Yes, that's exactly how it's supposed to work - just ask any civil rights marchers from the Deep South, for instance. Once the government realizes that they can't throw everyone in jail, the laws get changed. Or sometimes you get a new government.
Really, you're taking a gamble that enough other people will join your civil disobedience that the government can't ignore you.
I agree - it's a bad situation. That's why the user's tools should protect them from viruses, rather than the user having to consider all of these strange conditions.
Not that I'm a huge fan of it, but I've never noticed this scale of virus/worm behavior when using Netscape/iPlanet servers and the Netscape Mail client. Sure, they have their share of crashes and some security holes, the same as any application. But that software has never been the great breeding ground of viral attacks because it doesn't make it nearly as easy for such attacks to spread. Or you could use any number of other MTAs, like sendmail (probably a bad security example, that:) or qmail, with just about any mail client in the world. None of them perfect, true, but none of them as broken-by-design as Outlook+Exchange.
And even if some mail software does permit such attacks, they wouldn't spread as well if everybody was using different kinds of software. It's the Microsoft Monoculture that's the other half of the problem - they've not only provided some great virus-spreading software, they've used illegal monopoly power to put it on everyone's desk. The result is millions of dollars in lost time, and I'm not even going to think about all of the documents that have been destroyed, sent to competitors, etc. If that's not consumer harm, I don't know what is.
Oh well, maybe someday the DOJ will quit hassling small-time college warez h0undz, and get back to hassling the big criminal on the block. But I'm not holding my breath.
Except I thought I heard all the warez folks saying they just collected, cracked, and traded it for fun, like baseball cards or something. How does making it cheaper really affect that?
Sure, mistakes can happen in both technologies. But it didn't take the Unix world scads of worms and millions of lost time and money in the business world to figure out that having your email client be hijackable by any email sender in the world is a bad idea. Although I'm not sure if Microsoft "gets it" even now.
Really, the whole virus/worm email thing is just a symptom of how Microsoft doesn't really understand the Internet as a whole. Their stuff used to only work in a PC context, and later would mostly work for a small workgroup. Now they're working up to corporate-wide software systems, but they still don't really conceive that there will always be part of the 'net that's not run by Microsoft, and thus can't be trusted to play by their (lax) rules.
Even worse, of course. That's where Joe Salesguy starts hearing "only open email from someone you know", at which point he might as well just go home early, or go back to deal making over the phone. This is a ridiculous expectation to put on the users of email - that they have to outwit their tools and be constantly on guard just to get a day's work done.
I guess it depends on where you think the problem is - by definition, a fix where the problem isn't is a band-aid. I thik the problem is with the software given to users that can betray them so easily, so that's what I want to see fixed.
You're never going to fix the outside world, and you will have great difficulty in sufficiently insulating your innards from it. For pervasive forms of communication like email, if you don't want to bring business to a halt, you have to harden your internal systems so that email can't bring it down by firing off viruses and worms. And I think it would be simpler, more efficient, and ultimately more secure to fix the users' systems so that they do what the user wants, not what the email sender wants, rather than trying to set up a company-wide filter that will handle everyone's mail and must be 100% accurate as far as what is a benign email and what is a malignant one.
He was also saying that the filter scans for Word macro viruses, etc. - those things can still get you. I'm not convinced that the last possible way to get Outlook to execute something has been found yet, either. So far I haven't seen anything to convince me that we're close to being able to filter things sufficiently enough to really rely on them indefinitely.
Blocking attachments is a band-aid in the sense that it doesn't solve the real problem. Sure, if you paste enough band-aids together you can cover over even a gaping hole, but IMHO that's not the right way to fix the problem - it makes you very dependent on band-aid manufacturers, for one thing.
And that's why I would suck at writing buggy, insecure email programs. I can't even execute an arbitrary unknown attachment properly, for cryin' out loud:)
I'd rather filter for a couple weeks until I installed a mail client that wasn't susceptible to this kind of stuff, and then quit worrying about the filter. But I suppose you could also use the filter for other somewhat useful things, like limiting attachment size, scanning for dirty words, etc. And if the bounce message informs the worm-ridden sender that they have a problem, then that's all for the better I guess.
Fair enough - that is exactly the term that I should have used. After a length of heavy use it is possible to say that the preponderance of the evidence indicates stability.
Mail Filter == BandAid, nothing more. I'm glad that it protects your small company for now, but you have to realize that the filter is only as good as the filter set, and someday someone will get past it and you'll have another worm outbreak. The only way to be really safe is to fix your users' email programs so that they don't easily execute things that the users are sent. Fix the root of the problem, not the symptom.
So, which Unix mail reader will automatically execute an ELF binary when I click on it? Examples, please. Even from a shell account with a text-based reader, I'd have to save the attachment and then:!execute it, or something like that.
I dunno, it seems to me that they point out security problems in any OS every chance they get. Microsoft just seems to furnish more frequent and more severe chances:)
P.S. You knew there was bias when you came in here - learn to live with it like the rest of us, or move on down the road to windowsmag.com or something like that.
That's the idiot that picked Outlook/Exchange for the corporate messaging system, right? Sorry, I'm not ranting at you, but I hear this a lot at work and want to set the record straight.
I don't think it's fair to blame the user for not knowing that ".txt.pif" is a magic extension that can hurt their computer, or just to tell them "don't open email from someone you don't know". The fact of the matter is that it's wrong for your email client or your web browser to executed code from an unknown source, and the user should have to take positive steps (more than one) to execute such things. Microsoft's email tools are fundamentally broken, even to the point where they betray their supposed ease of use by requiring the user to puzzle over which emails are safe and which aren't.
So no, I don't really blame the marketing guy for not knowing that ".txt" is OK but ".txt.pif" isn't OK - it's not his job to know. It's the job of the tools Mr. Marketing is given to tell the difference for him and not automatically or easily do something dangerous. And it's the job of corporate IT purchasers to make sure that the right tools are being given to Mr. Marketing. More than anything, the repeated Microsoft virus and worm attacks point to a fundamental failure to learn from past IT purchasing mistakes.
Don't get me started on my company's new internal IM system that only works from Windows - thanks for nothing there, guys.
Well, let me rephrase that. Part of stability is that the code stops changing so fast. This could be because no one is using the code and providing bug reports against it, or it could be because the code is "good enough" and there really isn't anything else to be done about it. Linux 2.0 really falls into that second category - it's good enough for what it does, and if you want more functionality, you move up to a later kernel.
I'm not sure how much the 1.x kernels were used, but 2.0.x were used a ton in a variety of commercial, industrial, and embedded realms. Although it's difficult to have certain proof of stability, I think we can use the massive amount of experience with 2.0.x as a proof that it is not unstable.
Hey, they're all supposed to be such geniuses - think what the software industry would be like if they were spread around a bit and actually using their enormous bulging crania for good rather than evil. If they're as smart as they keep telling us they are, they won't be unemployed for long.
If all you're considering is security and stability, then that's exactly what you should do. 2.0.x releases have been used for so long that there are reams of information available on how to tune them, and the chance of all security issues being knocked out is near 100%. Linux 2.2 is probably almost as good, but just hasn't had the years of stability (remember, part of stability is not getting a lot of updates or patches anymore) that 2.0 has.
Similarly, most of the problems with Win 98 have probably been knocked out by now. Not so with Win 2000, although that may be more due to the increased complexity of the OS rather than a particular large user base.
Re:Microsoft Passport vs. Liberty Alliance...
on
WinXP Security Flaw
·
· Score: 1
Quote 'o the day:
"Microsoft is challenged by the fact that people just fundamentally do not trust them," says
Scott Lowry, CEO of Digital Signature Trust, which provides online identity products.
P.S. the parent post is not redundant. Maybe slightly off-topic, but not redundant.
We don't post those stories, we have a guy called "The Turd Report" who posts them as diary entries. I was going to say "log entries", but I got to laughing too hard.
Slashdot Mirror
Yes, that's exactly how it's supposed to work - just ask any civil rights marchers from the Deep South, for instance. Once the government realizes that they can't throw everyone in jail, the laws get changed. Or sometimes you get a new government.
Really, you're taking a gamble that enough other people will join your civil disobedience that the government can't ignore you.
I agree - it's a bad situation. That's why the user's tools should protect them from viruses, rather than the user having to consider all of these strange conditions.
Then you're back to "only accept email from people that you expect it from", which takes all of the spontaneity and usefulness out of it.
Not that I'm a huge fan of it, but I've never noticed this scale of virus/worm behavior when using Netscape/iPlanet servers and the Netscape Mail client. Sure, they have their share of crashes and some security holes, the same as any application. But that software has never been the great breeding ground of viral attacks because it doesn't make it nearly as easy for such attacks to spread. Or you could use any number of other MTAs, like sendmail (probably a bad security example, that :) or qmail, with just about any mail client in the world. None of them perfect, true, but none of them as broken-by-design as Outlook+Exchange.
And even if some mail software does permit such attacks, they wouldn't spread as well if everybody was using different kinds of software. It's the Microsoft Monoculture that's the other half of the problem - they've not only provided some great virus-spreading software, they've used illegal monopoly power to put it on everyone's desk. The result is millions of dollars in lost time, and I'm not even going to think about all of the documents that have been destroyed, sent to competitors, etc. If that's not consumer harm, I don't know what is.
Oh well, maybe someday the DOJ will quit hassling small-time college warez h0undz, and get back to hassling the big criminal on the block. But I'm not holding my breath.
It's "genius", not "genious", so I'm not sure what you're getting at there.
And if all those Microsoft folks are getting new jobs, it's non-genius-type schmoes like you and me that are out of a job, not them :)
Except I thought I heard all the warez folks saying they just collected, cracked, and traded it for fun, like baseball cards or something. How does making it cheaper really affect that?
Sure, mistakes can happen in both technologies. But it didn't take the Unix world scads of worms and millions of lost time and money in the business world to figure out that having your email client be hijackable by any email sender in the world is a bad idea. Although I'm not sure if Microsoft "gets it" even now.
Really, the whole virus/worm email thing is just a symptom of how Microsoft doesn't really understand the Internet as a whole. Their stuff used to only work in a PC context, and later would mostly work for a small workgroup. Now they're working up to corporate-wide software systems, but they still don't really conceive that there will always be part of the 'net that's not run by Microsoft, and thus can't be trusted to play by their (lax) rules.
Even worse, of course. That's where Joe Salesguy starts hearing "only open email from someone you know", at which point he might as well just go home early, or go back to deal making over the phone. This is a ridiculous expectation to put on the users of email - that they have to outwit their tools and be constantly on guard just to get a day's work done.
I guess it depends on where you think the problem is - by definition, a fix where the problem isn't is a band-aid. I thik the problem is with the software given to users that can betray them so easily, so that's what I want to see fixed.
You're never going to fix the outside world, and you will have great difficulty in sufficiently insulating your innards from it. For pervasive forms of communication like email, if you don't want to bring business to a halt, you have to harden your internal systems so that email can't bring it down by firing off viruses and worms. And I think it would be simpler, more efficient, and ultimately more secure to fix the users' systems so that they do what the user wants, not what the email sender wants, rather than trying to set up a company-wide filter that will handle everyone's mail and must be 100% accurate as far as what is a benign email and what is a malignant one.
He was also saying that the filter scans for Word macro viruses, etc. - those things can still get you. I'm not convinced that the last possible way to get Outlook to execute something has been found yet, either. So far I haven't seen anything to convince me that we're close to being able to filter things sufficiently enough to really rely on them indefinitely.
Blocking attachments is a band-aid in the sense that it doesn't solve the real problem. Sure, if you paste enough band-aids together you can cover over even a gaping hole, but IMHO that's not the right way to fix the problem - it makes you very dependent on band-aid manufacturers, for one thing.
And that's why I would suck at writing buggy, insecure email programs. I can't even execute an arbitrary unknown attachment properly, for cryin' out loud :)
I'd rather filter for a couple weeks until I installed a mail client that wasn't susceptible to this kind of stuff, and then quit worrying about the filter. But I suppose you could also use the filter for other somewhat useful things, like limiting attachment size, scanning for dirty words, etc. And if the bounce message informs the worm-ridden sender that they have a problem, then that's all for the better I guess.
Fair enough - that is exactly the term that I should have used. After a length of heavy use it is possible to say that the preponderance of the evidence indicates stability.
Mail Filter == BandAid, nothing more. I'm glad that it protects your small company for now, but you have to realize that the filter is only as good as the filter set, and someday someone will get past it and you'll have another worm outbreak. The only way to be really safe is to fix your users' email programs so that they don't easily execute things that the users are sent. Fix the root of the problem, not the symptom.
So, which Unix mail reader will automatically execute an ELF binary when I click on it? Examples, please. Even from a shell account with a text-based reader, I'd have to save the attachment and then :!execute it, or something like that.
I dunno, it seems to me that they point out security problems in any OS every chance they get. Microsoft just seems to furnish more frequent and more severe chances :)
P.S. You knew there was bias when you came in here - learn to live with it like the rest of us, or move on down the road to windowsmag.com or something like that.
That's the idiot that picked Outlook/Exchange for the corporate messaging system, right? Sorry, I'm not ranting at you, but I hear this a lot at work and want to set the record straight.
I don't think it's fair to blame the user for not knowing that ".txt.pif" is a magic extension that can hurt their computer, or just to tell them "don't open email from someone you don't know". The fact of the matter is that it's wrong for your email client or your web browser to executed code from an unknown source, and the user should have to take positive steps (more than one) to execute such things. Microsoft's email tools are fundamentally broken, even to the point where they betray their supposed ease of use by requiring the user to puzzle over which emails are safe and which aren't.
So no, I don't really blame the marketing guy for not knowing that ".txt" is OK but ".txt.pif" isn't OK - it's not his job to know. It's the job of the tools Mr. Marketing is given to tell the difference for him and not automatically or easily do something dangerous. And it's the job of corporate IT purchasers to make sure that the right tools are being given to Mr. Marketing. More than anything, the repeated Microsoft virus and worm attacks point to a fundamental failure to learn from past IT purchasing mistakes.
Don't get me started on my company's new internal IM system that only works from Windows - thanks for nothing there, guys.
Well, let me rephrase that. Part of stability is that the code stops changing so fast. This could be because no one is using the code and providing bug reports against it, or it could be because the code is "good enough" and there really isn't anything else to be done about it. Linux 2.0 really falls into that second category - it's good enough for what it does, and if you want more functionality, you move up to a later kernel.
I'm not sure how much the 1.x kernels were used, but 2.0.x were used a ton in a variety of commercial, industrial, and embedded realms. Although it's difficult to have certain proof of stability, I think we can use the massive amount of experience with 2.0.x as a proof that it is not unstable.
Ah, if only he was the "Chief Hacking Officer and Assistant Directory". So close, and yet so far :)
Hey, they're all supposed to be such geniuses - think what the software industry would be like if they were spread around a bit and actually using their enormous bulging crania for good rather than evil. If they're as smart as they keep telling us they are, they won't be unemployed for long.
If all you're considering is security and stability, then that's exactly what you should do. 2.0.x releases have been used for so long that there are reams of information available on how to tune them, and the chance of all security issues being knocked out is near 100%. Linux 2.2 is probably almost as good, but just hasn't had the years of stability (remember, part of stability is not getting a lot of updates or patches anymore) that 2.0 has.
Similarly, most of the problems with Win 98 have probably been knocked out by now. Not so with Win 2000, although that may be more due to the increased complexity of the OS rather than a particular large user base.
Quote 'o the day:
P.S. the parent post is not redundant. Maybe slightly off-topic, but not redundant.
Crap, I think I'm on the wrong side of that equation, then :)
We don't post those stories, we have a guy called "The Turd Report" who posts them as diary entries. I was going to say "log entries", but I got to laughing too hard.
Or if you'd known Denise, apparently :)