Somehow, I'm not concerned with the theoretical possibility that MS is just going to suddenly blanket revoke the licenses for everyone and the speculation on what this patent covers, despite the fact that no one speculating has read the patent text.
"Out of context"? That is a quote directly from the license. The sentence is reproduced in its entirety with no editing. It is a single sentence, contained entirely within its own paragraph. How do you believe it is possible to quote a single stand-alone sentence out of context? It cannot be out of its own context.
I see the retard brigade has woken up this morning to troll Slashdot. You obviously don't know what 'out of context' means. Being out of context has nothing to do with editing or even being contained within a single sentence. It can be an entire sentence, even two or three or four, quoted verbatim and still be out of context. Your quote neglects to mention what those "rights" are in the first place. Your quote doesn't even mention the patent, let alone what it covers. That's the context that's missing.
It means that Microsoft grant you a royalty free licence to their patents when you agree to their licensing terms, but you are not able to transfer that right to others.
Wow, you got all that from "you are not licensed to sublicense or transfer your rights"? Funny, because that quote mentions nothing in the CONTEXT of patents or royalties, yet you somehow extracted those out of it. I suggest you go look up the meaning of context now.
That said, that quote and nothing you've said so far describes what the patent covers, which is a specific implementation of XML processing software, as outlined by the link I pasted, WHICH YOU DIDN'T READ.
Lastly, why would you want to transfer those rights to anyone else? Microsoft is handing them out to everyone who wants them, what's the point in you trying to grant them?
Which is of course exactly what any Open Source program needs to be able to do in order for it to be distributed legally.
No, wrong, dead wrong. You're very confused. You're thinking specifically of a restriction of the GPL which doesn't apply to other Open Source licenses. And that's all assuming the patent covers what you think it does, which it doesn't.
Broad, non-specific. This could include any kind of use of the schemas.
That's just the patent summary. Patent summaries, being brief, are typically very broad sounding, even (especially?) when dealing with something that is very technical and complex. You need to read the actual patent text to see what it covers.
This has to be one of my biggest pet peeves when it comes to Slashdot readers. They get pissed off at patent applications based only on the patent summary.
No, and that pretty much pissed off everybody at W3C. They filed for the patent in secret while developing CSS with the other members of the W3C.
If that's the case and their patent is valid, why aren't they enforcing it against all implementations of CSS?
The issues are nothing to do with the schema itself, but rather to do with openness.
Actually, in the interview, he WAS making it about the schemas. And XML is more than just a bunch of tags, there are actually quite a few requirements in the standard, but you wouldn't know that, being ignorant and all:(
If you want to write an application that speaks it, you have to ask Microsoft; they can charge you money for telling you, withhold bits if they see fit, and withdraw the privilege anytime. And if you do anything that Microsoft told you not to do, they can punish you.
Wow. Nope. Wrong. Stop spreading the FUD. Not only do you not know what MS' patents cover (a specific implementation--which you wouldn't have to use), you also neglect to note that the patents are licensed "royalty free." You can download the XML Schemas and write fully compliant software for free. Wow. Totally closed. You're right.
You can expect the problem with Microsoft's format that only Microsoft -- and a chosen few appointed by Microsoft -- are allowed to write programs that can retrieve your data once it has been saved in Microsoft's proprietary format.
Nope, FUD-master is wrong again. Even if the patent covered that, the whole "royalty free" thing would have you there. Oh yeah, it's not proprietary when it's well documented, sorry if that concept is hard for you to understand:-(
Now someone else's document converter may well not be able to handle Microsoft's proprietary format correctly. Your data might become inaccessible!
Uh, the same could be said of OpenDocument, that's not a valid argument.
There is also a very real possibility that Microsoft may not exist 10 years from now, and they may take their proprietary formats to the grave with them.
HAHAHAHAHA, " a very real possibility"? Now the fud-master has gone off the deep end. Even if they went out of business, that would mean their patents would become void and everyone would be free to use the XML Schemas as they please, making it a wide open format. So in other words, your "very real possibility" would actually be a positive.
No such guarantee can be made in respect of Microsoft's schema.
Why not? Are all the copies of MS' schema going to be wiped off of every hard drive in existence? For such a popular format, what are the chances of it just suddenly *poof* vanishing into thin air?
I'm sorry fud-master, but your arguments are not only totally illogical, but they're batshit insane.
That's a nice out of context quote that doesn't actually specify what the patent covers. Did you not understand "royalty free"? Perhaps you should read this.
Yes. The XML Schemas are freely downloadable, you don't have to sign anything. They are just patenting their own software implementation that processes those XML documents. You can still make your own implementation.
if it's mixing in dynamic SQL queries there's a good chance it also has SQL injection holes.
I'll take that "if" to mean you haven't read the documentation and didn't actually watch the video. Stop frothing at the mouth about SQL injection holes. If you had bothered to watch the fucking video (which you didn't), you'd notice it has specific mechanisms to deal with them.
Also, its main purpose isn't to "catch bugs", it's to make things easier on the programmer. Abstraction toolkits like this are good. God forbid someone make things easier.
I call BS. First off, SQL is a set-based language. Very rarely do you need to loop over a result set (if you find yourself looping in SQL code, you're not thinking hard enough). Whatever "loop and operate" action you'd take with Python can be done quicker and more efficiently with SQL code than with app code.
And I call BS on your BS, because you didn't actually read what you were responding to. I'm beginning to notice a pattern here, first you start frothing at the mouth based on speculation from not having RTFV (video), then you do it for not reading the comment you're responding to. They specifically used the descriptive words "powerful" and "easier" not "faster." The issue isn't efficiency, no one is claiming that TurboGears produces the most efficient code. The whole purpose of TurboGears is to make things easier on the programmer, which is what this does. Designing the logic within Python, which actually does allow you to do quite a bit more in terms of 'business logic', makes things easier.
Finally, while it may be "easier" for a developer proficient in Python and not the SQL dialect used by your chosen DBMS, that's a cop-out. As so many people are so fond of saying, you should use the right tool for the job.
No, even for someone very proficient in SQL it's still easier in Python due to these bindings. Of course, not having actually read anything about TurboGears (e.g. the documentation) and engaging in rampant speculation and all, you wouldn't know that.
And they ARE using the right tool for the right job, you should follow your own damn advice. TurboGears is designed for jobs where EASE is a priority over efficiency. GUESS WHAT, efficiency isn't always the #1 priority, genius.
You speak boldly, but you can't read worth shit, exercise critical thinking skills nor even follow your own advice.
I've intentionally ignored the problem of database portability, because a) you should be using stored procedures, which means you'll want to port them yourself anyway for maximum benefit, b) you should be using a proper DBI layer such that you just have to tell it, "I'm using Oracle now instead of Postgres, do the right thing", and c) because you're using stored procedures, you won't be switching to a DBMS that doesn't support the
A isn't even a "reason", it's just a circular statement. "You'll want to do it because you'll want to." B isn't valid either, which leads me to believe that you're not actually a database programmer, since DBI layers don't just magically translate from one proprietarism to another. If you DO use an SQL stored procedure, you're forced to stick to strict standards, otherwise the DBI layer becomes useless. C is just a lame excuse to bash MySQL, it's not even a real reason. Keep on frothing there, buddy.
Sure, if you want an uglier, single paradigm language that's harder to maintain, it's great. But us non-zealots prefer to use languages that are easier to read and don't think that a single programming paradigm is the end-all and be-all.
The "lines of code" argument is tired, old and bullshit, frankly. Anyone can write a minimal line version of practically anything, but that says nothing for maintainability, readability or anything else. Someone's written a 3 line RSA utility in Perl, but have you taken a look at it?
RTFA yourself. The article said nothing like that, it says the opposite. Escape analysis involves storing things on the stack because, AS THE ARTICLE STATES, stack allocation is very efficient.
You act as if they're being generous or something. Most, if not all, of those licenses are already GPL compatible, so they could be combined with any GPL code anyway. So all they're doing is saying "hey, we're making a special 'exception' to allow you to do what you could already do anyway."
So yes, the grandparent is right, you are forced to release it under a GPL license. All BSD/MIT/LGPL/whatever code can be safely licensed under the GPL regardless of any special exception.
You're also missing the point too, that anything that is not under an open source license can't use those libraries, which is ridiculous. I don't even know why they bother doing it, since they're forcing people to write libraries under more lax licenses, which only delays the matter.
The only people who can complain about the MySQL licensing policy are freeloaders who want to benefit from free software without giving anything back to the developers or the community. You will, I trust, forgive me if I don't weep for such people.
Congratulations, you just described the vast majority of OSS software users. Most of them don't have the expertise to give anything back and most that do, give little or nothing. I'm betting that you yourself have given nothing back. Save your self-righteous indignation for someone else.
This goes against what the GPL was created for. The GPL was created to allow certain software to be 'free', which is what GPL'ing the MySQL daemon does. GPL'ing the library, however, is just being a control freak. The LGPL was created for the purpose of licensing unoriginal libraries that provide trivial or standard functionality (e.g. libc). If your philosophy were followed, things like libc would be GPL'ed and practically no one would use OSS, because they'd be forced to open source all their software just by the mere act of compiling it for an OSS platform.
Actually, they did find a correlation, they just dismissed it as cognitive decline as being due to age rather than marijuana use. They even admit the test they used isn't that sensitive to measuring cognitive decline. Guess you should read the study you paste:-(
Then you take a look and notice that they also created a "George W. Bush's Response to Hurricane Katrina" article. As if the title itself wasn't biased, the article contains a rather liberal biased perspective slanted towards shifting the blame on Bush.
Yes, Wikipedia does good with popular subjects that are non-controversial, but those are uncommon. Virtually everything, including technical subjects, becomes controversial due to zealots. The problem is that the system is not designed to handle them really, since Wikipedia admins/arbitrators aren't supposed to get involved in content/POV disputes (even though they actually do make thinly veiled attempts to do that). Inevitably one side of zealots wins, because the other side either tires out, is outnumbered and/or the side has the ideological backing of the dozen or so total arbitrators (whose decisions on Wikipedia can't be overturned).
Yes, this technology has a lot of potential. It also has scary consequences, since it can also basically map (if that's the correct term) every gene in your DNA. Microfluidics has already been used to create chips that can detect specific genetic defects. Now think about the implications about it, Gattaca style. Being able to identify any diseases/conditions and genetic predisposition towards disease/conditions can potentially be used for discriminatory purposes, especially with health insurance companies denying policies due to PREDICTED conditions. I don't think it's really going to be a big, alarmist deal in the future, but it will be a significant issue nonetheless.
I myself have actually gotten tested with one of these "genetic chips" for a genetic disorder relating to metabolization of drugs by a company called Genelex (there are other companies that do it too, but I don't know their names off hand). It's pretty interesting stuff. I've been too lazy to really compile resources, but this Wikipedia seems like a good starting point: http://en.wikipedia.org/wiki/Microfluidics
Honestly, do you really think they would manage to overlook something so obvious? I find it stunning that a Slashdot reader thinks that they've managed to easily find a fatal, obvious flaw in a sophisticated technology developed by prestigious researchers. I'm fairly certain they have people working on this much smarter and who have much better credentials than you.
Microfluidics, the type of technology involved here, doesn't just measure the types of things encountered in the blood stream, it can also measure the amounts of them as well. Not just that, but they can use this technology to analyze individual cells to see what is and isn't there, ruling out the possibility of it being non-cancerous through other indicators too, although I don't think this particular implementation does that.
Furthermore, if you RTFA, you'd note that this can be used to detect practically anything in the blood. That includes everything from specific gene sequences, to any kind of toxins, or anything else. There are ALREADY "genetic chips" on the market right now that can do testing for genetic defects using microfluidics technology. I know because I've actually gotten a test done with one. Think Gattaca, only a lot more far reaching, as it can detect virtually anything that's blood borne in just a few minutes, making it a fast "lab in a chip."
is also preloaded as part of the operating system. Obviously it has an advantage here.
That's not a valid excuse, Firefox is slow due to poor optimization. MSIE doesn't have access to super magical rendering features that Firefox doesn't. It wasn't until Firefox 1.5 Beta that they got speeds comparable to IE's and before then all the apologists were stepping in to say that IE had some magical advantage.
Nor is it the fault of the Mozilla devteam that people are making, and using slow extensions.
The extensions aren't slow, Mozilla's Javascript interpreter is slow. The fact of the matter is, if you want certain functionality, you will inevitably slow down Firefox regardless of how well optimized the Javascript is. You want to know why you don't receive complaints concerning speed for plugins for IE? Because they're all compiled--making them super fast. There's no reason why Mozilla couldn't at least compile to bytecode or JIT it.
There should be a name for this phenomenon. When there is a performance issue or other fundamental issue with some technology, apologists first shift the blame on third parties (e.g. people who develop stuff for it). Then years later when they finally get their act together and fix the problems and make it run well and the same exact third party stuff runs very fast, they suddenly say "oh yeah it was slow in the past, but now it's really totally awesome, which totally excuses our past dishonest behavior where we claimed it was everyone else's fault!"
I get sick of this intellectual dishonesty. People only admit it's a problem with the group that they're defending only AFTER it's all been fixed and is a thing of the past. While it's a problem, before it's fixed, it's always someone else's fault. Whether it be performance, security or something else, there's always something.
To people like ME, speed is itself useless - page download times massively eclipse time taken by the browser itself.
They do? Are you on dial-up? Because the page actually downloads faster than Firefox can render it for me for many pages and I'm on a 2GHz P4. Most pages will download in a fraction of a second and with all the AJAX/javascript stuff out there, rendering time greatly increases. No, it's not because of spyware, stop using that BS excuse, this is a common problem reported by everyone. The fact that 1.5 beta managed to speed things up shows that it was, in fact, an issue with the developers of Firefox and not spyware.
The firefox developers can't be all things to all people.
So they must have a slow browser? You act as if speed is an unimportant feature, that's ludicrous. With the rising popularity of AJAX technology, optimizing their Javascript and rendering had better damn well be a priority.
If speed is a priority over customisability and compatibility, perhaps you are better off using a different browser (like Opera, or maybe Lynx) instead.
That is the silliest false dichotomy I've ever heard. Why must either of those be sacrificed? There is ABSOLUTELY NO REASON why they can't optimize their code while maintaining customizability and compatibility.
The difference is that a trojan can be disassembled, or be noticed by a heuristic scan or whatever.
The same applies to your proposed attack. Your attack requires that the insider insert specific malicious code into Q to properly switch between the 'good' and 'evil' versions of code based on whether A & B are present.
Seriously, you don't understand how this attack works. The executable differs ONLY by A & B, where A & B are random junk data that hash to the same value. Let me explain it again, this time in terms of how it's structured:
=Data section=
garbage_data = A or B
=Code section=
...
if garbage_data is A then do good()
otherwise do evil()
...
good() { ... }
evil() { ... }
END PROGRAM
Get it now? The only difference between the two versions is the random garbage data (A & B). The good() and evil() code exists in both versions, it's just that only one is called in each version.
If I plant BackOrifice in a library, someone might find it.
And if you plant the malicious code in Q, which you absolutely must, someone might find it.
If BackOrifice is B and I plant some random garbage A in advance, noone will find anything wrong with A.
Jesus H. Christ on a stick. You still don't get it. BO couldn't possibly be B. As I've said, A & B are random junk data, they don't represent anything meaningful.
The collisions found through this attack are found AT RANDOM. They are not found based on some data you created. That means A & B are random garbage. I will keep repeating that until eventually you get it.
If you could, in fact, generate A (junk data) that hashed to the same value as meaningful code, then that would mean you wouldn't actually need an insider in the first place. Also, even if you could do that and attempted to do so, you'd still need some added code in the executable which could be detected with heuristics.
Honestly, I have no idea what is going through your head, because you're not making any sense.
But you didn't read that. You just jumped in to karma-whore with the "but you can't fake H(Q)!!!" thing. Without even understanding what you're talking about.
I read it and it was wrong. You were under the mistaken impression that either A or B could be replaced with something meaningful. They can't. The executable is EXACTLY THE SAME aside from some junk data.
We're talking maths and security...
Which you don't seem to understand. Maybe you should take it as a hint that when everyone is telling you that you are wrong, maybe you are.
You ran out of arguments, didn't you?
No, I've presented mine very clearly. You, otoh, seem insistent on not listening to anything said.
If you can't make a coherent point, you just have to get someone to silence the bad man who dares disagree with you.
Pot, kettle, black. You have yet to make a single coherent point. People are modding you down because you're wrong. You have made a common mistake that has been corrected many times in this post and yet you're one of the few who doesn't want to accept that they're wrong.
I'm saying it's possible for an insider to plant a seed in advance that they can replace later[...]No, you can't start from scratch, but basically it becomes feasible for one _hell_ of a lot of people to plant such pieces of padding in advance, for future use.
It's already possible without this MD5 attack. It's called modifying the code to put a trojan or subtle vulnerability in it. You're just proposing a needlessly complicated method of taking advantage of being on the inside.
Your initial posting didn't mention anything about inside jobs, it described the attack entirely as if some outsider could launch this on their own.
Please mod this guys posting down, "people on the inside can trojan executables" is not the slightest bit insightful, nor is it specific to MD5 attacks.
do you automatically trust everyone working at Blizzard? How about some disgruntled temp employee at the publisher? Do you trust everyone at the company who made the install program too?
You have no choice but to trust them, that's not the issue here.
As long as I control the A and B versions of the self-extractor module, Blizzard's own content is the Q in that equation.
A and B are random garbage data that form an MD5 collision, they aren't valid executable data. Q is the only valid executable data and that's the data you have no control over.
Look, you REALLY don't understand the article and many people here have misunderstood it just like you have and have been corrected, please just accept that you're wrong and move on.
I'll explain it in no uncertain terms here:
if H(A) = H(B), then H(A+Q) = H(B+Q)
A & B are pre-generated random collisions that hash to the same values. They are random data. Thus, in order to make a 'good' and an 'evil' version of an executable, you have to have two that both contain the same code, with them only differing by that random chunk of data (A & B). There's a conditional statement at the beginning of the code, if it encounters random chunk A, it executes the good code, if it executes random chunk B, it executes the bad code. The problem is though, the code is the Q in the equation--the part that Blizzard created, which you don't have control over.
The hash for Blizzard's installer is actually H(Q), whereas you'd be creating H(A+Q)=H(B+Q). H(Q) is NOT the same hash as H(A+Q).
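The property the post relies on (if H(A) = H(B), then H(A+Q) = H(B+Q)) and the reason it says nothing about H(Q), as an added example that is not part of the original thread: a deliberately weak toy Merkle-Damgård hash (24-bit state, 2-byte blocks, constructed here as a stand-in for MD5, not MD5 itself) in which a one-block collision A, B is found by brute force, then shown to survive any appended Q while the hash of Q alone stays different and the two images differ only in that junk prefix.

```python
"""Toy Merkle-Damgard hash illustrating why a prefix collision (A, B)
survives any common suffix Q, while H(Q) by itself is a different value.

Added example, not code from the original thread. The hash is a
constructed, intentionally weak stand-in for MD5 (24-bit chaining state,
2-byte blocks) so a collision falls out of a brute-force search in well
under a second; the structure (IV, block-by-block compression, length
padding) is what makes the argument carry over to real MD5."""
from typing import Dict, Optional, Tuple

BLOCK = 2            # bytes per message block
MASK = 0xFFFFFF      # 24-bit chaining state
IV = 0x5A5A5A        # fixed initial value (constructed)


def compress(state: int, block: int) -> int:
    """Mix one 16-bit block into the 24-bit chaining state."""
    x = ((state ^ block) * 0x9E3779B1) & 0xFFFFFFFF
    x ^= x >> 13
    x = (x * 0x85EBCA6B) & 0xFFFFFFFF
    x ^= x >> 16
    return x & MASK   # truncating 32 -> 24 bits is where collisions arise


def pad(msg: bytes) -> bytes:
    """MD-style padding: 0x80, zeros up to a block boundary, then the
    message length (mod 2**16) as one final 2-byte block."""
    out = msg + b"\x80"
    out += b"\x00" * (-len(out) % BLOCK)
    return out + (len(msg) % 65536).to_bytes(BLOCK, "big")


def toy_hash(msg: bytes) -> int:
    state = IV
    data = pad(msg)
    for i in range(0, len(data), BLOCK):
        state = compress(state, int.from_bytes(data[i:i + BLOCK], "big"))
    return state


def find_block_collision() -> Optional[Tuple[bytes, bytes]]:
    """Brute-force two distinct single blocks A != B that leave the
    chaining state identical after the first compression. From that
    point on every suffix Q is processed from the same state, so
    toy_hash(A + Q) == toy_hash(B + Q) for any Q whatsoever."""
    seen: Dict[int, int] = {}
    for b in range(1 << (8 * BLOCK)):
        st = compress(IV, b)
        if st in seen:
            return seen[st].to_bytes(BLOCK, "big"), b.to_bytes(BLOCK, "big")
        seen[st] = b
    return None


def select_behaviour(image: bytes, a: bytes) -> str:
    """The thread's 'good()/evil()' selector: the program body (Q) is
    byte-identical in both images; only the junk prefix picks the branch."""
    return "good" if image[:BLOCK] == a else "evil"


def demo() -> dict:
    """Run the whole argument and report each claim as a boolean."""
    a, b = find_block_collision()
    q = b"vendor-supplied installer code (constructed sample Q)"
    return {
        "prefix_collision": toy_hash(a) == toy_hash(b),
        "suffix_survives": toy_hash(a + q) == toy_hash(b + q),
        "hq_differs": toy_hash(q) != toy_hash(a + q),
        "branches": (select_behaviour(a + q, a), select_behaviour(b + q, a)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The published hash of the unmodified Q is toy_hash(q); neither colliding image reproduces it, which is the point the post makes about H(Q) versus H(A+Q).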
Maybe, JUST MAYBE, it's news because this is the first publicly released Firefox exploit that could be easily integrated into a webpage to take over their systems. Did you even RTFA? What part of NOT-run-of-the-mill don't you understand? Do you realize that means "atypical"? Do you realize that means "unique"?
Wow. Get over your damn blind zealotry for a moment and actually use your BRAIN. The news media reports it whenever a major virus/worm for Windows comes out, so why is it inconceivable that they report it, on a less significant page (read: NOT FRONT PAGE), when a browser that is rapidly gaining in popularity has its first exploit that is easily adaptable to be put 'in the wild'?
And it's not like this is being reported left and right. The past reports about Firefox have been small opinion pieces in less popular computer publications like eWeek. Way to spread FUD and imply that major news sources are constantly covering Firefox vulnerabilities, WHEN NOTHING REMOTELY LIKE THAT IS HAPPENING.
You cannot attach an executable file to an e-mail and expect it to run on a Mac upon opening the attachment or download from the web.
UNLESS THERE IS A VULNERABILITY, WHICH IS THE WHOLE DAMN POINT. Christ you're dense. You're basically saying "as long as soft package X is totally secure and operates 100% as expected, it will not run malicious code."
How do you think the most prolific e-mail attached viruses/worms spread on Windows? They spread by exploiting vulnerabilities in the e-mail software. Macs aren't magically immune to that.
On a Mac you have to put the various components of a program into a zip or dmg file which then can be unzipped into an application package.
Hello? Ever heard of a buffer overflow exploit? It immediately bypasses all of those restrictions, as it runs with the privileges and trust levels of the e-mail program.
Not just that, but the default settings for OE (the default windows e-mail client) now forbid users from running attachments directly from e-mail AND group policies on Windows allow administrators to forbid users from saving attachments completely (regardless of file type) if they like.
nasty files can only go into a few places where they can easily be found and trashed.
You obviously have practically no understanding of how viruses work. Viruses INFECT trusted executable files. They can 'piggyback' on legitimate programs, that means they can sit anywhere they want.
A determined non admin user can, with effort get a malware to run, but that will then only affect that users space but not the system and other users.
You do realize that in a business setting that Windows can be configured to restrict users in the SAME WAY, right? Windows has had ACLs (fine-grained file system controls) and fine grained security policies much longer than Mac OS has ever had. It's all up to the admin to configure it how they wish.
In windows there is a useless thing called the registry, which any malware can mess up and it requires an extremely knowledgeable person to repair a screwed up registry.
Wrong, wrong, WRONG. If you're going the "business setting" route, then you must acknowledge that Windows also has ACLs attached to the registry, meaning that the user is restricted to only the specific part of the registry that contains their personal settings. They can't clobber the registry settings of anything else.
There is no such single point of failure and attack in OSX unless the user has root access.
Hello? 99% of home users have root access and use it without a second thought, have you been paying attention? Your average user's inclination, when prompted to do something, is to click 'yes' and type in whatever is needed, password protection for home users is pointless.
Not just that, but you don't need root access to spread a worm/virus and cause havoc. Regular users have full internet access, which is all that's needed to spread.
There are root kits for OSX, but they cannot be installed by any standard user or a program he/she may run.
Uh, the same applies to regular user accounts in Windows. Have you actually done anything with Windows administration? You obviously know very little about Windows security.
most users MUST run as administrator because Windows developers don't seem to heed MS guidelines and almost every user I know has at least one program that will not run unless the user has full root equivalent admin rights.
This has already been covered. Most software does not require administrator privileges and you can lock down the rest. For most home users, it's mostly games that require administrator privileges and you can easily switch users for that, it's not hard to maintain separate accounts for that purpose.
When I was a system admin for our local school district, I was stymied again and again by the fact that a large number of Windows programs would not work correctly if I set up the
I'm certainly not suggesting that paleomacos is a shining paragon of security, just that it was consistently better than its Windows contemporaries.
Really? Even Win9x provided some level of memory protection. The NT based Windows OSes had provided ACLs and full memory protection for a long time before that, even. Windows security has long had it beat. Mac OS was playing catch-up.
This sounds interestingly unlike you providing a reference for your claim that "Apple admitted" that macos was less secure than Windows.
They admit that they had no memory protection and no file system security. They also admit what I already described above about Windows. The implication is obvious.
How is that relevant to this discussion? The end result is still patched software installed on nearly all machines.
It's relevant because even if Apple was super-quick, they have to rely on others to fix bugs for them, which means that they are at the mercy of the expediency of others. So if the others are slow, Apple is slow by association.
And you know what? The faster spreading Windows worms set records in just a matter of hours and hit massive numbers in days. It doesn't take long to spread a worm.
The overwhelmingly vast majority of users do not change the default settings of most software they use.
I don't think you understand how much fiddling end users do with their systems, seriously. End users have a tendency to play with things that they shouldn't, anyone in tech support can tell you that.
Helllooooo, ad hominem.
"Ad hominem" is not a synonym for "insult", please go look it up and get back to me, moron.
Specifically relevant to this conversation, their track record is consistently much better than Microsoft's.
Yeah, if you count security through obscurity as part of their track record. Please. OS X was their first consumer OS to ever include any kind of file system security and any kind of memory protection, Windows had already beaten them to the punch by YEARS.
And if such a person were in such a situation, why wouldn't they just set it to pre-download updates in the middle of the night or day, and have them queued up waiting for authorization when they're actually at the machine?
You make a lot of assumptions about the users making smart, educated decisions, which is really the last thing you want to do when it comes to security. Honestly, I can't help you with that.
Everything that an attacker could reliably expect to have on a target machine to use as a vector is covered by Apple's software update: the kernel, the Finder, Mail, Safari, itunes, Quicktime, sshd, apache, samba.
"Everything"? You have statistics on it? I wasn't aware that the only software on the majority of OS X machines was listed above. Hell, even at 10% of machines, that would be huge damage.
You sure have a strange definition of everything. Interesting that it didn't even include Firefox, but then again, what do I expect from someone who pulls statistics out of their ass and uses words like "everything" when they really mean "some things." Time to call the hyperbole police.
It's of course possible for users to manually install software that's outside the scope of what Apple's updates cover
Duh, that was the whole point.
but that drastically raises the odds that that user is comfortable with also upgrading that software as necessary.
HAHAHAHAHAHA. WOW. That is, BY FAR, the WORST security related assumption you've made so far. Numerous Windows users will just download third party software like crazy, without a second thought and only update it when they hear about a new feature, *maybe*.
Assuming these people crossed over to OS X, how would it be any different?
Furthermore, even if the user is more educated, why are you excluding the possibility that they're lazy? In fact, lazy isn't even the right word, I shoul
I asked a question in a specific context, and it's important you understand that context. The person I was responding to had asserted that such software is very common, and as such, in that context, was asking for more than just a small number of examples of software for limited uses.
And you're still wrong about Winamp and Acrobat. Worst case scenario, if you use the features that require write access (which are optional), you only have to allow access to specific files/directories, not all of program files. The windows file system security is fine grained, there's never a need to make all of program files writable.
Even then, a user is warned that file xxx contains a program that wants to run for the first time and that it could be evil.
No warning is given for the examples I gave.
The problem in Windows is that the user is told NOTHING and the program executes and installs remote control back doors and who knows what.
And what difference does that make? If a user downloads a program, they're going to want to run it, so an admin password won't matter. If you're talking about executable attachments in e-mail, that's an issue for the e-mail software, not the OS and even OE has now disabled that by default.
If it CAN be done it must be VERY hard, since no one has done it yet.
No, your logic is warped. You've created a false dichotomy: that it must either be a) very hard or b) compromised by now. You're ignoring the possibility that there just isn't much interest by the trojan/hacker community due to things such as LACK OF POPULARITY. I have yet to see a single MS-DOS worm, despite the fact that networking software exists for MS-DOS, does that mean it's secure?
I already gave examples of vulnerabilities that don't require any special intervention on the part of the user. You can find even more by looking through vulnerability lists. Hell, with the libpng vulnerability, you just needed to get someone to view a png image (on a website or in an e-mail or wherever) and BAM, they're compromised, no dialogs, no warnings.
It IS A MATTER OF UNCONTESTABLE FACT that vulnerabilities exist which can be exploited to spread without any kind of special dialogs to click through on the part of the user. It's just that no one has bothered to write a trojan/backdoor that exploits those vulnerabilities yet, due to lack of interest. It's security through obscurity.
As to be expected, another zealot replies to me without reading what I was replying to. Let me quote the person I was responding to: "because so much software for mostly stupid reasons will not run correctly if the user is not an administrator."
Notice the "so much software" part. You, so far, have given an entirety of one (1) example (counting the scanning/OCR bundle as one). That hardly qualifies as 'so much software' and hardly makes Windows sooooooo much more insecure.
And uh, you don't need admin privileges to run Winamp nor Acrobat, as neither of them MANDATE their own updates. If you think you do, then you're configuring something very wrong.
No, wrong, dead wrong. You're very confused. You're thinking specifically of a restriction of the GPL which doesn't apply to other Open Source licenses. And that's all assuming the patent covers what you think it does, which it doesn't.
Broad, non-specific. This could include any kind of use of the schemas.
That's just the patent summary. Patent summaries, being brief, are typically very broad sounding, even (especially?) when dealing with something that is very technical and complex. You need to read the actual patent text to see what it covers.
This has to be one of my biggest pet peeves when it comes to Slashdot readers. They get pissed off at patent applications based only on the patent summary.
No, and that pretty much pissed off everybody at W3C. They filed for the patent in secret while developing CSS with the other members of the W3C.
If that's the case and their patent is valid, why aren't they enforcing it against all implementations of CSS?
The issues are nothing to do with the schema itself, but rather to do with openness.
:(
:-(
Actually, in the interview, he WAS making it about the schemas. And XML is more than just a bunch of tags, there are actually quite a few requirements in the standard, but you wouldn't know that, being ignorant and all.
If you want to write an application that speaks it, you have to ask Microsoft; they can charge you money for telling you, withhold bits if they see fit, and withdraw the privilege anytime. And if you do anything that Microsoft told you not to do, they can punish you.
Wow. Nope. Wrong. Stop spreading the FUD. Not only do you not know what MS' patents cover (a specific implementation--which you wouldn't have to use), you also neglect to note that the patents are licensed "royalty free." You can download the XML Schemas and write fully compliant software for free. Wow. Totally closed. You're right.
You can expect the problem with Microsoft's format that only Microsoft -- and a chosen few appointed by Microsoft -- are allowed to write programs that can retrieve your data once it has been saved in Microsoft's proprietary format.
Nope, FUD-master is wrong again. Even if the patent covered that, the whole "royalty free" thing would have you there. Oh yeah, it's not proprietary when it's well documented, sorry if that concept is hard for you to understand.
Now someone else's document converter may well not be able to handle Microsoft's proprietary format correctly. Your data might become inaccessible!
Uh, the same could be said of OpenDocument, that's not a valid argument.
There is also a very real possibility that Microsoft may not exist 10 years from now, and they may take their proprietary formats to the grave with them.
HAHAHAHAHA, "a very real possibility"? Now the fud-master has gone off the deep end. Even if they went out of business, that would mean their patents would become void and everyone would be free to use the XML Schemas as they please, making it a wide open format. So in other words, your "very real possibility" would actually be a positive.
No such guarantee can be made in respect of Microsoft's schema.
Why not? Are all the copies of MS' schema going to be wiped off of every hard drive in existence? For such a popular format, what are the chances of it just suddenly *poof* vanishing into thin air?
I'm sorry fud-master, but your arguments are not only totally illogical, but they're batshit insane.
That's a nice out of context quote that doesn't actually specify what the patent covers. Did you not understand "royalty free"? Perhaps you should read this.
Or am I just spreading FUD?
Yes. The XML Schemas are freely downloadable, you don't have to sign anything. They are just patenting their own software implementation that processes those XML documents. You can still make your own implementation.
if it's mixing in dynamic SQL queries there's a good chance it also has SQL injection holes.
I'll take that "if" to mean you haven't read the documentation and didn't actually watch the video. Stop frothing at the mouth about SQL injection holes. If you had bothered to watch the fucking video (which you didn't), you'd notice it has specific mechanisms to deal with them.
Also, its main purpose isn't to "catch bugs", it's to make things easier on the programmer. Abstraction toolkits like this are good. God forbid someone make things easier.
I call BS. First off, SQL is a set-based language. Very rarely do you need to loop over a result set (if you find yourself looping in SQL code, you're not thinking hard enough). Whatever "loop and operate" action you'd take with Python can be done quicker and more efficiently with SQL code than with app code.
And I call BS on your BS, because you didn't actually read what you were responding to. I'm beginning to notice a pattern here, first you start frothing at the mouth based on speculation from not having RTFV (video), then you do it for not reading the comment you're responding to. They specifically used the descriptive words "powerful" and "easier" not "faster." The issue isn't efficiency, no one is claiming that TurboGears produces the most efficient code. The whole purpose of TurboGears is to make things easier on the programmer, which is what this does. Designing the logic within Python, which actually does allow you to do quite a bit more in terms of 'business logic', makes things easier.
Finally, while it may be "easier" for a developer proficient in Python and not the SQL dialect used by your chosen DBMS, that's a cop-out. As so many people are so fond of saying, you should use the right tool for the job
No, even for someone very proficient in SQL it's still easier in Python due to these bindings. Of course, not having actually read anything about TurboGears (e.g. the documentation) and engaging in rampant speculation and all, you wouldn't know that.
And they ARE using the right tool for the right job, you should follow your own damn advice. TurboGears is designed for jobs where EASE is a priority over efficiency. GUESS WHAT, efficiency isn't always the #1 priority, genius.
You speak boldly, but you can't read worth shit, exercise critical thinking skills nor even follow your own advice.
I've intentionally ignored the problem of database portability, because a) you should be using stored procedures, which means you'll want to port them yourself anyway for maximum benefit, b) you should be using a proper DBI layer such that you just have to tell it, "I'm using Oracle now instead of Postgres, do the right thing", and c) because you're using stored procedures, you won't be switching to a DBMS that doesn't support the
A isn't even a "reason", it's just a circular statement. "You'll want to do it because you'll want to."
B isn't valid either, which leads me to believe that you're not actually a database programmer, since DBI layers don't just magically translate from one proprietarism to another. If you DO use an SQL stored procedure, you're forced to stick to strict standards, otherwise the DBI layer becomes useless.
C is just a lame excuse to bash MySQL, it's not even a real reason. Keep on frothing there, buddy.
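The "SQL injection holes" argument above concerns what happens when user input is spliced into dynamic SQL text versus passed through a binding mechanism. As an added example (not TurboGears code and not from the thread), the following builds a constructed in-memory SQLite table and runs the same lookup both ways; the function names, table layout and the probe string are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real data).
SAMPLE_USERS = [
    ("alice", "admin"),
    ("bob", "staff"),
    ("carol", "staff"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_dynamic(conn, name):
    """Dynamic SQL: the caller's value becomes part of the statement text,
    so quote characters in it change the meaning of the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_by_name_bound(conn, name):
    """Bound parameter: the value is handed to the driver separately and is
    compared literally, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups with an honest name and with a quote-breaking probe."""
    conn = make_db()
    probe = "x' OR '1'='1"  # classic textbook probe, constructed for the demo
    return {
        "dynamic_honest": find_by_name_dynamic(conn, "bob"),
        "dynamic_probe": sorted(find_by_name_dynamic(conn, probe)),
        "bound_honest": find_by_name_bound(conn, "bob"),
        "bound_probe": find_by_name_bound(conn, probe),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the dynamic version the probe returns every row, because the statement text has become `... WHERE name = 'x' OR '1'='1'`; with the bound version the same probe returns nothing, because the driver looks for a user literally named `x' OR '1'='1`. That difference is the whole of what a "mechanism to deal with SQL injection" has to provide: keep data out of the SQL text.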
Sure, if you want an uglier, single paradigm language that's harder to maintain, it's great. But us non-zealots prefer to use languages that are easier to read and don't think that a single programming paradigm is the end-all and be-all.
The "lines of code" argument is tired, old and bullshit, frankly. Anyone can write a minimal line version of practically anything, but that says nothing for maintainability, readability or anything else. Someone's written a 3 line RSA utility in perl, but have you taken a look at it?
RTFA yourself. The article said nothing like that, it says the opposite. Escape analysis involves storing things on the stack because, AS THE ARTICLE STATES, stack allocation is very efficient.
At first I thought "wow, two women in [South] Korea have had stem cells heal their paralysis now." But then I thought it was probably just a dupe.
Indeed it is: http://science.slashdot.org/article.pl?sid=04/11/29/1412224&tid=191
To be fair though, they didn't actually publish the result of the case study until September 2005, whereas the announcement was made in November 2004.
You act as if they're being generous or something. Most, if not all, of those licenses are already GPL compatible, so they could be combined with any GPL code anyway. So all they're doing is saying "hey, we're making a special 'exception' to allow you to do what you could already do anyway."
So yes, the grandparent is right, you are forced to release it under a GPL license. All BSD/MIT/LGPL/whatever code can be safely licensed under the GPL regardless of any special exception.
You're also missing the point too, that anything that is not under an open source license can't use those libraries, which is ridiculous. I don't even know why they bother doing it, since they're forcing people to write libraries under more lax licenses, which only delays the matter.
The only people who can complain about the MySQL licensing policy are freeloaders who want to benefit from free software without giving anything back to the developers or the community. You will, I trust, forgive me if I don't weep for such people.
Congratulations, you just described the vast majority of OSS software users. Most of them don't have the expertise to give anything back and most that do, give little or nothing. I'm betting that you yourself have given nothing back. Save your self-righteous indignation for someone else.
This goes against what the GPL was created for. The GPL was created to allow certain software to be 'free', which is what GPL'ing the MySQL daemon does. GPL'ing the library, however, is just being a control freak. The LGPL was created for the purpose of licensing unoriginal libraries that provide trivial or standard functionality (e.g. libc). If your philosophy were followed, things like libc would be GPL'ed and practically no one would use OSS, because they'd be forced to open source all their software just by the mere act of compiling it for an OSS platform.
Actually, they did find a correlation, they just dismissed it as cognitive decline as being due to age rather than marijuana use. They even admit the test they used isn't that sensitive to measuring cognitive decline. Guess you should read the study you paste :-(
Then you take a look and notice that they also created a "George W. Bush's Response to Hurricane Katrina" article. As if the title itself wasn't biased, the article contains a rather liberal biased perspective slanted towards shifting the blame on Bush.
Yes, Wikipedia does good with popular subjects that are non-controversial, but those are uncommon. Virtually everything, including technical subjects, becomes controversial due to zealots. The problem is that the system is not designed to handle them really, since Wikipedia admins/arbitrators aren't supposed to get involved in content/POV disputes (even though they actually do make thinly veiled attempts to do that). Inevitably one side of zealots wins, because the other side either tires out, is outnumbered and/or the side has the ideological backing of the dozen or so total arbitrators (whose decisions on Wikipedia can't be overturned).
The herd wins, pretty much always.
Yes, this technology has a lot of potential. It also has scary consequences, since it can also basically map (if that's the correct term) every gene in your DNA. Microfluidics has already been used to create chips that can detect specific genetic defects. Now think about the implications of it, Gattaca style. Being able to identify any diseases/conditions and genetic predisposition towards disease/conditions can potentially be used for discriminatory purposes, especially with health insurance companies denying policies due to PREDICTED conditions. I don't think it's really going to be a big, alarmist deal in the future, but it will be a significant issue nonetheless.
I myself have actually gotten tested with one of these "genetic chips" for a genetic disorder relating to metabolization of drugs by a company called Genelex (there are other companies that do it too, but I don't know their names off hand). It's pretty interesting stuff. I've been too lazy to really compile resources, but this Wikipedia article seems like a good starting point: http://en.wikipedia.org/wiki/Microfluidics
Honestly, do you really think they would manage to overlook something so obvious? I find it stunning that a Slashdot reader thinks that they've managed to easily find a fatal, obvious flaw in a sophisticated technology developed by prestigious researchers. I'm fairly certain they have people working on this much smarter and who have much better credentials than you.
Microfluidics, the type of technology involved here, doesn't just measure the types of things encountered in the blood stream, it can also measure the amounts of them as well. Not just that, but they can use this technology to analyze individual cells to see what is and isn't there, ruling out the possibility of it being non-cancerous through other indicators too, although I don't think this particular implementation does that.
Furthermore, if you RTFA, you'd note that this can be used to detect practically anything in the blood. That includes everything from specific gene sequences, to any kind of toxins, or anything else. There are ALREADY "genetic chips" on the market right now that can do testing for genetic defects using microfluidics technology. I know because I've actually gotten a test done with one. Think Gattaca, only a lot more far reaching, as it can detect virtually anything that's blood borne in just a few minutes, making it a fast "lab in a chip."
is also preloaded as part of the operating system. Obviously it has an advantage here.
That's not a valid excuse, Firefox is slow due to poor optimization. MSIE doesn't have access to super magical rendering features that Firefox doesn't. It wasn't until Firefox 1.5 Beta that they got speeds comparable to IE's and before then all the apologists were stepping in to say that IE had some magical advantage.
Nor is it the fault of the Mozilla devteam that people are making, and using slow extensions.
The extensions aren't slow, Mozilla's Javascript interpreter is slow. The fact of the matter is, if you want certain functionality, you will inevitably slow down Firefox regardless of how well optimized the Javascript is. You want to know why you don't receive complaints concerning speed for plugins for IE? Because they're all compiled--making them super fast. There's no reason why Mozilla couldn't at least compile to bytecode or JIT it.
There should be a name for this phenomenon. When there is a performance issue or other fundamental issue with some technology, apologists first shift the blame on third parties (e.g. people who develop stuff for it). Then years later when they finally get their act together and fix the problems and make it run well and the same exact third party stuff runs very fast, they suddenly say "oh yeah it was slow in the past, but now it's really totally awesome, which totally excuses our past dishonest behavior where we claimed it was everyone else's fault!"
I get sick of this intellectual dishonesty. People only admit it's a problem with the group that they're defending only AFTER it's all been fixed and is a thing of the past. While it's a problem, before it's fixed, it's always someone else's fault. Whether it be performance, security or something else, there's always something.
To people like ME, speed is itself useless - page download times massively eclipse time taken by the browser itself.
They do? Are you on dial-up? Because the page actually downloads faster than Firefox can render it for me for many pages and I'm on a 2GHz P4. Most pages will download in a fraction of a second and with all the AJAX/javascript stuff out there, rendering time greatly increases. No, it's not because of spyware, stop using that BS excuse, this is a common problem reported by everyone. The fact that 1.5 beta managed to speed things up shows that it was, in fact, an issue with the developers of Firefox and not spyware.
The firefox developers can't be all things to all people.
So they must have a slow browser? You act as if speed is an unimportant feature, that's ludicrous. With the rising popularity of AJAX technology, optimizing their Javascript and rendering had better damn well be a priority.
If speed is a priority over customisability and compatibility, perhaps you are better off using a different browser (like Opera, or maybe Lynx) instead.
That is the silliest false dichotomy I've ever heard. Why must either of those be sacrificed? There is ABSOLUTELY NO REASON why they can't optimize their code while maintaining customizability and compatibility.
The difference is that a trojan can be disassembled, or be noticed by a heuristic scan or whatever.
The same applies to your proposed attack. Your attack requires that the insider insert specific malicious code into Q to properly switch between the 'good' and 'evil' versions of code based on whether A & B are present.
Seriously, you don't understand how this attack works. The executable differs ONLY by A & B, where A & B are random junk data that hash to the same value. Let me explain it again, this time in terms of how it's structured:
=Data section=
garbage_data = A or B

=Code section=
if garbage_data is A then do good()
otherwise do evil()

good() {
    ...
}

evil() {
    ...
}

END PROGRAM
Get it now? The only difference between the two versions is the random garbage data (A & B). The good() and evil() code exists in both versions, it's just that only one is called in each version.
If I plant BackOrifice in a library, someone might find it.
And if you plant the malicious code in Q, which you absolutely must, someone might find it.
If BackOrifice is B and I plant some random garbage A in advance, no one will find anything wrong with A.
Jesus H. Christ on a stick. You still don't get it. BO couldn't possibly be B. As I've said, A & B are random junk data, they don't represent anything meaningful.
The collisions found through this attack are found AT RANDOM. They are not found based on some data you created. That means A & B are random garbage. I will keep repeating that until eventually you get it.
If you could, in fact, generate A (junk data) that hashed to the same value as meaningful code, then that would mean you wouldn't actually need an insider in the first place. Also, even if you could do that and attempted to do so, you'd still need some added code in the executable which could be detected with heuristics.
Honestly, I have no idea what is going through your head, because you're not making any sense.
But you didn't read that. You just jumped in to karma-whore with the "but you can't fake H(Q)!!!" thing. Without even understanding what you're talking about.
I read it and it was wrong. You were under the mistaken impression that either A or B could be replaced with something meaningful. They can't. The executable is EXACTLY THE SAME aside from some junk data.
We're talking maths and security...
Which you don't seem to understand. Maybe you should take it as a hint that when everyone is telling you that you are wrong, maybe you are.
You ran out of arguments, didn't you?
No, I've presented mine very clearly. You, otoh, seem insistent on not listening to anything said.
If you can't make a coherent point, you just have to get someone to silence the bad man who dares disagree with you.
Pot, kettle, black. You have yet to make a single coherent point. People are modding you down because you're wrong. You have made a common mistake that has been corrected many times in this post and yet you're one of the few who doesn't want to accept that they're wrong.
I'm saying it's possible for an insider to plant a seed in advance that they can replace later[...]No, you can't start from scratch, but basically it becomes feasible for one _hell_ of a lot of people to plant such pieces of padding in advance, for future use.
It's already possible without this MD5 attack. It's called modifying the code to put a trojan or subtle vulnerability in it. You're just proposing a needlessly complicated method of taking advantage of being on the inside.
Your initial posting didn't mention anything about inside jobs, it described the attack entirely as if some outsider could launch this on their own.
Please mod this guy's posting down, "people on the inside can trojan executables" is not the slightest bit insightful, nor is it specific to MD5 attacks.
do you automatically trust everyone working at Blizzard? How about some disgruntled temp employee at the publisher? Do you trust everyone at the company who made the install program too?
You have no choice but to trust them, that's not the issue here.
As long as I control the A and B versions of the self-extractor module, Blizzard's own content is the Q in that equation.
A and B are random garbage data that form an MD5 collision, they aren't valid executable data. Q is the only valid executable data and that's the data you have no control over.
Look, you REALLY don't understand the article and many people here have misunderstood it just like you have and have been corrected, please just accept that you're wrong and move on.
I'll explain it in no uncertain terms here:
if H(A) = H(B), then H(A+Q) = H(B+Q)
A & B are pre-generated random collisions that hash to the same values. They are random data. Thus, in order to make a 'good' and an 'evil' version of an executable, you have to make two that both contain the same code, with them only differing by that random chunk of data (A & B). There's a conditional statement at the beginning of the code, if it encounters random chunk A, it executes the good code, if it executes random chunk B, it executes the bad code. The problem is though, the code is the Q in the equation--the part that Blizzard created, which you don't have control over.
The hash for Blizzard's installer is actually H(Q), whereas you'd be creating H(A+Q)=H(B+Q). H(Q) is NOT the same hash as H(A+Q).
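The hash algebra above (H(A) = H(B) implies H(A+Q) = H(B+Q), while H(Q) is a different value) and the shared-code selector in the pseudocode earlier in the thread can be checked concretely with a toy hash. What follows is an added example, not code from the thread and not real MD5: `toy_hash` is an assumed Merkle-Damgard construction with a 32-bit state whose compression function is a truncation of SHA-256 (chosen only so that birthday collisions are cheap to find), `find_colliding_blocks` does the birthday search for two meaningless junk blocks, `run_image` models the two-version executable, and the vendor code Q is a constructed byte string.

```python
import hashlib
from itertools import count

BLOCK = 4             # toy block size in bytes (assumption for the demo)
IV = 0x01234567       # toy initial chaining value (assumption for the demo)


def compress(state, block):
    """Toy compression function: 32-bit truncation of SHA-256(state || block).
    A stand-in so collisions are cheap; it is not MD5's compression function."""
    data = state.to_bytes(4, "big") + block
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def pad(msg):
    """Merkle-Damgard style padding: 0x80, zeros to a block boundary, then the length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded)) % BLOCK)
    return padded + len(msg).to_bytes(BLOCK, "big")


def toy_hash(msg):
    """Chain the compression function over the padded message, MD5-style."""
    state = IV
    padded = pad(msg)
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state


def find_colliding_blocks():
    """Birthday search for two distinct single blocks A != B that leave the
    chaining value identical after the first compression. The blocks are just
    counters: random-looking junk with no meaning, as the post describes."""
    seen = {}
    for i in count():
        block = i.to_bytes(BLOCK, "big")
        state = compress(IV, block)
        if state in seen:
            return seen[state], block
        seen[state] = block


def run_image(image, a_block):
    """Model of the two-version executable: the data section is the junk block,
    the code section Q (identical in both versions) holds both branch bodies and
    selects between them by comparing the junk block against A."""
    data_section = image[:BLOCK]
    return "good()" if data_section == a_block else "evil()"


def verify_against_vendor_hash(received, vendor_hash):
    """Defender check: does the received file hash to the value the vendor
    published for Q itself? A file with a prepended block cannot."""
    return toy_hash(received) == vendor_hash


def demo():
    a, b = find_colliding_blocks()
    # Constructed stand-in for the vendor's code section Q.
    q = b"if data == A: good() else: evil(); good(){...} evil(){...}"
    return {
        "a_differs_from_b": a != b,
        "prefix_collision": toy_hash(a + q) == toy_hash(b + q),
        "h_q_equals_h_aq": toy_hash(q) == toy_hash(a + q),
        "good_image": run_image(a + q, a),
        "evil_image": run_image(b + q, a),
        "vendor_check_passes_for_aq": verify_against_vendor_hash(a + q, toy_hash(q)),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

The search finds A and B after roughly 2^16 trials because the state is only 32 bits wide; real MD5 collisions need a much more involved search, but the structural facts are the same. Once A and B collide as first blocks, any common suffix Q keeps them colliding, which is why the attacker needs to control Q (the selector and both branches live there), and why a vendor hash published over Q alone does not match either A+Q or B+Q.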
God, typical Slashdot posting without thinking.
Maybe, JUST MAYBE, it's news because this is the first publicly released Firefox exploit that could be easily integrated into a webpage to take over their systems. Did you even RTFA? What part of NOT-run-of-the-mill don't you understand? Do you realize that means "atypical"? Do you realize that means "unique"?
Wow. Get over your damn blind zealotry for a moment and actually use your BRAIN. The news media reports it whenever a major virus/worm for Windows comes out, so why is it inconceivable that they report it, on a less significant page (read: NOT FRONT PAGE), when a browser that is rapidly gaining in popularity has its first exploit that is easily adaptable to be put 'in the wild'?
And it's not like this is being reported left and right. The past reports about Firefox have been small opinion pieces in less popular computer publications like eWeek. Way to spread FUD and imply that major news sources are constantly covering Firefox vulnerabilities, WHEN NOTHING REMOTELY LIKE THAT IS HAPPENING.
You cannot attach an executable file to an e-mail and expect it to run on a Mac upon opening the attachment or download from the web.
UNLESS THERE IS A VULNERABILITY, WHICH IS THE WHOLE DAMN POINT. Christ you're dense. You're basically saying "as long as soft package X is totally secure and operates 100% as expected, it will not run malicious code."
How do you think the most prolific e-mail attached viruses/worms spread on Windows? They spread by exploiting vulnerabilities in the e-mail software. Macs aren't magically immune to that.
On a Mac you have to put the various components of a program into a zip or dmg file which then can be unzipped into an application package.
Hello? Ever heard of a buffer overflow exploit? It immediately bypasses all of those restrictions, as it runs with the privileges and trust levels of the e-mail program.
Not just that, but the default settings for OE (the default windows e-mail client) now forbid users from running attachments directly from e-mail AND group policies on Windows allow administrators to forbid users from saving attachments completely (regardless of file type) if they like.
nasty files can only go into a few places where they can easily be found and trashed.
You obviously have practically no understanding of how viruses work. Viruses INFECT trusted executable files. They can 'piggyback' on legitimate programs, that means they can sit anywhere they want.
A determined non admin user can, with effort get a malware to run, but that will then only affect that users space but not the system and other users.
You do realize that in a business setting that Windows can be configured to restrict users in the SAME WAY, right? Windows has had ACLs (fine-grained file system controls) and fine grained security policies much longer than Mac OS has ever had. It's all up to the admin to configure it how they wish.
In windows there is a useless thing called the registry, which any malware can mess up and it requires an extremely knowledgeable person to repair a screwed up registry.
Wrong, wrong, WRONG. If you're going the "business setting" route, then you must acknowledge that Windows also has ACLs attached to the registry, meaning that the user is restricted to only the specific part of the registry that contains their personal settings. They can't clobber the registry settings of anything else.
There is no such single point of failure and attack in OSX unless the user has root access.
Hello? 99% of home users have root access and use it without a second thought, have you been paying attention? Your average user's inclination, when prompted to do something, is to click 'yes' and type in whatever is needed, password protection for home users is pointless.
Not just that, but you don't need root access to spread a worm/virus and cause havoc. Regular users have full internet access, which is all that's needed to spread.
There are root kits for OSX, but they cannot be installed by any standard user or a program he/she may run.
Uh, the same applies to regular user accounts in Windows. Have you actually done anything with Windows administration? You obviously know very little about Windows security.
most users MUST run as administrator because Windows developers don't seem to heed MS guidelines and almost every user I know has at least one program that will not run unless the user has full root equivalent admin rights.
This has already been covered. Most software does not require administrator privileges and you can lock down the rest. For most home users, it's mostly games that require administrator privileges, and you can easily switch users for that; it's not hard to maintain separate accounts for that purpose.
When I was a system admin for our local school district, I was stymied again and again by the fact that a large number of Windows programs would not work correctly if I set up the
I'm certainly not suggesting that paleomacos is a shining paragon of security, just that it was consistently better than its Windows contemporaries.
Really? Even Win9x provided some level of memory protection. The NT-based Windows OSes had provided ACLs and full memory protection for a long time before then, even. Windows security has long had it beat. Mac OS was playing catch-up.
This sounds interestingly unlike you providing a reference for your claim that "Apple admitted" that macos was less secure than Windows.
They admit that they had no memory protection and no file system security. They also admit what I already described above about Windows. The implication is obvious.
How is that relevant to this discussion? The end result is still patched software installed on nearly all machines.
It's relevant because even if Apple was super-quick, they have to rely on others to fix bugs for them, which means that they are at the mercy of the expediency of others. So if the others are slow, Apple is slow by association.
And you know what? The faster spreading Windows worms set records in just matters of hours and hit massive numbers in days. It doesn't take long to spread a worm.
The overwhelmingly vast majority of users do not change the default settings of most software they use.
I don't think you understand how much fiddling end users do with their systems, seriously. End users have a tendency to play with things that they shouldn't, anyone in tech support can tell you that.
Helllooooo, ad hominem.
"Ad hominem" is not a synonym for "insult", please go look it up and get back to me, moron.
Specifically relevant to this conversation, their track record is consistently much better than Microsoft's.
Yeah, if you count security through obscurity as part of their track record. Please. OS X was their first consumer OS to ever include any kind of file system security and any kind of memory protection, Windows had already beaten them to the punch by YEARS.
And if such a person were in such a situation, why wouldn't they just set it to pre-download updates in the middle of the night or day, and have them queued up waiting for authorization when they're actually at the machine?
You make a lot of assumptions about the users making smart, educated decisions, which is really the last thing you want to do when it comes to security. Honestly, I can't help you with that.
Everything that an attacker could reliably expect to have on a target machine to use as a vector is covered by Apple's software update: the kernel, the Finder, Mail, Safari, iTunes, QuickTime, sshd, apache, samba.
"Everything"? You have statistics on it? I wasn't aware that the only software on the majority of OS X machines was listed above. Hell, even at 10% of machines, that would be huge damage.
You sure have a strange definition of everything. Interesting that it didn't even include Firefox, but then again, what do I expect from someone who pulls statistics out of their ass and uses words like "everything" when they really mean "some things." Time to call the hyperbole police.
It's of course possible for users to manually install software that's outside the scope of what Apple's updates cover
Duh, that was the whole point.
but that drastically raises the odds that that user is comfortable with also upgrading that software as necessary.
HAHAHAHAHAHA. WOW. That is, BY FAR, the WORST security related assumption you've made so far. Numerous windows users will just download third party software like crazy, without a second thought and only update it when they hear about a new feature, *maybe*.
Assuming these people crossed over to OS X, how would it be any different?
Furthermore, even if the user is more educated, why are you excluding the possibility that they're lazy? In fact, lazy isn't even the right word, I shoul
I asked a question in a specific context, and it's important you understand that context. The person I was responding to had asserted that such software is very common, and as such, in that context, was asking for more than just a small number of examples of software for limited uses.
And you're still wrong about Winamp and Acrobat. Worst case scenario, if you use the features that require write access (which are optional), you only have to allow access to specific files/directories, not all of program files. The windows file system security is fine grained, there's never a need to make all of program files writable.
Even then, a user is warned that file xxx contains a program that wants to run for the first time and that it could be evil.
No warning is given for the examples I gave.
The problem in Windows is that the user is told NOTHING and the program executes and installs remote control back doors and who knows what.
And what difference does that make? If a user downloads a program, they're going to want to run it, so an admin password won't matter. If you're talking about executable attachments in e-mail, that's an issue for the e-mail software, not the OS and even OE has now disabled that by default.
If it CAN be done it must be VERY hard, since no one has done it yet.
No, your logic is warped. You've created a false dichotomy: that it must either a) be very hard or b) have been compromised by now. You're ignoring the possibility that there just isn't much interest by the trojan/hacker community due to things such as LACK OF POPULARITY. I have yet to see a single MS-DOS worm, despite the fact that networking software exists for MS-DOS; does that mean it's secure?
I already gave examples of vulnerabilities that don't require any special intervention on the part of the user. You can find even more by looking through vulnerability lists. Hell, with the libpng vulnerability, you just needed to get someone to view a PNG image (on a website or in an e-mail or wherever) and BAM, they're compromised, no dialogs, no warnings.
It IS A MATTER OF UNCONTESTABLE FACT that vulnerabilities exist which can be exploited to spread without any kind of special dialogs to click through on the part of the user. It's just that no one has bothered to write a trojan/backdoor that exploits those vulnerabilities yet, due to lack of interest. It's security through obscurity.
As to be expected, another zealot replies to me without reading what I was replying to. Let me quote the person I was responding to: "because so much software for mostly stupid reasons will not run correctly if the user is not an administrator."
Notice the "so much software" part. You, so far, have given an entirety of one (1) example (counting the scanning/OCR bundle as one). That hardly qualifies as 'so much software' and hardly makes Windows sooooooo much more insecure.
And uh, you don't need admin privileges to run Winamp nor Acrobat, as neither of them MANDATE their own updates. If you think you do, then you're configuring something very wrong.
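The point made above about Winamp and Acrobat, that Windows file system ACLs let you grant a standard user write access to one specific directory rather than making all of Program Files writable, is shown here as an added example; it is not code from anyone in this thread. The install path `C:\Program Files\ExampleApp`, the `userdata` subdirectory and the `BUILTIN\Users` identity are placeholders; the script must be run from an elevated PowerShell on Windows.

```powershell
# Added example (not from the thread): give standard users Modify rights on a
# single data directory under an application's install folder, then verify that
# the install folder itself (where the executables live) stayed read-only.
# Paths and the identity below are placeholders chosen for illustration.

$AppDir   = 'C:\Program Files\ExampleApp'   # placeholder install directory
$DataDir  = Join-Path $AppDir 'userdata'     # the only directory the app needs to write
$Identity = 'BUILTIN\Users'                  # or one account, e.g. "$env:COMPUTERNAME\alice"

if (-not (Test-Path -Path $DataDir)) {
    New-Item -ItemType Directory -Path $DataDir | Out-Null
}

# Record the inherited ACL first so the change is auditable.
Write-Host "ACL on $DataDir before:"
(Get-Acl -Path $DataDir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# Modify = read/write/delete within the folder, applied to this folder, its
# subfolders and files. Deliberately not FullControl (no ACL/ownership changes)
# and deliberately scoped to $DataDir, not $AppDir.
$Rights      = [System.Security.AccessControl.FileSystemRights]::Modify
$Inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagation = [System.Security.AccessControl.PropagationFlags]::None
$Type        = [System.Security.AccessControl.AccessControlType]::Allow

$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Identity, $Rights, $Inheritance, $Propagation, $Type

$Acl = Get-Acl -Path $DataDir
$Acl.AddAccessRule($Rule)
Set-Acl -Path $DataDir -AclObject $Acl

# Show only the explicit (non-inherited) entries that now exist on the data directory.
Write-Host "Explicit ACEs on $DataDir after:"
(Get-Acl -Path $DataDir).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Verify the parent install directory did not become writable for the same identity.
# If it had, a standard user could replace the program's executables.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write
$ParentWritable = (Get-Acl -Path $AppDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $Identity -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
}
if ($ParentWritable) {
    Write-Warning "$Identity has write access on $AppDir itself; tighten that ACL."
} else {
    Write-Host "$AppDir remains read-only for $Identity; only $DataDir is writable."
}
```

The same approach applies to a single file a program insists on writing (pass the file path instead of a directory and drop the inheritance flags), and `icacls` can do the equivalent from a plain command prompt. The check at the end is the part worth keeping in any such script: the security property being preserved is that the directory holding the executables stays unwritable to the accounts that run them.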