I have had good luck using Notability for iOS: https://itunes.apple.com/us/app/notability/id360593530?mt=8
Easy to import PDFs, easy to highlight, easy to annotate with handwriting or typing, and easy to export back to PDF. Fairly responsive on my old first generation iPad.
The only drawbacks I've found are: 1. Documents with handwriting or free form drawing get larger r than I would expect (~ 1 MB per page for a page of Calculus homework or doodles) 2. Doesn't support ssh or git for uploading/downloading documents
This information has never been secret. Most electricity meters are mounted on the outside of the structure in an easily accessible location with dials that are easy to read at a distance with a pair of binoculars. This is by design, allowing the utility companies to do meter readings as efficiently as possible.
I have to second this, iSSH is surprisingly usable on the iPhone... it works well when you just need to jump in and attach to an already running gnu screen session to check on a job from a meeting or on the bus. Its not something that you'd write 10k lines of code in, but I would hate to be without it now. It even has a built-in X server.
My only wish is that it had skey/otp support built in, its a pain to have to keep switch to a different app to generate an skey response.
Have they dropped the paragraph from their beta eulas as to you agreeing not to admit to the existance of the product, or the existance or lack of features, etc, without Microsoft's permission?
-- Scott
Doesn't support Win2k / WinNT (dang it!)
on
Gaming On Demand
·
· Score: 1
This is a *really* cool idea -- get to play a game for virtually free when I need a diversion, without having to wait for the sun to come up to drive over to the local ComplUSAr just to buy a game that might not end up being any fun.
But it is a bit of a bummer to have to spend a half hour installing Win9x/WinME on one of my machines definitely is a bit of a drawback (though I suppose most people out there already have a working copy of consumer windows available), and its too bad they only have a handful of games (though that will probably change if it takes off)
The platform SDK is actually fairly well documented now... its gone from abysmal to nearly excellent in the last five years. (I'm sure people that were playing with this stuff before five years ago will say it was even worse before NT4 was released)
But IIS its a very complicated thing to evaluate because in addition to auditting the usermode code, its spud.sys actually registers a new system call table for use by IIS... so you have to audit those system calls' behavior within the kernel in addition to the normal NT system calls called by IIS, along with the usermode code and all of its places it interacts with extensions.
But for killing a crashed service, it should die if it doesn't have an exception handler registered from a __try block... unless you have a non-default system debugger set (I've had numerous cases where services have died from unhandled exceptions... perhaps there more to the problem than it apparent initially: have you verified which thread is crashing?). If there's a reason you need to be catching your exceptions with a __finally or an __except, you might be able to support to your service control handler routine to detect the problem and return a SERVICE_STOPPED status on a SERVICE_CONTROL_INTERROGATE request so that some other watching service can learn thats stopped and restart it.
As for a fork(), yes, the lack of an equivalent in the Win32 API has definitely been a royal pain on occasion... more than a pain, actually. One solution you might look at, if you don't mind using the native API, is Gary Nebbett's example in chapter six of his book with does a fairly thorough implementation of fork() for Win32 processes. Its a bit painful... the native api's process routines definitely make Win32's already painful CreateProcess() look trivial, but if you need a fork(), it might by one solution.
Another interesting approach to fork() is cygwin's... its not as elegant, as they're confined to the Win32 API, but it does work, though you'll want to strip out the cygwin-specific stuff.
To a certain extent -- DOS and Win16 apps run inside of VDMs -- the user can either choose to have all of them run in the same VDM, or spawn a separate VDM for individual applications. All of the DOS and Win16 apps running in the same VDM do lack memory protection from each other, but they are isolated from the system.
From what I understand about OS X, their MacOS9-in-a-process application (called "Classic") accomplishes somewhat the same thing, though it sounds like it has a tremendous amount of overhead compared to NT's VDMs.
as of September 26, 1997 the treaty remains in effect.
That was the view several years ago, but in recent years that became a bit foggy. The Bush Administration now appears to have completely moved to the position that since the Soviet Union no longer exists, the treaty is no longer in effect. (Secretary Rumsfeld touched on this a little last Friday (see: http://video.c-span.org:8080/ramgen/kdrive/c2k0126 01_pentagon.rm ), but quite a few of Bush's national security team have made similar comments)
Unless I missed something, I disagree with their method of denoting the "largest prime found so far"...
They start out by defining a series of symbols and methodology of representing base 10 numbers and equality using a set of (apparently) arbitrary symbols, by displaying the base 1 and base 2 equivalents. This seems fair, though I'm not sure I would have bothered with base 10.
They then include the first 24 prime numbers using the notation introduced above, which seems good.
Then suddenly they jump to including something that the decoded as:
3021377
2 ?1
with the "?" being a symbol that was not included anywhere else on the first page. This caused me quite a bit of confusion... especially the unknown symbol. I was beginning to think they had made a typo, or that it was one of the number symbols garbled. It looked more similar to the number symbols than the equality symbol, so I assumed that it was a number or letter, not a non-number symbol, such as a arithmetic operation or decimal point.
The number itself didn't seem to give any hints either... I was assuming that it was going to be something like pi or the natural log of 10... but the number wasn't familiar.
Turns out they intended this to mean 2**3021377 - 1, which they claim is the largest prime found at the time this was written.
This seems unnecessarily confusing for some poor alien trying to figure it out. In one step, they introduce a new symbol (without any context), indicating substraction, a method of denoting exponents (without introducing exponents), all to describe a number that provides someone trying to decode it no clue as to what the new symbol and new denotation mean.
Did anyone else figure out the "largest prime" on their own? Is there some other clue that I missed?
Yes, but the System account on a non-domain controller has no network access. Therefore, you might own a machine by 'getting System' but are unable to use that machine to probe or attack other machines.
It may not be able to open smb connections to domain resources and have those connections transparently authenticated (which is what ms means in the docs by "no network access"), it does have *complete* control over the local system, meaning if it is compromised, there are ways to get access to domain resources.
For example, by default lsass caches the password hashes of every domain user that has logged onto the local system so that it can still allow users to logon even if it can't contact a domain controller. Since ntlm (the default authentication method between nt4 boxes) does a challenge-response based on that hash, the system account of a local machine has everything it needs to gain access to domain resources as any user that has logged onto the local machine (assuming the user has not changed their password since they logged onto that particular mchine).
Now granted, most script kiddies don't have the knowledge of nt to attempt this, but if I remember correctly the rootkit Greg Hoglund and those guys were working on included a tool that did something like this.
Even if a hostile didn't want to go to that much trouble, they can still run *anything* they want on the local machine, packet sniffers, port scanners, whatever.
Having a system account compromise is effectively no different than having a root compromise -- just like an individual machine's root account, which may not directly have unlimited access to other machines on the network, it still has the means to launch attacks, and in most environments, the means to get priviledged access on other machines.
A better comparison is the system account -- it is equivalent to root in that it is the context most of the daemons run in, and has complete control over the local machine.
And like the root user of a central, trusted unix host in a unix shop, the system account of the domain controllers' has complete access on every machine in the domain.
nt's security paradigm definitely does allow much more granularity the unix's model does -- the security for virtually every type of object is managed uniformly, ranging from devices, files, registry keys, active directory objects, services, you name it, and each type of object has very specific rights that can each separately be allowed and auditted.
This is in stark contrast contrast to the unix model, where you have a a limited security mechanism on ipc primitives and anythiing that can be treated as a file, but you only have three kinds of access, and for most other objects there's no way to give someone who's not the owner, root, or sudoer any access.
It can be useful to be able to set the security descriptor on a service, or an arbitrary process, to allow a certain group of users to kill it without having to give them an equivlanet to "sudo kill". Or for a file, to be able to give someone only append accesss. Or to be able to give a running instance of a daemon (not the user it is running as) special access to a particular object.
But while this additional flexibility may be a blessing for a relatively small set of situations, it does make the task of writing security-aware applications for nt a much more involved process than it already is for any architecture, and makes the jobs of auditting a particular system a nightmare.
I personally like the additional functionality alot of the pieces of nt offers over the other architectures I've worked with, but it's definitely not clear to me that its security paradigm is "better" simply because it can do more. Security is something most organizations have to be aware of these days, therefore it should be made as simple as possible. Especially for an os like nt where the vast majority of admins are inexperienced when compared to the admins you find administering other architectures.
What made this even worse was even though nt had this very rich security framework, it comes out of the box with absolutely horrible initial permissions on the two most visible portions, the filesystem, and the registry. Before the security configuration editor appeared with ussp4, coming up with the scripts to secure an out-of-the-box nt install was a an extremely difficult and time consuming process that the vast majority of the sites out there never even attempted.
Microsoft is beginning to come around with the security configuration editor that appeared in ussp4, which brings the ability securing of an nt box to a semi-sane state to within reach of most admins, but we're talking about bringing the initial security up from being (sad to say) not much better than win95, to where it is now perhaps comparable to redhat. It's definitely a *huge* improvement, but there's still some very glaring holes in the permissions applied via the templates, to say nothing of exploits against the underlying system. With win2k, microsoft appears to have made another leap forward in terms of the security of the initial configuration, but imho, it's too early to tell.
But even say microsoft is able to bring win2k up on par with the competitors, that is only a fraction of the effort that will be required to audit it to the level that projects like openbsd have been auditted. Auditting the complete source tree of an entire os like openbsd, even if it is a simple bsd derivative, must have been an absolutely monstrous task. To audit the complete tree of a system as complex as win2k (or even solaris, which atleast was done by a company that allows their people to sleep and go home on weekends) isn't something I believe is possible by any of today's software vendors.
I personally really like nt and would like to see it succede. But with the persasive featurism comes complexity, and complexity is not ones friend when trying to implement a secure system.
Also, telnet server and Windows Terminal Server allow you to execute as much code as you care to remotely. WTS is also (in my experience) usually *faster* than an equivalent X-windows session over a 28.8k modem. You probably wouldn't want to run Photoshop on it - but Visual C++ 6.0 runs quite happily on it.
This matches my experience with WTS compared to X, presuming you're not running X with lbxproxy (supposedly with lbxproxy, their performance can be comparable, but I've haven't personally tried it). With a terminal server session forwarded through ssh, it is smooth enough to remotely administer nt fairly painlessly from my home, which is typucally 20-25 hops away from the university where I work.
As for other methods of remote shells, (for the non-w2k or nt4tse fortunate people) it should be pointed out that NT4 did come with telnetd on the reskit, although the inf that came with it required a minor rewrite before you could use it to install it. The reskit also included rconsole and rcmd, and then are a couple ports of sshd to run on nt (although the couple I've looked at were built ontop of cygwin32... the idea of a security-conscious package being built ontop of cygwin32 is kind of amusing). And then of course win2k comes with a kerborized telnet daemon.
Back to terminal server, a disadvantage with nt4tse was you had to buy licenses for the number of concurrent client connections, even if you were just using it for remote administration and not as an application server. This is improved somewhat with win2k -- you can have a limited number of admins connect via terminal server without a license, but they have to be administrators.
Slashdot Mirror
I have had good luck using Notability for iOS:
https://itunes.apple.com/us/app/notability/id360593530?mt=8
Easy to import PDFs, easy to highlight, easy to annotate with handwriting or typing, and easy to export back to PDF. Fairly responsive on my old first generation iPad.
The only drawbacks I've found are:
1. Documents with handwriting or free form drawing get larger r than I would expect (~ 1 MB per page for a page of Calculus homework or doodles)
2. Doesn't support ssh or git for uploading/downloading documents
I looked forward to trying it out, but it required iOS 6. :-( My poor old iPad isn't supported by iOS 6.
This information has never been secret. Most electricity meters are mounted on the outside of the structure in an easily accessible location with dials that are easy to read at a distance with a pair of binoculars. This is by design, allowing the utility companies to do meter readings as efficiently as possible.
I have to second this, iSSH is surprisingly usable on the iPhone... it works well when you just need to jump in and attach to an already running gnu screen session to check on a job from a meeting or on the bus. Its not something that you'd write 10k lines of code in, but I would hate to be without it now. It even has a built-in X server.
My only wish is that it had skey/otp support built in, its a pain to have to keep switch to a different app to generate an skey response.
4 years is a rather precise estimate for something as subjective as "to finish"...
Too bad we can't say the same about XP
Have they dropped the paragraph from their beta eulas as to you agreeing not to admit to the existance of the product, or the existance or lack of features, etc, without Microsoft's permission?
-- Scott
This is a *really* cool idea -- get to play a game for virtually free when I need a diversion, without having to wait for the sun to come up to drive over to the local ComplUSAr just to buy a game that might not end up being any fun.
But it is a bit of a bummer to have to spend a half hour installing Win9x/WinME on one of my machines definitely is a bit of a drawback (though I suppose most people out there already have a working copy of consumer windows available), and its too bad they only have a handful of games (though that will probably change if it takes off)
Cool!
The platform SDK is actually fairly well documented now... its gone from abysmal to nearly excellent in the last five years. (I'm sure people that were playing with this stuff before five years ago will say it was even worse before NT4 was released)
But IIS its a very complicated thing to evaluate because in addition to auditting the usermode code, its spud.sys actually registers a new system call table for use by IIS... so you have to audit those system calls' behavior within the kernel in addition to the normal NT system calls called by IIS, along with the usermode code and all of its places it interacts with extensions.
But for killing a crashed service, it should die if it doesn't have an exception handler registered from a __try block... unless you have a non-default system debugger set (I've had numerous cases where services have died from unhandled exceptions... perhaps there more to the problem than it apparent initially: have you verified which thread is crashing?). If there's a reason you need to be catching your exceptions with a __finally or an __except, you might be able to support to your service control handler routine to detect the problem and return a SERVICE_STOPPED status on a SERVICE_CONTROL_INTERROGATE request so that some other watching service can learn thats stopped and restart it.
As for a fork(), yes, the lack of an equivalent in the Win32 API has definitely been a royal pain on occasion... more than a pain, actually. One solution you might look at, if you don't mind using the native API, is Gary Nebbett's example in chapter six of his book with does a fairly thorough implementation of fork() for Win32 processes. Its a bit painful... the native api's process routines definitely make Win32's already painful CreateProcess() look trivial, but if you need a fork(), it might by one solution.
Another interesting approach to fork() is cygwin's... its not as elegant, as they're confined to the Win32 API, but it does work, though you'll want to strip out the cygwin-specific stuff.
To a certain extent -- DOS and Win16 apps run inside of VDMs -- the user can either choose to have all of them run in the same VDM, or spawn a separate VDM for individual applications. All of the DOS and Win16 apps running in the same VDM do lack memory protection from each other, but they are isolated from the system.
From what I understand about OS X, their MacOS9-in-a-process application (called "Classic") accomplishes somewhat the same thing, though it sounds like it has a tremendous amount of overhead compared to NT's VDMs.
-- Scott
as of September 26, 1997 the treaty remains in effect.
6 01_pentagon.rm ), but quite a few of Bush's national security team have made similar comments)
That was the view several years ago, but in recent years that became a bit foggy. The Bush Administration now appears to have completely moved to the position that since the Soviet Union no longer exists, the treaty is no longer in effect. (Secretary Rumsfeld touched on this a little last Friday (see: http://video.c-span.org:8080/ramgen/kdrive/c2k012
Unless I missed something, I disagree with their method of denoting the "largest prime found so far"...
They start out by defining a series of symbols and methodology of representing base 10 numbers and equality using a set of (apparently) arbitrary symbols, by displaying the base 1 and base 2 equivalents. This seems fair, though I'm not sure I would have bothered with base 10.
They then include the first 24 prime numbers using the notation introduced above, which seems good.
Then suddenly they jump to including something that the decoded as:
3021377
2 ?1
with the "?" being a symbol that was not included anywhere else on the first page. This caused me quite a bit of confusion... especially the unknown symbol. I was beginning to think they had made a typo, or that it was one of the number symbols garbled. It looked more similar to the number symbols than the equality symbol, so I assumed that it was a number or letter, not a non-number symbol, such as a arithmetic operation or decimal point.
The number itself didn't seem to give any hints either... I was assuming that it was going to be something like pi or the natural log of 10... but the number wasn't familiar.
Turns out they intended this to mean 2**3021377 - 1, which they claim is the largest prime found at the time this was written.
This seems unnecessarily confusing for some poor alien trying to figure it out. In one step, they introduce a new symbol (without any context), indicating substraction, a method of denoting exponents (without introducing exponents), all to describe a number that provides someone trying to decode it no clue as to what the new symbol and new denotation mean.
Did anyone else figure out the "largest prime" on their own? Is there some other clue that I missed?
-- Scott
Yes, but the System account on a non-domain controller has no network access. Therefore, you might own a machine by 'getting System' but are unable to use that machine to probe or attack other machines.
It may not be able to open smb connections to domain resources and have those connections transparently authenticated (which is what ms means in the docs by "no network access"), it does have *complete* control over the local system, meaning if it is compromised, there are ways to get access to domain resources.
For example, by default lsass caches the password hashes of every domain user that has logged onto the local system so that it can still allow users to logon even if it can't contact a domain controller. Since ntlm (the default authentication method between nt4 boxes) does a challenge-response based on that hash, the system account of a local machine has everything it needs to gain access to domain resources as any user that has logged onto the local machine (assuming the user has not changed their password since they logged onto that particular mchine).
Now granted, most script kiddies don't have the knowledge of nt to attempt this, but if I remember correctly the rootkit Greg Hoglund and those guys were working on included a tool that did something like this.
Even if a hostile didn't want to go to that much trouble, they can still run *anything* they want on the local machine, packet sniffers, port scanners, whatever.
Having a system account compromise is effectively no different than having a root compromise -- just like an individual machine's root account, which may not directly have unlimited access to other machines on the network, it still has the means to launch attacks, and in most environments, the means to get priviledged access on other machines.
-- Scott
A better comparison is the system account -- it is equivalent to root in that it is the context most of the daemons run in, and has complete control over the local machine.
And like the root user of a central, trusted unix host in a unix shop, the system account of the domain controllers' has complete access on every machine in the domain.
nt's security paradigm definitely does allow much more granularity the unix's model does -- the security for virtually every type of object is managed uniformly, ranging from devices, files, registry keys, active directory objects, services, you name it, and each type of object has very specific rights that can each separately be allowed and auditted.
This is in stark contrast contrast to the unix model, where you have a a limited security mechanism on ipc primitives and anythiing that can be treated as a file, but you only have three kinds of access, and for most other objects there's no way to give someone who's not the owner, root, or sudoer any access.
It can be useful to be able to set the security descriptor on a service, or an arbitrary process, to allow a certain group of users to kill it without having to give them an equivlanet to "sudo kill". Or for a file, to be able to give someone only append accesss. Or to be able to give a running instance of a daemon (not the user it is running as) special access to a particular object.
But while this additional flexibility may be a blessing for a relatively small set of situations, it does make the task of writing security-aware applications for nt a much more involved process than it already is for any architecture, and makes the jobs of auditting a particular system a nightmare.
I personally like the additional functionality alot of the pieces of nt offers over the other architectures I've worked with, but it's definitely not clear to me that its security paradigm is "better" simply because it can do more. Security is something most organizations have to be aware of these days, therefore it should be made as simple as possible. Especially for an os like nt where the vast majority of admins are inexperienced when compared to the admins you find administering other architectures.
What made this even worse was even though nt had this very rich security framework, it comes out of the box with absolutely horrible initial permissions on the two most visible portions, the filesystem, and the registry. Before the security configuration editor appeared with ussp4, coming up with the scripts to secure an out-of-the-box nt install was a an extremely difficult and time consuming process that the vast majority of the sites out there never even attempted.
Microsoft is beginning to come around with the security configuration editor that appeared in ussp4, which brings the ability securing of an nt box to a semi-sane state to within reach of most admins, but we're talking about bringing the initial security up from being (sad to say) not much better than win95, to where it is now perhaps comparable to redhat. It's definitely a *huge* improvement, but there's still some very glaring holes in the permissions applied via the templates, to say nothing of exploits against the underlying system. With win2k, microsoft appears to have made another leap forward in terms of the security of the initial configuration, but imho, it's too early to tell.
But even say microsoft is able to bring win2k up on par with the competitors, that is only a fraction of the effort that will be required to audit it to the level that projects like openbsd have been auditted. Auditting the complete source tree of an entire os like openbsd, even if it is a simple bsd derivative, must have been an absolutely monstrous task. To audit the complete tree of a system as complex as win2k (or even solaris, which atleast was done by a company that allows their people to sleep and go home on weekends) isn't something I believe is possible by any of today's software vendors.
I personally really like nt and would like to see it succede. But with the persasive featurism comes complexity, and complexity is not ones friend when trying to implement a secure system.
-- Scott
This matches my experience with WTS compared to X, presuming you're not running X with lbxproxy (supposedly with lbxproxy, their performance can be comparable, but I've haven't personally tried it). With a terminal server session forwarded through ssh, it is smooth enough to remotely administer nt fairly painlessly from my home, which is typucally 20-25 hops away from the university where I work.
As for other methods of remote shells, (for the non-w2k or nt4tse fortunate people) it should be pointed out that NT4 did come with telnetd on the reskit, although the inf that came with it required a minor rewrite before you could use it to install it. The reskit also included rconsole and rcmd, and then are a couple ports of sshd to run on nt (although the couple I've looked at were built ontop of cygwin32... the idea of a security-conscious package being built ontop of cygwin32 is kind of amusing). And then of course win2k comes with a kerborized telnet daemon.
Back to terminal server, a disadvantage with nt4tse was you had to buy licenses for the number of concurrent client connections, even if you were just using it for remote administration and not as an application server. This is improved somewhat with win2k -- you can have a limited number of admins connect via terminal server without a license, but they have to be administrators.
-- Scott