Domain: unix.org.ua
Stories and comments across the archive that link to unix.org.ua.
Comments · 11
-
Re:Importance?
Never noticed these colors as well.
I did try to cut the number of warnings given, but uac still is not yet at a level it is user friendly.
Let me point out:
-It sometimes tells the publisher is unknown, and sometimes it show the publisher, but say it is unverified. It is just a conspiracy with verisign to sell code signing certificates.
-Java vm had fine grained access controls a long time ago, and the NSA build these into windows NT 4.0 also. But all UAC allows is to give full access(=admin that can install drivers) or deny (no option most of the times) it. Yes, you can apply all kind of rights to the user, but not to a program... This is a lost opportunity.
-Once UAC is popping up you have no way to take back control. So guess what a user does when he is confronted with {while (true)askPersmissiontoinstalltrojan;}
-...???
-profit. Yes for Steve Ballmer that is... ;) -
Re:Features vs. Security
Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product.
Don't forget that that includes UNIX; from the preface to O'Reilly's "Practical Unix and Internet Security":When the first version of this book appeared in 1991, many people thought that the words "UNIX security" were an oxymoron-two words that appeared to contradict each other, much like the words "jumbo shrimp" or "Congressional action." After all, the ease with which a UNIX guru could break into a system, seize control, and wreak havoc was legendary in the computer community. Some people couldn't even imagine that a computer running UNIX could be made secure.
The various flavours of UNIX have come a long, long way since 1991. So have MS; but they have had farther to go, started later and have not been travelling nearly as fast. A modern Windows PC in skilled/sensible hands is safe enough, but so many are in less than optimal hands... -
Re:Shortcuts are nothing new"Interprets", yes:
When an NFS client does a stat( ) of a directory entry and finds it is a symbolic link, it issues an RPC call to read the link (on the server) and determine where the link points. This is the equivalent of doing a local readlink( ) system call to examine the contents of a symbolic link. The server returns a pathname that is interpreted on the client, not on the server.
But the symlink is a feature of the on-disk filesystem and is there whether the client does something with it or not. -
Re:Could someone explain how the attack works?I don't think you understand what NOTIFY is or how it works:
When a slave receives a NOTIFY announcement for a zone from one of its configured master name servers, it responds with a NOTIFY response. The response tells the master that the slave received the NOTIFY announcement so that the master can stop sending it NOTIFY announcements for the zone. Then the slave proceeds just as if the refresh timer for that zone had expired: it queries the master name server for the SOA record for the zone that the master claims has changed. If the serial number is higher, the slave transfers the zone.
Why doesn't the slave simply take the master's word that the zone has changed? It's possible that a miscreant could forge NOTIFY announcements to slaves, causing lots of unnecessary zone transfers and amounting to a denial-of-service attack against a master name server.
-- DNS and BIND, 4th Ed.
First off, it only applies to authoritative zones which means there aren't any caches to exploit. Second, query recursion and dns notify are completely unrelated.
If you send a NOTIFY for a domain that isn't a slave, the server will ignore it. Even if you happen to be in a position to mount a man-in-the-middle attack and forge the SOA QUERY results, all you'll manage to do is trigger a zone transfer -- which happens over TCP, not UDP, so poisoning the zone will be much more difficult. But we're straying off topic... this has nothing to do with recursion, nor is it a DDoS. (and very few people are in a position to mount such an exploit.)
Notify messages are validated, if not authenticated. They have to come from a configured master or they're ignored. At best, for each NOTIFY properly forged, 2 (*two*) packets, almost exactly the same size, will be generated: the NOTIFY response, and a QUERY for the SOA. If a 2x amplification is enough to be an effective DDoS, then it's very likely the script kiddie's zombie botnet is large enough to not need any amplification. Oh yeah, and the entire process is hinged on IP SPOOFING, not on the status of any dns server's "query recursion" settings.
Disabling recursive queries on public dns servers, and properly configuring the feature on internal dns servers is a good practice. HOWEVER, it's not the solution to using DNS servers in DDoS attacks. It is at best, a small part of the solution. All of this depends on successful ip spoofing; and that is what needs to be fixed, but because of lazy, and/or incompotent networking professionals, ip spoofing is going to be with us for a long time. (we've had the necessary technology for nearly a decade.) -
Re:Flamebait?
Unfortunately, it will still not be on par with what UNIX has done for decades now in that respect, but it does sound like a step forward. As far as its real world functionality, I think we'll definately have to wait and see. I remember hearing that Windows 2000 wouldn't require reboots, XP/2003 wouldn't require reboots, and now Vista won't either.
-
Or you could just go here
Or you could just go here and read them all for free: http://www.unix.org.ua/orelly/
Not that I condone this kind of activity. -
BoA should read this
Professionals in the field of authentication already know that it's a much stronger method of authentication to require two out of three of something you know, something you are, and something you have.
http://www.unix.org.ua/orelly/networking/firewall/ ch10_02.htm
But BoA's new system is just something you know, something else you know, another something you know, and yet another something you know. Unfortunately, teh Intarweb combined with the hardware that home users normally have isn't really suited for doing anything more than this, and even if you did have (say) a smart card reader to use with a bank-issued smart card, there's nothing saying that phishers couldn't haxor your smart card reader and make a copy of it.
I shudder at the thought, but this might actually be a benefit of Trusted Computing - preventing phishers from gaining access to a smart card reader included in a computer.
-
If Windows supports named pipes...
If Windows supports named pipes you can do something like this: http://www.unix.org.ua/orelly/perl/cookbook/ch16_
2 3.htm where instead of calling fortune you open a random wave file. -
full quote
http://www.unix.org.ua/orelly/networking/puis/ch0
1 _04.htm
""It was not designed from the start to be secure. It was designed with the necessary characteristics to make security serviceable.""
no idea who is right -
Re:modeling unknown passwords
Just use a salt in computing the password hash. Makes the space requirements for precomputing the hashes go up many many orders of magnitude.
It's too bad this idea wasn't around when Microsoft was designing LanMan. Oh, wait , Unix has had it for 20 years.
So unix passwords are only 4096 times harder. We'll have that kind of storage in about a decade, so it's time to start getting bigger keyspaces. -
parse tree
Perl compiles its code into an intermediary "tree" of logic nodes (Perl "opcodes"). Are there any topology strategies for optimizing that tree, in the graph itself? Any visualization tools that let Perl generate the tree, then let a programmer change the tree, then complete the compilation of the new tree to new code? Is Parrot/Perl6 making any of these strategies more feasible, or are they all going away?