Slashdot Mirror


User: galego

galego's activity in the archive.

Stories: 0
Comments: 274

Comments · 274

  1. Re:Sharepoint on Simple CMS For Mixed Mac/Windows Team? · · Score: 1

    >>while many basic features work in a cross-platform way, the more sophisticated features don't.

    translation: sophisticated >> *useful* Why ??? because no IE/active-X

  2. Re:Not Correct on Microsoft Claims Google Chrome Steals Your Privacy · · Score: 2, Insightful

    Exactly ... and as for suggestions ... they may be sending requests with keystrokes, but I would imagine they are not 'storing' them along with their order and identifiable data (They could be, but I doubt it). I would think that would be too unreliable and risky in terms of performance. Firefox does essentially the same thing via its search box when Google and/or Yahoo are selected.

    I bet they do store *queries*. A Request does not automatically equate to storing something in a database. Do MSN/BING/Yahoo!/[INSERTSEARCHPROVIDER] not store the queries (along with environmental info. about those queries) and the subsequent clicks and look at that data?

    And there's things like this from the article:
    ---
    In the second part of the video, LePage demonstrates how Internet Explorer 8 has a privacy feature called InPrivate, a privacy mode to allow browsing without leaving a trace. Unfortunately, he fails to acknowledge the existence of Google Chrome's Incognito, which disables history tracking, which undercuts his argument.
    ---

    And there's the question of how IE does its Anti-phishing ... I'm sure it sends all your URLs through M$'s network. Does he address whether or not those are stored? M$ is just mad that Google beat them to the idea ... Look for it in a future version of IE. Move along folks ... nothing new to see here.

    Just check your browser's privacy options and set them to a level you are comfortable using.

  3. Most Annoying Feature ... EVER on Slashdot Discussions Now Include Roulette Video Chat · · Score: 0, Redundant

    Is it April 2nd yet?

  4. These are not the units you are looking for on The Art of Unit Testing · · Score: 1

    [waves hand in front of face]

  5. Re:One state down, 49 more to go.... on Subversive Groups Must Now Register In South Carolina · · Score: 2, Insightful
    OK ... let's break this down ..

    "(1) "Subversive organization" means every corporation, society, association, camp, group, bund, political party, assembly, body or organization, composed of two or more persons, which directly or indirectly advocates, advises, teaches or practices the duty, necessity or propriety of ...

    • controlling - lobbyists, right?
    • conducting - lobbyists and defense contractors
    • seizing - either party in an election year, year before an election year ... or these days, the day after the election we just had.
    • overthrowing the government of the United States - what the hell does that mean!?!?!?!?

    ...

    But in the end ... I think this (bolded) is the important part:
    ... of this State or of any political subdivision thereof by force or violence or other unlawful means

    So .. in the end, it's just a virtual Turing stupidity test; an easy way to round up the bottom feeder idiot anarchists/communists/whatever-ists.

  6. Re:I say pull out... on Google Hacked, May Pull Out of China · · Score: 2, Insightful

    Doesn't it seem just a LITTLE odd that the Chinese government would want this information, Google knows someone wants this information, and the attack originated in China?

    Malevolent/Corrupt/Evil ... yet. Odd ... no.

  7. Re:Responsible Disclosure on Firm To Release Database, Web Server 0-Days · · Score: 1

    And to make waters muddier ... how about throwing this in the mix ... to whom is the 'responsible' part of responsible disclosure? If I paid for software (e.g. IBM DB2 and other commercial vendors are on the list), the company needs to be responsible and disclose the issue to me if it was disclosed to them (... IMO). How many vendors do that when a security researcher/firm 'responsibly' discloses a vulnerability/exploit to them (with or without embargo date)?

    There's more than one angle for responsibility in the debate.

  8. New Name for company (or device) on Kodak Wireless Picture Frames Open To Public · · Score: 1

    PwnDak

  9. Re:Yeah. on Do Your Developers Have Local Admin Rights? · · Score: 2, Insightful
    At my last 2 jobs developers have had security exceptions for local admin rights. The combination of money lost due to wasted time otherwise plus the fact that developers are going to cause less harm than average users is apparently enough to persuade even management.

    I think there's validity to that ... for most semi-responsible developers.

    However, if you are programming with security exceptions, you are likely to develop things that have/require more security exceptions (e.g. you must be admin/dbo/superuser/root to run it). It's not going to happen just because you're running as admin ... but it becomes much easier to do so ... unless you have pretty rigorous testing specifically targeting other user types. My team all has regular user accounts on their desktops and we do just fine. A couple of us (me as lead) have admin rights to maintain the system (we have a duplicated network/environment to do our work), install stuff etc.

    Why propagate the Microsoft development model of must-be-admin-to-run-the-software?

  10. Re:Can't see why this would matter. on Do You Hate Being Called an "IT Guy?" · · Score: 1

    Wait?!?!?! This would suggest that there may be different kinds of 'sales people', like there are different kinds of us 'IT people'? Can that be possible?

  11. Re:Monopoly position to overcharge for their softw on Los Angeles Goes Google Apps With Microsoft Cash · · Score: 1
    How exactly did they "eliminate alternatives"

    One way is to buy-and-shelve. There's also flooding the market with a free-but-inferior product ... that didn't quite work with Money against Quicken though.

    and made contractual obligations with their resellers. *gasp*

    Some would say that's where they used thugs and tommy guns ... or some modern equivalent, like lawyers who can manipulate 'immoral laws'. Yes ... if OEMs and other companies had more cojones to tell M$ to screw off, some of this would have taken care of itself. Of course, we're in the US ... we use legislators and lawyers to solve that stuff.

  12. Re:Cloud? on Los Angeles Goes Google Apps With Microsoft Cash · · Score: 1

    YOW ... I think I just heard a rhino choking on buzzwords! He was saved only by the lack of 'win-win'. ;-)

  13. SubEtha? on Collaborative Software For Pair Programming? · · Score: 2, Informative

    SubEthaEdit (Hydra once upon a time) allows live collaborative editing. Not sure of the security or other implications/issues. I tried it once or twice. Was a decent editor otherwise ... no real big frills.

  14. Forget your silly pr0n folks on Your Browser History Is Showing · · Score: 1

    Granted, some of you are concerned about people finding out the sites you visit, but what about a real world problem (or two)?

    Some time back, there was an attack that threw a phony dialog pop-up saying that your timeout had been expired at your bank site. Combine that with being able to see *what* bank's site (and whether or not you have been at it recently). This could even be injected through a compromised ad-server system or the like. Maybe you don't even have to visit my site. There's some moving parts in there, but things like this, combined with click-happy-and-fill-in-personal-data user syndrome could make for some pretty sophisticated attacks.

    From a private organization's perspective (many of whom have private systems, blocked off from the outer world) ... this can also be used to help map their internal network from the outside (just by one of their users visiting a site). Think about that after you visit your internal Cisco web interface and then merrily tab into some other site.

    I am particular about who I allow to set cookies, but not so much about my history (except that I do wipe it .. and other 'private data' when FF closes). Don't know that I'll change that behavior yet, but will probably modify the config on visited site styles as some have suggested here.

  15. Iran hopefully welcomes ... on Iran Tries To Pacify Protesters With Lord of The Rings Marathon · · Score: 4, Funny

    their new hobbit overlord.

    Oh wait! That's North Korea ... my bad!

  16. Re:And? on SSN Required To Buy Palm Pre · · Score: 1

    But most SS card applications are issued at the hospital nowadays. I got mine when I was 8 or 10 or something (I remember getting it). In the case of all my kids, my wife filled out the application at the hospital, or it was included in a packet from the hospital. Just another reason to hate SS (and the rat hole it is that we pound money down into).

  17. Re:I love Schneier on Schneier Says We Don't Need a Cybersecurity Czar · · Score: 1

    >>"effort and awareness" ...

    And next, you're going to expect "reason and logic" to prevail too, right!?!?!

  18. Re:Has Bruce gone bat **** loco? on Schneier Says We Don't Need a Cybersecurity Czar · · Score: 1
    Security is a mindset. Every person has to have the concept of "secure environment" in their head every day, be they developers, users of IT systems, or even the seemingly-rare non-IT user (i.e. custodians). People need to understand why security is so crucial, and they have to be involved in the process; just designing technical controls around them always fails quickly, because people who don't value security will abuse whatever privileges they have, thinking that they're helping someone.

    And you need an ISSO or some other security expert/chief/scary person to strike fear into them and into having that mindset. I think a Czar sounds scary, don't you? ;-)

  19. Re:Makes sense on Schneier Says We Don't Need a Cybersecurity Czar · · Score: 1

    >>The Democrats aren't much better, but at least they're trying to spend money on people in THIS HEMISPHERE, let alone in this country.

    Well, then independent of who let this through (below), Bush's Admin. or the Democratic Congress ... maybe they should go kill this (heard about it on the radio):

    http://www.cnsnews.com/public/content/article.aspx?RsrcID=47976&print=on
    http://mediamatters.org/research/200905130010

  20. Re:Hmm. on McAfee Sites Vulnerable To XSS Attack · · Score: 4, Informative

    Hope you're not trying to "enumerate the bad" (i.e. looking at $foo =~ /<script/i in the input ... or even '<'). There are lots of ways to escape such validators. A great resource on some is here: http://ha.ckers.org/xss.html I say, unescape everything back to the browser (even email addresses). OWASP has a good resource: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

  21. Re:WPA2 Enterprise is pretty darn secure. on Time To Cut the Ethernet Cable? · · Score: 1

    >>It's at least as secure as your wired ethernet connections to your Windows desktop workstations.

    You had me feeling good until you qualified it with the "Windows desktop workstations" part. ...

    Come on! Somebody had to say it! ;-)

  22. Re:I can think of a few on Time To Cut the Ethernet Cable? · · Score: 1
    but the notion that "wireless=fundamentally insecure" seems dubious at best.

    I would say "Wireless=More Attack Surface" ... Some might say fundamentally *less* secure because of that fact. A key factor in security is reducing attack surface to only what is necessary for the required/intended functionality.

    Yes ... people should take more care in operating wired networks as well.

  23. Re:I can think of a few on Time To Cut the Ethernet Cable? · · Score: 1
    so I'm not sure what you plan on doing with your recorded authentication attempts.

    I was thinking of sampling and using them like Dr. Dre, Vanilla Ice and others. One or two hits and I could retire early. There's gotta be a golden one in there somewhere with all that traffic!

  24. Re:Terrorists? Definitely not. on A Cyber-Attack On an American City · · Score: 1

    I beg to differ .... What about all the poor people who couldn't share funny pictures of their cats you insensitive clod?!?!?! ;)

  25. Re:which state(s)? on The End of Tax-Free Internet Shopping? · · Score: 1

    Well ... we're dealing with folks who like tax revenue .. so they'd probably like to say **BOTH**.

    Also IANAL, but isn't Congress not supposed to make laws about interstate commerce?

    In reality though,
    - taxing from the seller state makes it less attractive for businesses to do business there.
    - From the buyer's side, makes it complicated, because then the business may have to pay/file in every state depending on where

    Either way ... it's a discouragement for the businesses as far as I can see. They're using the recession to say that they really need this. Yeah ... I'm sure that's the solution!! I bet that will make big government and its employees more responsible with the money they from the US' collective pockets.