You didn't read far enough
> Load KERNEL32.DLL using a hardcoded address specific to Windows XP Service Pack 2. On other versions of Windows, Excel will simply crash
All of the other actions listed in the exploit sequence seem to be legitimate actions which, unless Microsoft wants to rewrite legitimate function calls or handle the "XOR shellcode" on a case by case basis (apparently, if it's allowed, there was/is a legitimate use for it someplace), cannot be blocked without creating major compatibility/usability issues for legit users.
Too bad. The world forgot plain text in favor of featureware a long time ago.
If the exploit can be written for one hardcoded address, which can be found, then it can be written for any hardcoded address, which can still be found.
> apps of that era were NOT resilient to malformed input
What? Again I say, what?
Apps of that era only had 8-bit character sets to deal with. Malformed input was so much easier to check for. Not that the expanded character sets of today are any real excuse but still, again I say, what?
Maybe it's the industry which needs to die (well, shrink a lot). Nobody wants to be a computer scientist or a software engineer--those things are hard. They require work and intellect and study and attention.
Everyone just wants to get an MBA and suckle on the stock market tit. The fact that the passwords for line jumping on the way to the stock market tit are all currently set using CS jargon is a coincidence.
I'm homeless. I wasn't able to see it. Let me know how funny the commercials were.
> So, my question is, who's doing it right and how ?
Code has become so enormous that the answer is, more than likely, nobody.
I'm still puzzled. Spreadsheet programs, word processors, database programs, etc. etc. etc. all fit on one, maybe two, floppy disks at one time. If anyone wonders how to write secure code the largest starting point is: cut out the advertising glitz and cruft.
But then the rest of the population would happily go back to sticky notes, $2.99 calculators, pencils, the telephone, US Mail, and the kitchen table (for solitaire) and that wouldn't be profitable for the market sector. So, love it or hate it, just view the security industry not as a problem to be solved but as a tiger to be fed and groomed.
True. O'07 is in the 0-15 day section. It'll take the original exploit author a few more days to track down the new memory location, recompile, and test. Maybe the new memory location floats. That might take another day or two to peruse the proper .dll and determine the floating method.
The zeroes and ones also need to be properly sorted. You may have your zeroes and ones for free but you'll have to pay someone (I'm homeless and available to start work tomorrow morning) to arrange them correctly.
Dear Exploit,
How old are you? How long have you been available in the wild? How long did your brother exist in SP1 before you came along in SP2? Do you have a cousin which works in Win98/SE? How long have corporate managers been using you to spy on their employees?
Signed,
Secret Admirer
That entire conversation reads so well. :-)
> Why wouldn't you make it past the front desk?
Because nobody without an employee badge, employee escort, or a preexisting appointment with an employee makes it past the front desk. Where have you worked? Fast food?
> You were probably
Maybe. Maybe not. Do you know?
> you have forgotten
No I have not.
> your responsibility to find a job
I've sent over 1000 resumes to positions for which I'm qualified.
> he blamed others for his failures
I blame others for their failures. I take credit for my own.
> by blaming
You're pretty hooked on that word.
> Did you ever think
Psychological belittlement.
> there are other people who are more skilled than you?
Maybe. Maybe not. Do you know?
> they may have
Maybe. Maybe not. Do you know?
> he went looking for a job until he found one
I'm still looking. Do you have any leads?
> I've been able to get jobs without a resume
Are those social connections I hear in your background? Are you sharing?
> seeing as how you missed the context it was in and took this personally
How did you miss the "Homeless" part in my handle?
> Try going in and asking for a job
I would never make it past the front desk. You probably knew that.
> by calling and scheduling an interview
HR reps don't post their telephone numbers on the front page (or any other page) of the open corporate website nor do they list themselves in the yellow pages under the company's heading. You probably knew that.
> Seeing as how there are other ways
Such as responding with my resume, over the course of an entire year, to every position for which I was qualified?
> it is still your fault
The ball is in somebody else's court. It is not my fault. Not this time.
> If you don't have a job, go look for one
What the heck have I paid taxes, over the last 18 years, for?
I type, and I make a good showing, and every pharmaceutical company within 200 miles has my resume.
I've already done everything which could be reasonably expected. If there are no employment opportunities in my Inbox it is no longer my fault and, therefore, no longer my problem.
> Social Obligations means working for your own money, not making other people work for it so it can be given to you
Politicians, bankers, stock brokers, investment brokers, what?
What happened to:
Physically walk or SSH/remote desktop to the system controlling the data storage device on which the backup is stored,
Export the mail to a PST file and then walk or SSH/remote desktop to the production system and, if necessary, recreate the account in the manner of a new account generation. While I don't work with MS-Exchange this very simple method, requiring less than thirty minutes, works to restore entire *NIX accounts including Mozilla, pine, mail, Gnome/KDE/Enlightenment settings, etc. Anything beyond that is corporate cruft.
> every 2 months i archive stuff off to a cheap medium, say dvd-r.
...
And don't forget that, should you decide to tell the customer, "You've bothered me so much that I won't even accept your application for premium service even if you pay cash"
You still have the cheap backup media! You cannot possibly, honestly, tell the customer that their data is irrevocably deleted.
That is the point of the outrage.
> There is no law, rule, guideline, or expectation that someone has to be nice
Perhaps this may help.
Or this
Or this
> The terms of service
Are not the point.
> my actions
Were you the Lycos guy?
> That's kind of obscure, don't you think?
So was the OP's choice of "Subject".
Some people catch on more quickly than others. Both the subject line and the OP's username "Deep Fried Geekboy" are a troll.
> Facing the consequences of your decisions
Such as the decision to be deliberately cruel, to the point of making statements which are verifiably false, for the purpose of personal amusement?
Sounds like harassment to me.
> This is a clear-cut case of
Abuse of administrative authority to belittle somebody else for personal amusement.
In the workplace such behavior (if continued over a span of time) can be the basis for a harassment lawsuit. On the street such behavior (if properly escalated) can be the basis for a criminal citation of assault.
Ignoring for a moment the personal repercussions on her own life...
That is the _perfect_ expose.
> To read the headline you'd think the company just deleted someone's emails for no reason
Okay. You win a point. There was a reason: to be cruel for personal amusement.
Correction:
Dear Mr. Admin, sir,
I believe you have saved my e-mail someplace. I hope that you have saved my e-mail. I adore my e-mail.
I believe, I hope, and I adore my e-mail.
Signed,
Shell Account