Slashdot Mirror


User: khasim

khasim's activity in the archive.

Stories
0
Comments
5,818
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,818

  1. Please tell me you don't write code. on Several Critical MSIE Flaws Uncovered · · Score: 5, Insightful
    Well, you have to consider also that, Internet Explorer having somewhere in the range of 90% market share as opposed to under 7% market share for Mozilla, about 13 times as many vulnerabilities would logically be found... (and only about 5 times as many are)
    No .... that's only "logical" if there is no such thing as "security", just "marketshare".

    By your logic, a program written by a first year student who didn't pay any attention to any security would have as many flaws discovered as a program written by an expert who tested for vulnerabilities ....

    As long as both of them had the same number of users.

    In other words, the flaws aren't errors in code writing, the flaws magically spaw when a certain number of people use it.
  2. Just click on the floppy drive icon. on 25 Years After DOS - Lessons for Linux? · · Score: 2, Insightful
    realworld manager: "great now make it work for joe in accounting. he's spent the last 2 hours tring to find his 'a' drive."
    Just double click on the floppy drive icon on the desktop.
    it's all well and good that linux is technically better (which is a point other people are making about pc-dos being technically worse than alternatives) but if it is a pain in the ass to implement for the average user it likely won't hit the desktop in a big way.
    That's a big "if" now-a-days.

    Aside from running specific apps that haven't been ported to Linux yet, name anything that Windows can do that Linux cannot.

    Linux is quickly taking over the server market segment so SOMEONE has to like the Linux approach.

    I'm typeing this on Ubuntu and Windows is behind on ease of use.

    Surprise! Linux both technically better AND easier to use now.

    Remember, it's easier to make a stable and secure platform easy to use than it is to make an unstable/insecure platform stable and secure, no matter how easy it is for the end user to use.

    Linux will take the server market first.

    Then it will take the corporate/government desktop.

    Only then will it take the home user desktop (if such still exists then).
  3. Because it worked. on 25 Years After DOS - Lessons for Linux? · · Score: 1

    With NetWare, it was very easy to walk through each step of the process to get a server up and running.

    Which means it was also easy to isolate any problems and work around them.

    DOS was just the loader program for NetWare. Once NetWare had load, you could remove DOS from memory.

    I'm running NetWare 6.5 and I'm still booting to DOS.

  4. Why do you think they aren't? on 25 Years After DOS - Lessons for Linux? · · Score: 2, Insightful
    This is the attitude that is going to prevent that from ever happening.
    Huh? How?
    I wish the movers and shakers in the Linux world would decide to focus on a subset of the OS market, and do it well, instead of trying to do everything and losing focus of good engineering practices...
    Are you saying that they have lost "focus of good engineering practices"?

    Strange, Linux seems to be rock solid.

    And it runs on everything from a wristwatch to a mainframe.

    It seems as if they have the engineering practices under control.

    As for focusing on "a subset", why?

    Won't the stability needed for a server be a good feature in a workstation?

    Won't the plethora of devices on a workstation give you more flexibility in choosing a server (ATA, SATA, SCSI, etc).

    Won't the real-time features necessary for certain segments be nice with workstation audio playback?
  5. I don't know. Entering a name is difficult. on Does Voting Technology Affect Election Outcomes? · · Score: 1
    Would you use an ATM that didn't require a PIN (or, for that matter, a card)? Suppose you could just walk up to it, enter your name, and withdraw money from your account. Simple, and much less chance of error, right?
    I don't know. Entering a name is harder than entering 4 numbers and a card.

    It would result in fewer errors if people could just get money from the cash machine without entering any info or carrying any cards, right?

    Yeah, I know. :D

    You make excellent points but you did leave off one item.

    User interface testing.
    We can test the system BEFORE the elections and work out the worst "bugs". We can use the dumbest people we can round up.

    We can put together fully interactive context-sensitive help systems (voice/video/help screens).

    We can make a system so easy that a 10 year old could use it (and we should be TESTING it with those 10 year olds).
    What amazes me is that people realize that a bad guy would go to considerable length to be able to filch a few hundred dollars out of their bank accounts, or even to wrest control of some third world bannana republic, but very few people accept that somebody might want to exercise undue influence over the richest and most powerful nation in the world.
    Are you ready for the real kicker?

    Why isn't there a FEDERAL agency overseeing this issue? Where are the FEDERAL agents to review the code and hardware?

    Vote for me! My first act will be to establish a FEDERAL department for electronic voting with completely Open Source software and open standards for hardware.

    I'll make it so easy for every person in the US to vote me out of office.

    I'll put together a system so that 4 years later, you can see me lose the election, state by state, hour by hour.

    With no question that every vote is counted correctly.
  6. What part of "counting the vote" did you miss? on Does Voting Technology Affect Election Outcomes? · · Score: 1
    ANd therefore the votes are unverifiable.
    Do you even know what that word means?

    The context in which you use it seems to indicate that you do not.
    Just because you see someone count a piece of paper that says Gore on it doesn't mean that a vote for gore was really cast, just that you saw him count it.
    I think you also have a problem with the word "cast".

    Someone counts a ballot with a vote for Gore.

    And you still claim there is a problem.

    Either you don't know what you're talking about or you don't know the meaning of the words you are using to express it.

    Either way, buh bye!
  7. You are completely wrong. on Does Voting Technology Affect Election Outcomes? · · Score: 1
    No, they can't, hence the point of secret voting.
    The "secret" is in what you marked on the ballot. Not on what happens to the ballot after that.
    There's a reason why the vote counters are specific people.
    And there's a reason why any citizen can watch them count the votes.
    And there's no guarantee that what goes in the ballot boxes is what comes out, nor a guarantee that the counters will count correctly, or represnt the results correctly.
    That is why any citizen can watch the ballot box and watch the vote counters.

    That is the guarantee.
    The very nature of secret ballots is that somewhere not everyone will get to see what happens, and at that moment, something can go wrong.
    Again, you're confusing the act of marking a "secret" ballot with the process of counting the votes.

    Other than the initial marking of the ballot (the "secret" part), the entire process can be viewed by any citizen.

    And each political party has its own representatives present to do just that.
  8. Because you don't like the facts ... on LinuxWorld Senior Editorial Staff Resigns · · Score: 1
    doesn't mean that they aren't facts.

    It still comes down to "people I like deserve more protection than people I don't like."
    I'm getting that impression from you.

    Because people find out that the White House granted special permission to a gay hooker to attend press conferences UNDER AN ASSUMED NAME and lob easy questions ....

    That's the same as publishing the address of the mother of some "harridan" you don't like.
    Bah. You're just another hypocrite playing the double-standards game.
    Nope. Your problem is that you're too tied up in your pro-Gannon viewpoint to see the difference.

    Gannon and PJ both had their personal lives dug up and published.

    Gannon had his because of the story involving the White House.

    PJ had her's because MOG couldn't find any story.

    *sigh* I remember the trolls we used to have back in the day. Now all we have are these wannabe trolls crying "hypocrite" as if it makes them sound mature.

    Buh bye, little troll. Keep eating the food mommy gives you and one day you might grow up to be a big bad TROLL.
  9. Have the receipt be the ballot. on Does Voting Technology Affect Election Outcomes? · · Score: 1

    That way, the individual can verify that his vote is printed correctly on the receipt.

    He drops the receipt in a sealed ballot box.

    The machine adds up the votes at the end of the day.

    If there's any question about vote fraud ...

    the machine's displayed total
    is checked against
    the machine's internal tape
    which is checked against
    the sealed ballot box.

    In case of error, the ballots in the sealed box are the official record.

    That way you get instant results, 100% verfication and the voter can individually confirm his/her vote.

    The question of WHY it isn't being done like this reveals the corruption behind the current line of "voting" machines.

  10. Actually, you can see what is done with them. on Does Voting Technology Affect Election Outcomes? · · Score: 1

    There is no reason why you cannot watch the ballot boxes, and the vote count.

    With paper ballots, that is.

    In theory, any citizen can watch the entire process.

  11. Not enough info in the blurb. on Does Voting Technology Affect Election Outcomes? · · Score: 2, Interesting

    And it isn't worth the $5 to get the material if I cannot post it here.

    And they're looking at touch-screen tech and talking about paper-less machines.

    It is possible to have touch-screen tech and a paper trail.

  12. Now I'm really confused. on LinuxWorld Senior Editorial Staff Resigns · · Score: 3, Interesting
    I apologize, I thought I made it clear that I was masking some non-essential bits of information in the log examples. One of those bits was the IP address. I replaced it with localhost in the example. I didn't feel is necessary to put the real-world IP in the example.
    I understand that part. It was the IP address I was talking about.
    As you and others have now pointed out, it could be that people were wget'ing the site for other reasons. However, that's not how it looked. All the requests that I saw were from the same IP and were all for the root / URL.
    Then it would NOT be a DDoS.

    It sounds more like the /. effect and ONE machine trying to cache sys-con's entire site.

    So it should be VERY easy to track down the machine using that IP address at that time and find out whether it was an "attack" or an attempt to cache their server.

    Here's the first step: http://www.arin.net/whois/
    That should be able to tell you who owns that block.
    Unfortunately, I don't have all of the information. I agree that it would be nice to have more. I have what I have and now you have what I have, minus two lines of log file that are virtually the same as the three already shown.
    And that's the problem. Yet in your "blog", you state:
    There is still some doubt over whether the DoS attacks against Sys-Con actually existed or whether they were the result of 'The Slashdot Effect' for lack of a better term. I believe the DoS attacks did exist. I too was initially skeptical but based on e-mail correspondence I now believe them to have happened. In fact, from what I can tell the attacks were distributed, thus making this a DDoS.
    Yet now you seem to be saying that the "distributed" portion was NOT the wget action you mentioned.

    So, the "distributed" portion was nothing more or less than the /. effect?

    Which only leaves that single IP address with the wget command. And it should be easy to determine whether that was an "attack" or an attempt to cache their site.
  13. Send money to Groklaw. on LinuxWorld Senior Editorial Staff Resigns · · Score: 1

    Don't send that stuff to her relatives.

    It would only give the media another circus to cover which means more of an invasion.

  14. Please correct me if I'm wrong ... on LinuxWorld Senior Editorial Staff Resigns · · Score: 1
    But, from your "blog" ... this is an example of part of the "DDoS":

    127.0.0.1 - - [NN/May/2005:NN:20:44 -0400] "GET / HTTP/1.0"
    200 49107 "-" "Wget/1.9.1" eudora="autourl"


    Now, from one of my logs on my home server:

    192.168.1.188 - - [01/May/2005:13:52:27 -0700] "GET /~conner/ HTTP/1.1" 200 4626
    "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050405 Firefox/1 .0 (Ubuntu package 1.0.2)"

    So ..... I'm going to guess that you've "blocked" the IP address of the machine(s) doing the wget with "127.0.0.1". But why you would do this, I don't understand.

    Wouldn't your first step be to locate the machines with those IP addresses at that time and see if they were faked or not?

    If they were not faked, wouldn't it make sense to see if you could contact the owners of those machines?

    This may be far less than a DDoS "attack".

    It may just be several people attempting to download EVERYTHING on sys-con's site. Maybe in an attempt to get the material in a local cache so it wouldn't be destroyed by sys-con.

    It would only appear to be a DDoS if those addresses were assigned to machines that the owners DID NOT use to wget those files.

    As you state:
    My opinion is that the DoS was a combination of a few factors. First, the sites were Slashdotted twice this week. I distinctly recall conversations with Sys-Con in the past when the sites got Slashdotted and then became unavailable or severely degraded. So, in effect, a Slashdotting could hamper the performance of the Sys-Con sites anyway. Not only did the sites get Slashdotted, but other news outlets picked up on the stories as well thus generating even more traffic. Finally, the proverbial straw that broken the camel's back were the extra requests generated by the HTTP GET requests.
    I believe that you're still over-using the "DoS" statement.

    You should have all the info to verify those wget commands as legitimate (people archiving sys-con's site prior to a "cleansing") or an attack (machines hitting sys-con's site without their owner's knowledge).

    Since the machines were already straining under the /. effect (compounded as other media sites picked up the story), the additional archiving would easily have caused the server errors that many people saw.

    Just because a server cannot hold up under the demand does NOT make the demand an "attack".
  15. Here is the difference. on LinuxWorld Senior Editorial Staff Resigns · · Score: 3, Interesting
    When MOG got the info on PJ, NONE of it showed that PJ had any special contacts or services with IBM.

    With Gannon, it was shown that he had LOTS of special contacts and such with the White House.

    The story wasn't about Gannon. The story was about how the White House had no problems giving special permissions to a gay hooker and allowing him to use a fake name to lob soft questions.

    Now, IF MOG had turned up evidence that PJ was supported by IBM or IBM's lawyers and faked the "privacy" issue in an attempt to hide that connection, then THAT would have been the story.

    But even THAT would NOT have been a reason to publish her Mom's address and pictures of her house.

    Since MOG could NOT dig up the story she wanted to publish ... she published the info she had and refered to PJ as a "harridan".

    If Gannon had NOT had any special priviledges from the White House and had NOT used a fake name, then publishing personal details about him would also be over the line.
    Here's a related concept: privacy no longer exists. Get over it.
    Don't try to hide behind that bullshit.
    Our choices are either pretend we have privacy and be subject to random exposure and to surveillance by the powerful, or to recognize the truth and ensure a level playing field for everyone.
    Digging into people's lives takes time and money.

    There will ALWAYS be a discrepency between what the average person can spend (time and money) digging and what "the powerful" can spend.

    So there will never be "a level playing field" like you believe.
  16. That article was linked all over the web. on Free Software Mag Interviews Sys-Con Publisher · · Score: 1

    I'm sure it had a LOT more hits on it than her other articles.

  17. Big time. on Free Software Mag Interviews Sys-Con Publisher · · Score: 5, Insightful
    From TFA:

    The "editorial board members" of LinuxWorld are appointed from among the leading professionals and participants of the Linux community at large.

    Well, that's just sweet. But what does it have to do with anything?

    LinuxWorld's independent advisory board and the core editorial team(s) have full editorial decision-making authority in everything that goes to print.

    But MOG doesn't appear in print. Her articles are posted on your web site.

    So what does anything about "print" have to do with this story?

    They funnel that passion into the accurate and unbiased editorial content that you look for in the pages of our magazine(s) every month and in every new issue.

    Still, not in print so why are you talking about this?

    We believe that a magazine such as LinuxWorld, supported by hands-on participants and leading industry experts, offers real-life editorial content that you will not find elsewhere.

    Hey! I can write this "note" and try to turn it into a free ad for my wonderful magazine.

    Our compensation and deep satisfaction is in knowing that we are providing a valuable service that benefits Open Source, Linux, and everyone in the industry.

    Yep. If I ever need to find PJ's mom, I'll know the site that provides that "valuable service".

    This is how LinuxWorld differentiates itself from other venues.

    Yep. Linux Journal certainly wouldn't publish that, even on its web site. Nor any other technical publication.

    On the pages of LinuxWorld you read articles written by the most knowledgeable and experienced professionals in the world.

    Did I mention the part about turning this into a free ad?

    Last but not least, we are pleased to announce that with the launch of our new Web site, we now made all our archived content and past issues available online.

    Thanks for having me on the show, did I mention my new web site? Can I do a quick plug for it?

    Please be sure to take a look at the "LinuxWorld Topics" section of our new Web site to explore our archived content grouped under a rich number of categories.

    I'm real sure I mentioned the free ad time. Right?

    Before I end my note, I would like to take this opportunity to share with you our publishing guidelines.

    End your note? You haven't even gotten to the subject.

    We believe in the Golden Rule.

    Give us the gold and you make the rules.

    In all our dealings we strive to be friendly and courteous, as well as fair and compassionate.

    This was not a single article. Read the past ones. You'll see an ongoing stream of hatred.

    But those were okay to put on your sites.

    We treat sources, subjects, and colleagues as human beings deserving of respect. We show compassion, show good taste, and avoid pandering to lurid curiosity.

    Hmmmm..... You might need to check this page then - http://linuxbusinessnews.sys-con.com/read/49228.ht m?CFID=39636&CFTOKEN=75BBE516-14D5-139B-BC4011A448 3558B3

    Yep, Linux Business News on the sys-con.com site. And if I may post some of the hate there:

    Whatever you think of his politics, McBride may have a point or two. How come such an influence peddler is so mysterious?

    So, PJ is "mysterious".

    The name PJ is apparently a nom de plume or, in this case maybe it's a nom de guerre.

    Maybe it stands for "Pam Jones".

  18. Trojans are the current, biggest threat. on Microsoft To Offer Virus Defense · · Score: 1
    By your definition, viruses aren't much of a problem to begin with.
    Viruses were a VERY big problem back in in the 90's.

    But, over time, the threats change to take advantage of new avenues.

    Email trojans are currently a much larger threat to most people than viruses are ... currently.
    We have malware outbreaks every few months where I work, amd it's always a trojan or worm, never a virus.
    That's the current situation.

    In the future, cell phone worms may be the biggest problem.

    Over time, the threats change.
    Sure, disallowing modification of executables would make it easier to clean up after a problem, but it would also make it a pain to patch software.
    Nope. It is easy to patch my Debian systems. I just have to su to root.
    Software that patches itself without user intervention would be disallowed by this scheme, I'm thinking.
    Exactly. And that is because it is a HUGE security hole.

    A security model states what can and cannot be done by which users, etc.

    Not allowing something to be done IS part of the security model. Even if a different OS does allow that.
  19. That IS the flaw. on Microsoft To Offer Virus Defense · · Score: 1
    Worms and trojans frequently exploit holes in the OS, but traditional viruses work by modifying executables.
    And an OS that allows a regular user to alter executables is FLAWED.

    The OS should PROTECT the executables.
    Unless we disable the ability to write to the disk (or disable the ability to execute code), viruses aren't going away.
    No. You don't need to stop disk writes.

    You need to stop modifying existing executables by regular users.

    On Linux, this is easy. Which is why viruses do not spread on Linux systems.

    Trojans exploit human nature, not the OS.

    Worms exploit flaws in a running service.
  20. That's a "trojan", not a "virus". on Microsoft To Offer Virus Defense · · Score: 1

    Microsoft made spreading trojans EASY when it allowed the extension to be hidden. You think it's a picture, but it's an executable.

    Real viruses aren't that common right now.

    Stopping trojans requires a different approach than stopping viruses. To prevent trojans, you either have to disable the user's ability to run new code or only allow new code to be run in a sandbox.

  21. Marketshare != Security on Microsoft To Offer Virus Defense · · Score: 1
    While what you have said is correct, one thing that you have not addressed is that, for some virus writers, getting their spooge to spread as far and as wide as possible is the goal.
    And the goal of many robbers is to get cash.

    The most cash is in the banks.

    Yet the robbers rob people's homes instead of banks because the banks have far better security than most homes.

    It isn't the desire ... it's the security model.
    If you wanted to have your creation on as many systems as possible, would you target a less popular system that is as air-tight as a collander, or would you take the time to find a hole in the most in-use system?
    And if your skill level is not sufficient to find a hole in the secure system ... then your virus never happens.

    Just because you WANT to find a hole that can be exploited at your level of skill does not mean that one is there.
    Now, if the OS is coded correctly, it would be a LOT harder to find security holes in it.
    Yep. That's the whole point. Any script-kiddie can write a "virus" for Windows and it can spread easily.

    Security is not about marketshare.

    Security is about restricting the avenues of attack.

    If Linux is so secure that 99% of the people writing viruses for Windows will NOT be able to write them for Linux, that means that Linux will have fewer viruses.
    Even the most well-designed and built OSes have some holes and security flaws.
    Yep. But having "some" holes is not the same as having a flawed security model.
    They've tightened up, but you are fooling yourself if you think they are bulletproof.
    No one ever said they were "bulletproof".

    All it takes for Linux to be safe from viruses is for Linux's security model to be secure enough that the infection rate falls below the repair rate.

    If the virus is being removed from machines faster than it can spread, the virus is dead on Linux.
    My argument is that, if some system other than Windows were dominant, there would be a lot more focus on finding those flaws.
    I understand that argument.

    It has been made many Many MANY MANY times before.

    That doesn't make it any more accurate.

    Having people looking for flaws does not mean that flaws for them to find are magically created.
    Attention would be on the bigger target.
    Again, looking for something does NOT mean that you will find it if it does not exist.
    However, it has a lot to do with how many exploits are found that would not be noticed if someone were not specifically looking for them.
    No.

    Finding exploitable holes requires the following:

    #1. That an exploitable hole be there to be found.

    #2. That a person of sufficient skill be looking for exploitable holes.

    Then, for that to actuall BE exploitable, the hole has to be in a sub-system that is common on Linux boxes. Finding an exploit in a 7 year old app that isn't included in any distribution any more won't get you very far.

    And for those reasons, Linux is more secure than Windows AND will have fewer viruses even when it has more marketshare.
  22. No, not part of the OS, just fix the OS. on Microsoft To Offer Virus Defense · · Score: 4, Insightful

    Viruses exploit a flaw in the security model of the OS. Fix the flaw and the viruses cannot spread.

    Anti-virus software should NOT be part of the OS.

    But, by that same token, Microsoft should NOT be selling anti-virus software.

  23. And THAT is the real problem. on Real-ID Passes U.S. Senate 100-0 · · Score: 1
    Corrupt workers indeed...
    Sarcasm aside, good point. The card will work exactly on those it doesn't need to work on, while leaving large avenues for exploitation
    The good people will NOT be made any safer by this.

    The bad people will have an EASIER time getting ID's to use in any state.

    Which means the good people will be LESS safe with RealID than they are right now.

    Wait until the first news story breaks about some punk drug dealer with 3 different RealID's.
  24. It goes even further than that. on Real-ID Passes U.S. Senate 100-0 · · Score: 1

    You're just covering the aspects that apply to the LAW-ABIDING citizens.

    So, the good people now have an increased risk of having their identity stolen.

    But this is a worthwhile trade-off because this system will stop the bad guys, right?

    No. This system will HELP the bad guys by giving them an ID that will be accept NATIONWIDE but can be picked up at any corrupt worker in any state.

    So, I commit some crimes in NYC and I'm having some problems.

    I pick up a faked Wisconsin ID and move to California. Now I have a clean slate. It isn't like the CA cops will have any reason to suspect my RealID.

  25. Your point #5 on Real-ID Passes U.S. Senate 100-0 · · Score: 2, Insightful
    5 Only as long as the thief doesn't:

    1. Create a fake realID (incredibly difficult, but nothing's impossible)
    Or more likely...
    2. Use easier to forge documents to gain a realID, then use that as a basis.

    Usage of the realID to prevent identity theft is spotty at best, and really, putting all of our trust into a single ID sounds to me like inviting identity thieves.
    You left off corrupt workers filing fake RealID paperwork.

    Since this thing will be accepted NATIONWIDE, the value of it to criminals will go through the roof.

    And remember what Capitalism has taught us, where there's a market, there's a supply.

    So, the bad guys can search the entire nation, looking for the weakest link to exploit because the return will be HUGE.

    Right now, people pay thousands of dollars (per person) to be smuggled into the US. With RealID, they arrive with a nationally accepted identity.

    This system is "brittle". Once any ONE point (out of thousands) is cracked, the entire system is open.

    And the incentive to find that weakest point is huge.