Slashdot Mirror


User: Xenophon+Fenderson,

Xenophon+Fenderson,'s activity in the archive.

Stories: 0
Comments: 393

Comments · 393

  1. Quote much? on Blackberry Network is Down · · Score: 1

    There were so many double-quotes in that write up that I thought it was a """paean to VMS""". It's nice to see that Python continues the practice.

  2. Oh, now it makes sense! on Blackberry Network is Down · · Score: 2, Funny

    I got in trouble with my wife last night for not reading her emails to me, and I could not figure out why synchronization wasn't working. Thank you, Slashdot! You saved my marriage!!!

  3. It's Back to Windows XP for Me on Information Technology Pros Debate Windows Vista · · Score: 1

    My Windows Vista Business Edition upgrade DVD arrived with my latest Action Pack shipment. I've been looking forward to Vista primarily for its user interface improvements (love the new Start menu), promises of performance gains (e.g., boot-time speed-ups), and updated tablet PC support (better handwriting recognition, performance fixes, etc). I tried it out on a Dell Latitude D410, because I had too much stuff sitting on my tablet that needed to be backed up. Of course, the laptop's video card precluded the new Aero interface, but I don't care a lot about Mac-like eye candy.

    On Wednesday, I re-installed Windows XP on the laptop. Several of the applications on which I depend for work either malfunctioned (VCON vPoint HD could send audio/video but not receive) or crashed (the Cisco VPN Client would stop responding, then blue-screen Vista upon shutdown/reboot). I spent an excessive amount of time searching for updated Bluetooth drivers, DVD playing software, and so forth, and I was unable to find compatible drivers for my old IBM webcam (which I replaced) and my PC5740 EVDO wireless card (though Smith Micro says that updated drivers should be available some time in the next few months). (I also had to upgrade several older applications and utilities, including anti-virus software, but that's to be expected.)

    I'm also not as impressed with the user interface. The new Start menu is about the only thing that I like. The rest of the navigation and UI changes make me feel like I'm in a maze of twisty passages, all alike. For example, the Control Panel offers a lot of different functionality, but it feels very cluttered to me. Folder views were also unnecessarily complicated. I like the basic "list" and "details/sort by name/arrange in groups" views in Windows 2000, XP, and 2003, but re-creating them in Vista took a little too much fiddling (and even then, the "arrange in groups" views didn't quite do what I wanted). I can tell that I've been using Plone for too long, because I have been thinking about a file system browser where a savvy user could code up various custom views as page templates in DTML or TAL. :)

    If I didn't depend on this laptop for work, I probably would have stuck with it - UI bloat included. As it is, I think that I'll wait at least until the summer before revisiting Vista. I didn't expect so many significant compatibility problems, given my generally positive experience during the Windows 2000-to-XP transition. I might give Vista another try sooner, assuming I can find time to image my tablet. I am really, REALLY interested in the new Tablet PC features, but my tablet has even more arcane hardware than the Dell Latitude (e.g., a fingerprint sensor, the digitizer). As much as I'm looking forward to reviewing the tablet stuff, I'm not looking forward to the inevitable driver hunt. :(

  4. Re:One thing that RIM is crippling on RIM Crippling BlackBerry Bluetooth Speed? · · Score: 1

    Asking for permission first isn't exactly what I would call a common trait amongst the hackers I know (nascent or wizened).

  5. Re:Asking the wrong question on Traveling with Too Many Chargers? · · Score: 3, Funny

    Oh look honey: Someone who gets to travel for pleasure, not business. How quaint.

  6. A different take on A Security Guide For Non-Technical Users? · · Score: 1

    I grew tired of the all-weekend-long disk recoveries, so I approached the problem of my Mom and siblings the same way I would in a small-to-medium-sized office: extreme paranoia plus enterprise management. First, I tried my best to encourage my family to be suspicious of every email, every web site, every floppy disc (or CD-R, or flash stick). I bragged about all of the hacking demos that my buddies and I performed, especially the ones where we wrote our own viruses and set up dummy web sites that look almost (but not quite) like the real thing. Nowadays, Mom is pretty good about not running anything that she receives in an email, even if it looks OK like a movie or an MP3 file, unless she's expecting it.

    Then, I set up an enterprise environment in miniature. I have a standard desktop environment, with application software and browser security settings pushed out from a central location. (If someone ran into a web site they couldn't use, I told them to call me and that I would help them get it working.) I moved all of their files off their computers and onto my server, where I could run backups and create mirrored disks and so forth. For my parents, I set up a branch-office VPN (thank God for OpenVPN and OpenWRT). I encouraged everyone to move to my hosted email system, where I set up anti-spam and anti-virus filtering. The whole setup isn't perfect, and there are aspects of it that might not scale in the real world (though I still plan to install a server at Mom and Dad's house in order to get a second replica of everyone's home directories, the directory service, and the email system). It also costs money and time that some people might not have. I didn't mind buying the software or building the infrastructure. The whole thing evolved over the last 6 years - maybe three or four major iterations of the general idea - and it's only gotten really stable in the last two.

    So keep 'em scared of the big scary Internet, so that they don't trust what pops up on the browser or in their mailbox, and layer defenses around them and shove the right tools and settings down their throats, so that they don't have to worry about keeping themselves up to date or anything silly like that. If OneCare or MyCIO or ASAP or whatever weren't so blasted expensive and worthless, I probably wouldn't have made this much of an effort. I mean, security services that don't automatically include off-site backup? What idiot came up with a risk assessment missing "Availability"? The biggest threat to home users isn't the exploit du jour - it's the hard drive that inexplicably fails, taking 5 years' worth of kids' photos and your Mom's poetry journal with it.

  7. Re:My experience... on A List of Linux Migration Stories? · · Score: 1

    Also, I've not had the troubles installing applications on Windows that I have had installing them on Linux.

    One killer feature that is missing from the Linux distributions I use regularly (RHEL 2/3, FC4/5) is a software deployment mechanism. Group policies plus Windows Installer (MSI) packages really make my life easier, even when I'm just supporting my family. I am aware of tools like cfengine, and I am certain I could script yum commands out via SSH, but I'm forced to admit that Microsoft's interface to that sort of thing is really nice. (I haven't used systems like ZENworks, Tivoli, or SMS, but I'm told that they're pretty good, too.) I'd love to see a Linux distribution (Redhat?) provide enterprise management tools similar to what AD/GPO/MSI give me, especially if it could give me a pretty GUI to a well-formatted text-based config file (unlike the binary/XML mess that Microsoft and Apple try to shove down my throat).

    I guess I could write such a system myself in my copious free time. :)

  8. I include the GPL in MSI license dialogs on Should the GPL be Used as a Click-Wrap? · · Score: 1

    I've re-packaged a few GPL-ed (and ZPL-ed) programs as Windows Installer (MSI) packages. I always include the applicable license text in an Agree/Disagree dialog box, as I feel that (a) end users should be aware of the terms governing the use of software in their possession, and that (b) it is necessary to agree to the terms of these licenses in order to be able to use, to copy, and to modify the covered software. The GPL et al operate on a legal theory that assumes the acceptance of the license when someone uses, copies, or modifies the covered work (otherwise, that person has no legal right to use, copying, or modification). In creating that license dialog box, I am merely making explicit this assumed license acceptance.

    Of course, these EULA dialogs are generally ignored by all end users, so the whole question is practically moot, anyway.

    (I'm not a lawyer. This isn't legal advice. I could be very well wrong, legally, ethically, and morally.)

  9. "+ 1 we think you're a terrorist" on You Have Been 'Randomly' Selected? · · Score: 5, Funny

    Now THAT would be an awesome addition to the Slashdot moderation system!

  10. I suppose not on First Phase of AIDS Vaccine Trials Successful · · Score: 2, Interesting

    I still think that's a rather skewed viewpoint of American/European research efforts, but you're right: I'm an IT guy, not a scientist. It is pretty sad that profit-driven research seems to give us yet another treatment for erectile dysfunction. I'm glad that biomedical research isn't just the province of Big Pharma, and as much as I don't like how Bill Gates got his money, I really like this part of what he's doing with it.

  11. You know nothing about US-funded med research on First Phase of AIDS Vaccine Trials Successful · · Score: 2, Interesting

    The United States, via government agencies like NIH/NIAID or USAID, funds and performs extensive research on HIV/AIDS, malaria, and tuberculosis in situ throughout Africa and Asia. When you get a free moment, take a look at CHAVI or NIAID, maybe do a few Google searches on the scientists' names. And all of these projects' participants, all the way down to admin staff and IT types like me, realize the current heavy burden of these three diseases on Africa and Asia (both socially and economically). I realize you have issues with large pharmaceutical companies, but please don't think that they are the only ones who do medical research here and abroad.

  12. Re:Speaking as one who has been burned... on Consumer Reports Creates Viruses to Test Software · · Score: 1

    Oh good grief. It isn't very difficult to contain newly-written virus/worm code in a sandbox. In any case, it's pretty obvious that straight pattern-recognition doesn't work. From my perspective, the A/V companies are just complaining because they know how badly they already perform against things like the wild list. Unfortunately, real-time (or near-real-time) analysis has its own problems (though in retrospect, my testing behavior-based hIPS while running normal virus scanners at the same time was probably a mistake akin to running two A/V products simultaneously).

  13. Re:Come on guys.. on Lead PHP Developer Quits · · Score: 3, Interesting

    Even with the posted IRC logs, this may not be the entire story. I haven't scrolled through enough of the 600+ comments yet, and I can't verify the legitimacy of the quotation. But let's assume it's valid. The guy is supposed to be in Afghanistan right now. That means he is taking preventative medication for malaria. At least one of the anti-malarial drugs typically administered by the U.S. military in Afghanistan, mefloquine (a.k.a. Lariam), occasionally causes mental problems. It's rare - usually, mefloquine just causes an upset stomach or insomnia - but it's possible that the degree of this fellow's reaction is induced by the medication. If he lost close friends in the attack, it's also conceivable that he was so overcome that his comments on IRC were made in the heat of the moment, especially given the following (very low-key) email. It's probably better to give the fellow the benefit of the doubt, concentrate on his positive contributions, and move on.

  14. Re:virtualization + detection on Why Popular Anti-Virus Apps 'Don't Work' · · Score: 1

    This product already exists in the form of ISS's Proventia Desktop. Unfortunately, it introduces a noticeable delay when executing a program the first time (for VM execution and analysis) and only a slightly noticeable delay when executing a program the nth time (for comparison against an MD5 hash; if the hash is different, it re-scans the program). As far as I can tell, this process happens on every PE file load as well as the usual "non-executable" executable-bearing file types like .doc or .zip. It's a great idea - no signature updates (like most AV software), no complicated API access control list (like most host-based behavioral IPSes) - but it was brand new as of last year. Our performance problems may have been exacerbated by the fact that we were running this in tandem with McAfee VirusScan 7.1/8.0, both of which are serious resource hogs. Running something like Proventia Desktop together with a main-stream AV product might be akin to running multiple anti-virus systems in tandem - not usually a good idea.

  15. No thanks on Is Bughunting Still A Way Into the Games Industry? · · Score: 1

    With all of the talk about the deplorable working conditions in game development companies, I'm surprised anyone wants to work in that segment of the industry.

  16. Re:First Name on New Clues for Antikythera Mechanism · · Score: 1

    Hey! I resemble that remark, you insensitive clod!

  17. Examining AJAX on Head Rush Ajax · · Score: 1

    The AJAX technique appears to be pretty simple. To me, it looks just like RPC. I've been poring over the Google Maps JavaScript. It appears to marshal (unmarshal) native data types to (from) XML, which it exchanges with the back-end server over HTTP. The hard parts, I imagine, are in developing the XML style sheet (i.e. the RPC protocol itself) and in creating the user interface (i.e. the RPC client). The only documented samples out there mimic Google Suggest, which is pretty straightforward when compared to Google Maps. I wish better public documentation and tutorials existed.

  18. Re:OpenVPN rawks the Casbah on VPN Solutions for Small/Medium Businesses? · · Score: 1

    Except Schneier says (on the page to which you linked):

    "These changes address most of the major security weaknesses of the original protocol. However, the revised protocol is still vulnerable to offline password-guessing attacks from hacker tools such as L0phtcrack. At this point we still do not recommend Microsoft PPTP for applications where security is a factor."

    That same page links to the updated paper, which concludes:

    "Microsoft has improved PPTP to correct the major security weaknesses described in [SM98]. However, the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password chosen by the user."

    So, new version or no, I still think PPTP is unsuitable for general use. Offline password analysis is a serious flaw, especially given the poor quality of most users' passwords plus modern tools like rainbow tables.

  19. OpenVPN rawks the Casbah on VPN Solutions for Small/Medium Businesses? · · Score: 5, Insightful

    I really like OpenVPN. It works as a client or a server on Windows, Linux, FreeBSD, Mac OS X, and other operating systems, and it is pretty easy to install, configure, and run. I just followed the how-to. It operates over UDP or TCP, you can tunnel it through HTTP or SOCKS proxies, and the server can use any cipher or hash available in the OpenSSL library. PPTP is ubiquitous, but it has serious flaws. IPSEC is supposed to be standard, but interoperability is a configuration nightmare (especially if you try to do something complex, like use X.509 certificates, or something non-standard, like authenticate users against RADIUS). Firewall/NAT traversal can present serious challenges in some cases as well, as some firewalls can't handle non-TCP/UDP protocols. CIPE requires special support in the operating system kernel and only works on Linux and Windows, and tunneling TCP over TCP (when running PPP over SSH) is a really bad idea.

    I'm using OpenVPN to tie routers running OpenWRT (Linux), routers running FreeBSD, and workstations/laptops running Windows, FreeBSD, and Mac OS X together. It works flawlessly.

  20. ObBatman on Spirit Rover Reaches Safety · · Score: 1

    YES! This new rover could use atomic batteries for power, and turbines for speed!

  21. Re:Bad idea on Cleaner Air Adds To Global Warming · · Score: 1

  22. Re:Simple enough... on A Searchable Virus Database? · · Score: 1

    Screw that. I want a public malicious code archive. As soon as I figure out the legal ramifications and code up a web interface, I'm going to set one up. I'm tired of all of the "in the know" companies and researchers having access to information that mere mortals can't touch.

  23. Re:Comparison of File Systems on A Good Filesystem for Storing Large Binaries? · · Score: 1

    I read that as "incredibly, incredibly pricky", but your working makes sense, too.

  24. One question on King Tut Killed by a Knee Infection? · · Score: 1

    What's a Nubian?

  25. Re:Not an improvement but biz as usual. on Netflix Throttling Heavy Renters · · Score: 1

    Doesn't the Post Office act as an agent for the receiver? If so, Netflix could be engaging in fraud if they are not registering those DVDs as having been received when the Post Office postmarked them.