It's correct. We can go to war and kill people and break things... and if that's how you define "winning" then we will win (even without this satellite).
If your criteria are other than killing people and breaking things, then this won't be necessary.
We've gone through how many wars in the past 50 years without this tech and the people we'll be fighting in future wars will STILL be fighting with tech and tactics recognizable 50 years ago.
It seems that certain organizations are trying to hype every vulnerability that can be associated with FireFox. From my point of view they'd be ranked like this:
#1. Remote root access that does NOT require human intervention or other app running.
#2. Remote non-root access that does NOT require human intervention or other app running.
#3. Local root access that does NOT require human intervention or other app running.
#4. Local non-root access that does NOT require human intervention or other app running.
#5. Local root access that requires some human interaction or some combination of apps.
#6. Local non-root access that requires some human interaction or some combination of apps (this is where this exploit is)
#7. Remote OS crash
#8. Remote app crash
#9. Local OS crash
#10. Local app crash
This is MY opinion. Get your own opinion. There is no way this exploit is "critical". It's one step above a stupid DoS attack and would NOT affect ANY of my servers.
Any data kept in your home directories SHOULD be backed up by the sysadmin.
The worst that should ever happen is that you lose any new data (from this morning until now).
The really important data is usually kept inside databases that the user does not have rights to delete.
Wiping out your home directory is only "annoying" (unless you have an important meeting in a few minutes).
Infecting the system is "BAD" because then EVERYONE's data is vulnerable AND you cannot trust last night's backups. You must go back and find out when you were infected and, in some cases, recreate ALL of the data that was in those databases since that point.
Sure, the user might be pissed that his spreadsheet was deleted by the "cool screensaver" that he just tried to download AND he has a meeting with the division president in the next 15 minutes........
but that don't mean jack when the CFO notices that none of the numbers match for the last 3 months anymore.
I'm really tired of people claiming that not running as root is a miracle cure. Yes, it prevents some really nasty trivial attacks, but it doesn't protect your most valuable data (e.g. -- yours) and it doesn't prevent a lot of attacks that are perfectly happy to run in non-privileged space.
It's not a "miracle cure" but it does protect the most important information the company has.
Ideally, the user's home directories will be set to non-execute so that crap they download won't destroy their data.
Even with both of those in place, I still get people who DELETE THEIR OWN FILES and need them restored from the night before.
Security is all about IDENTIFYING the risks and REDUCING them.
I can reduce the risks of everything else to a point below that of regular human stupidity. But nothing will ever save you from that.
And re "this is not a flaw in firefox" yes you are right, this time, but comments like the OP pop up every time, and is a (possible) flaw in the distribution system not a flaw in the software?
Duh! Of course it isn't. The software is the code.
The distribution system is how people get the code.
I know it's a common situation where software is downloadable from different sources but still there appears to be a problem (not that I have a solution). You know none of the users will check the md5sums from the original website (moz.org)
If the md5sums from the main site would be valid, then why not download from the main site?
Once you start installing apps from random sites you open yourself up for all kinds of problems.
If some windows flaw is posted everybody goes "boo ms" even though you are also required to run as admin and whatever, but if it's an OSS flaw they go "this isn't a flaw because I secure my pc"
Yeah. Keep believing that. Maybe you've heard of this stuff called "spyware" that infects machines via IE's ActiveX implementation.
Or maybe you haven't heard that a restricted user cannot use IE because the permissions aren't correct.
So, on Windows, you must have elevated permissions just to use the various apps and THAT is what results in so many infections.
Comparing Microsoft's ActiveX implementation (installed on every Windows box) to an infected Mozilla binary hosted on some Korean site that I'll never download from is "insightful"?
Please, I like firefox as much as the next poster, but please apply equal standards when comparing/recommending firefox.
"equal standards"? You're comparing ActiveX to an infected binary on some Korean site.
If you still believe firefox is Perfect, surprise, no software is.
Again, this was not a flaw in FireFox. It was some Korean site putting up infected binaries.
ActiveX is a stupid security model. That is why so many exploits for it exist and why you have to keep your anti-virus signatures updated every day.
There is no equivalent in FireFox.
Anyone, anywhere can put up infected FireFox binaries. Whether anyone will ever download and install them is another matter.
I believe the point is if MS did this, it wouldn't matter how fast they removed the infected binaries, there would be a string of posts pontificating on how this clearly demonstrates linux/firefox as superior. And they'd all be modded +5.
If Microsoft distributed infected binaries, then it would be Microsoft distributing infected binaries.
Of course saying the reverse here will quickly get you troll/flamebait/overrated down to -1.
You do realize that you're completely wrong.
This is not about Mozilla distributing infected binaries. Mozilla did not. If they had, your analogy would be correct.
This is about a 3rd party site distributing binaries of compiled Mozilla code that were infected.
The only Microsoft comparison that can be made would be if HP (or some OEM) shipped WinXP computers with a virus.
The real question is how did that virus get there in the first place. It's been around for a while but it doesn't spread.
Yes, it also was Network Solutions, and I had to fax in a copy of my driver's license to get them to change their info.
Since then I haven't had a problem with them.
The only issue would be if you were NOT listed as ANY of the contacts (tech, admin or registrant). And in that case, I wouldn't let you change anything either.
Digital books are great for quick searches, but I still prefer the physical book (hard cover if possible) and will still purchase the physical book.
Why not incorporate both technologies and offer hard cover reprints of books that people request? Can anyone tell me how difficult it would be to do a single printing of a book? How expensive? Or what the minimum order would have to be to get the price down to $50 or less?
I have a lot of worn paperbacks that just are not available in hard cover.
Anyone who uses any browser online should still be running virus-detection software. This will never change, no matter what OS or browser you use.
I'm running FireFox with the NoScript extension. That way, no JavaScript runs from any site I don't specifically whitelist. So, no exploits from that side.
FireFox, by default, requires you to whitelist sites to install software from them. So, no exploits from that side.
And so on and so forth.
The key to security is to reduce the avenues of attack.
If my browser will not run any code from your site and I will not download any apps from your site, then I do not have to worry about being cracked via my browser going to your site.
That said, response time to threats is better for Firefox. The total threat posed is probably less, because the time of exposure is a fraction of IE vulnerabilities.
No. That only applies if 100% of the population (or close to it) applies those patches as soon as they're released.
You cannot depend upon the users applying patches so you must focus on removing the threat before the user is involved. That is where FireFox's whitelists beat Microsoft every time.
But Mozilla faces a tough road ahead -- if they maintain or gain market share, they have to be very cautious, as their vulnerabilities will begin to be targeted seriously by malware.
Again, that is only the case if the vulnerabilities can be exploited. If I don't allow Java or JavaScript or installs from a website, then it is going to have to be a pretty dramatic vulnerability for me to be infected.
And until that vulnerability is shown to exist, the discussion is purely theoretical while the discussion of IE's exploits is documented fact.
The "experts" writing these "articles" will be out of a job as security increases.
From TFA:
According to the latest edition of Symantec's Internet Security Threat Report, 25 vulnerabilities were disclosed for Mozilla browsers and 13 for Microsoft Internet Explorer in the first half of 2005.
And that statistic means absolutely nothing. Simply counting the vulnerability ANNOUNCEMENTS does not tell you anything about the vulnerabilities themselves.
Is a vulnerability that causes FireFox to crash the same as a vulnerability that automatically installs an ActiveX control? Nope.
Graham Pinkney, head of threat intelligence EMEA at Symantec, said that switching from IE to Firefox as a way of minimising security risks was no longer valid advice.
Yeah. Whatever. How about you do a survey and find out how many FireFox machines have been compromised via FireFox? Huh? How about that?
"Cross-site scripting attacks have been used to attack more vulnerabilities in Mozilla browsers over the last six months than IE," Pinkney told an IDC security conference last week ahead of the publication of Symantec's threat report today.
And he has determined that... how?
Seems to me that IE's still being hit by spyware and such crap. Or didn't he mean those attacks?
John Cheney, chief executive of email filtering firm BlackSpider, replied that the release of Firefox had "helped Microsoft to raise its game" in terms of browser security.
"We sincerely thank the person who killed our daughter because it makes us appreciate our son so much more now." Does that make sense to anyone?
As well as making comments that will doubtless irk Firefox fans, Symantec has renewed its assault of the perceived security advantages of Apple Macs.
Hmmmm, Symantec sells anti-virus software and the like.
Macs don't seem to be having massive virus/trojan/worm problems.
Something doesn't look right.
"Mac users may be operating under a false sense of security as a noteworthy number of vulnerabilities and attacks were detected against Apple Mac's operating system, OS X," Symantec said, reflecting comments in the previous edition of its threat report that OS X was an emerging target for attack.
When "emerging" becomes "successfully attacked and cracked" it will become an issue. Until then, the "threat" is purely theoretical.
"While the number of vendor-confirmed vulnerabilities in OS X has remained relatively constant during the last two reporting periods [12 months], Symantec predicts this could change in the future."
Again, it isn't the number of vulnerabilities, it's how they can be exploited.
Yet I keep seeing references to the NUMBER of vulnerabilities announced.
Symantec's analysis on a rootkit (OSX/Weapox) reveals it is designed to take advantage of OS X.
#!/bin/bash
cd /
rm -R
Oh my GOD!!! It's a trojan that is designed to exploit the bash shell on LINUX!!!
"This particular trojan demonstrates that as OS X increases in popularity, so too will the scrutiny it receives from potential attackers."
As does my example with regards to bash and Linux.
It isn't whether someone can write a virus/worm/trojan. It's whether they can get such onto your box.
Away from the desktop, Microsoft enterprise applications remain the top hacker target.
Why "away from"?
Aren't they also the top target on the desktop?
How about "As well as the desktop, Microsoft's enterprise apps are targets for attack"?
Nothing but more crap from a vendor who's seeing their gravy train getting ready to leave the station on its last run.
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
http://securityresponse.symantec.com/avcenter/ven
You see? All but one had "number of sites" between 0 and 2.
They
Do
Not
Spread
Linux's security model is far more effective than Microsoft's one for Windows.
Anyone can write a virus/worm/trojan for Linux, but they cannot get them to spread beyond any machine that they themselves do not have access to.
Anti-virus apps are REACTIONARY patches to hide that failure of the security model.
I will continue to run Linux WITHOUT anti-virus software because I understand how viruses/worms/trojans work.
Why should everyone degrade their system just because one site put up an infected binary?
Writing a virus for Linux is easy.
Getting that virus onto someone else's box is very difficult.
Getting that virus to spread from that box is even more difficult.
Linux viruses have an infection rate that is lower than their removal rate so they die in the wild.
The real question is how did that virus get into that code? Linux viruses tend to have total infection numbers of less than 100 machines.
In certain script situations, I use goto for the main loop which is comprised of a series of gosubs.
The main trick is writing the gosubs so that they execute cleanly and return the state of the sub-routine when they return to the main loop.
The question isn't why someone would not re-implement the rpm app.
The question is why the various distributions have not included the LSB package format in their default package management apps AND why those LSB packages are not as easily managed as the default packages for those systems.
Until that happens, the LSB will continue to be irrelevant and no ISV's will support it.
Instead, you have the .rpm format which is only used and supported by default via Red Hat-based distributions.
But the ISV's would rather deal directly with Red Hat and certify their apps on Red Hat than getting them LSB certified.
The LSB "standard" is up to version 3.0 now and still there aren't any ISV's supporting it.
Why is that?
#1. Define the format of the package that LSB apps will be shipped in.
#2. Define the functionality needed by the package management system to install, update/upgrade, remove those packages.
#3. Let the various distributions add that functionality to their own systems IN ADDITION to the functionality they already have.
Never define an app as the "standard".
Always define the functionality so anyone can write an app to that standard.
Right now, the worst that happens is you have to reformat your hard drive when the pop-ups and re-directors stop you from doing anything online.
If the systems were destroyed, you'd see a lot more effort put into protecting them.
Moderation +2
50% Insightful
20% Interesting
20% Overrated
Okay, I can see the "Overrated" mod ... but giving it the other mod's just doesn't make sense from a technical viewpoint.
Windows boxes STILL have BSOD's. So why would an anonymous post questioning someone who made a joke about such BSOD's be mod'ed "Insightful"?
You're missing two key concepts.
#1. You need the avenues of attack. That means open ports for worms, user writable executables for viruses and user stupidity for trojans.
So, looking at that, the only avenue for attacking a Mac is a trojan. And that takes more effort to run on a Mac than on Windows.
Which brings up the second concept.
#2. If the infection rate is lower than the uninfection rate, the malware dies. In order to spread, it has to infect more computers than it is being removed from. That is because it needs a base to spread from.
With those two basic concepts you can see why there aren't many viruses/worms/trojans IN THE WILD for the *nix systems.
Anyone can write one for *nix (Mac or Linux or whatever) but they remain limited to the classroom/lab.
"Immunity" isn't the issue. No one will ever be "immune".
But being part of a HIGHLY resistant community is just as good as being "immune" for 99.99% of the people.
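The two concepts in the comment above can be put into a small deterministic model. This is an added example, not part of the original comment; the population size, the rates and every function name are assumptions chosen for illustration. Concept #1 sets how many infection attempts find an open avenue, and concept #2 compares the resulting infection rate with the removal rate.

```python
"""Added example: discrete-time SIS model of the infection-vs-removal argument.

All numbers are constructed for illustration; none come from measurements.
"""


def effective_infect_rate(attempts_per_step, exposed_fraction):
    """Concept #1: only attempts that find an open avenue can succeed.

    attempts_per_step -- infection attempts one infected host makes per step
    exposed_fraction  -- share of hosts with a usable avenue (open port,
                         user-writable executable, user who runs a trojan)
    """
    return attempts_per_step * exposed_fraction


def simulate(population, seed_infected, infect_rate, removal_rate, steps):
    """Concept #2: track infected hosts while infection competes with removal.

    Returns the infected-host count after each step, starting with the seed.
    """
    infected = float(seed_infected)
    history = [infected]
    for _ in range(steps):
        # Attempts that land on already-infected hosts are wasted.
        susceptible_fraction = (population - infected) / population
        new_infections = infect_rate * infected * susceptible_fraction
        removals = removal_rate * infected
        infected = infected + new_infections - removals
        # Keep the count inside the physically possible range.
        infected = min(max(infected, 0.0), float(population))
        history.append(infected)
    return history


def reproduction_ratio(infect_rate, removal_rate):
    """New infections caused per removal; below 1.0 the malware shrinks."""
    return infect_rate / removal_rate


def endemic_level(population, infect_rate, removal_rate):
    """Steady-state infected count the model settles at (0 if it dies out)."""
    if infect_rate <= removal_rate:
        return 0.0
    return population * (1.0 - removal_rate / infect_rate)


def outcome(history, extinct_below=1.0):
    """Label a run: fewer than one infected host left means it died out."""
    return "dies out" if history[-1] < extinct_below else "persists"


if __name__ == "__main__":
    POPULATION, SEED, REMOVAL, STEPS = 10_000, 100, 0.20, 200
    scenarios = {
        "few avenues (2% of hosts exposed)": effective_infect_rate(2.0, 0.02),
        "many avenues (50% of hosts exposed)": effective_infect_rate(2.0, 0.50),
    }
    for name, rate in scenarios.items():
        run = simulate(POPULATION, SEED, rate, REMOVAL, STEPS)
        print(f"{name}: ratio={reproduction_ratio(rate, REMOVAL):.2f}, "
              f"final infected={run[-1]:.1f}, {outcome(run)}")
```

Both runs start from the same 100 infected hosts and the same removal rate; only the share of hosts with an open avenue differs.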
Take some time and examine your goals here. What are you personally looking to get out of this assignment?
The facts are:
#1. Any changes you make will be "wrong" compared to what the last guy did.
#2. Unless something is done about the water, your systems will eventually fail (and you will be blamed because the last guy never had that problem).
#3. You'll be spending a lot of time and effort on making friends just to accomplish your technical goals.
#4. No matter how great you are, there will always be someone on staff who talks to a friend who uses Windows and will tell everyone that no one else is having the problems you have with Windows.
If you're going to put yourself through all that stress, be sure you understand why you are doing that to yourself. And it is you doing it to yourself.
Too many times we tend to see the people who use the systems as the problem. Maybe they don't agree with your goals, but is that really a problem? Instead, examine your goals and see if you really want to fight that fight, under those conditions to achieve your goals.
And be realistic in your goals. They will not worship you for bringing them to the promised land of a firewalled sub-net. They don't even know anything is wrong. The best you can do is to be respected by a bunch of people who can't remember their own username/password's.
Sometimes not getting involved in a disaster is the best option.
... your "employment solution" for just a month and half post-"educational solution"?
http://www.eeye.com/html/research/upcoming/index.html
Looks like certain software companies sit on the issues for a long time (and are still sitting on them).
In their defense, most of the KNOWN viruses/worms/trojans are written after the public release of the patch when the less capable people can see the exploitable code.
Massive changes almost never work.
The best way to approach this is to have a lot of small steps. That way, any minor advance that has a problem can be rolled back without killing the entire project.
The trick is to space out the changes that the end user has to deal with so they don't get overwhelmed by them.
And neither do your techs.
It's all about the migration plan.
Would a Kroger executive talk enthusiastically about your new "partnership" with them?
Usually, companies don't want to be seen publicly supporting nutcases who try to make a news story about buying some toothpaste.
SCO can have the press conferences it wants and tell everyone whatever they want ... but it changes when another company is quoted as saying anything more than "we sold them a license and we'll sell you one too!"
If I go to the store and buy a copy of MSOffice, that's one thing.
If I get a site license from Microsoft, that's something else.
If Bill Gates and I do a press release about our new partnership, that's an entirely different thing.
SCO and MySQL AB did the press release thing. That's not the same as SCO buying a license to distribute.