On perceptions of Microsoft: "We must also work to change a number of customer perceptions, including the views that older versions of Office and Windows are good enough and that Microsoft is not sufficiently focused on security."
Ignoring the uphill battle that they have convincing people that they are focused on security (read the news lately Ballmer?), how on earth do you change someone's view that older office and windows are good enough? I mean if it is, then it is.
Can we soon expect to see MS trash-talking all previous versions of their software? Or perhaps ridiculing their users for not being sophisticated enough to need the latest worthless widget they have crammed into Word? That could be entertaining.
The UN does a lot of good all around the world.
Their latest goodwill project seems to involve trying to block the investigation into their oil for food scam. Thank you, UN.
Finkployd
Andross reveals his true form.
Been there, done that.
they're primarily used after the fact to identify people or to follow people attempting to evade the police.
And you know that this is their primary use because........the government told you so? I'm no conspiracy theorist, but that is awfully trusting. Do you suppose they would tell you if they used those cameras for any non-after-the-fact use?
Finkployd
They really do respond quickly, usually the first time I hear of a new exploit is when automatic update prompts me to download and install it. Usually a few days before it's posted on Slashdot for the second time.
From your perspective, yes they respond quickly. Join a few security mailing lists and hang out with security people and you will see just how long it takes them to fix exploits that some people (perhaps not you or slashdot) know about. Believe me, the crackers and script kiddies are not relying on slashdot to let them know about 0day exploits.
Finkployd
Your work sounds quite interesting. Any thoughts on what possibilities for enhancements open up when synthetic eyes become a possibility? Night vision, zoom, infra-red, etc? Is there any biological reason why that data (instead of normal light wavelengths) could not be processed and sent to the brain?
Finkployd
Too many instances of the feds "caught" with information they shouldn't have should have pretty much put this myth to bed anyway.
Blind trust in (any) government will likely be the downfall of any country.
Finkployd
If someone with resources (like China) wants to break the code, then the code will get broken, it's just that simple unfortunately, although it may take a while to do, with today's most modern and high-powered computers, you could easily crack a message perhaps even within a day.
The current estimate to brute force AES, Blowfish, and the like is beyond the estimated lifespan of the universe. RSA is even worse (especially if you are using 2048+ bit keys). Unless there is a clever cryptanalysis attack that none of the best minds in cryptography (outside of the NSA and other government agencies) have figured out, then I'm not worried.
Besides, why spend the billions on supercomputers to take astronomical amounts of time to crack messages when you can just say "hand over your decryption key or I kill your family while you watch"?
Finkployd
And how many terrorists have been caught in the last three years using powers allocated by these new gargantuan bills? Didn't think so. Any terrorists who have been caught recently have been under surveillance for a _LONG_ time.
I don't presume for a second to know what electronic surveillance has yielded. We are still learning TODAY what the surveillance and cryptanalysis did for us in WWII...
Finkployd
Really? Who oversees them?
Finkployd
How many terrorists or plots has all of this surveillance stopped? Close to zero. How many terrorists or plots have been stopped by plain old, word-of-mouth, guy-on-the-street info? More than the high-tech surveillance.
Not that I completely disagree with your point, but how on earth do you know?
In WWII nobody except a select few knew that the only reason the war was won was pretty much exclusively due to the Ultra secret (breaking the Enigma and other crypto the Germans and Japan used). The secret was kept for decades.
It may not be likely, but you never knew. High tech surveillance may have prevented dozens of major terrorist attacks. They certainly are going to make that public knowledge.
I've been using Moz with MBNA since around 98 or so.
There may have been a time when I was faking the browser ID string, but I don't think so.
Never missed a credit card bill...
:) I guess it is possible that in those 3 months I wasn't using the credit card. Either way, it shows that people complain and stuff like that gets fixed.
Finkployd
AT&T was like that. All it took was me telling them their Blackberry site was blocking non-IE requests for them to change it. Granted it still warns you but at least the site is accessible.
This is what I am proposing we do. Complaining to Bugzilla is not going to do a thing. Let's get on the asses of the people who are making these boneheaded web design decisions. Enough people complain and they will fix it.
Finkployd
You misunderstand. I am referring to the difference between making a mistake, but then making an effort to fix it, and making a mistake, and then blaming everyone but yourself. All the while not fixing it.
I'm wondering at what point it becomes criminal negligence.
Finkployd
I would venture to guess that the majority of users who (1) know to do this and (2) know how to do this are probably not using IE anyway.
Finkployd
Even on my older PC (500MHz K6-2), Firefox loads and performs visibly about the same as IE under Windows. Admittedly if I timed them Firefox is a bit slower but it is unnoticeable (to me anyway). If I were REALLY concerned about that I'd go back to an older version of IE, which are faster yet.
For real world use, IE and Firefox seem to perform about the same speed-wise.
Finkployd
IE is not compromised so often just because it's poorly written
Popularity or not, if it were not so poorly written (and so slow at fixing its poor code), it would not be compromised. Popularity or not. Witness IIS vs Apache.
Whether or not Moz has the kind of exploitable holes that IE is riddled with is yet to be seen. However the real saving grace will be with how quickly they fix any possible vulnerabilities AND how catastrophic said vulnerabilities are.
Finkployd
For them to be successful you are assuming that there are exploitable holes in Mozilla/Firefox. We do not know that there are. We DO however KNOW that there are exploitable holes in IE.
It doesn't matter so much about the attractiveness of a target if it is simply more secure. Witness Apache vs IIS.
Finkployd
You know, everyone says that but I never have problems. I've been using Mozilla (and then Firefox) for ages and I constantly do online banking (psecu), access my (admittedly too many) credit cards (mbna, discover, amex, etc) via web sites, get all my news online, buy stuff online, etc. The only time I ever had a serious problem using a website that was designed for IE and didn't work in Mozilla was AT&T's Blackberry webmail client. Seriously, that is THE ONLY ONE.
I think this whole "IE is required for banks, online stores, etc." is a big FUDdy myth. Start pointing out sites that do not work with standards if there are so many and let's all encourage those sites to fix their broken stuff.
Finkployd
The difference of course is that Sendmail and Apache fix security vulnerabilities in a reasonable amount of time (usually days, if not hours).
Furthermore, there are generally also configuration changes you can make in the meantime to these products to nullify the vulnerability. There is nothing you can do with IE except disable ActiveX and set the security level to high which (1) makes IE somewhat unusable and (2) STILL doesn't completely protect you.
Finkployd
I agree with you about the ruling.
However I do have a problem with people having an expectation of privacy in email. How long have we had email now? How many times has it been drilled into people that it is not private? How many high profile legal cases have highlighted this fact?
Finkployd
If it is on a postcard, yes. Do you expect them to avert their eyes when they come across a postcard?
Finkployd
If by "popular" you mean "only used by a handful of dorks performing a sort of digital circle-jerk", then yeah, it's popular...
You are talking about the internet right?
Finkployd
I don't use the default settings, and I doubt this would have gotten past my firewall trying to get out. Further, nothing gets "silently installed" on my machine. I have a monitor that records DLLs mapped into the IE and explorer shell process spaces and alerts me when it finds something out of the ordinary. Ditto for the shared Win32 service process. I routinely check MD5 checksums of common DLLs in my system. I don't expect anything to get in through IE; in fact, IE is the least of my worries.
That is quite impressive (seriously), but I submit that you are in a very small minority when it comes to the diligence you display regarding your Windows system. The vast majority of people do not know that what you are doing is possible, let alone how to.
Sadly for them there is literally no safe way to browse the web if they are using IE. The vulnerabilities are unpatched, there is no magic bullet configuration change to nullify them, and there seem to be a significant number of sites affected.
There wasn't any record of such vulnerability in IE yesterday.
CERT has had records published of unpatched vulnerabilities in IE for weeks now. Which is why they are recommending that it not be used.
That doesn't mean you won't get one in Mozilla tomorrow. If someone can find a vulnerability in the Linux kernel and root Debian and GNU I doubt Mozilla is going to fare much better for any amount of time, especially as more people start to use it.
Quite true. However I feel more comfortable with these technologies as they have significantly better track records. It can be argued that they do only because they have not achieved critical mass yet to be targets, but regardless the end result for me is the same. A safer system.
Finkployd
I remember him saying when Windows NT was still vapourware that, "NT will be so easy to use, all point 'n click, that you will be able to hire sysadmins 'off the street'!"
Looking at the state of Windows admins today, I think he might have predicted exactly what ended up happening. They don't seem to be the most competent group around.
Finkployd