I'm not denying that Windows has had a track record I wouldn't want, but that said, if the data is important enough to these "hackers", and the employees are using OSX/Linux/*BSD/AIX/ZOS it's really not going to matter. This was a social engineering attack against people. Yes, you have to trust people in this day and age if you want to get any work done. Yes, the more people you trust, the lower your organization's overall trustworthiness is. It's simple math. People are not perfectly trustworthy, therefore:
limit (N->infinity) T = t(a) * t(b) * t(c) * ... * t(N) = 0, where each t is less than 1
Sure, technically speaking the sysadmins could be running systems where installing malware in root land (for all users) is prevented (non-admin users), but look at the alternative OSes-- they all let users execute apps in their user profiles (OSX/BSD/Linux, etc.)! All the "hackers" really needed was to trick them into running code in their user profiles, because all the trojans needed to do was access data that the users already had access to-- not data that was stored in admin/root land-- userland!
--
Don't get into religious OS wars... They all suck!
Violence can be defined as increasing the further away the assailant is from his/her target. School children in a fight are violent. A bully using a baseball bat (increasing his reach and distance) is more violent. A pilot of a plane dropping a bomb (an even further reach) is more violent still. Remote-controlled military aircraft, AFAIK, are the farthest reach yet (save perhaps ICBMs), and therefore (according to this definition) the most violent yet.
"Sure, this seems like a good idea, but it's really not cool to play around with the Moon's emotions like that. No one has visited it in 35 years, and it is getting pretty desperate for attention."
Masses 300 lbs, weighs nothing, but still no friend of mobility.
Somebody who does this for a living will have to back me up (or shut me up), but isn't pounds (as in lbs.) a measurement of weight, as in the English-system unit of mass times the earth's gravitational acceleration, unlike the metric unit, grams, which is strictly speaking a measurement of mass only (as in free of gravitational acceleration)?
And on that note, how is having 300 lbs (or mass-equivalent) less gear going to keep you from hopping off the moon into outer space forever? Didn't the extra mass come in handy to keep people from flying away?
Before you mod me insensitive clod, keep in mind that we have spent $Billions to try to find other worlds outside of our own because we can't get along with the nation a thousand miles away, let alone the bloke next door. We search for ways to sustain life in celestial places with no water and no atmosphere because we think we're going to ruin ours, yet it doesn't dawn on us that if we ruin ours we will have already found a place with no water or oxygen-rich atmosphere! Say what you will, but this is definitely escapism.
"In versions 7.0.69.0 and earlier running on Linux and Solaris, malicious attackers could exploit an error in the interaction between the Flash Player and certain browsers. That could potentially lead to a leaking of keystrokes to a Flash Player applet, Secunia noted."
What, not on Windows?
I'm not surprised to see that there is little or no coverage on slashdot about this detail. I realize that the flash player isn't linux, but it's on linux. So, both of the linux flash users will have to update their plugins.
Seriously, it goes to show that all platforms will have their problems. Regardless of the underlying OS, there are always twinkie-apps written by some twinkie-eating-developer.
Please, no flamebait, no off-topic, and no OS religious wars (they all suck).
Re:Once again, they didn't read the article. (on Attacking Sandboxes, Score: 1)
Right, but if you think about how a person would determine if software was bad...
Imagine that an "analyst" is either not allowed to use automated tools or that s/he doesn't have any (but if s/he doesn't have any, why do this? Just bear with me...). If the analyst looks at each instruction and maps them all out, the analyst would then be able to see if the software is benevolent or malevolent. The analyst could also see if the software attempts to determine if it's running in a VM, etc.
This is why I think that, in the end, only a lazy analyst could be defeated (i.e. one that isn't looking closely at the instructions, or at all of the instructions hitting the CPU). And if a human can do it, we could certainly build better automated tools that work more slowly and with fewer assumptions, asking the human analyst for input as necessary.
I, for one, welcome the return of the discipline of the mainframe guys (you know, the grizzled, bearded guys collecting dust in the back of your IT shops (yet they still make more than you!)), only this time in our desktop computing environments. From my perspective, most operational problems are config management problems. If there's a single point of config (instead of 20,000), we won't need to maintain all of those tools whose sole purpose is to keep devices in synchrony (think SMS, Patch Management, Virus defs, etc.).
Don't forget, thin clients could bring an end to the 'yet another stolen or lost laptop' security breaches we see in the daily news. Lost your thin client? No biggie, we'll just disable it and get you a new one (oh, but your boss is going to have to sign off on the $400 PO).
The only sad aspect of this is that it looks like it's taking us 3-4 decades to migrate 3270 terminals into a GUI.
"Information security firm OpenLogic has begun letting users download... to identify open source software."
Wow. I guess all of those other security problems are either solved or no longer lucrative to attempt to solve. Goodbye viruses, phishing, MITM, malicious insiders, unintentional data disclosures... a new security threat must have moved into town!
some of these people are even telling the press exactly how to "anonymously" describe them: Cheney, for example, always demands to be quoted as "a senior Bush administration official."
We could mod this funny only if it weren't true. Mod sad???
Slashdot editors make it look like the administrative assistants, custodians, and assembly line workers are evil or something. Call it like it is: try "agents".
Now is all the implementations I've seen described there is a progressive trust is creates as each layer...
I think your browser's Bayesian Spam Filter is working in negation, keeping you from making any sense to English speakers. Just how [is] many [is] verbs does [is] a geek's sentence [is] need?
Imagine you're wanting to make a service offering to host corporate America's email, which includes all of the private juicy tidbits of data that are in it as well. It makes a lot more sense, from the corporate entity's standpoint, to have that interaction be with one outsourced company, not two like it is today (READ: Gmail for your domain currently uses Postini for anti-SPAM). Add onto that the compliance aspects of outsourced email (think: lawyers needing copies of email for lawsuits), which Postini is selling as an add-on feature for Enterprise Gmail, and you can see why they might want to tap that datastream for an administrator's "google for everyone's email with search terms X" for some lawsuit.
Apologies... I typed the above on speculation before reading the linked article. Turns out my hunches are dead-on.
... is not to play.
Exclusive pictures.
Turns out, it only works if you wear it in a robotic cat.
Telescope envy?
I guess that makes the news about GPS & EU Galileo convergence relevant, eh? What timing ... but at the same time, not a dupe. ;)
Oh ... Web 2.1 beta. Is that what this pervasive, location-aware encryption is all about?
So, Google's security team found the flaw in Sun's java JRE ... Isn't that like Microsoft's security team finding bugs in Apple's or IBM's code?
Looks like it doesn't even need a Google-Bomb.
So between this and yesterday's news, are we going to see OLPC output one VM per child for those where infrastructure is possible to do so?
"Dissent is the highest form of patriotism"
- Thomas Jefferson and/or Howard Zinn
Don't we need a crawlbot before a runbot, or did I miss something here?
You'll need this.
And before the obligatory response: 42!
If I had to guess why it's worth $millions, I'd say it's because of Google Apps for the Enterprise.
-Tim