I guess the USB guys are doing this to raise moar money for them.
It's also possible that in standard Slashdot fashion the article / headline presents only one side of the story in an incredibly slanted fashion, and there's some important detail we're missing.
Forgive the cynicism, but after so many years here one begins to think that the summaries-- and often even the articles-- don't tend to be an accurate snapshot of reality.
Addendum: And of course, that appears to be the case. The letter sent wasn't a "screw you and your OSS tendencies", it was more of a "no, you cannot transfer PIDs like you want to; please cease pursuing that plan":
The VID is provided to the assigned company to identify only its own products and neither the VID nor associated PIDs may be sublicensed, transferred or offered for resale in any manner.
The policy of the USB-IF regarding vendor ID numbers (VIDs) is as stated in the attached policy statement. In general, VIDs are not transferable.
The USB-IF has long had a VID/PID process for hobbyists.
Please immediately cease.........
Pretty sure Windows generally gets (sometimes substantially) better battery life than Linux.
The author is a massive troll for comparing Surface Pro hardware (which runs a full blown i5 processor) with iOS and Android hardware (which is typically far lower power both in terms of wattage and processing).
This just in: Windows Server 2012 installations typically use far more power than a Nexus 10 tablet! ZOMG!
You could make the same argument about computers and technology access for poor people: By holding on to that computer for as long as possible instead of upgrading every year, you cause the prices for tech to remain higher than they could be. Maybe we should mandate yearly computer replacements for all people to keep prices down?
You do realize that it's not really my responsibility as a citizen to subsidize your health decisions, right?
Poverty kills more people than all health problems combined.
Bull. Combined deaths in the US for starvation and exposure are quite low, around 20,000 last time I checked-- and that's for all reasons and all age groups.
You probably get more people dying from the flu annually (over 30,000) than people dying from "being poor".
If a few million people suffer or die in the meantime,
Wow, THAT'S not hyperbole.
Remind me, how many people are dying in the US due to lack of insurance? Not that I think there's going to be a terribly accurate way of measuring that, but I think even liberal estimates would be substantially lower than "a few million".
This sentiment also demonstrates one of the dangers: That it's no longer considered a personal responsibility to maintain your health / insurance / affairs-- it's the government's responsibility.
The one that was supposed to magically work day 1 to support the kind of load that every other website grew to support organically?
Every other site that grew organically didn't have the backing of a few hundred million dollars behind it. This is a federally mandated and funded thing, I don't think they have the same concerns Facebook or Twitter had during their early days.
Extensions, corrupt profile, or buggy Google Labs add-ins?
The fact that 99% of other users don't get this problem would seem to indicate it's something with your setup.
This author is astonishingly ignorant. There was a bigger bubonic plague outbreak in the 7th century in Constantinople. It spread to...
central and south Asia; North Africa and Arabia;[citation needed] and Europe all the way to Denmark and Ireland
(thanks, Wikipedia), and it's suspected to have originated in China or in Egypt (a lot of wheat was imported from there).
This meme that somehow the world wasn't "globalized" until the 19th century is hilarious, and wrong.
The difference is that in practical terms the most popular accounting software on the planet will not run in XP if you are not the administrator. It is not the only software that does this.
You can get away with non-admin on XP, but it's a gigantic pain in the butt, and UAC is honestly the best thing about Windows 7.
I don't claim to be as much an expert on Windows 7 as I am on Linux and perhaps XP, but the only additional security that I understand Windows 7 has but XP doesn't is the UAC stuff - and that's primarily there to stop idiots who are logged in with administrator privileges not allowing everything to run that asks to run.
To some degree, that's right, but it does a lot more than "stopping idiots". I tried running as non-admin, and I tried setting it up for many users, but the reality was that many programs simply would not work without admin privileges, and it was a nightmare to configure and work with. Runas only worked some of the time, some programs inexplicably refused to run if they failed the admin check, there was no real capability of modifying protected files while logged in as a normal user (as you cannot easily / without hacks do a "runas" on explorer.exe), etc etc etc.
UAC allowed non-admin logins to actually be feasible for 99% of users. It also introduced the idea of truly gaining and dropping privileges on the fly, rather than the binary "either you are or aren't an admin".
And please define what you mean by "EOL'd" when applied to Linux 2.4?
I simply went to the Linux Kernel Wikipedia page, which noted that 2.4.37.11 was released in 2010, and it stopped being maintained in December 2011. The official announcement is here:
https://lkml.org/lkml/2010/12/18/73
and any vulnerabilities in it can be mitigated through backporting of existing patches or other external mitigation
The term EOL refers to when it no longer has support. Attempting to backport patches to a kernel that hasn't been supported in 2 years sounds rather daunting and ill-advised. Running 2.4 in production on anything that is not heavily resource constrained boggles the mind, honestly. Even newer DD-WRT builds are using 2.6, and they generally have under 64MB of RAM and processors clocked under 500 MHz.
not least to fix the vulnerability yourself.
Are you aware of how time-intensive a job like that would be for something as simple as Firefox, let alone the monstrosity that is Linux? How many lines of code are we dealing with here? Ever heard the term "regression"?
If you want to be the one to explain to your boss how your backported patch caused all sorts of unexpected fun, and there are no companies who can provide anything resembling support because of that backport, go ahead. EOL is EOL, and there's a reason people stay away from it.
http://thequeue.gallup.com/2012/03/americans-on-individual-mandate-and.html
Monday, March 26, 2012-- 20% of Americans think the individual mandate is constitutional (and only 37% of Democrats), while 72% think it is unconstitutional. Without the individual mandate, the thing falls to pieces. Numbers and polls can be tricky, but I don't think there's anything misleading or "spin-y" about the term "individual mandate".
http://www.gallup.com/poll/164078/americans-wary-not-familiar-health-law.aspx
Using the term "Affordable Care Act", 49% of Americans disapprove, and 41% approve.
The majority also indicate that both in regard to their own families and the US at large, they believe (and have believed) that it will make things worse.
Worst of all from that poll,
Americans who say they are very or somewhat familiar with the law are more likely to disapprove (55%) than approve of it (42%). The picture is much more muddled among those who are not too or not at all familiar with the law: 36% approve, 39% disapprove, and 21% aren't sure.
I'm not really sure how this meshes with "60% of conservatives changing their tune". I'm actually not sure how anyone could be called conservative who approved of expanding the federal government into the healthcare sector, now that I think on it.
more people don't know enough about it, or are ideologically incapable of agreeing with ANYTHING that has Obama's name on it.
Doesn't really jibe with what Gallup says, but if you want to go with DailyKos over Gallup I can't stop you. I would just point out that only one of those has anything resembling a non-partisan, non-biased record, and it ain't DailyKos.
You wouldn't open them, but your browser would unless you (unlike 90% of users) changed the default setting and used an extension or browser which makes those objects click-to-play.
You can argue the point but it is statistically the most common vector, and my experience is that users who are infected are usually not "doing something wrong", other than failing to update their plugins.
it can happen that malware is served up within those - but again, highly unlikely in legitimate sites and mostly mitigated with a good ad-blocker.
You call it unlikely, I call it statistically common. It has historically happened a LOT.
I've no idea what "confirmation bias" means, I've never come across that term before.
It means that you have a hypothesis, and most evidence that you get will be interpreted to support that hypothesis. If you are dealing with home users, you may be aware of certain bad habits they have and use this to reinforce your idea that viruses are because of computer misbehavior. But the two may not be related at all, and my experience when narrowing down the point of infection is that they generally aren't.
I'd also consider the possibility of the receptionist herself unknowingly installing a trojan program
I do consider that possibility, and it's easily checkable by looking in the downloads folder and in the browser history. Every virus (save maybe one or two) I've seen in the last several years has originated in the temp folder, which is not used except for plugin objects (these users are on Firefox / Chrome, so no "InternetExplorer-clicked-run-not-save").
Just because it's there in the morning doesn't mean that what installed it only appeared during that previous night.
Well, that's true, but there are actual statistics out there about where this malware comes from:
http://www.securelist.com/en/images/vlill/q2malware2012_pic04_all.png
(Source: http://www.securelist.com/en/analysis/204792228/Monthly_Malware_Statistics_April_2012 )
This shows Adobe + Java accounting for ~70% of detected attacks; these are usually drive-bys that trigger a plugin exploit.
There are other sources showing the same sort of thing, but the basic trend has been to use drive-bys as they are more reliable, and it is incredibly difficult to keep all users up-to-date with all of their plugins. Virus-writers go for the low hanging fruit, and it is simply going to get a higher hit-rate to infect every user with an out of date Adobe plugin than to try to entice users to download and run a file. You have to keep in mind that Adobe Reader is installed on something like 95% of internet-connected computers (one stat I saw said 98%), and that it has historically been riddled with security problems.
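The triage described above (a fresh object in the temp folder with no matching entry in the browser's download records points at a drive-by rather than a user download) can be scripted. This is an added example, not code from the original comments; the `downloads` table layout and the sample files are constructed here, and real Chrome/Firefox history databases use different schemas.

```python
"""Triage helper for the pattern discussed in the thread: did a fresh suspect
file in the temp folder come from a user-initiated download (the browser
recorded it), or did it simply appear with no download record (the drive-by /
plugin-object pattern)?"""
import os
import sqlite3
import tempfile
import time

# File types the thread's infections involve: dropped executables and the
# plugin objects (PDF / Java / Flash) that drive-by kits deliver.
SUSPECT_EXTS = {".exe", ".dll", ".scr", ".jar", ".class", ".pdf", ".swf"}


def new_suspect_files(temp_dir, since_epoch):
    """Return {basename: mtime} for suspect files modified at or after since_epoch."""
    found = {}
    for root, _dirs, names in os.walk(temp_dir):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXTS:
                continue
            path = os.path.join(root, name)
            mtime = os.path.getmtime(path)
            if mtime >= since_epoch:
                found[name] = mtime
    return found


def recorded_downloads(history_db):
    """Basenames the browser itself recorded as user downloads.

    Assumption: a SQLite table `downloads(target_path)`. This is a constructed
    simplification, not the real Chrome or Firefox schema."""
    conn = sqlite3.connect(history_db)
    try:
        rows = conn.execute("SELECT target_path FROM downloads").fetchall()
    finally:
        conn.close()
    return {os.path.basename(r[0]) for r in rows}


def classify(temp_files, downloads):
    """A suspect file with no download record is the drive-by pattern."""
    return {
        name: ("user-download" if name in downloads else "no-download-record")
        for name in temp_files
    }


def build_demo():
    """Construct a temp folder plus a fake history DB and triage them."""
    work = tempfile.mkdtemp(prefix="triage-demo-")
    temp_dir = os.path.join(work, "Temp")
    os.makedirs(temp_dir)
    now = time.time()
    # Constructed sample: one file the user fetched, one that just appeared,
    # and one old file that predates the window and must be ignored.
    samples = {
        "report.pdf": now - 600,            # user download, 10 minutes ago
        "jar_cache123.jar": now - 300,      # appeared with no download record
        "setup_old.exe": now - 7 * 86400,   # a week old: outside the window
    }
    for name, mtime in samples.items():
        path = os.path.join(temp_dir, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample bytes")
        os.utime(path, (mtime, mtime))

    history_db = os.path.join(work, "History")
    conn = sqlite3.connect(history_db)
    conn.execute("CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT)")
    conn.execute("INSERT INTO downloads (target_path) VALUES (?)",
                 (os.path.join(temp_dir, "report.pdf"),))
    conn.commit()
    conn.close()

    since = now - 3600  # "this morning": look at the last hour only
    fresh = new_suspect_files(temp_dir, since)
    return classify(fresh, recorded_downloads(history_db))


if __name__ == "__main__":
    for name, verdict in sorted(build_demo().items()):
        print(f"{name:20s} {verdict}")
```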
Most sane programs would throw a hissy fit if someone tried to MITM an SSL communication with constructed SSL keys--
A) because the thumbprint would drastically change and
B) because the cert would not be signed by a trusted CA
Except for the whole "XP lacks separation of privileges" thing, which makes every minor attack on a webpage capable of rooting your machine, together with the lack of any sort of OS hardening other than DEP, sure.
XP is as old as Linux 2.4 (which was EOL'd 3 years ago). Would you ever run Linux 2.4 as your desktop OS?
For any PC to get owned that is tucked behind a NAT router, it's the user that has to do something stupid first.
If all you ever do is use a web browser to go to well-known sites and you know how to read and interpret a URL, then unless one of those sites has been hacked and some malware has been injected into it,
Yea! Except that's the MOST COMMON ATTACK VECTOR out there. Most viruses are coming from "legitimate" websites which either have ads or have been hacked and are serving up infected PDF, Java, or Flash objects.
Plus, the whole idea of "just go to well-known sites" is the stupidest advice ever to come from Redmond. This isn't 1995; it is neither uncommon nor particularly far-fetched to use Google to look up some bit of information, and find your answer on a site you've never been to before. Should the user now vet every restaurant site, every reviews site, etc?
In my experience in computer and Internet security, it's going to dodgy sites for pr0n or warez that opens the doors to something nasty.
Your experience is wrong, and I'd suspect is the result of confirmation bias. In business settings I've been in, I've seen countless viruses appear in the morning (8-9AM) on receptionist PCs where the user visiting a "dodgy site" is incredibly unlikely, and their browser history has tended to prove that.
Not everyone is
A) ready to shell out $100 for BitLocker (for Windows Professional) when they could simply buy the better, and cross-platform, BestCrypt;
B) ready to trust Microsoft's FDE.
They win their case, get the judge to pierce the corporate veil, and hold you liable for damages.
So, no, I'm not entirely convinced that the parents wield nearly as much authority as you believe.
Then they lack a backbone.
If you don't think that failure is directly related to her parents choices then you are a fucking dolt
TIL there's no personal responsibility; if you're a messed up person, it's not YOUR fault, it's your parents' fault!
Why exactly is that scary? Are guns particularly hard to get a hold of, or manufacture? /NewsToMe
IIRC, USB will add up to 10ms of latency to whatever you're using USB for.
Look at the velocity of that reaction!
Obama signed it. It's his constitutional responsibility to know what's in it.
Sorry, I'm not buying that he rallied for it and signed it but had no idea what was in it.
As long as people continue this mentality of my guy is better than yours we're screwed.
Welcome to the human race?
Your post doesn't really make much sense. A webmail provider (like Google) has to be able to see what your email is, even if only because they are sending you the HTML containing your emails. Everything I've seen suggests that the Google et al taps were done via tapping at the ISP level or else sending NSLs, neither of which a company can really do much about so long as they are based in the US.
You could sell adverts on a webmail even if it weren't tappable (say, they require the use of VPN)-- the server could scan the mail and insert ads as it is delivering the email webpage; you could even insert JavaScript which simply does it client-side (which I believe is what most of these sites do) so the server doesn't have a hand in picking the ads.
Google has replaced federated XMPP in GTalk with non-federated XMPP in Google Hangouts.
While I'm not happy with that, I fail to see how the use or lack thereof of XMPP somehow presents an obstacle to the NSA.