Slashdot Mirror


User: KidSock

KidSock's activity in the archive.

Stories: 0
Comments: 662

Comments · 662

  1. Re:IE attacked because it's common on Microsoft Says Firefox Not a Threat to IE · · Score: 1, Troll

    "They say IE is a target because it's everywhere, ... Why don't we hear about a new buffer overflow or mishandled JPG in Apache every two weeks?"

    Apache is trivial by comparison. IE actually opens and loads a wide range of outside inputs including image files, text of different encodings, media files, XML, scripts that it loads and runs, plugins of all types, etc., whereas Apache only accepts text input, some authentication blobs, and outputs uninterpreted blocks of data from files or does very basic script execution to bootstrap stuff on top (e.g. PHP).

  2. Re:Hey Linus - you won! on The Votemaster Is...Andrew Tanenbaum · · Score: 1

    http://www.electoral-vote.com was running Apache on Linux

    If he served the site on minix Truman would have the most electoral votes.

  3. No Feedback Loop on Flying By Brain · · Score: 1, Interesting

    The scientists were able to train the 'brain' to control the plane in the simulator and to react to conditions of the plane.

    I seriously doubt this is true as there is very little incentive for this "brain" to perform. When you "train" an organism you need some feedback loop like bananas, agar gel, money, etc. to encourage the organism to favor one behavior over another. Frankly a collection of neurons just isn't powerful enough to "learn" how to fly a plane.

  4. Re:I'm not sold on Goodbye SNMP? Hello, WS-Management · · Score: 1

    Yes, you're right. I'm wrong. Blah. I didn't think traps could execute arbitrary commands (e.g. mailx).

  5. Re:Help? on Goodbye SNMP? Hello, WS-Management · · Score: 1

    Go download net-snmp (it's free!) and try to do something useful with it, ...

    When I said "simple" I meant the protocol should be simple to conserve resources and reduce the potential for exploits. If you're having problems with a particular implementation I don't think that qualifies as an argument against the protocol. Using an XML/HTTP based implementation isn't necessarily going to be easier.

  6. Re:I'm not sold on Goodbye SNMP? Hello, WS-Management · · Score: 1

    The SNMP MIB tree is hierarchical.

    That wasn't my point. What does:

    ucdavis

    give you? The database may be hierarchical but the data in messages is not. If the response is XML with one round trip you can retrieve an entire tree of information.

    But you're right about traps. I didn't think they were that sophisticated.

  7. I'm not sold on Goodbye SNMP? Hello, WS-Management · · Score: 4, Interesting

    I don't mean to pooh pooh this idea just because it's somewhat Windows specific but the only real advantage I see to this over snmp is that the delivery modes are more sophisticated and the data can be organized hierarchically. So why not just add builtin event notification to snmp? Otherwise using XML for something that should be a low-cost service seems wrong to me. System monitoring should be as small and SIMPLE as possible to reduce the possibility for exploits as it will likely be running with a high level of anonymous access on almost every workstation, server, and router in the organization. The whole thing smells of XML pixie dust designed to drive up requirements and thus sell servers and new software to go with. If you have a problem with snmp then fix it. Don't reinvent it with techniques that are expensive in clock cycles and exploits.

  8. Re:Dumb Question on GDI Vulnerabilities: An Open Letter to Microsoft · · Score: 1

    Why the hell are there multiple copies of the same, critical, shared system library...

    I don't think they mean the same JPEG library is installed in multiple places. I believe a third party DLL can be statically linked against another library such as the JPEG library. I don't know if that's true in this case but that wouldn't be entirely unreasonable. The vendor may want to try to minimize the impact of future releases or simplify packaging.

    The real question is: is this exploit triggered by kernel code and thus runs effectively as SYSTEM? Mentioning GDI seems to insinuate that is the case but I doubt GDI code actually parses JPEG files.

  9. Theory VS Practice on Bill Gates Gives $20M to CMU for New Building · · Score: 1

    ...because CS shouldn't be about practical implementations, but rather theoretical concepts...

    This is exactly the opposite of what I believe. We desperately need more education in "practical implementations". One of the biggest problems with software today is that very very few people know how to actually produce it and a fraction of those are given the latitude to deliver it. What good is theory when our applications are riddled with race conditions and yet people are debating how the buttons look. There needs to be much much more work regarding practical applications of computer science. In particular our general method of developing software is horrible. At least all of the methods that I have been witness to are absolutely pathetic. They should be talking about state machines, data structures, and algorithms, and not degenerate use-case analysis that some clueless MBA created with MS Project.

  10. Re:chroot and UML on Critical Mozilla, Thunderbird Vulnerabilities · · Score: 1

    Yeah, that's pretty clear. As fonzi would say, "I'm wro-wro-wro-wrong" :-)

  11. Re:chroot and UML on Critical Mozilla, Thunderbird Vulnerabilities · · Score: 1

    IE runs just fine as a limited user.

    Fine but IIRC the last two exploits in IE were graphics library related. I don't know for sure how deeply that gets its hooks into the kernel but my understanding was that the bulk of GDI code is in the kernel. In which case it won't matter what the security token of the current thread is because it won't be the current thread parsing and loading the image file.

  12. chroot and UML on Critical Mozilla, Thunderbird Vulnerabilities · · Score: 4, Interesting

    Mmm, I wonder what it takes to run Firefox in a chroot jail. Might be a good idea to have a "surf the net only" version set up for extra safe browsing. I fear the amount of libraries necessary to do that. Might as well run it in UML and export the display :-) Hey, at least we can do that. MS apps don't conform well to the Principle of Least Privilege.

  13. How Long to Setup a Website? on Faster Updates for DNS Root Servers Arrive · · Score: 1

    When I set up my little sister's website the registrar was pretty quick with their side. I think I had the domain and DNS records set up in ~2 hours. And it was a weekend. But of course those entries didn't propagate up and down to my ISP for ~48 hours. So that's a total of ~50 hours to conceive a site and have it running for the world to see. So will this be any different now?

  14. In all my years on Why is Java Considered Un-Cool? · · Score: 2, Insightful

    I have never seen so much utter nonsense as what I'm seeing posted in this forum today and my karma has been 5 since 1999. I code more in C now than I ever did in Java but clearly you people have no clue what makes a good programming language or how to program. Java is a great programming language. Most of these posts are downright incorrect. And why the opinionated ones get modded Insightful is beyond me.

  15. Re:A reminder on Gravitation Anomaly Measured · · Score: 1

    Oh, yeah. I forgot about that.

  16. Re:Oh I bet this is fair and balanced on An Objective Review of UnixWare 7.1.4 · · Score: 1

    Did you READ the article?

    It's written by an "independent reviewer" because Newsforge didn't trust anyone on staff to qualify as unbiased.

    Did you THINK about what this "independent reviewer" is going to do when asked to write a review for a client that he knows is biased?

    He knows if he writes good things the client isn't going to publish the review and he isn't going to get his name linked on /.

    Bzzt.

  17. Re:A Note on memory addressing on Intel Begins Shipping 64-bit Prescotts · · Score: 4, Funny

    Thus, total system memory size for these processors is limited to 64GB

    Oh, no! Does that mean I can't run Longhorn?!

  18. Mozilla on CERT Warns Of Multiple Vulnerabilities In Libpng · · Score: 2, Interesting

    So does mozilla statically or dynamically link with libpng?

  19. Re:I heard of this before... on High Definition TiVo Bash Software Hack Claimed · · Score: 2

    If you've RTFA, you'd realize:

    Obviously RTFA didn't help you understand why the principle of this offer is flawed. Basically this is like saying "If you donate money to GreenPeace we will torch some Hummers." They are using a premeditated illegal action as a sort of endorsement for an organization. Therefore the correct response is for the EFF to denounce illegal activities regardless of whether or not they believe the laws are constitutional.

  20. Unraveling the Mystery of Protein Folding on Artificial Prion Created · · Score: 2, Informative

    Life at the molecular level is a very interesting topic. It's mysterious, it's a great unexplored frontier, and understanding it has direct consequences on our lives. I think you'll feel the same way if you read the following article. It's written specifically to be more accessible to the average reader but I assure you as a biochem major it is not a trivial explanation. You'll really understand what prions are and just how protein mis-folding is responsible for mad-cow and Alzheimer's.

    Unraveling the Mystery of Protein Folding by W. A. (Bill) Thomasson
    http://www.faseb.org/opar/protfold/protein.html

    Enjoy!

  21. Good for them! on Africa Enters Global Market For IT Outsourcing · · Score: 1

    Seriously, Africa needs this. India may be overcrowded but they have more graduate degrees than the entire US workforce and even the poorer folks are generally pretty civil. Africa on the other hand is one of the few places where a few hundred thousand people can be slaughtered and not get any attention in the news. There are many countries that are horribly poor. In the long run that hurts everyone. The key to battling this sort of problem is education. The smarter the kids are the less likely they will fall victim to AIDS, participate in gang violence, kill rhinos, etc.

  22. Great on North Korea Opens Official Website · · Score: 0

    Is it really smart to send thousands of exploit-riddled IE lusers to a website run by a government that is known to actively conduct computer espionage?

  23. Re:Unbelievable on NZX Moves To Oracle On Linux · · Score: 1

    True.

  24. Unbelievable on NZX Moves To Oracle On Linux · · Score: 3, Insightful

    I cannot believe the spin on this post. Even for slashdot this is way below the bar. Anybody who knows the slightest thing about databases knows that a performance improvement like this is not attributed to which operating system or database you use. They would have had to be running Access on Windows98 on a 386 ACER laptop to see a performance increase like this. Obviously there's something else going on. For example, a simple change in how tablespaces are organized could be responsible in which case it would be possible to do precisely the same thing with just about any reasonable DB/OS.

  25. Musharraf's Motorcade on U.S. Government Sometimes Jams Keyless Car Locks? · · Score: 1

    I absolutely believe they can and do block such things. Recall when some extremists in Pakistan tried to blow up Musharraf's car as it drove over a bridge but because they were jamming the signal it didn't go off until shortly after it passed by?