Pwn2Own was useful because the common claim was that it wasn't just the huge userbase of Windows that attracted exploit writers, but that Windows was actually less secure than OSX. But when a shiny new laptop is on the line, people had no problem getting root. You can argue that OSX had 9 root-level exploits and Windows had 10 in any given competition-- but it's sort of a moot point. By far and away the biggest factor in what systems get exploited is monetary gain and return on investment.
I'd also note that, in the actual real world, something like 85-90% of exploits are non-OS-- they're browser or browser plugin exploits. The only people arguing that Windows is more vulnerable to viruses are people with no friggin' clue. Remove Java and virus incidence goes down like 50%.
He's not wrong, except he beats a dead horse. Everyone knows what Windows activation is, that you can't patch Windows yourself, that you can't inspect the code.
Incidentally Driver Signing and Secure Boot can both be turned off, and they're not to stop you from misusing your computer. You (he) might as well complain that AppLocker or Software Restriction Policies are draconian DRM-- except they're really not; they're a mechanism to harden the OS.
Stallman takes his ideology so far that he becomes completely irrelevant. I know of no one outside of the OSS movement (and surprisingly few in it) who actually takes him seriously-- he goes so far off the deep end that he's managed to alienate a full half of the Unix userbase as well.
I imagine there are architectural differences between Win7 and Win8. Win7 is still supported heavily in the enterprise, and I don't believe for a second that Microsoft has some perverse desire to screw over their biggest customers.
and all the cool features involving touch are useless for the cube farm drones.
PowerShell 4.0 and 5.0, however, are not, nor is Hyper-V.
Sort of amazing that a supposedly technical community thinks that the only thing different about Windows 8 is the GUI.
Richard Stallman is full of crap if he is claiming that Windows is endemically, technically less secure. Anyone remember the Pwn2Own games? Anyone remember what OS fell first every time? That's right, fully patched OSX (I think that changed ~2012).
This could turn into a debate lasting days, but suffice it to say that from a technical level Windows is pretty secure. 90% of all exploits these days hit third-party applications that also happen to run on Linux and OSX (Flash, Java, Adobe Reader). I'm sure Stallman would rail against those too, and he would actually be right, but the point is that the vast majority of users need those plugins and he is being deceitful if he is attempting to paint the various Flash player exploits as problems with Windows, or as problems endemic to Closed Source Software.
And you, too, have a bit of gall posting this, after some of the hugest security holes to hit the net were just released, both affecting OSS. Ideology is great until you hit the real world, and realize that things are never as simple as "I hate Microsoft, therefore Windows is technically bad", or "Closed source software has trust issues, therefore all OSS is inherently more secure". My hope is that all who take this line will grow up and abandon their zealotry before they enter the workforce.
Oh right. Because an aircraft carrier won't have any air defense, or any aircraft.
Oh wait, it does-- and we have some of the best of both. Seriously, attack an aircraft carrier, 1800 miles out into the ocean (from Russia), with a bomber? How, exactly, is that gonna work when we launch our air superiority fighters?
Launching missiles generally seems like a phenomenally bad idea, as it might result in about 10 headed the other way. It also has the slight problem that it needs a launch platform; if it's coming from the ocean, you once again have to deal with our carrier's escorts; if it's coming from the land, we have 1800 miles to see it coming.
Nothing like my daily dose of strawmen from Slashdot.
We're still number 2 in the world in manufacturing, so perhaps it's a bit of an exaggeration to say they "own us" in that category. The idea that our manufacturing sector is in shambles is a myth.
I'm not sure what world you live in where our response to Russia destroying a $5 billion military asset would be to quietly retreat.
I'm also not sure what world you live in where they have the capability to destroy one of our carriers. We have 10 carriers and 62 destroyers. Russia has 1 carrier and 13 destroyers. We could go into nuclear weaponry but I don't think Russia is that dumb, even in a scenario where they decide to attack northern Canada.
Claiming them is all fun and games. What's the plan to put troops on them, and how do you intend to deal with the largest navy in the world (Canada's good buddy) dropping by to say hi?
NATO doesn't need to nuke them. It can just plant an aircraft carrier near Greenland, and let that say "No" in lieu of any nukes.
YOU'VE been playing too much Command and Conquer. Russia attacking Canada would be suicide.
If Russia wants a piece of northern Canada, they're taking it, 65 jets or no.
Yeah, have fun with that. You have any guesses as to what the US response to that would be? Or any sort of plan for getting an invasion force over here?
Er, there is a patch for those IE flaws, and it was released prior to full disclosure: https://technet.microsoft.com/...
They're also only vaguely sort of issues "in Windows 8.1", in the same way that a Safari bug is a flaw in OSX.
The WMF bug was patched 8 years ago.
No one knows. It's best to form your own opinion, and if you feel like sharing it with others, to be explicit that it is just an opinion.
The official word is that they "got bored" according to someone who "emailed the devs".
Open source code quality on average is a bit better than closed, but it's certainly no panacea.
This has got to be the mother of all speculation. Closed source software by definition does not have a source that you can compare to OSS; how on earth can you make a statement like that?
You can also do your own security audit on open source software if you are really security conscious.
No, you can't, and if you think you can you have a serious ego problem.
A security audit of something like OpenSSL is not something that should be attempted by someone who does not earn a living doing code and crypto audits.
There are STILL open issues in Windows 8.1 that have existed since Win2000,
You care to give examples? Preferably CVE links to Mitre or similarly respected databases.
Your post sort of reinforces the point that a blanket statement about one or the other is pretty dumb.
Closed source can have a number of benefits if done right. It has a number of issues, too (like trust).
Open source can have a number of benefits if done right. It has a number of issues, too (like getting volunteers who are experts in crypto, or preventing obfuscated malicious code).
And yet everyone threw a hissy fit when Firefox first made it a massive PITA to use self-signed / untrusted certs.
Honestly their implementation is pretty good; you can get through it, but blindly clicking will result in the cert being rejected.
The people need to trust that the justice system is fair in order for it to be relevant. The trials need to be open for the people to have faith that it's fair.
How about:
Putting their money where their mouth is and pulling out of China, rather than continue to play along like the other Good Old Boys and divulge dissident info and participate in China's censorship game?
That to me says more than any of the rest of it; all of the technical stuff is just icing. Giving up a market like China is no minor thing; anyone who wants to criticize their "do no evil" mantra is gonna have to explain that.
Because...
* Unlike most of the other big internet companies, Google gave a big old finger to the Chinese Communist Party when they requested cooperation in censoring / blocking / spying through Google. Microsoft and Yahoo have been happy to provide info (even on dissident bloggers) to them since ~2005/2006. Google DID cooperate for a few years but ceased all cooperation around 2010, and have generally been fighting for end-user privacy there since. Notably, Microsoft explicitly cooperates in the backdooring of Chinese Skype (it's called TOM, and it reports everything to Big Brother).
* Google was one of the first to do SSL-by-default, and has been quite fast in responding to threats; they rapidly switched from AES-CBC to RC4 in response to the BEAST attack, while others had a mediocre response. They have generally put security ahead of "security theatre" and PR, such as their rejection of OCSP/CRL softfail and token gestures at securing the Chrome password vault (rely on OS security rather than false security).
* Google is very open about any DMCA / takedown requests they get. They cooperate with the EFF on relevant cases, and post any takedowns to ChillingEffects.org. They tend to be very antagonistic towards law enforcement without a court order or warrant; if there is any company that I would believe would tell the NSA to get lost, it would be Google (though that is perhaps a bit optimistic, as they ARE a US company).
Guess how I know you didn't read the article?
Here's a hint: your post does not address anything mentioned in the article. It's not server-side encryption, it's end-to-end (hence the name).
Clearly refusing to comply with China's censorship and cooperation demands was all a ruse to make us THINK they were pro-user rights. Clearly their cooperation with the EFF and ChillingEffects to publicly report on DMCA (and other) takedowns is all a trick to get our precious, precious page impressions. Clearly their ahead-of-the-curve SSL by default on google.com is all because they're in bed with Uncle Sam.
Not sure what you're smoking but keep it away from me.
I believe you can pin extension versions and prevent them from updating.
Google has earned a heck of a lot more trust in terms of security than any of the other big internet players.