Yes, I guess that would be nice but you get the same effect by having a WEP/WPA password set or not. That's simply not true. The ignorance of users (in failing to set a WEP password, but still wanting their access point to be private) precludes this. If I'm out and about, I don't know if the failure to set a password is due to ignorance or due to a willingness to share. A flag (off by default) which indicates a willingness to share would be express permission to use the access point.
Just because your bandwidth is unmetered doesn't mean that it's not valuable and that using it isn't causing harm. It's all well-and-good that you want to share your bandwidth--heck, I do to*. But that doesn't mean that everyone does.
It's really a shame that no part of the 802.11 standards allow for a bit that identifies that the user of the access point intends to share his access.
You can take that to the extreme to show how gray it can get.
Login: root Password: root Wrong username or password.
Login: root Password: toor Wrong username or password.
Login: root Password: admin Last login: Wed Mar 19 18:03:09 2008 from blah.example.org boa#
Hey. I asked and it let me in!
We still deal largely with human-to-human contact. Most access points aren't set up explicitly with the intent of letting random people connect to them (compare to most web servers, which are set up explicitly to let random people connect to them.)
That said, I'd love to see a ruling stating that if the AP grants access without requesting a password, it must be assumed that the owner of the AP intended for the access to be granted. Let people take responsibility for their ignorance!
Rather than making such a statement (and getting modded informative, to boot!) could you explain why you think that it's a dumb idea?
The biggest problem I have with it is that it's going to be fairly hard to prove that it was done intentionally if the access point was open, and if the access point was closed, it's very obviously already illegal under computer abuse laws.
Nonetheless, I'd love a clarification of the law in this matter, if for no other reason than I'm tired of armchair lawyers (and I'm guilty of this, myself) debating the issue on Slashdot.
If an application contains a . in it's filename (except in the.app), then the show/hide extension setting is always disabled for that file. Try it yourself, rename any app on your system to ".doc", it will suddenly appear as ".doc.app". Wow, that's really quite spiffy. I'm constantly amazed by the little touches that OS X has. The warning for opening an application from the Internet is good, too (I noted this earlier in another thread when it was pointed out.)
You're correct that people are in danger without typing any password. A spam mailer or key-logger does not need admin privileges to run on OS X. It does need admin to run while you're not logged in though, and also if it wants to hide effectively, which it will need to do if you decide to install an anti-virus after you've been infected (or, if Apple releases a security update to detect the malware). As long as we're both aware of this, I'm glad. Too many people complain about Windows "letting you run as admin" and how that "exposes you to viruses." As you point out, it doesn't--it exposes you to viruses which do a better job of hiding.
Of course, the culture of the Mac being that antivirus products aren't necessary will allow the first few viruses (if they ever hit) to have a larger impact. That said, even on Windows, I'm not particularly fond of Antivirus products. They're always playing catch-up, and in some cases, they do a really poor job of it[1].
OS X is not perfect, but the underlying architecture is structured to make anything but the most trivial malware quite difficult It's definitely doing some things right. I don't know how far I'd go to say that the structure is that much better than Windows. Vista, particularly, got some security things right--I just wish that they'd gotten that right in a less bloated and user-malicious OS. For example, I believe that Vista also notifies you if you try to open files that you downloaded from the Internet, and it warns you if an application tries to do something that requires advanced privileges--that is, until you get so annoyed with the prompts that you disable them or stop reading them.
[1] Anecdotally, at least. When Storm was ramping up, we got ahold of some malware that we hadn't seen before. We started examining it and putting together some stuff to help our users clean it, and then a few days later, submitted the sample to virustotal.com. Several days after the initial infection, more than half of the antivirus software hadn't been updated to detect it. It turned out to be a Storm variant.
I won't say that I necessarily disagree with you--my comment was not as well thought out as it could have been.
As you may have noticed in other comments, my primary complaint is that certain security-related bits of metadata (executability, for the specific example that we've been using in this thread) should be blindingly obvious to even the most casual observer in the default view of the OS--Finder in OS X, Explorer in Windows, Nautilus in Gnome, whatever is used in KDE, etc. It's essential from a security aspect--it helps to keep the executable FiscalReports.doc.app from being run by a clueless Mac user. It's also nice from a usability perspective--determining which icon is the one you double-click on to open the program in this folder which includes lots of weird little files.
Yes, you can run commands through the shell to get the relevant metadata in OS X and Linux, but if you think that's good enough, you're pretty much an elitist with whom it isn't worth continuing this discussion.
None of these views is the default. It's all well and good that these are available to the user who knows to think about these sorts of things, but the default view for most folders in Leopard doesn't provide this data.
To play Devil's Advocate, Windows has features that make it more secure, but are not the defaults (things like the ability to run as a non-admin user, and the same "Detail" view that shows that Reports.doc.exe is actually an executable, I believe) but it still gets black marks by most Slashdot commenters.
Oh, incidentally, the.com file is a really good example of unfortunate coincidences. I don't think that this type of security pitfall was commonly a concern around the time that TLDs were invented and the DOS executable standards were being written. Hell, around that time, even major services on the network were largely trust-based--something that wasn't obviously an unacceptable level of security for years, and which we were coping with as little as a decade ago.
I think that's a good step. I've mentioned elsewhere in the thread that I think things can be improved, but I'm glad to see that OS X doesn't blindly and silently let the user run a.app that is disguised as a.doc.
First the user needs to double click the file, which might be displaying a.app extension if the user has extensions visible.(Meaning they'd realise it wasn't a.doc file.) It doesn't take much for this--it appears to be the default setting (just looked on a very new Mac Mini.)
Secondly they'd need to not realise that their.doc file isn't opening in Word or a similar program, but rather in a new program that is for some reason asking them to authenticate. This is... somewhat fair. It doesn't take much imagination to come up with bad things that it could do without administrative rights, though, all the while silently waiting for an authentication box to pop up, which it can immediately replace (after authentication) with a "failed password" prompt, re-requesting credentials that it can scrape. Does OS X have a facility to prevent fake dialog boxes such as these?
Thirdly they'd then need to enter in a username and their password(if they are even the account holder who knows it/remembers it) to give the software permission to alter critical files on their system - all while not seemingly realising that their file isn't opening in Word/text editor. Most home users will be the primary user of the machine, but you've repeated a lot of the issues from point two in point three.
If you're comparing Vista to Mac OS 10.5, then the moment you received this ".doc" file, whether from an email attachment, chat or website, the OS will alert you when you're opening it to where the file has come from, what time you received it, from what program and even what user sent it to you - and most importantly what kind of file it -really- is. This particular attack vector has been addressed extensively. It will as a minimum stall or prevent the creation of a botnet using Mac OS computers. I like that it does this, and I do think that it's a good safeguard. I just think that things in all three of the current major operating systems (four if you count XP separately) could be better.
Actually, my basic complaint is that in the default view for each OS, it's not intuitively obvious which icons represent files or links to files which are directly executable. None of the three OS has this as a feature, to the best of my knowledge.
Sure, there are ways to figure it out, but it's a lot harder to get my family to perform a series of operations to find out if a file is actually a document or if it's a disguised executable than to just say, "Hey, look, if there's a red halo around it, don't click it unless you know for sure what it is!" Yes, it's a security issue because the easier you make security, the more people will make use of it.
I use Linux almost full-time--and I still feel that this should be a standard in operating systems.
It doesn't affect me much because I can't remember the last time that I lauched an executable from the GUI, but I still think that it would be a good idea to clearly delineate executable files in the default view.
But the Mac OS is the only one I always do run as admin, since 1987 in fact, and never once have I had any malware or been hacked. That's twenty-one years without a breach in security! ...that you know of. I'm not trying to troll, here, but it's not possible to prove that you had no infections or hacks.
Hey, that's interesting. I didn't know that was the case with Macs (it's absurd, in my opinion--files should have extensions which indicate what they do, and only certain extensions should imply executability.) Are there any safeguards against accidentally executing such a disguised program?
Re:Chapter 10 - Large Projects
on
Advanced Rails
·
· Score: 1
I also happen to think that PHP makes writing "powerful well-designed apps" a bit harder than necessary, but that's just me. I feel this way about Rails and PHP. PHP does pretty well at writing powerful apps, and Rails does pretty well at writing well-designed apps. Neither gets both powerful and well-designed simultaneously.
I think that you'll find this true of most frameworks.
Ultimately, what it boils down to is that Rails is a framework. Frameworks are never as flexible as the languages in which they're written. Because most of the paradigms which Rails was built for are well-understood and already have open-source projects available for them, Rails isn't much use to me (I don't want to write yet another CMS, I want to extend an already-written one.)
I think that just about any application can be better written in PHP than in Rails (and I really dislike PHP, too.) But it probably can't be written faster. As for the coward's skills, I really can't say.
I did have "originally meant" in parentheses in my original post.
Dilution of the language is a bit of a pet peeve of mine when a word takes on what is essentially the opposite meaning, or when the word conveys a subtle concept for which there isn't another good word. Factoid is a good example of the former--one meaning means that it's true, one means that it isn't. Irony is a good example of the latter--how do you distinguish between the classical definition of the word, and the Alanis Morisette definition of "a strange or amusing coincidence"?
Slashdot Mirror
It shouldn't prevent it, but it wouldn't connect automatically, I don't believe.
Just because your bandwidth is unmetered doesn't mean that it's not valuable and that using it isn't causing harm. It's all well-and-good that you want to share your bandwidth--heck, I do to*. But that doesn't mean that everyone does.
It's really a shame that no part of the 802.11 standards allow for a bit that identifies that the user of the access point intends to share his access.
* But I don't, for legal reasons.
Mess around with gconf-editor for awhile--it should be in there. Alternatively, edit ~/.gconf/system/networking/wireless/networks
I was clarifying why it's criminal rather than civil, not commenting on whether it should be legal in the first place.
You can take that to the extreme to show how gray it can get.
Login: root
Password: root
Wrong username or password.
Login: root
Password: toor
Wrong username or password.
Login: root
Password: admin
Last login: Wed Mar 19 18:03:09 2008 from blah.example.org
boa#
Hey. I asked and it let me in!
We still deal largely with human-to-human contact. Most access points aren't set up explicitly with the intent of letting random people connect to them (compare to most web servers, which are set up explicitly to let random people connect to them.)
That said, I'd love to see a ruling stating that if the AP grants access without requesting a password, it must be assumed that the owner of the AP intended for the access to be granted. Let people take responsibility for their ignorance!
Rather than making such a statement (and getting modded informative, to boot!) could you explain why you think that it's a dumb idea?
The biggest problem I have with it is that it's going to be fairly hard to prove that it was done intentionally if the access point was open, and if the access point was closed, it's very obviously already illegal under computer abuse laws.
Nonetheless, I'd love a clarification of the law in this matter, if for no other reason than I'm tired of armchair lawyers (and I'm guilty of this, myself) debating the issue on Slashdot.
I assume that it falls under the computer misuse laws--the same laws which prohibit hacking into a computer.
Of course, the culture of the Mac being that antivirus products aren't necessary will allow the first few viruses (if they ever hit) to have a larger impact. That said, even on Windows, I'm not particularly fond of Antivirus products. They're always playing catch-up, and in some cases, they do a really poor job of it[1]. OS X is not perfect, but the underlying architecture is structured to make anything but the most trivial malware quite difficult It's definitely doing some things right. I don't know how far I'd go to say that the structure is that much better than Windows. Vista, particularly, got some security things right--I just wish that they'd gotten that right in a less bloated and user-malicious OS. For example, I believe that Vista also notifies you if you try to open files that you downloaded from the Internet, and it warns you if an application tries to do something that requires advanced privileges--that is, until you get so annoyed with the prompts that you disable them or stop reading them.
[1] Anecdotally, at least. When Storm was ramping up, we got ahold of some malware that we hadn't seen before. We started examining it and putting together some stuff to help our users clean it, and then a few days later, submitted the sample to virustotal.com. Several days after the initial infection, more than half of the antivirus software hadn't been updated to detect it. It turned out to be a Storm variant.
I won't say that I necessarily disagree with you--my comment was not as well thought out as it could have been.
As you may have noticed in other comments, my primary complaint is that certain security-related bits of metadata (executability, for the specific example that we've been using in this thread) should be blindingly obvious to even the most casual observer in the default view of the OS--Finder in OS X, Explorer in Windows, Nautilus in Gnome, whatever is used in KDE, etc. It's essential from a security aspect--it helps to keep the executable FiscalReports.doc.app from being run by a clueless Mac user. It's also nice from a usability perspective--determining which icon is the one you double-click on to open the program in this folder which includes lots of weird little files.
Yes, you can run commands through the shell to get the relevant metadata in OS X and Linux, but if you think that's good enough, you're pretty much an elitist with whom it isn't worth continuing this discussion.
None of these views is the default. It's all well and good that these are available to the user who knows to think about these sorts of things, but the default view for most folders in Leopard doesn't provide this data.
To play Devil's Advocate, Windows has features that make it more secure, but are not the defaults (things like the ability to run as a non-admin user, and the same "Detail" view that shows that Reports.doc.exe is actually an executable, I believe) but it still gets black marks by most Slashdot commenters.
Oh, incidentally, the .com file is a really good example of unfortunate coincidences. I don't think that this type of security pitfall was commonly a concern around the time that TLDs were invented and the DOS executable standards were being written. Hell, around that time, even major services on the network were largely trust-based--something that wasn't obviously an unacceptable level of security for years, and which we were coping with as little as a decade ago.
I think that's a good step. I've mentioned elsewhere in the thread that I think things can be improved, but I'm glad to see that OS X doesn't blindly and silently let the user run a .app that is disguised as a .doc.
Actually, my basic complaint is that in the default view for each OS, it's not intuitively obvious which icons represent files or links to files which are directly executable. None of the three OS has this as a feature, to the best of my knowledge.
Sure, there are ways to figure it out, but it's a lot harder to get my family to perform a series of operations to find out if a file is actually a document or if it's a disguised executable than to just say, "Hey, look, if there's a red halo around it, don't click it unless you know for sure what it is!" Yes, it's a security issue because the easier you make security, the more people will make use of it.
I use Linux almost full-time--and I still feel that this should be a standard in operating systems.
It doesn't affect me much because I can't remember the last time that I lauched an executable from the GUI, but I still think that it would be a good idea to clearly delineate executable files in the default view.
Irrelevant--AV doesn't tend to protect against security holes, though it tries to protect against the largest one--uneducated users.
Hey, that's interesting. I didn't know that was the case with Macs (it's absurd, in my opinion--files should have extensions which indicate what they do, and only certain extensions should imply executability.) Are there any safeguards against accidentally executing such a disguised program?
I think that you'll find this true of most frameworks.
You've summed up my own issues with Rails.
Ultimately, what it boils down to is that Rails is a framework. Frameworks are never as flexible as the languages in which they're written. Because most of the paradigms which Rails was built for are well-understood and already have open-source projects available for them, Rails isn't much use to me (I don't want to write yet another CMS, I want to extend an already-written one.)
Not the original poster.
I think that just about any application can be better written in PHP than in Rails (and I really dislike PHP, too.) But it probably can't be written faster. As for the coward's skills, I really can't say.
Funny. Though arguing over the definitions of words isn't really covered within the realm of grammar, is it?
Never underestimate the power of buzzwords and glitzy technology? Managers love shiny things!
I did have "originally meant" in parentheses in my original post.
Dilution of the language is a bit of a pet peeve of mine when a word takes on what is essentially the opposite meaning, or when the word conveys a subtle concept for which there isn't another good word. Factoid is a good example of the former--one meaning means that it's true, one means that it isn't. Irony is a good example of the latter--how do you distinguish between the classical definition of the word, and the Alanis Morisette definition of "a strange or amusing coincidence"?