How exactly is this any different? A sculptor takes the tools that he knows and the skills that he learned to turn something into a sculpture. You give the sculptor a picture, and he uses those skills to carve.
The "programming" in this case is nothing more than the skill the computer has learned (or has been taught) on how to do something. You feed it the 3D image (what difference does it make if the image is 2D or 3D? In fact, I would imagine most sculptors would prefer 3D images themselves), and then it uses the skills it has to carve said object.
The article states clearly that:
Gene transfer from the living bacteria transferred into the Japanese people's genome that produces enzymes in the gut that make breaking down seaweed easier (i.e. they get more from it).
They didn't say you couldn't eat seaweed and that it was bad for you if you don't have these enzymes, just that it's better for you if you do.
I'm pretty sure if the electric wiring in your house is burning to the point of causing you problems with toxic fumes, you've got quite a bit more to worry about.
A) Teach your kids to fight. Flat out, if a bully gets the shit kicked out of them it's usually a good way to get them to stop, because they'll continue to get the shit kicked out of them.
B) For any of your kids that are being bullied, tell them to think of it this way: "Wouldn't it be a huge disservice to the world if these kids grow up and have children and raise them in the same way?" That's pretty much what helped me get through some of the crap I went through in HS.
Seriously, fighting back is the only way. You won't get into too much trouble by hitting some kid. Suspension? Okay, big deal. Kid stays home from school and then they get to go outside and do whatever they want. If you're a smart parent, you would realize why your kid was in the right and wouldn't punish them.
Just throwing out random numbers here, but if one person is making $600,000 and another making $50,000, the average between them is $325,000.
As long as you're a smooth talker and look good, you can get away with a lot of things.
No, I think the project is a good idea--even if the actual cost of the project was $100,000,000 to produce. But you have to factor in that actual "cost" of the project. You see big numbers and you're like "wow that's such a waste of taxpayer funds!", but then if you look at the multi-year benefit of the project you go "hmm, maybe it isn't."
The problem is very clearly the people involved in the project, and I don't necessarily mean the government employees either (though they are partially to blame), but I blame the consulting companies. All it takes is someone on top to realize something needs to be up, but again--being hands off to these sorts of things is something you learn very early on whether public or private. It's not a battle they consider worth fighting, because ultimately, it's not their battle.
In this case, since it's a government, the battle lies in the hands of the people and the elected officials. If you don't like how so much money is being spent on the project, or rather how it's being spent, then people in those areas should voice their concerns to their elected officials, and if those officials don't do anything, then vote them out and choose someone else.
Ultimately in this case, it is the taxpayer's responsibility (in that local area) to put a stop to it. And because of that, the managers that are making significantly more than they're actually worth will simply milk it until the funding is done.
I'm also going to play a bit of a devil's advocate here. If you were the project manager in charge of this project, and you had no relevant actual skill to doing anything productive, would you not milk it for what it's worth also?
If you can milk over $500,000/year from a business (government is a form of business) over the course of a decade without anyone crying foul about it, would you not do it? The same could be said about $100,000/year. You end up with a stable job doing practically nothing and getting a ton of money for it, of course you're going to make it last because you fear reentering the hiring force and having to compete against people who actually have skills going for them.
Please don't blame this on "government" and just blame it on how people operate here in general, as I assure you it is :P
This role is voluntary also, if those people don't like it they can enter the private workforce.
This has nothing to do with "smaller" government and everything to do with exactly what you expect to be doing when you enter the working world as one of the "masses". "Business Management" people that don't have any relevant or useful skills at all that enter the workforce.
If you RTFA, the people that are getting the highest salaries are "Project Managers". Generally these types of people don't know their ass from a hole in the ground and don't actually contribute to doing any work because they have no idea what it is they're doing. And these people are likely the reason the project isn't actually getting done. In fact, the people actually doing the grunt work on the project are likely making 10% of the stated figures.
This sort of thing happens in many, many businesses. The difference is that many businesses aren't required to report those figures and even then they are under far less scrutiny. I assure you this is about par for the course for American business in general, both public and private.
There are better ways to do things, but until we vastly change the corporate culture that everyone is used to operating under we aren't going to see more efficiencies. The reality is that it's not the "government" wasting money here because this is what everyone that goes into these projects expects to be doing. And this is generally something that scales with said project; so cheaper projects get cheaper prices on management but it is still disproportionately higher than those that are doing the actual work.
Firewalls are far from perfect, sure--but at the same time you also have a bit of a dynamic IT infrastructure now, more so than you did in the past. Users are administrators of their own machines, management tends to have laptops more than they have desktops these days. You also may have contractors or sales guys that come in and link to your network.
Ultimately, you have far less control than simply being able to say "lock down all users with mandatory profiles, terminal services, virtualized desktops, dumb terminals, etc." If you suggest any of these over a solid, perimeter-based configuration, you ultimately haven't worked in IT for very long.
Most of these solutions are best in isolated cases, depending on the environment. Do you manage a call center? Maybe mandatory virtualized desktops is the way to go. Do you have a more open infrastructure where management tends to roam a lot with their laptops, from building to building, from home to work, etc? Do you allow people to VPN in from their home and connect to various services?
There are some basics you can control without significantly impacting the end user experience. One of these is modern PCs with updated versions of Windows, another of these is a proper AV policy with a proper host-based firewall policy. Another is more work on the back end configurations (firewalls, VPN policy, etc.) that most end users don't ever see. These are the areas where you're going to have the most control.
A properly implemented firewall solution would guard against all of these things, as a properly implemented solution will also filter layer 7.
It really depends on the size of the companies and the resources they're willing to spend on proper security. You should do a cost analysis of the downtime, not to mention the IT time required to fix the ecosystem. You can do it in waves, and some changes will be more well received than others.
#1. Don't allow users to be Admins of their own machines. I know in this day and age it's harder to push this one on people, but the ultimate reality is that if the user can't infect the system then they aren't going to get very far.
#2. Managed, host-based firewalls on each of the machines that have rules for incoming and outgoing. This can be any number of centrally managed tools. If you're on XP, your best solution is likely something from, say, Symantec, McAfee, or whichever company you want to use. I know with SEP you can manage the firewall portions and prevent worms from auto spreading.
#3. Transparent, Layer 7 filtering at the network edge. Whether you want to use a proxy or a firewall for this is up to you. Juniper makes some pretty nice layer 7 devices for this purpose.
#4. NAC/NAP. Again, useful technologies--prevent systems from communicating on the network that don't register as having proper updates or AV settings.
These are just some basics, there's probably something entirely different based on the specific method these worms are using to spread. Perhaps a centrally managed website policy that locks systems down a bit more is all that's needed? Maybe keeping things more up-to-date, such as rolling out Windows 7 desktops with IE8?
MobyDisk:
http://msdn.microsoft.com/en-us/library/dd370990(VS.85).aspx
I hope you're being sarcastic given the fact that your word choice is very simplistic and direct. Most people who truly believe this aren't quite as blunt.
Keep in mind that this type of connection isn't necessarily for the current "client-server" model that we're used to today. Not to mention that not all data "requires" a 100Mbit connection.
Imagine having HD surveillance of your house at all times? Imagine being able to stream HD x264 encoded content across multiple TVs and devices in your house? Or being able to access your movie library while over a friend's house?
Instead of the hosted servers, you can run your own services and devices from your own home internet connection.
And there are a whole lot more things that we haven't even thought of yet that this could allow.
"He was so sick and tired of getting viruses"
His fault, not the computer's fault.
Nothing really "interesting". What you notice is that around 9:00PM a bunch of East Asian countries start to show some spiked traffic. My guess is botnets on computers that are being turned on during the day generating a lot of traffic data. Or just computers coming on in general, for anything. There's no context as to what data they were requesting, it could have been simple search hits or image hits, or link hits in google or whatever else. But what it shows to me is nothing more than "hey look, the eastern half of the world wakes up when it's evening time in the US."
Despite all of your ranting on the .NET exploits that you're talking about, you have yet to provide me any links to any information on any .NET exploits that bypass UAC.
With regards to the UAC mechanism "exploits", kicking UAC to the highest level in 7 (which is the default in Vista) prevents these sorts of attacks from escalating silently. In fact, any of the posts that talk about it should certainly tell you this.
The problem is not an underlying structure issue with UAC and more to do with the fact that UAC was the largest complaint people had on Vista, so Microsoft toned down the requirements. That "any protection" is better than "no protection at all". Though in my opinion, it might as well be no protection at all.
I've tried searching for any updates to .NET or any exploits that you've stated and I just can't find them. So please definitely link me to articles that talk about them and explain how they are vulnerable.
All you've linked to was DEP being bypassed. That's fair enough. But DEP is not UAC.
All an exploit has to do is execute on the system to be considered working. But code that's executing at all is a far cry from code that's executing with Administrative privileges.
If this weren't the case, there wouldn't be such a huge push in the Linux world for users to "never run as root".
I'm not downplaying that the browser was vulnerable, it very clearly was. What I'm trying to make a point of is that when you use IE8 on Windows 7 with UAC maxed out and DEP on, even if an exploit is able to get through--it still will have to bypass UAC to do any serious damage.
The fact of the matter is, users will tell you they don't do anything wrong. If you've worked support long enough you know that unless you have absolute proof, they will deny it until the end of time. And when you catch them lying, they still deny it. In fact, the only time I've been able to get someone to admit they screwed up is when it was their job on the line.
I would guess that a VAST MAJORITY of security problems are the users' faults.
Either way, none of this defeats the fact that IE8 on Windows 7 with UAC kicked up is your best protection against any of these attacks, short of using something like Chrome which provides extra sandboxing.
Do you have any proof showing that UAC and Protected Mode do not guard against this exploit or others? So far from the security researchers, I've only read very specific conditions under the latest systems that it's a problem.
Knowing what I've read about the various security contests, the only thing that needs to be done is execute code as the user.
But what limited scope is this? Does the vulnerability get contained within the Low profile of IE? If it drops files in there, who gives a damn? Even if it can execute code at the medium privilege level, it still doesn't have access to core system files and settings.
The severity of the vulnerability to me under Windows is what I care more about, simply saying the application is "vulnerable" isn't enough.
Not that I'm downplaying the exploit nor any fixes for it, I'm just trying to shed light on the various methods used to prevent such things from gaining much traction on a user's computer.
If the exploit can get by IE Protected Mode and execute under medium integrity I'd be a bit worried, but the attack surface is very limited until it generates a UAC prompt.
If the user clicks OK to the UAC prompt and lets the thing get elevated privileges, well, at that point I no longer blame the application--I blame the user.
With this I completely agree. I furthermore think they should completely discontinue support for Windows XP. I'm in a huge fight in our organization at the moment regarding the move to Windows 7. I'm getting met with a lot of resistance when we don't actually have an excuse to stick on XP. We already pay for the licensing for 7....
From my understanding, every version of IE is vulnerable to the exploit, however not every install of IE is vulnerable. There are claims that "IE8 with DEP on" is vulnerable, but it says nothing about the combination of DEP and UAC.
http://www.computerworld.com/s/article/9145958/Researchers_up_ante_create_exploits_for_IE7_IE8?taxonomyId=17&pageNumber=2
Essentially, if you're using back versions of the operating system and don't keep updated, you're vulnerable. What makes this exploit different from a lot of others is that it has such a large attack surface. However, from what I'm gathering, the default Windows 7 install with IE8 should be safe from any attacks. As soon as you start disabling technologies (UAC, DEP)--you will run into problems.
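An added example, not part of the original comments: a read-only PowerShell audit of the host settings the comments above depend on (UAC prompt level, DEP policy, whether the logged-on account is an administrator, and the integrity level of the current process). It assumes Windows PowerShell 2.0 to 5.1 on Windows Vista/7 or later; the variable names and the wording of the findings are this example's own.

```powershell
# Added example: read-only audit of UAC, DEP and the current token.
# Uses Get-WmiObject, so run it in Windows PowerShell (not PowerShell 7).

# --- UAC policy ---------------------------------------------------------
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key
$prompt = $policy.ConsentPromptBehaviorAdmin
$secure = ($policy.PromptOnSecureDesktop -eq 1)

if ($policy.EnableLUA -ne 1) {
    $uac = 'OFF (admins always run with the full token)'
} else {
    switch ($prompt) {
        0 { $uac = 'ON, but admins elevate silently (no prompt)' }
        5 { $uac = 'ON, default (prompts only for non-Windows binaries)' }
        { 1, 2, 3, 4 -contains $_ } { $uac = 'ON, always prompts' }
        default { $uac = "ON, unrecognised prompt setting ($prompt)" }
    }
}

# --- DEP policy ---------------------------------------------------------
$os  = Get-WmiObject -Class Win32_OperatingSystem
$dep = switch ($os.DataExecutionPrevention_SupportPolicy) {
    0 { 'AlwaysOff' }
    1 { 'AlwaysOn' }
    2 { 'OptIn (Windows components and opted-in programs)' }
    3 { 'OptOut (everything except listed exclusions)' }
    default { 'Unknown' }
}

# --- Current token: admin membership and integrity level ----------------
# /nh drops the localized header row so the column names below are ours.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes

$isAdminMember = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
$labelSid      = ($groups | Where-Object { $_.SID -like 'S-1-16-*' } |
                  Select-Object -First 1).SID

$rid = 0
if ($labelSid) { $rid = [int](($labelSid -split '-')[-1]) }
$integrity = switch ($rid) {
    4096  { 'Low' }
    8192  { 'Medium' }
    8448  { 'Medium Plus' }
    12288 { 'High' }
    16384 { 'System' }
    default { 'Unknown' }
}

# --- Findings -----------------------------------------------------------
$findings = @()
if ($policy.EnableLUA -ne 1) { $findings += 'UAC is disabled' }
elseif ($prompt -eq 0)       { $findings += 'UAC elevates without prompting' }
elseif ($prompt -eq 5)       { $findings += 'UAC is below the "Always notify" level' }
if ($policy.EnableLUA -eq 1 -and -not $secure) {
    $findings += 'Elevation prompt is not shown on the secure desktop'
}
if ($os.DataExecutionPrevention_SupportPolicy -eq 0) {
    $findings += 'DEP is switched off system-wide'
}
if ($isAdminMember) {
    $findings += 'Logged-on account is a member of local Administrators'
}
if ($rid -ge 12288) {
    $findings += 'This session is already running elevated (High integrity)'
}

New-Object PSObject -Property @{
    UAC            = $uac
    SecureDesktop  = $secure
    DEP            = $dep
    AdminMember    = $isAdminMember
    IntegrityLevel = $integrity
    Findings       = ($findings -join '; ')
} | Format-List UAC, SecureDesktop, DEP, AdminMember, IntegrityLevel, Findings
```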