Slashdot Mirror
40 Windows Apps Said To Contain Critical Bug
CWmike writes "About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, says HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit. Gregg Keizer reports that the bug was patched by Apple in its iTunes software for Windows four months ago, but remains in more than three dozen other Windows programs. Moore did not reveal the names of the vulnerable applications or their makers, however. Each affected program will have to be patched separately. Moore first hinted at the widespread bug in a message on Twitter on Wednesday. 'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,' he tweeted, then linked to an advisory published by Acros, a Slovenian security firm."
http://www.youtube.com/watch?v=wxlhyX-4qKI
Only 40? That's definitely an improvement over the 7 year old Linux exploit that was only just fixed where any GUI app could gain root access.
But alas, I'm running Linux :)
Just 40?
Then worry about this:
http://it.slashdot.org/story/10/08/18/1534258/Linux-Xorg-Critical-Security-Flaw-Silently-Patched?from=rss
Palm trees and 8
/. is as bad for this as anywhere else on the net as far as I can tell. All bugs are flaws, but flaws are not necessarily bugs. This sounds like a flaw, even a vulnerability, but not a bug. Sorry, as you were.
So there are forty unknown applications with an unknown flaw that results in code execution. This sounds like it includes web browsers (given the references to 'viewing a web page' in the article), but it doesn't specify which. It also doesn't specify what sort of file(s) (except in the case of iTunes -- a 'media file') are affected.
So what're we supposed to do? There's no detail here, not even cursory detail, on what filetypes or applications to avoid. I'm fine with no details on the innermost workings of this exploit being widely disseminated, but why announce it with such fanfare if there's not even a way to avoid exposing yourself (i.e., listing these supposed '40 applications')?
I better pull my internet plug until all 40 apps are fixed. 'Cause you know, I use windows and my machine gets infected everyday!
Tired of my customary (Score:1)
Then worry about this:
Yeah, I'm far more worried about a _fixed_ exploit that requires I install a malicious GUI app than an active exploit that just requires I open a malicious Word document.
What a load of crap. On the other hand, I have found a virus that will immediately destroy your computer if you don't send me 1 million dollars.
Mean what you say...say what you mean.
They fixed a bug in the Linux kernel? I'm worried now.
Well, not all distros are up to date on these things. Are you sure that the distro you use has distributed the update yet?
Palm trees and 8
'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,'
That sounds really bad!
'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,' he tweeted
Oh, doesn't seem so bad now...
Just because a patch was issued doesn't mean every single system was patched and that there won't be countless people still running a vulnerable version.
Or windows have several orders less apps than i think, or is the safest operating system on earth (ok, or something is missing in that formulation, like being 40: as in millons, or just counting in the included by default apps)
Just because a patch was issued doesn't mean every single system was patched and that there won't be countless people still running a vulnerable version.
So now the disto just has to install a malicious trojan on their system and they're doomed. Because if the distro developers are malicious, that would be so much easier than just installing a trojan that runs as root.
I honestly don't see why people can't understand the huge difference between requiring malicious software to be installed on your PC by a software updater that _already runs as root and can change any file on the system_ and requiring you to open a malicious Word document.
Sure, maybe Joe Sixpack is dumb enough to install a random 'Naked Chicks Screensaver' that exploits a Linux bug, but the vast majority of people only install software from their Linux distro, which they have little choice but to trust.
Yeah, none of those 40 problem apps will run on Linux. Unfortunately, neither will thousands of other apps.
SJW: Someone who has run out of real oppression, and has to fake it.
Sure, maybe Joe Sixpack is dumb enough to install a random 'Naked Chicks Screensaver' that exploits a Linux bug, but the vast majority of people only install software from their Linux distro, which they have little choice but to trust.
Well hopefully that distro didn't download the trojaned version of unrealIRCD that it's own developers didn't realize someone had switched. Or are the developers of that program and anyone who trusted that what they were sharing wasn't trojaned are just "dumb Joe Sixpacks"?
I honestly don't see why you seem to think that the XOrg vulnerability has something to do with your software updater, rather than being one where any GUI app run by any user can run anything as root.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
There are many reasons to use Linux, but better security is not one of them. If you still believe this, put up a Linux server completely exposed to the Internet, and broadcast all over IRC that your server is badass and can't be hacked. It is a common misconception among Linux zealots that Linux doesn't have the security issues that Windows does, but mostly it's because its less popular, and very few exploit writers target Linux machines. In fact, even though ProPolice has been around for years, many Linux distros (including default Ubuntu) do not take advantage of it, and thus open themselves to a myriad of exploits that even Windows XP did not have. The performance gain from not using ProPolice is negligible, and the expoitablility of such a machine, given the quality of code from many Linux apps, is almost guaranteed.
So, your smart-ass comment only shows your ignorance. Linux is pretty cool as a development environment, and it's not a half-bad desktop, especially given the price. But I would run Windows Server long before I would consider putting a Linux machine on the net without a decent firewall (i.e. not Linux) in front of it.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
I honestly don't see why you seem to think that the XOrg vulnerability has something to do with your software updater, rather than being one where any GUI app run by any user can run anything as root.
Sigh.
Which part of 'the only way the average Linux user is going to be running malicious software is if their distro ships it to them' is proving so hard for Windows users to understand?
I was under the impression that very few Windows applications were statically compiled... so why can't this just be updated in whatever shared object it uses again?
I know he says
but what and why?
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
If your distro is installing malicious software on your system, then you have much more to worry about than an X-server bug.
Or Joe Sixpack visits a website with a Flash applet, and there happens to be a vulnerability in Flash player that allows those applets to issue requests directly to the X server. Or, Joe Sixpack opens a PDF file using acroread, and there is a vulnerability in acroread. Or any number of other vulnerabilities; all an attack needs is to be able to issue requests directly to the X server.
It really was not a trivial, uninteresting bug. It was a serious security problem for desktop Linux users that had been around for years.
Palm trees and 8
http://www.archlinux.org/packages/core/i686/kernel26/
Patched on 8/13, new kernel package on 8/14. I'm not concerned. And slower-updating distros generally have a security team to patch these kinds of things into their current kernel release.
Yeah, it would be way better for Windows users if they could be protected by a massive ego like a certain percentage of people running Linux.
You assume they would be doing it purposefully which isn't necessarily true. In the case of unrealIRCD not even the developers of the program knew that the version they were serving had been switched to a version with a trojan in it until months after they had been serving the files.
The part where an exploit that allows malicious programs to be run without the user's knowledge? Or did you think there were no such exploits?
For the record, I am a Fedora user, not a Windows user. I am willing to acknowledge when there is a security problem. I am glad it was fixed, but that does not imply that it was not a real problem.
Palm trees and 8
But...but...those are clearly just dumb Winblows users!!! HURP DURP!!!
The part where an exploit that allows malicious programs to be run without the user's knowledge? Or did you think there were no such exploits?
So in order to exploit this exploit you need to make up another exploit which already allows them to do anything on my PC with my user privileges, which means that they've already installed a keylogger in Firefox and stolen my bank passwords and I no longer give a flying monkey turd about whether they've trashed my OS.
How far down this 'but what if there was another exploit too!' rabbit-hole do you intend to run?
Just to further elaborate, there is nothing in the case of the Xorg exploit that says that the vulnerability in the program that allows the someone to use the exploit has to have been put in their purposefully. So this whole notion about distros and their package managers is just a big red herring.
Don't run X as root. Who does that these days?
KMS, bitches.
In the case of unrealIRCD not even the developers of the program knew that the version they were serving had been switched to a version with a trojan in it until months after they had been serving the files.
Yeah, one tar file on one server had been hacked. If your distro is downloading random unauthenticated tar files (no signature, not even a checksum) and shipping them out to end-users then you have much bigger problems than a random X-server exploit.
I'm running Linux :)
That's like not worrying about pregnancy because you're a homosexual.
Turning to a Linux advocate for thoughts on Microsoft is like asking Hitler how he felt about the Jews.
You are assuming that was the ONLY flaw in Linux...
Not a safe assumption. If that has been around for 7 years, what else could there be?
I'm certainly not saying Linux is less secure than Windows (I'm pretty sure the opposite, in fact, is true), however that doesn't mean that you are safe on that high horse of yours.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
Actually, the attack allowed malicious code to bypass SELinux, which is often to used to prevent exploits that run with user privileges from accomplishing much.
Why are you downplaying the significance of this attack?
Palm trees and 8
If your distro is downloading random unauthenticated tar files (no signature, not even a checksum) and shipping them out to end-users then you have much bigger problems than a random X-server exploit.
Because downloading a file from the official of the program is equivalent to downloading a random file from an untrusted server? lolwut?
official website*
You misunderstand. The Xorg bug doesn't require a malicious GUI app; it just requires a perfectly normal GUI app with an exploitable vulnerability. So if OpenOffice.org (or Acrobat Reader, or Firefox, or any other document viewer) has a flaw which can be exploited by a malicious document, the Xorg bug turns that into a privilege-escalation vulnerability, circumventing not only the normal permission mechanisms but also tools such as SELinux sandboxes (which protect against malicious code running in the sandboxed user application, not the X server).
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
You might as well give up. Anything you say is going to be thrown back at you with in some ridiculous caricatured form in order for him to dispute it.
Need your computer hacked? There's an app for that.
.. and that's better than the unpatched issue we're discussing how?
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
So in order to exploit this exploit you need to make up another exploit which already allows them to do anything on my PC with my user privileges, which means that they've already installed a keylogger in Firefox and stolen my bank passwords and I no longer give a flying monkey turd about whether they've trashed my OS.
No. In fact, for example, a maliciously-formed PDF file opened in a PDF reader, even if that reader is run in a sandbox, can be used to gain root through the exploit.
Oh, wait, I forgot, there is not a slashdot/gmail filter that falls under the heading of "I'm still stupid enough to run windows being the case in point of a virus ridden insecure operating system because it isn't open sourced."
Google has managed to get it right. Only show people news (or advertisements) with significant relevance to the viewer. I'm sorry, I've used Unix since 1974, and although there was a brief period of time when I engaged with Windows in the mid-to-late '90s, I'm now back with Linux.
What was it that Forrest once said... Stupid is as stupid does.
Please report on whether the vulnerabilities might perhaps impact programs typically run under Linux. I run almost entirely open source but that does not mean that could be immune to exploits. Simply means we can resolve them much faster.
Also, where else do you expect a distro developers to download the source code for a program if not from the official upstream developer themselves (which is where the trojaned version was pulled from)?
...and nothing of value was lost.
I'm sure you could get these running under Wine.
I am officially gone from
No, of course not and I wasn't implying such a ridiculous thing either. But to act as if just because there is patch out that the issue is now non-existent is silly. It's no different to back when code red was a big problem. Even after Microsoft pushed out a patch, for many months after there were still people spreading the infection due to not updating their systems.
Don't run X as root. Who does that these days?
Probably quite a few. Not everyone is running a version of the 2.6 kernel that has KMS.
But alas, I'm running Linux :)
Do you wish you had the luxury of worrying about unwanted pregnancy, too? :)
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Ah, sorry for misreading you :)
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Exploitable != Malicious. A system without stack protection is an accident waiting to happen. You should read up on how stack protections eliminate an entire class of exploits, and how subtle exploitable code really is. Even the .NET compiler includes stack protection. I have no idea why Linux has not adopted the use of ProPolice across the board.
My previous response was not a troll; it was based on years of experience running Windows, Linux, Mac and BSD machines. Linux is the most brittle of all of the systems I've used. Even remaining up-to-date from the distro is very little protection, since the underlying problem is not being addressed. Nearly every Linux distro could ship with better security, but SELinux and ProPolice are not enabled by default.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
"Each affected program will have to be patched separately."
And this is why Linux package managers that know how to handle shared library dependencies are better than one-click installers that bring along their own versions of the libraries.
Who? People that run proprietary drivers from Nvidia or ATI do. So do people that use drivers from less popular vendors that don't yet have KMS in their drivers (KMS is not in every open driver yet). It's enough to stop most distros from shipping with X running as another user.
But alas, I'm running Linux :)
Ugh. Here we go again...
/* No Comment */
I'd say that putting any OS on the Internet without a reasonable firewall is a poor idea, the exception being a laptop [1] just out of necessity. Yes, most operating systems are hardened, but what brings the bugs are the applications that run on them. This is why having a hardened machine with as little running on it as possible is essential between the general purpose computers and the rest of the Internet.
[1]: I have seen tiny embedded Linux adapters just bigger than an Ethernet plug. Why can't laptop makers build a tiny firewalling router into one of those and mount it on the motherboard? This way, it doesn't matter what OS is, attacks from remote will be minimized, and one could configure it to disallow outgoing ports (such as port 25) that the laptop shouldn't ever need to go out on. I'm sure similar functionality can be done for Wi-Fi. As an added bonus, if a machine gets DoS-ed, it won't be the main CPU that has to sort out the offending packets, but the one on the built in firewall.
Assuming that xpdf has an exploit. Or that someone is running acrobat for linux for some weird reason.
to enable by default, remote/network based DLL's to automatically be loaded, and then call this a bug in the applications which do basic DLL loading, me thinks something fishy is going on. Is there a way to watch for any and all DLL's loading from outside of the local machine? I'd like to see who might be feeding their application DLL's over the interweb. Legit or not, this sounds like an OS flaw when just loading a data file allows the application processing the data file to suck in DLL's from the location where the data file resided. If the application loaded from that remote location then fine, but we are talking about content, not application code. Sure sounds fishy.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
And that's exactly why they shouldn't be running the proprietary drivers.
So what're we supposed to do?
Run around like headless chickens predicting the end of Microsoft, and Windows, rant and rave about the virtues of Linux, how there are no Linux viruses and how any year now it will be the year of the desktop, and generally feel smug.
You're new here, aren't you?
These posts express my own personal views, not those of my employer
What should concern you is that this bug was patched by SUSE in 2004, but it took 6 years for that fix to make it into mainline...
cat:
Here's a link to the original advisory. It's worth a read as it contains useful remediation advice: http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt
I fail to see how that's a problem, as long as it was only your work email box that was erased. That just means less work for you, and any problems can be blamed on IT.
I don't understand why he feels the need to overshadow ACROS for this? I hope he adds something useful, otherwise this seems kind of like a dick move.
"Remote Binary Planting – An Overlooked Vulnerability Affair
Mitja Kolsek, ACROS Security
The binary planting vulnerability, although documented for over a decade, remained overlooked by researchers and developers alike - until now. Our research hopes to put it in its rightful place on the top 10 lists where it seems to belong. Binary planting is an attack method where an attacker places a malicious executable on a local or network drive, possibly on the Internet, from where a vulnerable user’s application will load and execute it. The main enabler for this attack is the fact that Windows include the current working directory in the search order when loading executables. In order to perform the research, we developed a tool for monitoring how applications set their current working directory and how they load their binaries. We launched the tool against more than 200 leading Windows applications. The results were surprising: almost every one of them was vulnerable to remote attacks. More than 520 vulnerabilities we discovered in these applications amount to roughly 100,000.000,000 (yes, that’s a hundred billion!) holes in existing computers worldwide. In many cases, the malicious binary is loaded immediately after a user double-clicks a remote document, which we dubbed a \double-click-bang" effect. (Such bugs can easily be turned into worms.) Live attack demonstrations for various types of these vulnerabilities will show how easily exploitable many of them are. We will show how Windows Explorer and most of the leading file management alternatives make it easier to exploit these bugs, and explain why Microsoft can’t implement any quick fixes to eliminate them without breaking many existing applications. Apart from collecting binary planting bugs, our research aimed to discover the root causes of their existence. We will show the common mistakes developers make to introduce binary planting vulnerabilities in their products, and try to explain why they make them. We will also see how an application can become vulnerable when ported to another Windows platform. Finally, developers in the audience will get tips for avoiding or fixing binary planting bugs in their code, and users will learn what they can do to protect themselves. "
https://deepsec.net/docs/speaker.html
~TurboBorland~
http://www.securityfocus.com/archive/1/513190
Which part of 'the only way the average Linux user is going to be running malicious software is if their distro ships it to them' is proving so hard for Windows users to understand?
What you're saying is that Linux is totally bulletproof, as long as you run it as much as possible like an iPhone -- trusting only applications that your OS provider says are okay, and that it's not reasonable to examine it in a situation where that's not the case.
So yeah, I can understand why some people would have a hard time making sense of your claim that the most secure, most free OS should be run as walled garden if you expect it to be secure.
Only on /. do insightful comments get modded troll, and spam modded funny...
cat:
but better security is not one of them.
And you'd be wrong. Even with a directly connected Linux box it takes someone manually targeting that machine. As far as I know, no one has successfully automated *nix hacking and certainly not any kind of effective drive-by attack. Even if the automated attack gets a foot in the door, they still have to manually find a way to escalate privileges.
If you still believe this, put up a Linux server completely exposed to the Internet, and broadcast all over IRC that your server is badass and can't be hacked.
Connect that same box running Windows directly to the internet and you don't even have to announce its presence. It's like auto-hork.
Linux doesn't have the security issues that Windows does, but mostly it's because its less popular,
Another fallacy. If that were true then the exploits out in the wild should be relative to percentage of machines running that OS. And yet there aren't any. That popularity tripe was a talking point from a MSFT PR firm advertising campaign that went around a few years ago.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
But alas, I'm running Linux :)
So your doing nothing productive with your PC then?
As far as I know, no one has successfully automated *nix hacking and certainly not any kind of effective drive-by attack.
Then you don't know where to look. I've found rootkits for MySQL, various ftpds, old versions of Apache, etc. Automating such rootkits is a trivial task. Writing C code given the explanation of the vulnerability is usually also a trivial task. Hell, the first Linux server I put on the 'net in '98 was rooted within a month through a vulnerability in wuftpd. It certainly wasn't any kind of targeted attack, as it simply put eggdrop in an obscure location and replaced /bin/ps to hide the process.
Even if the automated attack gets a foot in the door, they still have to manually find a way to escalate privileges.
And therein lies the rub. My Linux server was rooted because wuftpd ran with elevated privileges, as it was delivered by the distro. Older Windows versions did basically everything as Administrator, so the privilege escalation part was trivial. Later versions of Windows do not have this problem. Every single problem that you point to in Windows either no longer exists, or also existed in the default installation of a particular distro. Yeah, you can do your own security and do better, but you can say the same about any OS. The problem is that most people use the defaults, not having the time or inclination to become an expert in, say, SELinux.
Connect that same box running Windows directly to the internet and you don't even have to announce its presence. It's like auto-hork
OK, I'll do you one better. I've announced its presence but won't tell you where it is. It's running Server 2003 with SP3 and has a hardware firewall in front of it. That should be more than enough to root it if your boast is even remotely true.
If that were true then the exploits out in the wild should be relative to percentage of machines running that OS. And yet there aren't any.
Once again, you don't know where to look. And, the number of exploits available for Windows 7 is considerably lower than for previous versions, probably in part due to the stack protections in the .NET framework. Until ProPolice is implemented in every default Linux distro, Linux is more exploitable than Windows, as every single mistake that can lead to a buffer overflow is exploitable, whereas with stack protection it is not.
That popularity tripe was a talking point from a MSFT PR firm advertising campaign that went around a few years ago.
And let's not forget the fine marketing campaign from the Linux side. Information wants to be Free! Proprietary Software is Evil and will only be used to Invade Your Privacy and Sell You Stuff You Don't Want. Bask in the Free Goodness and Never Get Paid to Code Again! All marketing is bullshit, and frankly, there's so much FUD on all sides that I've decided that my loyalty is simply for sale. Maybe one day you will become hungry and desparate enough that it's simply not worth getting involved in the politics.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
As far as I know, no one has successfully automated *nix hacking and certainly not any kind of effective drive-by attack.
Funnily enough, the first network worm ran on Unix systems, causing massive denials of service. You should google the Morris worm.
Actually, even though Nvidia does not support KMS their drivers do support running X as a normal user. Users of the ATI proprietary drivers are SOL.
Using KMS does not automatically remove the root requirement. For example, Ubuntu uses KMS drivers for many cards currently, but one of the big improvements for 10.10 will be to run X as a normal user with some drivers.
People do run applications from network shares. But if you want to keep people on your machine from running executables from remote locations, I think you can set up a software restriction policy with an appropriate path rule and with the global settings set to check DLLs too.
I would guess that the problem isn't that reading a data file causes a DLL to be automatically "sucked in" from that location, but that the application sets the current working directory to that location, causing subsequent DLL loads to potentially happen from that location.
XP SP2, Vista, and above have a somewhat safer search path by default, checking system directories before the working directory. Earlier versions checked the working directory second, after the application directory. Windows 2000 SP4 and XP prior to SP2 can also be set to use the safer search path. But if the application attempts to load a DLL that doesn't exist elsewhere, or one that only exists somewhere else in the user's PATH, it can still be tricked into loading one from the working directory.
Applications that change the current working directory based on user input should be calling SetDllDirectory, on Windows versions that support it, to remove the current working directory from the search path. I'm not surprised that there are many applications that do not.
its still just a software layer
oh so he has a linux based firewall, so all I have to do is exploit that and wow gee all his windows machines are wide ass open
Issue has so big evil potential that, they are afraid to tell the exact details. You can be sure black hats are all over the private forums, google and irc to figure out what this thing could exactly be.
What pisses me off is, it was later "tweeted" to be a 10 year old, reported bug, in official way (Bugtraq) and 3-5 kernels and explorers later, there was nothing done against it.
http://www.securityfocus.com/bid/1699/discuss
See the reporter? That is one of the most respected white hat hackers, especially in Windows land. It is not some teenager misunderstanding something and reporting as flaw.
This sounded a bit like the DNS issue. So big that it better not be detailed until top popular apps (and better, explorer itself) gets patched.
Twitter is loved by people who has something to say, in short and hates the idea of "blogging" or facebook.
You can be sure that the actual security issue will be released in traditional .txt form.
I don't have a twitter account.
According to The Register article, it is 200 now and counting. In fact, 40-200 etc. happens because downloading/testing software takes time, not anything else :)
One day, something will hit Windows real bad that it will effect anyone, Linux users or even Z/OS using banks.
That junk is running on 95% of machines connected to the Internet. If I wasn't lazy, I would give a far more impressive real number, e.g. billions.
I remember not being to do anything meaningful on the Internet because of some Windows worm while I was using OS X on Apple G5.
Look this way, http://www.securityfocus.com/bid/1699/discuss
10 years earlier, Kaminsky reported it very polite and decently and obviously he didn't release an exploit. Did it change anything other than being ignored by MS?
Even Apple as far as I know (and don't like) would stay open at weekend if someone found an issue like that on OS X, until they release a fix. MS doesn't even respond to well known technical news sites run by reporters, not some no name bloggers.
Windows Contains Critical Bug Affecting 40 Apps
Just because a patch was issued doesn't mean every single system was patched and that there won't be countless people still running a vulnerable version.
Dude--I use 'cssh'. Every system was patched--and it was done simultaneously to boot.
There's no place like
Script Kiddie: Dear diary: Jackpot.
What you're saying is that Linux is totally bulletproof, as long as you run it as much as possible like an iPhone -- trusting only applications that your OS provider says are okay, and that it's not reasonable to examine it in a situation where that's not the case.
How is installing applications from the repos anything like using an iPhone? With Linux, I can install any application I want from anywhere I want as long as it's compatible (just like most other OS's). I can compile from source, write and run my own code on it, whatever floats my boat. I and most other Linux users get most of our software from the repositories because 99 percent of anything you'd want to install is in there and the packages in the repos are generally well tested to work with the system you are using. It would be foolish to not use them. With the iPhone, unless you jailbreak it, you're locked in. That's a walled garden. No Linux distro I've ever used has worked like that at all.
The soylentnews experiment has been a dismal failure.
At least the homepages are looking better (now with Flash) ... unfortunately clicking "Terms & Conditions" gives you a blank page, the blog seems to be entries from cheapcigarettes.co.uk ... oh and did I mention despite the apparent European feel to the site, it's still knockoff sweatshop crap made and shipped from China.
Where did they come up with the number 40? Is 40 a lot?
This whole story is the equivalent to "There are 40 terrorists in the country! We won't tell you where they are or how to stop them, but be careful!!!"
Network based firewalls do comparitively little real Layer 4 to 7 inspection, and it can only ever be generic. Whilst an inbuilt 'hardware' firewall is novel approach that is worth exploring, a DoS attack typically affects access to bandwidth more the primary threat vector for hosts is obviously applications.
To tie down these applications you need something that both controls that IP based access and behavioral control of each application (API, DLL, etc access). This is a role that can only be fulfilled by a desktop firewall.
IT: We are not responsible. F. off.
My boss: IT never works and you knew that... all we are subject to the same conditions and yet we work and don't complain. Why are you special?
Me: WTF?
You to boss: Fuck you!
Honestly, how is data integrity not IT's problem? It was their dumb idea to use Windows, which is so susceptible to malware. They're supposed to have something called "backups" in case of disaster. If they don't, they're not doing their jobs. My current job has an incompetent IT department too, but at my last job, they had some fancy backup system that backed up everything on your desktop, nightly. So if something did wipe out your email inbox or something, they could recover it.
I'd start looking for a new job if they give you any grief.
How is installing applications from the repos anything like using an iPhone? With Linux, I can install any application I want from anywhere I want as long as it's compatible (just like most other OS's). I can compile from source, write and run my own code on it, whatever floats my boat.
Correct. However, the poster I was responding to was insisting that if you did any of that and got some malware, it was your own fault and that Linux couldn't be expected to run securely if you ever ran something that didn't come from your distro's repository, and why were people so stupid that they couldn't understand that?
Why would Joe Sixpack be running Linux anyway? I thought we left Windows for those people?
I would guess that the problem isn't that reading a data file causes a DLL to be automatically "sucked in" from that location, but that the application sets the current working directory to that location, causing subsequent DLL loads to potentially happen from that location.
One way that can happen is using the standard open file dialog GetOpenFileName. By default, when a user browses to a folder with it, the working directory gets changed.
Mod parent up please.
Why can't laptop makers build a tiny firewalling router into one of those and mount it on the motherboard?
How would you configure it? If the laptop's OS can send change requests to the firewall, then it's effectively identical to the firewall running on the OS itself, but with more complexity. Note: that's why I always disable UPnP on hardware firewalls. A security system that allows infected clients to open random ports isn't significantly better than no security system at all.
Dewey, what part of this looks like authorities should be involved?