Maybe there should be a constitutional law that any politician/leader proposing a war risks being _executed_ if he/she does not get enough referendum votes for the war proposal. e.g. 66% of the population must want war.
And another law so the said leaders could be redeemed if they get enough votes in a "Save me" referendum. e.g. 66% of the population must want a leader to be alive even though he/she proposed war and failed.
To me it's fair that you should risk your life as well if you are about to ask thousands or millions of your fellow citizens to risk theirs.
This way, there are far fewer ethical issues in citizens being targets for the war - since a significant majority wanted the war - they themselves feel that it is necessary to kill lots of people, put their own lives at risk etc etc.
As it is, leaders start wars without even majority support from the citizens.
Not talking about active voters, talking about total _citizens_.
It's because spammers are targeting stupid/ignorant people, and they're not going to bother with the extra effort required to get past half-decent spam filters of a few people, who won't be buying their stuff anyway.
Beating good or even average chess players is quite a big difference from detecting spam aimed at stupid/ignorant people.
So far my spam filters are working pretty well enough, and I haven't trained them for months. In fact I had to roll back some training (go back to older version) when it turned out to make it worse.
What you could do is to have a device that can read your thought patterns[1] as one of its possible inputs. And possibly send video to your brain via alternative methods[2] as one of its output channels.
That way you can set up "thought macros" for association with the device's perfect video/audio/photo memory.
You can also set up "thought macros" in order to control other devices (via that device). A form of virtual telekinesis.
And also communicate with other people - a form of virtual telepathy.
One of the biggest problem is actually not technological. It's copyright law. When you have perfect memory and people want to charge you to recall it or share it with others, or start imposing artificial restrictions, it could start becoming a nightmare.
[1] This is possible already, we have apes and other creatures controlling robotic arms with their thoughts.Also have a man who has lost both arms managing to controlling robot arms with a sense of touch too.
[2] Remember the seeing with tongue thingy? Brains can adapt to stimuli. Younger brains may have an advantage here.
That's fine if you only have a few buttons/windows. I usually have about 20+ to 30.
A fair number of the windows are titled Shell (and they have tabs - various connections to various machines, arranged so I can alt+tab easily between sessions to compare/monitor stuff etc, or put them side by side temporarily).
Even if the titles are the same, I usually have no problems remembering where which window is. Until KDE shuffles half of them just because I close one window. Heh, that makes me less likely to want to close windows - increasing clutter a bit;).
The other thing is the KDE icons seem to be all combinations of blue/orange by default and not very distinct. If you half-close your eyes, it's not easy to spot the diff between Kate and Konsole (Shell). Whereas if you look at the icons in other O/Ses, they are fairly distinct. OK, WinXP made some things a bit less distinct in the name of "progress/change", but OSS should aim higher.
Maybe it's just me?
Sure I can _cope_ with this. I'm a geek/nerd.
But the point is, it's not good. And Steve Jobs will definitely not call this sort of stuff insanely great.
Sure you can probably customize all these things, but a major part of usability is about picking good _defaults_.
Yeah it works on KDE too. You can also drag to a virtual desktop and activate the desktop and then drag it to the relevant task and so on. I've got things set so that all tasks from all desktops show on the same taskbar and are not grouped. Autogrouping isn't good for the way I work.
But unlike Windows, on KDE I can't press Esc to cancel the drag - I have to find a place where the drag is not allowed. Not sure what the key to do that is.
Anyway, point is, the Fold n Drop feature isn't that useful, when there's the alternative of dragging to the task's button.
Windows's taskbar already lets me drag and drop amongst arbitrary windows. You just drag the stuff to the task's button on the taskbar, wait till it goes foreground, then you drop it wherever you want.
I usually have more than 10 windows open, I don't want to waste time peeling through them one by one, especially when I know exactly which window it is (I just recently clicked its task button after all).
Once I have a taskbar, I don't often have to remember which windows are "below" or "above" each other. I just need to remember which task button represents the window to get to it.
Which comes to a related point - KDE orders the tasks on the taskbar top to bottom, left to right. This means that if you remove a task, the ALL of the tasks to the right of it will change their vertical positions. This is bad UI IMO. However the person in charge prefers it the way it is[1].
Windows does it left to right first then top to bottom. This means that only leftmost and rightmost tasks change positions if you remove one, so it's not as much of a mess trying to remember where a window is.
[1] Nope he doesn't go check with the "people in charge of Usability", because there aren't any. Which probably explains why Linux still has a mediocre GUI in terms of usability.
I am not a doctor but if the RSI pain is due to squashed nerves you could try methylcobalamin (it's a more easily absorbed methyl form of vitamin B12).
It doesn't fix whatever it is that causes your nerves to be squashed. But it keeps them alive whilst hopefully your body adapts;).
You should check with a decent doctor but usual starting dose is 1 x 500ug, three times a day after meals. You should notice within a week whether it helps or not. Side-effects and toxicity are quite low with vitamin B12.
What would be good for him would be low-cost battery-backed disks. Stick in a lithium battery (that lasts 10 years) into a HDD, add some RAM, and then your disk writing algorithms can be a bit different and perform better since you don't really have to write everything to disk, and data loss rates might actually go down, since when stuff is fsynced to the drive even if it doesn't hit the platters when the power fails, it's still on the battery backed RAM.
Whereas for most drives out there whilst fsync does mean the data is flushed to the drives, it doesn't mean it is flushed to nonvolatile storage - it could still be on the drive's caches.
If they really connect to your network, you may not really need to physically locate them to get them off your network.
What you could do is attach to the wireless network (don't try this in Florida;) ). If it appears to be connected to your corporate network, you can visit a website under your control and gather more info (e.g. if there's NAT/firewall involved what IP address it is), and then figure out the relevant IPs and MACs.
Next look for the MACs in all your switches (easily automated queries to your switches should do the trick). Once you've located the edge port they are on, and gathered a list of who's on that port, you can go figure out what to do next - like block them, and/or have a nice chat with the relevant culprit.
Oops correction. SuSE 9.1 at my workplace allows nonprimitive ACLs. I thought I remember trying to do it on some distro and it needed a kernel recompile or something stupid.
You ever tried filemon and regmon from sysinternals? I've used those a fair number of times to figure out what registry keys and directories misbehaving programs need to access.
If application developers still do that it really isn't Microsoft's fault. I believe it's been more than 5 years since they were told not to do that. It's just as if it were unix software insisting on being able to write to/usr/local/ _when_ executing.
I've managed to get a number of software to work with that. And the advantage of Windows NT/2000/XP is that it is a lot easier to create a group (e.g. gamers ) with the necessary privileges to those directories and registry keys and put the relevant users in the group. On NT/W2K you may need to use regedt32 to be able to change registry ACLs.
In contrast by default most Linux distros still use primitive ACLs and a file/directory can only have one group attribute.
Yes. People keep saying that Linux etc have solved the security problems of Windows. If Linux as easy to use as that, users will just be as vulnerable.
What we need is a distro/OS that will automatically run stuff by default with restricted privileges. Less than the main user account. Then when they run the little thing that shows them stock prices, it can only show stuff and it can't hang around.
Already seeing signs of that sort of stuff with windows firewall software, however it is still a bit klunky.
You don't always need an executable attachment to exploit someone. Just a buffer overflow or security problem in a plugin and so on. And then you'll enter the realm of my main point - by default the exploit has full main user account privileges.
Email and other apps on Linux have to handle "file associations" otherwise people won't be able to open pdfs docs etc easily.
Also how is Joe Average going to install and run stuff sent to him from friends?
"Cool screensaver, to install/run: sh screensaver"
Don't forget there were LOTs of users who actually entered zip passwords in order to execute malicious binaries.
And an AC on this topic said this: "See, Linux DOES solve this problem. Want to change a file association? No problem. Want to install a browser plugin? No problem."
And he thinks that means "Linux" is more secure compared to Windows which requires higher privileges to do that. Imagine that.
Whoopee.
An attacker just has to get a user to associate stuff with the "appropriate" program. Or pick an extension to target a suitable program.
I was responding to the claim about "flaws in the security model" and claims that open source O/Ses have fixed those.
As far as I see, there are no major effective differences in the security models (ignoring Win9x and their like) from the perspective of the usual attacks - trojans, worms, viruses, dumb users etc.
SuSE under the same circumstances with similar 3rd party software and users would be just as vulnerable.
Example scenario: SuSE 9.x/Windows XP user runs as normal user, checks email, does work, visits a website using an unpatched browser, gets exploited, _email_ and work documents can get compromised by exploit. User checks email, launches attachment, gets exploited. Same for both SuSE or Windows. Actually Windows XP SP2 might actually prevent some exploits from doing everything they want to even if the exploit is executed.
So what's the difference? Sure fewer people are attacking SuSE. That's because it's not worth it at the moment, not because attackers won't be able to do similar things or the same things.
Things would be safer if apps are run with less privileges by default - can only write to certain areas, read from certain areas, no network connections. But that would be a bit more of an inconvenience for Joe Average.
While it is indeed true it's the browser account that's compromised, it brings me to my main point - where it isn't that it's windows that makes it insecure.
The main problem with windows is the users browser/email accounts are typical high privilege accounts (or their main accounts with important data) AND the users will do silly stuff using those accounts. Once their main account is compromised it is usually good enough for the attacker - that machine can become a spam zombie (most linux distros won't prevent that either), or the attacker might even be able to escalate to an admin account using keylogging and other attacks.
Now if the browser accounts were _lower_ privilege accounts from the main user accounts, then that makes things a fair bit more secure. I've got that setup on some of the machines I use[1]. Even if I have an exploitable firefox or IE, it's harder for the attacker to read or affect my main account's data. It's not impossible - there are other attacks - e.g. shatter attacks, video exploits etc. But it is harder.
With respect to chroot, Windows does have enough fine grained control over the file system and the its registry. However if you are talking about jail ala freebsd and other security enforcement mechanisms then yeah Windows lacks those.
[1] I've this setup on my workplace machine (SuSE 9.1) and my previous workplace (Windows XP). So it's possible to do it for both O/Ses.
Currently on my home machine I actually view untrusted sites that require javascript etc using a browser running in a vmware virtual machine. I regard this as safe enough for my purposes.
I don't see Joe Average being willing to do what I do at home, but it shouldn't be too difficult for a distro to set things up the way I have it at work - just make sure the browser's downloaded/saved files and other files to be shared are stored in a folder that the main account can access (and other accounts can't).
Uh. This is not retina scanning. There's no contact with the iris scanner at all. How can infection spread?
Depending on how expensive the equipment used you can be from 6 inches away from the scanner to 2 or 3 feet.
This is possible becayuse all the scanner needs to do is take pictures of the iris which is visible outside of your eye.
I have tested such equipment. It does work, but for important stuff you still need people around to make sure it's being used the way its supposed to be used. E.g. not some guy with a fake iris strapped in front of a working/simulated pupil.
Thing is, this is just comparing pictures of something. It's only secure as long as it is too expensive/hard to make a copy that can be secretly used.
Print fake irises on contact lenses and you should be able to fool the cheaper scanners.
If you want to simulate a moving iris and pupil, maybe all you need to do is have some reading glasses on and jiggle it a bit. I haven't tested this, but in order to prevent significant false negatives I think it'll be hard to stop these sort of things.
"See, Linux DOES solve this problem. Want to change a file association? No problem. Want to install a browser plugin? No problem. "
Uh that is NOT more secure.
If it's so easy to install a browser plugin or change file associations as a normal user that could actually be a security problem too. Think about it - any software you run could secretly change the program used to open pdfs or other files. The bad guys just haven't got around to exploiting that.
Installing plugins and changing file associations is the same as installing new software or changing the way it behaves. And such things aren't _normal_ day to day activities and should require higher privileges. Whether it requires an admin or just a slightly more powerful user is open for debate.
In my opinion such things shouldn't be allowed to happen with the normal privilege levels, otherwise some exploit or some careless click on a trojan would result in the machine getting compromised. Just run a seemingly harmless executable and suddenly your file associations are changed, or some plugin is installed - and you may not even know what has happened. Whereas if you have to change privilege levels, it is harder for that sort of thing to happen without you knowing.
I am not a Microsoft fanboy. But I'm not a Linux fanboy either.
Netscape 4 sucked. It crashed so often it wasn't funny. I regarded it as a downgrade from Netscape 3. Both were also really slow at rendering tables compared to IE. I tried 6 briefly and gave up - can anyone tell me what improvements were in Netscape 6?
Mozilla crashes a lot AND by default it doesn't allow you to run separate processes - so when it crashes, everything goes. Stupid.
Whereas you can run multiple instances of IE as separate processes. So even if you crash it, only related instances die.
And on windows even if explorer goes crazy, you can usually use task manager to kill it and start a new explorer, and voila it's back (ok maybe the systray won't show everything, but like I care).
Whereas I've had situations with KDE where when the GUI goes nuts or locks up, even though the nonGUI stuff is still running fine (can ssh in etc), there appears to be NO way to restart the GUI and still have all the GUI apps back to where they are (data and all). Restart the GUI and say goodbye to your unsaved data in your GUI apps. OK I admit I just don't know X that well, but someone please tell me how to do it if it's actually possible.
The sort of windows users who keep getting infected by viruses are those who will launch email attachments (and even supply the necessary passwords to the encrypted zipfiles!) and not update their O/S or apps. I see nothing in Linux that prevents such users from getting infected, other than they aren't using Linux at the moment.
Mozilla/Firefox really isn't much more secure than IE.
If users run their browsers and email apps as root/admin whether it's Windows or Linux you'll have the same problems.
NOW, if users run their browsers using _different_ accounts/roles compared to their normal main user (nonadmin) account then they'll be in a much safer situation. You can do this on recent Windows O/Ses and you can do this on Linux.
Except old versions of Mozilla (e.g. from SuSE 9.1 which my workplace uses) insist on ignoring umask when saving files - thus making it hard to share downloaded files with the main user account.
You can secure Windows. The problem is doing it in a way Joe Average can accept. I don't see Linux etc solving that - heck you can't even get a standard desktop (talking about choice misses the point - it's the defaults). With windows, Helpdesk can tell Joe Average to click on Start->run etc. With Linux, is it Ubuntu or Kubuntu or SuSE or Redhat or Man-whatever-it-is-next.
If the OSS GUI people ever standardize on something, it'll be easier for the trojan guys to attack Joe Average - since it's easier to get a fake javascript/etc thingy to look like the proper/standard dialog (for a bit of phishing or something). As of now, it's likely to look different - so many Linux users customize their UI, and too few users will be fooled, so it's not worth it.
Hey Linux is useful (at work we can't do what we need to do without Linux).
But too many people don't seem to see that the reason why windows machines have so many security problems is usually because of the users.
Once Linux starts to allow 3rd party binaries to still work even if the kernel is updated for security issues, then Linux will have more software companies writing for it. However it'll mean the same "virus" that infects Linux 2.x will still infect 2.x+y.
Maybe SELinux and similar stuff will help. But as it is, Linux as installed by most popular distros out there is not really much better in terms of security architecture.
http://news.bbc.co.uk/1/hi/health/3241138.stm
6 82 ,00.html
http://wired-vig.wired.com/news/print/0,1294,41
So far it's for women, but I don't see why there wouldn't be a similar one for guys.
"Ethereal activity" was "a change in any MD5 signature or file-size for any file on the web server"
If a change in MD5 is sufficient cause to "disconnect" you can automate that.
Maybe there should be a constitutional law that any politician/leader proposing a war risks being _executed_ if he/she does not get enough referendum votes for the war proposal. e.g. 66% of the population must want war.
And another law so the said leaders could be redeemed if they get enough votes in a "Save me" referendum. e.g. 66% of the population must want a leader to be alive even though he/she proposed war and failed.
To me it's fair that you should risk your life as well if you are about to ask thousands or millions of your fellow citizens to risk theirs.
This way, there are far fewer ethical issues in citizens being targets for the war - since a significant majority wanted the war - they themselves feel that it is necessary to kill lots of people, put their own lives at risk etc etc.
As it is, leaders start wars without even majority support from the citizens.
Not talking about active voters, talking about total _citizens_.
I wonder what happens with people with RFID implants, tons of rings pierced everywhere or similar stuff.
;).
Well I guess its time for the foil hats (and clothes)
I wonder if people could use mirrors to reflect the stuff back at the attacker...
Uh. Spam filters do work.
It's because spammers are targeting stupid/ignorant people, and they're not going to bother with the extra effort required to get past half-decent spam filters of a few people, who won't be buying their stuff anyway.
Beating good or even average chess players is quite a big difference from detecting spam aimed at stupid/ignorant people.
So far my spam filters are working pretty well enough, and I haven't trained them for months. In fact I had to roll back some training (go back to older version) when it turned out to make it worse.
What you could do is to have a device that can read your thought patterns[1] as one of its possible inputs. And possibly send video to your brain via alternative methods[2] as one of its output channels.
That way you can set up "thought macros" for association with the device's perfect video/audio/photo memory.
You can also set up "thought macros" in order to control other devices (via that device). A form of virtual telekinesis.
And also communicate with other people - a form of virtual telepathy.
One of the biggest problem is actually not technological. It's copyright law. When you have perfect memory and people want to charge you to recall it or share it with others, or start imposing artificial restrictions, it could start becoming a nightmare.
[1] This is possible already, we have apes and other creatures controlling robotic arms with their thoughts.Also have a man who has lost both arms managing to controlling robot arms with a sense of touch too.
[2] Remember the seeing with tongue thingy? Brains can adapt to stimuli. Younger brains may have an advantage here.
I do use KDE - at work.
;).
That's fine if you only have a few buttons/windows. I usually have about 20+ to 30.
A fair number of the windows are titled Shell (and they have tabs - various connections to various machines, arranged so I can alt+tab easily between sessions to compare/monitor stuff etc, or put them side by side temporarily).
Even if the titles are the same, I usually have no problems remembering where which window is. Until KDE shuffles half of them just because I close one window. Heh, that makes me less likely to want to close windows - increasing clutter a bit
The other thing is the KDE icons seem to be all combinations of blue/orange by default and not very distinct. If you half-close your eyes, it's not easy to spot the diff between Kate and Konsole (Shell). Whereas if you look at the icons in other O/Ses, they are fairly distinct. OK, WinXP made some things a bit less distinct in the name of "progress/change", but OSS should aim higher.
Maybe it's just me?
Sure I can _cope_ with this. I'm a geek/nerd.
But the point is, it's not good. And Steve Jobs will definitely not call this sort of stuff insanely great.
Sure you can probably customize all these things, but a major part of usability is about picking good _defaults_.
Yeah it works on KDE too. You can also drag to a virtual desktop and activate the desktop and then drag it to the relevant task and so on. I've got things set so that all tasks from all desktops show on the same taskbar and are not grouped. Autogrouping isn't good for the way I work.
But unlike Windows, on KDE I can't press Esc to cancel the drag - I have to find a place where the drag is not allowed. Not sure what the key to do that is.
Anyway, point is, the Fold n Drop feature isn't that useful, when there's the alternative of dragging to the task's button.
Windows's taskbar already lets me drag and drop amongst arbitrary windows. You just drag the stuff to the task's button on the taskbar, wait till it goes foreground, then you drop it wherever you want.
I usually have more than 10 windows open, I don't want to waste time peeling through them one by one, especially when I know exactly which window it is (I just recently clicked its task button after all).
Once I have a taskbar, I don't often have to remember which windows are "below" or "above" each other. I just need to remember which task button represents the window to get to it.
Which comes to a related point - KDE orders the tasks on the taskbar top to bottom, left to right. This means that if you remove a task, the ALL of the tasks to the right of it will change their vertical positions. This is bad UI IMO. However the person in charge prefers it the way it is[1].
Windows does it left to right first then top to bottom. This means that only leftmost and rightmost tasks change positions if you remove one, so it's not as much of a mess trying to remember where a window is.
[1] Nope he doesn't go check with the "people in charge of Usability", because there aren't any. Which probably explains why Linux still has a mediocre GUI in terms of usability.
I am not a doctor but if the RSI pain is due to squashed nerves you could try methylcobalamin (it's a more easily absorbed methyl form of vitamin B12).
;).
It doesn't fix whatever it is that causes your nerves to be squashed. But it keeps them alive whilst hopefully your body adapts
You should check with a decent doctor but usual starting dose is 1 x 500ug, three times a day after meals. You should notice within a week whether it helps or not. Side-effects and toxicity are quite low with vitamin B12.
What would be good for him would be low-cost battery-backed disks. Stick in a lithium battery (that lasts 10 years) into a HDD, add some RAM, and then your disk writing algorithms can be a bit different and perform better since you don't really have to write everything to disk, and data loss rates might actually go down, since when stuff is fsynced to the drive even if it doesn't hit the platters when the power fails, it's still on the battery backed RAM.
Whereas for most drives out there whilst fsync does mean the data is flushed to the drives, it doesn't mean it is flushed to nonvolatile storage - it could still be on the drive's caches.
If they really connect to your network, you may not really need to physically locate them to get them off your network.
;) ). If it appears to be connected to your corporate network, you can visit a website under your control and gather more info (e.g. if there's NAT/firewall involved what IP address it is), and then figure out the relevant IPs and MACs.
What you could do is attach to the wireless network (don't try this in Florida
Next look for the MACs in all your switches (easily automated queries to your switches should do the trick). Once you've located the edge port they are on, and gathered a list of who's on that port, you can go figure out what to do next - like block them, and/or have a nice chat with the relevant culprit.
Oops correction. SuSE 9.1 at my workplace allows nonprimitive ACLs. I thought I remember trying to do it on some distro and it needed a kernel recompile or something stupid.
You ever tried filemon and regmon from sysinternals? I've used those a fair number of times to figure out what registry keys and directories misbehaving programs need to access.
/usr/local/ _when_ executing.
If application developers still do that it really isn't Microsoft's fault. I believe it's been more than 5 years since they were told not to do that. It's just as if it were unix software insisting on being able to write to
I've managed to get a number of software to work with that. And the advantage of Windows NT/2000/XP is that it is a lot easier to create a group (e.g. gamers ) with the necessary privileges to those directories and registry keys and put the relevant users in the group. On NT/W2K you may need to use regedt32 to be able to change registry ACLs.
In contrast by default most Linux distros still use primitive ACLs and a file/directory can only have one group attribute.
Yes. People keep saying that Linux etc have solved the security problems of Windows. If Linux as easy to use as that, users will just be as vulnerable.
What we need is a distro/OS that will automatically run stuff by default with restricted privileges. Less than the main user account. Then when they run the little thing that shows them stock prices, it can only show stuff and it can't hang around.
Already seeing signs of that sort of stuff with windows firewall software, however it is still a bit klunky.
You don't always need an executable attachment to exploit someone. Just a buffer overflow or security problem in a plugin and so on. And then you'll enter the realm of my main point - by default the exploit has full main user account privileges.
Email and other apps on Linux have to handle "file associations" otherwise people won't be able to open pdfs docs etc easily.
Also how is Joe Average going to install and run stuff sent to him from friends?
"Cool screensaver, to install/run: sh screensaver"
Don't forget there were LOTs of users who actually entered zip passwords in order to execute malicious binaries.
And an AC on this topic said this:
"See, Linux DOES solve this problem. Want to change a file association? No problem. Want to install a browser plugin? No problem."
And he thinks that means "Linux" is more secure compared to Windows which requires higher privileges to do that. Imagine that.
Whoopee.
An attacker just has to get a user to associate stuff with the "appropriate" program. Or pick an extension to target a suitable program.
You miss the point.
I was responding to the claim about "flaws in the security model" and claims that open source O/Ses have fixed those.
As far as I see, there are no major effective differences in the security models (ignoring Win9x and their like) from the perspective of the usual attacks - trojans, worms, viruses, dumb users etc.
SuSE under the same circumstances with similar 3rd party software and users would be just as vulnerable.
Example scenario: SuSE 9.x/Windows XP user runs as normal user, checks email, does work, visits a website using an unpatched browser, gets exploited, _email_ and work documents can get compromised by exploit. User checks email, launches attachment, gets exploited.
Same for both SuSE or Windows. Actually Windows XP SP2 might actually prevent some exploits from doing everything they want to even if the exploit is executed.
So what's the difference? Sure fewer people are attacking SuSE. That's because it's not worth it at the moment, not because attackers won't be able to do similar things or the same things.
Things would be safer if apps are run with less privileges by default - can only write to certain areas, read from certain areas, no network connections. But that would be a bit more of an inconvenience for Joe Average.
"I don't see any performance difference over previous versions"
;).
Of course, that's because your machine is no longer running hundreds of trojans and spyware. Naturally it's just as fast as before or faster
While it is indeed true it's the browser account that's compromised, it brings me to my main point - where it isn't that it's windows that makes it insecure.
The main problem with windows is the users browser/email accounts are typical high privilege accounts (or their main accounts with important data) AND the users will do silly stuff using those accounts. Once their main account is compromised it is usually good enough for the attacker - that machine can become a spam zombie (most linux distros won't prevent that either), or the attacker might even be able to escalate to an admin account using keylogging and other attacks.
Now if the browser accounts were _lower_ privilege accounts from the main user accounts, then that makes things a fair bit more secure. I've got that setup on some of the machines I use[1]. Even if I have an exploitable firefox or IE, it's harder for the attacker to read or affect my main account's data. It's not impossible - there are other attacks - e.g. shatter attacks, video exploits etc. But it is harder.
With respect to chroot, Windows does have enough fine grained control over the file system and the its registry. However if you are talking about jail ala freebsd and other security enforcement mechanisms then yeah Windows lacks those.
[1] I've this setup on my workplace machine (SuSE 9.1) and my previous workplace (Windows XP). So it's possible to do it for both O/Ses.
Currently on my home machine I actually view untrusted sites that require javascript etc using a browser running in a vmware virtual machine. I regard this as safe enough for my purposes.
I don't see Joe Average being willing to do what I do at home, but it shouldn't be too difficult for a distro to set things up the way I have it at work - just make sure the browser's downloaded/saved files and other files to be shared are stored in a folder that the main account can access (and other accounts can't).
Uh. This is not retina scanning. There's no contact with the iris scanner at all. How can infection spread?
Depending on how expensive the equipment used you can be from 6 inches away from the scanner to 2 or 3 feet.
This is possible becayuse all the scanner needs to do is take pictures of the iris which is visible outside of your eye.
I have tested such equipment. It does work, but for important stuff you still need people around to make sure it's being used the way its supposed to be used. E.g. not some guy with a fake iris strapped in front of a working/simulated pupil.
Thing is, this is just comparing pictures of something. It's only secure as long as it is too expensive/hard to make a copy that can be secretly used.
Print fake irises on contact lenses and you should be able to fool the cheaper scanners.
If you want to simulate a moving iris and pupil, maybe all you need to do is have some reading glasses on and jiggle it a bit. I haven't tested this, but in order to prevent significant false negatives I think it'll be hard to stop these sort of things.
"See, Linux DOES solve this problem. Want to change a file association? No problem. Want to install a browser plugin? No problem. "
Uh that is NOT more secure.
If it's so easy to install a browser plugin or change file associations as a normal user that could actually be a security problem too. Think about it - any software you run could secretly change the program used to open pdfs or other files. The bad guys just haven't got around to exploiting that.
Installing plugins and changing file associations is the same as installing new software or changing the way it behaves. And such things aren't _normal_ day to day activities and should require higher privileges. Whether it requires an admin or just a slightly more powerful user is open for debate.
In my opinion such things shouldn't be allowed to happen with the normal privilege levels, otherwise some exploit or some careless click on a trojan would result in the machine getting compromised. Just run a seemingly harmless executable and suddenly your file associations are changed, or some plugin is installed - and you may not even know what has happened. Whereas if you have to change privilege levels, it is harder for that sort of thing to happen without you knowing.
I am not a Microsoft fanboy. But I'm not a Linux fanboy either.
Netscape 4 sucked. It crashed so often it wasn't funny. I regarded it as a downgrade from Netscape 3. Both were also really slow at rendering tables compared to IE. I tried 6 briefly and gave up - can anyone tell me what improvements were in Netscape 6?
Mozilla crashes a lot AND by default it doesn't allow you to run separate processes - so when it crashes, everything goes. Stupid.
Whereas you can run multiple instances of IE as separate processes. So even if you crash it, only related instances die.
And on windows even if explorer goes crazy, you can usually use task manager to kill it and start a new explorer, and voila it's back (ok maybe the systray won't show everything, but like I care).
Whereas I've had situations with KDE where when the GUI goes nuts or locks up, even though the nonGUI stuff is still running fine (can ssh in etc), there appears to be NO way to restart the GUI and still have all the GUI apps back to where they are (data and all). Restart the GUI and say goodbye to your unsaved data in your GUI apps. OK I admit I just don't know X that well, but someone please tell me how to do it if it's actually possible.
Uh. How has OSS solved those problems?
The sort of windows users who keep getting infected by viruses are those who will launch email attachments (and even supply the necessary passwords to the encrypted zipfiles!) and not update their O/S or apps. I see nothing in Linux that prevents such users from getting infected, other than they aren't using Linux at the moment.
Mozilla/Firefox really isn't much more secure than IE.
If users run their browsers and email apps as root/admin whether it's Windows or Linux you'll have the same problems.
NOW, if users run their browsers using _different_ accounts/roles compared to their normal main user (nonadmin) account then they'll be in a much safer situation. You can do this on recent Windows O/Ses and you can do this on Linux.
Except old versions of Mozilla (e.g. from SuSE 9.1 which my workplace uses) insist on ignoring umask when saving files - thus making it hard to share downloaded files with the main user account.
You can secure Windows. The problem is doing it in a way Joe Average can accept. I don't see Linux etc solving that - heck you can't even get a standard desktop (talking about choice misses the point - it's the defaults). With windows, Helpdesk can tell Joe Average to click on Start->run etc. With Linux, is it Ubuntu or Kubuntu or SuSE or Redhat or Man-whatever-it-is-next.
If the OSS GUI people ever standardize on something, it'll be easier for the trojan guys to attack Joe Average - since it's easier to get a fake javascript/etc thingy to look like the proper/standard dialog (for a bit of phishing or something). As of now, it's likely to look different - so many Linux users customize their UI, and too few users will be fooled, so it's not worth it.
Hey Linux is useful (at work we can't do what we need to do without Linux).
But too many people don't seem to see that the reason why windows machines have so many security problems is usually because of the users.
Once Linux starts to allow 3rd party binaries to still work even if the kernel is updated for security issues, then Linux will have more software companies writing for it. However it'll mean the same "virus" that infects Linux 2.x will still infect 2.x+y.
Maybe SELinux and similar stuff will help. But as it is, Linux as installed by most popular distros out there is not really much better in terms of security architecture.
I'm interested whether anyone has told them of those problems. What was their response?
Just get their bishop involved or something. Heh.
Oops. what I meant by toys are these "robotic" stuff with no real new intelligence or innovation.