The emphasis on "DANGER" was yours and not mine. There is risk in mere existence if we want to philosophize, but I tend to regard that as a bit ridiculous in this context.
I consider there to be minimal danger posed in the way I pass slower motorists, for the most part. With all the idiot leaf peepers coming up to the mountains this time of year, I do that a lot in fact (including morons who just *stop* in the middle of the road, sometimes getting out of their cars to take photos, while there are cars behind them...). But there's no need for hyperbole; if you're passing safely, there should be minimal danger posed to anyone on the road, and the fact that you're passing someone who's impeding traffic is more a reflection on them being inconsiderate and stupid. If you are creating inordinate danger (to the point it's even worth mentioning) while passing slower drivers, then you're driving recklessly and that would be a reflection on you. There is no hurry or schedule that justifies reckless driving, no matter how slow or stupid someone else is.
As someone willing to put YOUR LIFE and YOUR PASSENGERS' LIVES IN DANGER to pass you slow ass...
Nice...so you're basically a reckless driver who will pass others unsafely because you're in a hurry and someone is being a 'tard?
I got held up for around 40 minutes on my commute this morning because of someone just like you. There are no stoplights along the two-lane canyon highway my commute takes me along, but there are plenty of curves. Some morons drive at a snail's pace with a white-knuckle grip on the steering just because a couple of snowflakes fell over the weekend and there's a little ice here and there on the roads. Some maniac chose to throw caution to the wind and attempt to pass those morons in order to arrive at their destination a couple minutes faster, lost control, spun-out into oncoming traffic, and everyone gets to wait until the emergency crews arrive to haul away the 4 junk vehicles and mop up the blood and broken glass. For a road with a speed limit of 45MPH, on a corner rated for only 30, that was an impressive amount of destruction.
I guess I just fail to understand why people are so limited in their abilities to exercise a little common courtesy. I notice that the farther down the mountain towards civilization I drive, the more inconsiderate drivers seem to become. At the higher elevations, on the more rural roads, folks tend to pull over if someone catches-up to them as soon as a safe opportunity presents itself, to let a faster driver around. Down towards the plains, drivers seem to be oblivious to everyone else. Some impede traffic and ignore the dozen cars they're slowing down, others tailgate and pass unsafely, it's an accident waiting to happen. Is it so hard to treat other drivers how they'd like to be treated?
True, many people do actually play it, I'd question whether they just view a lot of the tedium as a chore ("can't have your pudding if you don't eat your meat" sort of thing), or if they really enjoy the entire game including the mindless repetition. I'd be most inclined to think it's skewed towards the former, folks who don't really enjoy all aspects, but don't loathe them enough to either stop playing or cheat.
I would agree with you that just because a computer can manage to play a game doesn't necessarily mean the game is bad; the key point (to me, anyway) is that upwards of 100,000 people preferred to let the computer play WoW for them, because they probably thought they had better things to do with their time, were bored to tears with farming, wanted to get ahead, or whatever.
Chess also is a different class of game from computer games. The basic game mechanics are almost painfully simple and moves are absolute (there is no random chance), it's the strategy involved with actions and reactions in a finite number of possible moves that make the game interesting. MMORPGs like WoW have nearly infinite movement sequence possibilities, since it's a freeform. It's just that these sorts of games just aren't as interesting, because there's minimal strategy required when you just have to go around killing things until you progress in some measurable form. This difference means that anybody (or nobody, in the case of MMOGlider) can manage to play through the menial tedium of a game like WoW and accomplish something, whereas not everyone can succeed at solving the strategic puzzles presented by chess.
This all reminds me of Progress Quest. I think that had to be about the most brilliant parody of RPGs I've ever seen, mocking the tedious filler that seems to be characteristic of the genre. MMOGlider sounds like it basically turned WoW into a graphical version of PQ.
Actually, more like you click on something at work, you come across an unsavory site, it tries to load pr0n popups on you, the corporate web-nanny blocks them all, you get called into HR to explain the situation. The only thing is, this sort of web-cruft has been around a while. This is just a way to make it happen through real external-site clicks rather than just launching popups. A nuisance, but not a particularly scary exploit. Maybe it just takes a lot to scare me-- I'd be worried if it could perform actions on pages it brought up, but if all it does is make me follow links it wants me to visit, the worst case scenario is that I'm going to close the browser and never go to the site again...
That's the first problem. HTTPS is only a protocol. The ONLY thing it does is prevents folks from sniffing the traffic between the server and your browser. Pages still have to be constructed competently for them to be secure. If a developer is not being careful about the links he's embedding in a webpage, then competence is the primary issue.
There are plenty of little tricks that require a modicum of prudence in order to thwart. It's a matter of how much someone trusts a website, and making sure certificates are correct.
The thing with this exploit is, based on the available information (or lack thereof), and possessing knowledge of what HTML can do and what its limitations are, there's no reason to get hysterical regarding what it "might" be able to do. The key to being security-minded is to analyze the situation, have a good feel for the possibilities. Hysteria-based security is nothing more than a distraction.
Ignorance breeds hysteria. In this example, I have a reasonably good working knowledge of what HTML can do and what it can't. Analyzing the situation, the range of browsers it affects (and doesn't!), and the statements that it doesn't appear to have anything to do with plugins such as Java or Flash tells me a bit about the level it's written at. Assembling these pieces, I have a pretty good idea of what the exploit does. Can it do more than my understanding of it would indicate? Quite possibly, especially if HTML and the more basic webscripting I know is outdated enough.
We'll see how it turns out-- I'm not trusting enough to believe this hysteria is anything meaningful. It could change folks' browsing habits a bit in the short term, and browsers should be patched to stop the exploit. But no, at this point it just doesn't seem like the sky is falling. I'm not scared because the evidence so far just isn't that compelling.
You could Digg a story you know nothing about. Sucks for Digg, time for more captchas or something.
You could not bid on an eBay auction-- the exploit apparently can only force you to click on links within its own page. Any sort of frames, whether embedded or not, are discrete pages and unless demonstrated otherwise, the primary page can't do anything to them via this script.
If anyone can embed a direct One-click purchasing link on their own webpages to an Amazon product, you could be buying it. If One-click is implemented like that, Amazon is incredibly stupid. I'm under the impression you can only One-click purchase from the appropriate links on the Amazon website, but I choose not to play with fire when it comes to such "conveniences", so I don't know exactly how One-click actually works.
The exploit would not be able to delete your emails from any webmail utility unless they have an allowance for 3rd-party interfaces, much as the above situation.
It would be atrociously bad design for any site to use simple GET commands to do anything more than fetch pages. Anything that requires a login or other user interaction would defeat this exploit.
This exploit could target pages on your local machine, sure! You'd have to code it into the html yourself. Or have a website on your local machine-- the remote site could plug your own IP into a force-clicked link and show you your own site.
The key is understanding the limitations of the protocols and languages involved. Let's not let our imaginations run wild here until the facts are out. Until I have more details that might show otherwise, this exploit simply doesn't seem to have the ability to do anything more than click links in the page you've just loaded without your consent. That means that the exploit:
Has to be written into the html on the page you're visiting.
Has no influence on any pages that it hasn't been coded into. All it appears to be able to do is issue GET commands without interaction from the end user.
Does a website have any influence over a frame, embedded or otherwise? Unless things have changed in recent iterations of html usage, I believe the answer is "no".
I'm trying to think of the ways this could be used to cause harm, so far the biggest threat I see is to the pay-per-click ad model, since this would be great for clickfraud. Other than that, a website could bounce you to another page on their site that you didn't intend to go to, and possibly overwhelm your browser & bandwidth with a redirect loop. I can see a hint of an issue in the way frames might be used with this exploit and 3rd-party sites (as noted in the article), but that seems to be a bit of a stretch since the original site would still be sending someone away from their site in another redirect. Plenty of sites who make the choice to be annoying already make you go through a little effort to break out of their frames when you go to an external site from one of their links, it's not the end of the world.
I'd like to hear other folks' ideas on ways this may be used for an exploit that could do damage to anything other than Google's bottom-line. Until I hear a more compelling one, this exploit doesn't strike me as being the least bit "scary". A "small potential nuisance" might be a more apt description, since it would be fairly simple for end users to just ignore its effects.
Maybe they just like to make the Baby Steve Jobs cry.
It's like, totally sticking-it-to-The-Man when you get the software to work on platforms they don't want you to run it on, even if you just gave them a fistful of cash.
What percentage of Windows attacks really rely on stupid users and not some system exploit? If a user clicks on a box to do something stupid, they're stupid. If a user visits an unsavory website, that's dumb, but the blame isn't fully on the user because the browser and OS allow malicious scripts to install stuff behind the user's back. The user isn't stupid at all if it visits a website that is respectable, but had an MS-SQL injection exploit that cooperates with the scripting flaws in IE/XP that allows malware to be installed behind their backs. The user isn't stupid at all for receiving spam that exploits Outlook into installing a malicious payload without the user's knowledge or consent.
Times are changing as Microsoft catches-up a little on security issues, but it used to be that the tricks that relied on the user's gullibility were quite obvious and a relatively small share, whereas the system exploits that hit flaws in the architecture were the most damaging and prevalent. It's all that much more important to have restricted user accounts and intricate controls on what users are permitted to do and not do, and Windows still fails massively on this count, since even under Vista, almost everything STILL needs to be run with administrator credentials, and it's still a ridiculous amount of trouble if a user isn't just logging in with an admin account.
Buy Windows if you don't care about stability or security and think being exploited by malware is cool.
Buy Mac if you value form over function.
Acquire Linux if you like to tinker with stuff.
Except under certain circumstances where DRM is platform-dependent, OS just doesn't matter all that greatly. I certainly won't let an application dictate the OS I use under most circumstances, and it doesn't slow me down any.
I could've done a 1-to-1 hardware comparison back before Blizzard released a patch that caused WoW to stop running correctly in Direct-3D mode and come out way ahead. I have a friend with an identical laptop running Windows and who plays WoW. My framerates have consistently been higher than his (I also used to run things like UI size and resolution higher, too), but I've noticed a lot more in the way of graphics glitches under OpenGL and sometimes the framerate fluctuates wildly. Cedega & Wine's current implementation of a D3D protocol doesn't seem to be compatible with the current WoW patch level. Hardware does matter; ATI tends to yield poorer performance under Linux than Nvidia.
Then there's anecdotal evidence; aside from some glitches introduced in certain patches which I had to change config settings to mitigate, I can't recall the WoW client ever crashing for me under Wine or Cedega. It used to crash a couple times per week on my gaming box when it ran Windows (only the client, not Windows). After I ditched Windows and got games up-and-running under Wine or Cedega, it became rock-solid stable. Of everyone in guild and raids, I easily have the most stable client/OS. I see that as a big component of performance, since it's hard to say you're performing well despite crashing with relative frequency.
And of course there's that even less-quantifiable gain that relates to the satisfaction of getting an application to work on an unsupported platform better than on most implementations of its native environment.
Because of the quality of their implementation, Steam is my preferred method of acquiring games. It's huge that Steam is compatible with Wine. Games like HL2 would play better on my hardware if I ran them natively under Windows, but they do run well enough under Linux that I don't feel the door was just slammed in my face. The DRM isn't obtrusive, and it makes logical sense in the *SPIRIT* of most EULAs, which is that you (the individual) are licensed to run ONE instance of the software at any given time. They're not trying to grub money unfairly by saying that you need to buy an instance of the software for every machine you wish to run it on, they make the "media" freely and readily available (unlike companies that expect you to front up the cash and purchase your product again if you lose the discs), and they don't deprive any customer of the ability to use the product which he or she purchased with the very basic requirement of just logging-in and authenticating.
If the DRM prevents ANY customer from enjoying FULL use of the product under reasonable terms of installation, then it's DEFECTIVE. By "reasonable terms of installation", I mean things like stated requirements that the purchaser "has an internet connection" or "has a CD-ROM". To decree, through arbitrary limitations on the product, that the customer will only need to upgrade/reinstall the OS or upgrade hardware 3 times in his or her lifetime is not reasonable.
Past a point though, playing to have fun hits a ceiling. If you don't play enough to earn a first-string position in a good raid, already have the appropriate high-level gear, have the skill, *and* have the gold to buy a lot of consumables for said raids, that content will simply be unavailable.
The real problem with the current WoW model is arguably that a lot of the content is time-wasting grinding, and there's rather little of what you might like to do, if it involves raiding, that doesn't also require a lot of gold (repairs) and farming/resource-purchasing. It was never a problem for me because I was resourceful and miserly enough to have substantial gold and resources for everything I needed, with minimal effort. But I can certainly see how someone with limited time might spend money, if his/her time is a scarce resource, to buy the resources necessary to participate in "fun" activities, rather than doing the menial, tedious chores to "earn" them.
That said, while I have the resources and everything else, including a willingness to spend a couple evenings a week to raid, during a hiatus I took over the past few months, it seems that the raids I was in disbanded, guilds are in shambles, and I just don't feel like going through all the effort of currying favor with new guilds and players for raid positions that may never materialize. When my play time this month expires in a day or two, I think I'm done for good. There are some grinds that money just can't buy, and one of those is getting a permanent position in a raid roster, and the respect and friendship of one's fellow raiders.
Sending spam is money. Enlarging the spam mailing list is money. Building a botnet is money. Spending hours to extract data to perpetrate one identity theft that carries a greater risk of prosecution and may not be overly successful would be like stopping for a couple of seconds to pick a penny up off the sidewalk, when you make well in excess of $36.00/hour (i.e., more than a penny a second) and would make more just going to work and clocking-in. Your computer is worth more to the scum of the net as a tool (botnet node and/or spam relay) and the only information they're likely to want is your address book, MAYBE a gaming account if it's a popular MMORPG that they can turn a quick profit on by looting and then vanish with minimal exposure.
There was an article linked by/. a few months ago rating the relative value of your computer to a cracker. They consider Linux/UNIX machines that have been rooted to be the most valuable since they're more likely to be always-on and connected to a commercial-duty connection. They use those for command and control, further infections, and so on. They're probably not going to refuse any new genuine (as opposed to honeypot) botnet nodes, but they're not as valuable. And a non-Windows machine, if a userspace account is compromised, but root isn't, is all but useless for all those things.
I think you fail at reading comprehension, though.:P Lenovo has indeed *manufactured* Thinkpads for the past several years, but models in the T60 series were the first they *engineered* themselves after purchasing the brand from IBM.
My own experience, as a former IBM/Lenovo warranty field technician, is that T40-series TPs had bombproof electronics that were reliable and rarely failed unless some component on the laptop's interlocking (but extremely easy-to-work-on!) skeleton failed and allowed the base cover to flex and the motherboard cracked. The T60 series have incredible (if not complete overkill) one-piece skeletons, but the quality of the electronics is just nowhere near the old IBM-designed boards and I replaced dozens that had various failures within the first 6 months of ownership, including a couple dozen that had problems right out of the box. It's like Lenovo doesn't bother with much QC anymore, or just didn't test the designs as thoroughly as IBM did.
But anyway, yes, I'd agree that Thinkpads are generally far better-built than the competition, even under Lenovo. Dell is about the only brand that comes close, but for the same basic reliability and quality of construction, their designs tend to be substantially larger, clumsier, and heavier. And uglier too, for what my subjective opinion is worth.
Anyone, I repeat, anyone, who is dependent on others for his/her own feelings of well-being, especially someone who s/he has NEVER met in real life, has some pretty serious problems, which are quite possibly not compatible with life. This sort of attachment sounds almost parasitic, it's so obsessive. Most kids are able to handle going in and out of crushes. Being rejected and humiliated when you're at your most vulnerable sucks, but THAT'S JUST PART OF LIFE. Crushes come and crushes go, and those are too emotionally immature to be considered 'love'. Manipulating and abusing someone harboring a crush is something a player would do, but I've never heard of someone being a player being an actionable offense. Such manipulators are pathetic and lame, but again, they're out there and are just part of life. True love may be blind, but it's not stupid or delusional.
You could probably expect that the Geek Squad would not upload your pictures to 4chan.
Yeah, the big thing is to not take showers when the Geek Squad is in the house, that's the sort of thing they try to take photos of and upload to 4chan.
Well said; as soon as I read the article I figured I'd post something along those lines, and you stated it well. It boils down to confidentiality; professionals are the sorts you trust to manage your stuff and not sell you out. I see private information all the time in the course of troubleshooting. Professionalism means I'm not snooping for the sake of my curiosity, and I am not going to simply forget all of the details that don't relate to my job, so long as ethics wouldn't compel me to reveal that in the name of public safety or something.
I don't buy it. If they were competent at building a case, there would be no opportunity for stonewalling or lying. The more likely scenario is that the defendant didn't assist the RIAA in making their case, which was too shoddy to stand on the evidence gathered by their sloppy investigative methods.
IANAL, but I'm pretty sure in a civil proceeding, the defendant is under no obligation to go out of its way to provide evidence to the plaintiff. The plaintiff can use court orders and such to require specific things be handed over, but they're responsible for knowing exactly what they want to be turned over to them, and where it's located. If the plaintiff doesn't know the right questions to ask (and is granted permission by a judge in a court of law to compel an answer), there is no obligation on the part of the defendant to volunteer relevant information. That was pretty much the outcome of a filesharing case a few months back where the RIAA filed suit againt one member of a family, but it turned out that another member had committed the alleged copyright infringement...the RIAA cried because they felt it was unfair, but when one files a lawsuit against a specific individual, one must simply make sure they have the right individual before proceeding. If the RIAA's methods aren't conclusive enough to ID an individual with reasonable accuracy (which they're obviously not), they deserve every loss that's handed to them. With prejudice.
Actually, most dot-matrix printers are a bit on the noisy side-- they're impact printers just as various flavors of letter-quality printers are. They have tiny pins arranged in a matrix that strike through an ink ribbon. Even though their quality is pretty abysmal, Okidata's dot matrix printers are still made (AFAIK) and are pretty common in applications where the printer works with continuous multi-part forms.
Even though the exploit does compromise Flash running on Linux or Mac, and even if the Windows trojan horse executable somehow worked on platforms other than Windows, there's still a matter of permissions keeping the malware from getting system-level access.
As far as Vista goes, the main thing I wonder about is if the exploit requires that the user give it permission to run through UAC. Even though UAC seems to be pretty useless in terms of only teaching users to click "allow" repeatedly to get anything done, it doesn't help at all if the compromised processes happen to be running under system level permissions anyway. I'd hope at the very least users would have to click 'allow' mindlessly to be infected by the trojan.
Slashdot Mirror
The emphasis on "DANGER" was yours and not mine. There is risk in mere existence if we want to philosophize, but I tend to regard that as a bit ridiculous in this context.
I consider there to be minimal danger posed in the way I pass slower motorists, for the most part. With all the idiot leaf peepers coming up to the mountains this time of year, I do that a lot in fact (including morons who just *stop* in the middle of the road, sometimes getting out of their cars to take photos, while there are cars behind them...). But there's no need for hyperbole; if you're passing safely, there should be minimal danger posed to anyone on the road, and the fact that you're passing someone who's impeding traffic is more a reflection on them being inconsiderate and stupid. If you are creating inordinate danger (to the point it's even worth mentioning) while passing slower drivers, then you're driving recklessly and that would be a reflection on you. There is no hurry or schedule that justifies reckless driving, no matter how slow or stupid someone else is.
As someone willing to put YOUR LIFE and YOUR PASSENGERS' LIVES IN DANGER to pass you slow ass...
Nice...so you're basically a reckless driver who will pass others unsafely because you're in a hurry and someone is being a 'tard?
I got held up for around 40 minutes on my commute this morning because of someone just like you. There are no stoplights along the two-lane canyon highway my commute takes me along, but there are plenty of curves. Some morons drive at a snail's pace with a white-knuckle grip on the steering just because a couple of snowflakes fell over the weekend and there's a little ice here and there on the roads. Some maniac chose to throw caution to the wind and attempt to pass those morons in order to arrive at their destination a couple minutes faster, lost control, spun-out into oncoming traffic, and everyone gets to wait until the emergency crews arrive to haul away the 4 junk vehicles and mop up the blood and broken glass. For a road with a speed limit of 45MPH, on a corner rated for only 30, that was an impressive amount of destruction.
I guess I just fail to understand why people are so limited in their abilities to exercise a little common courtesy. I notice that the farther down the mountain towards civilization I drive, the more inconsiderate drivers seem to become. At the higher elevations, on the more rural roads, folks tend to pull over if someone catches-up to them as soon as a safe opportunity presents itself, to let a faster driver around. Down towards the plains, drivers seem to be oblivious to everyone else. Some impede traffic and ignore the dozen cars they're slowing down, others tailgate and pass unsafely, it's an accident waiting to happen. Is it so hard to treat other drivers how they'd like to be treated?
True, many people do actually play it, I'd question whether they just view a lot of the tedium as a chore ("can't have your pudding if you don't eat your meat" sort of thing), or if they really enjoy the entire game including the mindless repetition. I'd be most inclined to think it's skewed towards the former, folks who don't really enjoy all aspects, but don't loathe them enough to either stop playing or cheat.
I would agree with you that just because a computer can manage to play a game doesn't necessarily mean the game is bad; the key point (to me, anyway) is that upwards of 100,000 people preferred to let the computer play WoW for them, because they probably thought they had better things to do with their time, were bored to tears with farming, wanted to get ahead, or whatever.
Chess also is a different class of game from computer games. The basic game mechanics are almost painfully simple and moves are absolute (there is no random chance), it's the strategy involved with actions and reactions in a finite number of possible moves that make the game interesting. MMORPGs like WoW have nearly infinite movement sequence possibilities, since it's a freeform. It's just that these sorts of games just aren't as interesting, because there's minimal strategy required when you just have to go around killing things until you progress in some measurable form. This difference means that anybody (or nobody, in the case of MMOGlider) can manage to play through the menial tedium of a game like WoW and accomplish something, whereas not everyone can succeed at solving the strategic puzzles presented by chess.
This all reminds me of Progress Quest. I think that had to be about the most brilliant parody of RPGs I've ever seen, mocking the tedious filler that seems to be characteristic of the genre. MMOGlider sounds like it basically turned WoW into a graphical version of PQ.
Actually, more like you click on something at work, you come across an unsavory site, it tries to load pr0n popups on you, the corporate web-nanny blocks them all, you get called into HR to explain the situation. The only thing is, this sort of web-cruft has been around a while. This is just a way to make it happen through real external-site clicks rather than just launching popups. A nuisance, but not a particularly scary exploit. Maybe it just takes a lot to scare me-- I'd be worried if it could perform actions on pages it brought up, but if all it does is make me follow links it wants me to visit, the worst case scenario is that I'm going to close the browser and never go to the site again...
HTTPS =/= "secure"
That's the first problem. HTTPS is only a protocol. The ONLY thing it does is prevents folks from sniffing the traffic between the server and your browser. Pages still have to be constructed competently for them to be secure. If a developer is not being careful about the links he's embedding in a webpage, then competence is the primary issue.
There are plenty of little tricks that require a modicum of prudence in order to thwart. It's a matter of how much someone trusts a website, and making sure certificates are correct.
I'm quite security-minded, thanks! :)
The thing with this exploit is, based on the available information (or lack thereof), and possessing knowledge of what HTML can do and what its limitations are, there's no reason to get hysterical regarding what it "might" be able to do. The key to being security-minded is to analyze the situation, have a good feel for the possibilities. Hysteria-based security is nothing more than a distraction.
Ignorance breeds hysteria. In this example, I have a reasonably good working knowledge of what HTML can do and what it can't. Analyzing the situation, the range of browsers it affects (and doesn't!), and the statements that it doesn't appear to have anything to do with plugins such as Java or Flash tells me a bit about the level it's written at. Assembling these pieces, I have a pretty good idea of what the exploit does. Can it do more than my understanding of it would indicate? Quite possibly, especially if HTML and the more basic webscripting I know is outdated enough.
We'll see how it turns out-- I'm not trusting enough to believe this hysteria is anything meaningful. It could change folks' browsing habits a bit in the short term, and browsers should be patched to stop the exploit. But no, at this point it just doesn't seem like the sky is falling. I'm not scared because the evidence so far just isn't that compelling.
You could Digg a story you know nothing about. Sucks for Digg, time for more captchas or something.
You could not bid on an eBay auction-- the exploit apparently can only force you to click on links within its own page. Any sort of frames, whether embedded or not, are discrete pages and unless demonstrated otherwise, the primary page can't do anything to them via this script.
If anyone can embed a direct One-click purchasing link on their own webpages to an Amazon product, you could be buying it. If One-click is implemented like that, Amazon is incredibly stupid. I'm under the impression you can only One-click purchase from the appropriate links on the Amazon website, but I choose not to play with fire when it comes to such "conveniences", so I don't know exactly how One-click actually works.
The exploit would not be able to delete your emails from any webmail utility unless they have an allowance for 3rd-party interfaces, much as the above situation.
It would be atrociously bad design for any site to use simple GET commands to do anything more than fetch pages. Anything that requires a login or other user interaction would defeat this exploit.
This exploit could target pages on your local machine, sure! You'd have to code it into the html yourself. Or have a website on your local machine-- the remote site could plug your own IP into a force-clicked link and show you your own site.
The key is understanding the limitations of the protocols and languages involved. Let's not let our imaginations run wild here until the facts are out. Until I have more details that might show otherwise, this exploit simply doesn't seem to have the ability to do anything more than click links in the page you've just loaded without your consent. That means that the exploit:
Does a website have any influence over a frame, embedded or otherwise? Unless things have changed in recent iterations of html usage, I believe the answer is "no".
I'm trying to think of the ways this could be used to cause harm, so far the biggest threat I see is to the pay-per-click ad model, since this would be great for clickfraud. Other than that, a website could bounce you to another page on their site that you didn't intend to go to, and possibly overwhelm your browser & bandwidth with a redirect loop. I can see a hint of an issue in the way frames might be used with this exploit and 3rd-party sites (as noted in the article), but that seems to be a bit of a stretch since the original site would still be sending someone away from their site in another redirect. Plenty of sites who make the choice to be annoying already make you go through a little effort to break out of their frames when you go to an external site from one of their links, it's not the end of the world.
I'd like to hear other folks' ideas on ways this may be used for an exploit that could do damage to anything other than Google's bottom-line. Until I hear a more compelling one, this exploit doesn't strike me as being the least bit "scary". A "small potential nuisance" might be a more apt description, since it would be fairly simple for end users to just ignore its effects.
Try these (among other explanations):
What percentage of Windows attacks really rely on stupid users and not some system exploit? If a user clicks on a box to do something stupid, they're stupid. If a user visits an unsavory website, that's dumb, but the blame isn't fully on the user because the browser and OS allow malicious scripts to install stuff behind the user's back. The user isn't stupid at all if it visits a website that is respectable, but had an MS-SQL injection exploit that cooperates with the scripting flaws in IE/XP that allows malware to be installed behind their backs. The user isn't stupid at all for receiving spam that exploits Outlook into installing a malicious payload without the user's knowledge or consent.
Times are changing as Microsoft catches-up a little on security issues, but it used to be that the tricks that relied on the user's gullibility were quite obvious and a relatively small share, whereas the system exploits that hit flaws in the architecture were the most damaging and prevalent. It's all that much more important to have restricted user accounts and intricate controls on what users are permitted to do and not do, and Windows still fails massively on this count, since even under Vista, almost everything STILL needs to be run with administrator credentials, and it's still a ridiculous amount of trouble if a user isn't just logging in with an admin account.
I'd phrase that differently:
Except under certain circumstances where DRM is platform-dependent, OS just doesn't matter all that greatly. I certainly won't let an application dictate the OS I use under most circumstances, and it doesn't slow me down any.
I could've done a 1-to-1 hardware comparison back before Blizzard released a patch that caused WoW to stop running correctly in Direct-3D mode and come out way ahead. I have a friend with an identical laptop running Windows and who plays WoW. My framerates have consistently been higher than his (I also used to run things like UI size and resolution higher, too), but I've noticed a lot more in the way of graphics glitches under OpenGL and sometimes the framerate fluctuates wildly. Cedega & Wine's current implementation of a D3D protocol doesn't seem to be compatible with the current WoW patch level. Hardware does matter; ATI tends to yield poorer performance under Linux than Nvidia.
Then there's anecdotal evidence; aside from some glitches introduced in certain patches which I had to change config settings to mitigate, I can't recall the WoW client ever crashing for me under Wine or Cedega. It used to crash a couple times per week on my gaming box when it ran Windows (only the client, not Windows). After I ditched Windows and got games up-and-running under Wine or Cedega, it became rock-solid stable. Of everyone in guild and raids, I easily have the most stable client/OS. I see that as a big component of performance, since it's hard to say you're performing well despite crashing with relative frequency.
And of course there's that even less-quantifiable gain that relates to the satisfaction of getting an application to work on an unsupported platform better than on most implementations of its native environment.
Very well-said!
Because of the quality of their implementation, Steam is my preferred method of acquiring games. It's huge that Steam is compatible with Wine. Games like HL2 would play better on my hardware if I ran them natively under Windows, but they do run well enough under Linux that I don't feel the door was just slammed in my face. The DRM isn't obtrusive, and it makes logical sense in the *SPIRIT* of most EULAs, which is that you (the individual) are licensed to run ONE instance of the software at any given time. They're not trying to grub money unfairly by saying that you need to buy an instance of the software for every machine you wish to run it on, they make the "media" freely and readily available (unlike companies that expect you to front up the cash and purchase your product again if you lose the discs), and they don't deprive any customer of the ability to use the product which he or she purchased with the very basic requirement of just logging-in and authenticating.
If the DRM prevents ANY customer from enjoying FULL use of the product under reasonable terms of installation, then it's DEFECTIVE. By "reasonable terms of installation", I mean things like stated requirements that the purchaser "has an internet connection" or "has a CD-ROM". To decree, through arbitrary limitations on the product, that the customer will only need to upgrade/reinstall the OS or upgrade hardware 3 times in his or her lifetime is not reasonable.
Past a point though, playing to have fun hits a ceiling. If you don't play enough to earn a first-string position in a good raid, already have the appropriate high-level gear, have the skill, *and* have the gold to buy a lot of consumables for said raids, that content will simply be unavailable.
The real problem with the current WoW model is arguably that a lot of the content is time-wasting grinding, and there's rather little of what you might like to do, if it involves raiding, that doesn't also require a lot of gold (repairs) and farming/resource-purchasing. It was never a problem for me because I was resourceful and miserly enough to have substantial gold and resources for everything I needed, with minimal effort. But I can certainly see how someone with limited time might spend money, if his/her time is a scarce resource, to buy the resources necessary to participate in "fun" activities, rather than doing the menial, tedious chores to "earn" them.
That said, while I have the resources and everything else, including a willingness to spend a couple evenings a week to raid, during a hiatus I took over the past few months, it seems that the raids I was in disbanded, guilds are in shambles, and I just don't feel like going through all the effort of currying favor with new guilds and players for raid positions that may never materialize. When my play time this month expires in a day or two, I think I'm done for good. There are some grinds that money just can't buy, and one of those is getting a permanent position in a raid roster, and the respect and friendship of one's fellow raiders.
Sending spam is money. Enlarging the spam mailing list is money. Building a botnet is money. Spending hours to extract data to perpetrate one identity theft that carries a greater risk of prosecution and may not be overly successful would be like stopping for a couple of seconds to pick a penny up off the sidewalk, when you make well in excess of $36.00/hour (i.e., more than a penny a second) and would make more just going to work and clocking-in. Your computer is worth more to the scum of the net as a tool (botnet node and/or spam relay) and the only information they're likely to want is your address book, MAYBE a gaming account if it's a popular MMORPG that they can turn a quick profit on by looting and then vanish with minimal exposure.
There was an article linked by /. a few months ago rating the relative value of your computer to a cracker. They consider Linux/UNIX machines that have been rooted to be the most valuable since they're more likely to be always-on and connected to a commercial-duty connection. They use those for command and control, further infections, and so on. They're probably not going to refuse any new genuine (as opposed to honeypot) botnet nodes, but they're not as valuable. And a non-Windows machine, if a userspace account is compromised, but root isn't, is all but useless for all those things.
I think you fail at reading comprehension, though. :P Lenovo has indeed *manufactured* Thinkpads for the past several years, but models in the T60 series were the first they *engineered* themselves after purchasing the brand from IBM.
My own experience, as a former IBM/Lenovo warranty field technician, is that T40-series TPs had bombproof electronics that were reliable and rarely failed unless some component on the laptop's interlocking (but extremely easy-to-work-on!) skeleton failed and allowed the base cover to flex and the motherboard cracked. The T60 series have incredible (if not complete overkill) one-piece skeletons, but the quality of the electronics is just nowhere near the old IBM-designed boards and I replaced dozens that had various failures within the first 6 months of ownership, including a couple dozen that had problems right out of the box. It's like Lenovo doesn't bother with much QC anymore, or just didn't test the designs as thoroughly as IBM did.
But anyway, yes, I'd agree that Thinkpads are generally far better-built than the competition, even under Lenovo. Dell is about the only brand that comes close, but for the same basic reliability and quality of construction, their designs tend to be substantially larger, clumsier, and heavier. And uglier too, for what my subjective opinion is worth.
Anyone, I repeat, anyone, who is dependent on others for his/her own feelings of well-being, especially someone who s/he has NEVER met in real life, has some pretty serious problems, which are quite possibly not compatible with life. This sort of attachment sounds almost parasitic, it's so obsessive. Most kids are able to handle going in and out of crushes. Being rejected and humiliated when you're at your most vulnerable sucks, but THAT'S JUST PART OF LIFE. Crushes come and crushes go, and those are too emotionally immature to be considered 'love'. Manipulating and abusing someone harboring a crush is something a player would do, but I've never heard of someone being a player being an actionable offense. Such manipulators are pathetic and lame, but again, they're out there and are just part of life. True love may be blind, but it's not stupid or delusional.
You could probably expect that the Geek Squad would not upload your pictures to 4chan.
Yeah, the big thing is to not take showers when the Geek Squad is in the house, that's the sort of thing they try to take photos of and upload to 4chan.
Well said; as soon as I read the article I figured I'd post something along those lines, and you stated it well. It boils down to confidentiality; professionals are the sorts you trust to manage your stuff and not sell you out. I see private information all the time in the course of troubleshooting. Professionalism means I'm not snooping for the sake of my curiosity, and I am not going to simply forget all of the details that don't relate to my job, so long as ethics wouldn't compel me to reveal that in the name of public safety or something.
I don't buy it. If they were competent at building a case, there would be no opportunity for stonewalling or lying. The more likely scenario is that the defendant didn't assist the RIAA in making their case, which was too shoddy to stand on the evidence gathered by their sloppy investigative methods.
IANAL, but I'm pretty sure in a civil proceeding, the defendant is under no obligation to go out of its way to provide evidence to the plaintiff. The plaintiff can use court orders and such to require specific things be handed over, but they're responsible for knowing exactly what they want to be turned over to them, and where it's located. If the plaintiff doesn't know the right questions to ask (and is granted permission by a judge in a court of law to compel an answer), there is no obligation on the part of the defendant to volunteer relevant information. That was pretty much the outcome of a filesharing case a few months back where the RIAA filed suit againt one member of a family, but it turned out that another member had committed the alleged copyright infringement...the RIAA cried because they felt it was unfair, but when one files a lawsuit against a specific individual, one must simply make sure they have the right individual before proceeding. If the RIAA's methods aren't conclusive enough to ID an individual with reasonable accuracy (which they're obviously not), they deserve every loss that's handed to them. With prejudice.
Actually, most dot-matrix printers are a bit on the noisy side-- they're impact printers just as various flavors of letter-quality printers are. They have tiny pins arranged in a matrix that strike through an ink ribbon. Even though their quality is pretty abysmal, Okidata's dot matrix printers are still made (AFAIK) and are pretty common in applications where the printer works with continuous multi-part forms.
Affected platforms: Windows 95-Vista, and everything in between.
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-052714-3021-99
Even though the exploit does compromise Flash running on Linux or Mac, and even if the Windows trojan horse executable somehow worked on platforms other than Windows, there's still a matter of permissions keeping the malware from getting system-level access.
As far as Vista goes, the main thing I wonder about is if the exploit requires that the user give it permission to run through UAC. Even though UAC seems to be pretty useless in terms of only teaching users to click "allow" repeatedly to get anything done, it doesn't help at all if the compromised processes happen to be running under system level permissions anyway. I'd hope at the very least users would have to click 'allow' mindlessly to be infected by the trojan.
I wonder where people who not only purchased, but still use it rank. Heheheh.