Slashdot Mirror


Slow Down the Security Patch Cycle?

Ant writes "Computerworld has an editorial article about slowing down, not speeding up, patch releases."

9 of 302 comments

  1. in related news by jannesha · · Score: 5, Informative

    There are new critical updates available on Windows Update (5 in all, for WinXP + IE 6SP1).

  2. Re:A perspective from a gentoo user by MrRuslan · · Score: 2, Informative

    After you run emerge sync you should run emerge -u -p world; it will tell you what you can update... you don't have to do everything... just pick whatever makes sense... no need to update OpenOffice.org from 1.1 to 1.1.1... but if there is something like ssh or postfix it's a good idea to grab those... I mean use common sense... and since you read Slashdot you should know of any BIG remote exploits that appear and emerge fixes for them... but if it works for you don't fix it by emerge -u world... simply not necessary.
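    The triage the comment describes (list pending updates, then pick out only the security-sensitive ones such as ssh or postfix) can be scripted. This is an added example, not code from the comment or from Gentoo; the pending-update text and the watchlist are constructed here and stand in for real `emerge -u -p world` output.

```shell
#!/bin/sh
# Constructed sample of what `emerge -u -p world` might print; not real output.
SAMPLE_PENDING='[ebuild     U ] net-misc/openssh-3.8_p1 [3.7.1_p2]
[ebuild     U ] app-office/openoffice-1.1.1 [1.1.0]
[ebuild     U ] mail-mta/postfix-2.0.19 [2.0.16]
[ebuild     U ] media-gfx/gimp-2.0.0 [1.2.5]'

# Assumed watchlist: packages whose updates should not wait (category/name only).
SECURITY_WATCHLIST='net-misc/openssh mail-mta/postfix'

# triage_updates PENDING WATCHLIST
# Prints one line per pending update whose category/name is on the watchlist,
# so "emerge -u world" can be replaced by an emerge of just these atoms.
triage_updates() {
  pending="$1"
  watch="$2"
  printf '%s\n' "$pending" | while IFS= read -r line; do
    # Drop the "[ebuild  U ] " prefix and the trailing "[old-version]" field.
    atom=$(printf '%s' "$line" | sed -e 's/^\[[^]]*\] *//' -e 's/ .*//')
    # Strip the version: everything from the first "-<digit>" onward.
    pkg=$(printf '%s' "$atom" | sed -e 's/-[0-9].*$//')
    for w in $watch; do
      [ "$pkg" = "$w" ] && printf '%s\n' "$atom"
    done
  done
  return 0
}

# count_security_updates PENDING WATCHLIST: how many pending updates need attention.
count_security_updates() {
  triage_updates "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: print the atoms worth emerging right away.
triage_updates "$SAMPLE_PENDING" "$SECURITY_WATCHLIST"
```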

  3. Re:But then how can vendors be 1337? by tomhudson · · Score: 1, Informative

    There's one point that has been missed so far ... here's the quote from the article:
    "They know there is a much easier way to determine the details of a particular vulnerability than slogging through millions of lines of assembly."

    It's not possible to slog through millions of lines of assembly. Even if you do 1 line a second, 8 hours a day, 5 days a week, you won't finish in less than a few months (of course, if you have a 10-million-line source code program, the binary will hold a LOT more than "a few million lines of assembler"). You won't finish within your working lifetime.

    By then you're out of date anyway.

    Guess we can score 1 more argument for open source.

  4. Re:Speaking of astroturf by Fapestniegd · · Score: 2, Informative

    So if some people have figured out an exploit in software and are exploiting it, then revealing it to the whole world is a... service?

    Yes, it allows me to turn the software off, or take the machines down running it until I can patch it. Keeping me in the dark is doing me a disservice.
    The fact that a good deal of people are not vigilant about security and let their machines get exploited is no reason those of us who are vigilant should be penalized.

    And I realize that 24 hours is not a lot of time to install a patch, but if you're serious about security, you stay up all night applying them if need be, and have vulnerability alerts going to a pager or cell phone. I don't understand how keeping it a secret and leaving people vulnerable is better than allowing them to take *any* action to fix it.

    You don't have to wait for the patch to shut down a service, or switch off a feature. As far as I'm concerned there should be a preliminary warning the moment the vendor is aware of an exploitable service, and a patch made available ASAP. Then people paying attention can get on with their day, and those who aren't can get hit when the worm comes out (after the patch is released).

  5. Re:This will tick off C++ programmers but... by chgros · · Score: 2, Informative

    If they wrote their software in Pascal, this wouldn't be a problem.
    If they used STL string / vector, this would also probably not be a problem.
    Not to mention, a buffer overflow in Pascal would make the program quit with a runtime error: great security!

  6. Re:I don't think you'll get an argument from MS by Anonymous Coward · · Score: 1, Informative

    You mean crackers in lieu of hackers, don't you?

  7. Re:I pity the hacker... by BoomerSooner · · Score: 2, Informative

    They don't wade through 300MB; they do a diff on the DLLs/EXEs and find the location of the overflow. It takes longer to code the exploit than to find the problem. I'm learning assembly and my hobby is reverse engineering the install codes in software (learning only, and I'm not good by any means, yet). If you look for starter kits they tell you that WinZip (I'm not sure about current versions, but older ones were "easy") is a good program to start learning how to look for instruction patterns to find where the registration routine is. The only thing you had to do was just jump past the routine.

    Assembly is difficult but rewarding to learn. Plus there are so many great tools available now that weren't when I first got into programming (NASM, the Art of Assembly book, etc.).

  8. Re:Windows Security Update CD by myov · · Score: 2, Informative

    I've been waiting over a month for mine. I could have transferred the contents over dialup by this point!
    (probably held up in customs, but still...)

    One other thing I discovered is that MS automatically made a passport for me when I filled out the order form. It didn't say anything about that until I tried to check the order status and was redirected.

    In response to the parent about changing WinXP themes... get a patched uxtheme.dll file. WinXP file protection will complain, but you can ignore it. Then you can use any of the third-party themes. I use Watercolor, a nice, simple, clean theme. The fluorescent-green-on-blue-designed-by-a-4-year-old theme got to me. (One thing I love about OS X... the GUI is functional without screaming in your face.)

    --
    I use Macs to up my productivity, so up yours Microsoft!

  9. Re:OpenSSH tried this once by Tuck · · Score: 2, Informative

    It was June 2002, and here are the details including a description of the release process.

    At the time of the original announcement it was specified that there was a way to mitigate the problem (Privilege Separation) and at least some of the criticism was because PrivSep didn't work on all platforms.

    The patch was released early because the discoverer released the announcement early. I don't know if there were exploits available at that time.

    Disclosure: I'm one of the OpenSSH developers, but I wasn't at the time, so I only know what was made public.

    --
    $ find /pub -beer "James Squire Amber Ale" -drink