The technical details of these tests aren't important, and anybody who writes me arguing for a different set will have fixated on the wrong level of the problem. The point is that, unlike a command tool for techies that should give them lots of choices, the goal of a GUI is to present the user with as few decision points as possible. Remember the Macintosh dictum that the user should never have to tell the machine anything that it knows or can deduce for itself.
this is as clueful as it gets. Most app designers should heed him
The other side of that coin is NFS. Think about how that works & has worked under Linux as opposed to Samba which has to deal with the "standards compliance" of its filesystem inventor.
And Sun has already said that NFSv4 will have all the APIs & design structures open for interoperability
A boatload of IPv4 & IPv6 code. Structures & design for journaling file systems. etc.
I could go on.
Sun, of any of the major vendors who are tarred, rightly or wrongly, with the non-FOSS brush, are about the most standards compliant & interoperability-friendly company out there.
"In the security bulletin published by MS it states, "In the most likely exploitable scenario, an attacker would have to have direct access to the user's network."
The bulletin published by eEye states "...applications that make use of certificates (SSL, digitally-signed e-mail, signed ActiveX controls, etc.) [are affected]".
I see a big disconnect there. Can you address this? Also, how would this potentially affect sites that are using an MS VPN solution?"
Yes, I am not sure what Microsoft did with the wording there that seems to be misleading to at least a few people so far.
There is just as much, if not more, chance of people using this vulnerability on server side applications as there is on client-side applications.
For example we set up a totally IPSEC secured network and we broke into that network via our ASN bug which is called by the Kerberos.
We also have written exploits that take advantage of ASN via NTLMv2 authentication. And the list goes on... How about evil ASN SSL CERTs?
Client or server? There is a menu a mile long for the avenues of attacks that this thing can be used for.
If you're running Windows NT 4.0, Windows 2000, Windows XP, or Windows 2003, you are 99.9999% positive to be vulnerable, regardless of what your configuration might be.
Don't try to guess if you have any of the affected protocols or applications (let's not forget third party apps using the MS ASN library), just install the patch.
Client side, server side, world wide.
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
nice troll fanboy. get your facts correct before you start tarring Sun with the same brush you use on Microsoft
I work for Sun. It is well known within the company (yes, we have a very active & rabid linux community here in house) and has been published in other, respected trade journals, that the licence fees paid to SCO were for *some* SCSI drivers for Solaris that there was some question about
It was a CYA thing.
Trust me. SCO is looked at as a toy company in house. But the lawyers are notoriously paranoid
But I'm really disappointed that the retail Linux market never materialized to the point where they could keep shipping a high-quality, tested Linux desktop for ~$50-$70 and make money doing it
So am I. But if you really, really think about it you will understand that the home user area is the least likely area where they could conceivably make a profit.
For example. Think about what you need to do to enable a Flash or Java plugin within Mozilla or Galeon in linux & compare it to the methodology used by IE
Can you say "support incident"
And at a price of ~$50 a single support call wipes out your profit
No MP3...as long as the license for the codec is what it is you'll never see anything even remotely associated with Red Hat including it.
No 2.6...well 2.6 is not ready for the parameters of this type of release yet. And 2.4.22*.nptl does moderately rock...
prelink is absolutely amazing
I'm actually looking forward to how the "extras" path will pan out. For me on my personal boxes Fedora is a no brainer
but not for my servers.
unlike many of the /. whingers I'm quite happy to tell the Powers That Be to fork over the money to Red Hat.
For them it's the "security" factor. Easily understood in their financial world
For me it's the opportunity to finally pay back Red Hat for some quality production level code that I have used over the years.
You seem to be under the mistaken impression that the film is what makes money for the theatre.
it ain't so.
It's all about the popcorn & soda
Yes. The longer the movie runs in the multiplex, the better chance they have of getting a bigger taste of the gate
but with a movie that has the pent-up demand of this one I would not be surprised if the contracts were modified to tilt even more in favor of the MPAA
..but for *NIX I only need one. /sbin/lart
Oh ghu yes!
Just read some of Heinlein's later works for empirical evidence.
You, my friend, have given evidence by that statement that you do not have Clue 1
There are a lot of things that "huge, expensive Sun servers" can do that commodity Windows boxes couldn't dream about on the best day they ever had.
disk I/O, multi proc scalability, OS hardening (Trusted Solaris)
I could go on
There is a damn good reason why Sun boxes are still deployed, and will continue to be deployed, in critical environments.
They just work. All the time.
And I for one thank the Powers That Be that *my* bank is smart enough to realize this.
Gives new meaning to the term "Boot up"
It certainly didn't hurt Sun's stock. Up ~20% today
If a business or person wishes they can get support from Sun's Star Office team
They just need to stay away from the STOP+A keys
!= not equivalent
!== not equal
and no, I don't do a lot of coding. just enough to do what I need to get done.
I admin. I don't develop
Bullshit
in this case perception !== reality
the BSD, GPL, LGPL etc. licence is not something to "get excited about" unless you are a zealot or have an agenda
Those of us who do real work with real servers don't get political about licences.
Yes, we do choose OSI approved when practical, when appropriate (and when last checked the BSD licence was there)
but when it comes to putting food on the table I make damn sure I choose the right tool for the job
BSD, Linux, Solaris, yada, yada
and before you get all pissy on me the right tool, for the preponderance of the work I do, is Linux
IDC is as much beholden to MS as @Stake was & you saw what happened there when you embarrass Microsoft
Play ball or lose money/job.
I know Hogan. That kind of tongue in cheek wise-ass comment is his signature.
:-)
And he dips his french fries in mayonnaise
But do not discount the fact that he passionately believes in open/free software. Linux & doing the Right Thing
Ummm...
Last I knew a nipple was, by default, an output device
How about support from Sun included in the $50 price?
That's what
no NTFS...yeah..that can be a pain. For some.
With a Linux app you need to make it reliable
a Windows app only has to run for 30 minutes until the next unscheduled reboot