it has happened again, although VeriSign may or may not have been the negligent CA involved. Someone recently managed to get an SSL cert for login.live.com.

Because then you don't have to get the user to do anything but look at a webpage? And I apologize if i didn't pick the best examples,I just grabbed two out of the 702,000 hits I got in Google for "JavaScript Firefox Exploit". I'm sure if you put that into Google you can find much better examples.

Let us be honest here,and while I admit I'm no security expert by any stretch of the imagination,I have been building and locking down Windows boxes since the days of DOS 4 and Win3.x. So I have had experience in fixing them and trying to keep them from getting hacked. My question is this: Who thought it would be a wonderful idea to run code straight from a website? I mean when you think about it,and get past all the "Web 2.0" buzz,it seems more than a little crazy. Just as I said when ActiveX came out "This is a bad idea" and it turned out to be. Why? Because there is a hell of a lot more bad guys in the world,and the number keeps growing every day. I watched as malware went from a troll toy "I'm in ur computer erasing all ur files" kind of crap to a multi billion dollar identity theft and spam botnet business. With that kind of money on the line it is no wonder JavaScript has become so dangerous.

But please,don't believe me,just do some reading yourself. Just typing "JavaScript Exploit" into Google,the first five hits had a JavaSript exploit for iPhone,one for Adobe Acrobat,one for IE with ActiveX,and finally,since I mentioned "Web 2.0" one for AJAX apps. The simple fact is that JavaScript gives the malware writers a common target. They don't know if you are running IE,FF,or a smaller browser like Kmeleon. They don't know if you have REAL player,or iTunes. But they know that there is one place where their code will run almost every time,and that is JavaScript. If we are really going to push this "cloud computing" idea,and ramp up use of JavaScript,then we need to find ways to make it safer to run. Because in it's current incarnation I have found my customers rates of infection go down by nearly 80% by simply killing JavaScript with Noscript. But as always this is my 02c based on what I'm seeing here in userland,YMMV

The powers-that-be have finally admitted that DJB is right, and interoperability is a problem and are looking at defining an IPV6 version of NAT. See http://www.networkworld.com/news/2008/072108-ipv6nat.html for details. It'll have 2 uses...

1) The many-devices-to-one-address-mapping that we all know and love with IPV4 NAT

2) Automatic translation between IPV4 and IPV6. If you use the analogue-TV-to-digital-TV analogy, this NATing function is like the cheap converter boxes that allow your old analogue TV to receive digital broadcasts. Joe Sixpack will be told to plug his computer into the box, and the box plugs into his modem *AND THINGS WILL AUTOMAGICALLY WORK JUST LIKE BEFORE*.

Item #2 is the biggie. If we can make the migration asynchronous (i.e. no "flag-day" when everybody must switch over at the same time) things become a lot easier. And when Joe's current computer, running Windows 98SE or WinME (don't laugh) dies, he'll buy a new one with Vista or WIndows 7, and it'll support IPV6 out of the box. Just like when your current analogue CRT TV dies, you'll buy a new one, and it'll natively tune in digital broadcasts. And you won't need the NAT box anymore, except as a security blanket.

What WILL happen is "carrier-grade NAT" deployments inside service provider networks.

Residential and personal mobile device customers can expect to pay extraâ" on the order of US$5-10 per monthâ" if they want a public, i.e. non-RFC1918, IPv4 address assigned to them. Also, don't expect the carrier-grade NAT to support any kind of port forwarding whatsoever. Lastly, you can expect the NAT to implement address/port-dependent endpoint filtering.

So, the writing for P2P applications like BitTorrent is pretty much on the wall now. Read it and weep, MF'ers, we TOLD you this would happen a long time ago, and you didn't believe us.

It doesnt necessarily mean it was Thawte, though. From an earlier article:

he simply checked the box that stated that the certificate was not going to be used on the internet and was for internal testing only. Luckily, Michael also stated that most CA's rejected his requests.

It's a little vague, but it might mean that a lot of CAs have this checkbox.

Where in the world would you have to pay $340 for a vista license. Vista is $99 - $219.

The list price (since I quoted list for OS X) of Vista Ultimate is $340. You can pay less, assuming you are OK with getting a hobbled version of Windows. The $130 list price of OS X is completely full-featured. What kind of Windows do you get for that same list price? An "upgrade" all the way to Vista Home Basic, which hardly qualifies as an operating system. In no way does Vista Basic compare with OS X 10.5.

Mac cost of ownership is lower than PC? Bullshit! That is an out and out LIE.
PC's are SIGNIFICANTLY lower in price ACROSS THE BOARD!

And your citation for that?

Here is what the real world has to say:
Network World:
"The results of this TCO astounded me. For my small enterprise, owning a WinTel box for three years costs twice as much as owning a MacTel. When I talked with several of our clients, I found that the burdened cost of ownership per PC - just for support - ranged from $1,300 to $4,000 per year."

Tom's Hardware:
(Sorry no simple quote, just seven pages of proof why Macs are a better value if you don't make stupid purchasing choices.)

And so on; bored now. So show me one study saying that the total cost of ownership of a PC is cheaper than owning a Mac. And note that the references above are hardcore PC publications.

And more to the point of the article...Mac hardware is not available for me to build my own which saves me even MORE money by choosing PC.

And so we return to my original post. Apple doesn't let their OS run on any old hardware, and thus they can deliver a better experience. If that's not for you, then the Mac is not for you... you can go spend your days trying to hack cheapass generic hardware together into a sometimes-stable system while I am doing nothing but enjoying the use of my computer.

I love how you, an obvious anything-but-Mac fanboy goes about calling me a fanboy and a liar (with no proof) while hiding behind AC.

I don't see any major damage from having a presentation delayed for all of 72 hours either

Excepting, as pointed out in another reply, that this caused a presentation at a conference to be "Restrained" past the end of the conference, thus causing great damage to both the conference itself (one less presentation, bunch of pissed-off people that came to see said presentation) and the presenters (missed opportunity for a large live audience to present to). Since DefCon lists the presentations ahead of time, the MBTA should have had plenty of time to issue their TRO, get the facts straight, and get on with life such that the presentation could go on. Instead they waited and filed the TRO just prior, in a successful attempt to quash the presentation. Looking back through pages, the wifi warcarting article was posted to Slashdot on the 5th, along with mention of the subway hack presentation, so given normal slashdot posting times, it must have been on the DefCon site since at least late July. And checking further, confirmation: "An MBTA vendor tipped off the authority on July 30 that the talk was scheduled"

The TRO was not filed until the 8th. They knew a permanent injunction would not hold up, so they waited until the last minute to request the temporary one. They had plenty of time, 9+ days, to work with the courts and the presenters and they didnt....

Tm

This version may be easier to read.

Bottom line: The Linkup is blaming Nirvanix (a third-party service provider) which is, of course, blaming The Linkup. FTA:

Nirvanix says it has not deleted any customer data, and promises that its Storage Delivery Network is immune to the problem that plagued The Linkup. At The Linkup, a "system administrator ran a script that misidentified active account data and disassociated physical files from their owners," Nirvanix says. "This led to files being marked offline in the old Streamload/MediaMax file system when they shouldn't have been." Iverson, meanwhile, claims it was a Nirvanix engineer who caused the data loss.

Summary: "He did it." "No, he did it." "No, it was him!" "You did it FIRST!" "Idiot!" "Moron!" "Jackass!" ** customers shoot them both **

You sound like Cisco. http://www.networkworld.com/community/node/26841

Submitted July 17th

Submitted July 17th

Linux also saves companies money since it consumes less energy!

If we create great PHP support and we create excitement among PHP developers then there is opportunity for Windows Servers, Ramji said.

:: shudders ::
Just what the world needs, more windows servers ...

Oh please. Everyone knows it's the standard practice to store sensitive data unencrypted, on a single backup tape in your car. See here:

http://news.slashdot.org/article.pl?sid=08/04/26/0115227
http://it.slashdot.org/article.pl?sid=07/10/11/0412230&from=rss
http://cyberinsecure.com/backup-tape-with-private-details-stolen-from-greensboro-gynecology-associates/
http://www.theregister.co.uk/2005/06/07/citigroup_lost_tape/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=319327
http://www.cio.com/article/16133/
http://www.networkworld.com/news/2008/060208-lost-backup-tape-prompts-it.htm

Yes, all are different cases (and there are scores more)

The problem is that DNSSec doesn't do anything. It requires an infrastructure of trustworthy certificate authorities (like Verisign). It's akin to "SSL-encrypt everything and damn the costs".

Of course, it might be useful if DNSSec actually solved any issues that we're having, but it doesn't. DJBDNS is immune to this design flaw in BIND even though this design flaw has been brought up many times before. The real message you should be taking away from this is, and they expect us to trust them?

http://www.networkworld.com/community/node/29644?page=2&ts=

I just sat through an hour long presentation where Verizon was trying to sell me on switching to their MPLS;

http://www.networkworld.com/news/2007/032107-verizon-business-mpls-vpn.html

One of their features is a PIP satellite MPLS connection which has much less jitter (latency) than Hughes, DircPC, and such. They said they have customers using this for Citrix, VPN, and Voice and these customers find it much better than traditional satellite. They also offered to us to have one of their disaster recovery mobile MPLS satellite vans pull up so we could hook a laptop and VoIP phone up and test for ourselves.

They also offer such services over EVDO (or will) if you get Verizon EVDO in that area of Canada.

I don't speak from experience, but you asked for options and this might just be one.