Slashdot Mirror


User: argent

argent's activity in the archive.

Stories
0
Comments
12,456
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,456

  1. Absolut Hot on Is There Such a Thing As Absolute Hot? · · Score: 1

    For a second there I thought this was about vodka.

  2. Re:The market share myth... on Army Buys Macs to Beef Up Security · · Score: 1

    Doesn't a virus have to self-replicate by definition?

    OK, back in 1997 I used to get all picky about the distinction between viruses and worms, but todat the terminology is completely corrupted.

    It used to be that a virus was malware that piggybacked on another transaction, and a worm was malware that performed active attacks.

    It used to be that a trojan was malware that left a backdoor for later exploits, not a worm that uses social engineering to propagate. Both definitions seem to be common now. I try not to use the term, it's too confusing.

    Technically few of the really effective email malware attacks have been viruses, since they mostly send their own mail rather than waiting for you to send mail and attaching themselves.

    So while I may agree that the guy you're quoting is being slack in his terminology, that battle's been long lost. :(

  3. Re:The market share myth... on Army Buys Macs to Beef Up Security · · Score: 1

    I'm not sure around 40 qualifies as "flourishing"

    Back in the '80s, before Apple started cracking down and stopped automatically running code in resource forks and running applications on floppies when you slotted them, the amount of malware on Macs was easily proportionate with their market share.

    at least not compared to the 10s of thousands you have on Windows.

    There weren't any viruses specifically for Windows back then. There were hardly any applications specifically for Windows, even.

    You can't compare Mac then to Windows now.

  4. Re:Read the fine article, friend. on Should Apple Give Back Replaced Disks? · · Score: 1

    Yes, most large companies have their own support guys, and I've had the fights with accounts receivables over paying for replacement drives instead of getting them replaced under warranty, too, but if someone's getting his laptop repaired at an Apple Store he's NOT working at a place that has that kind of resources, and he's not a security geek, and at least he's aware of the problem... compared to most of the non-security-geek people I've worked with, including people working on software where that matters, he seems ahead of the pack to me.

    If the stuff on his disk was as critical as you're talking about, I would expect it to be encrypted, but that's a whole other ball of flames.

    And for that matter I've taken my computer to retail outfits for warranty repair, and I haven't had them get in a tizzy over them working on it where I can see them, or my removing the hard drive ahead of time. When I took my Macbook to the Apple store for warranty replacement of the hard drive I had already wiped it and had to boot it from an external drive to show them the SMART output, and they didn't have a problem with that.

    So having them right at the end refuse to give the drive back when it's not a warranty return, that's not expected and not anticipated and if I'd actually paid for the new drive I'd be pissed that they hadn't given me the old one back even if the most important data on it was my music collection.

  5. Re:I'm shocked at CFL's low longevity on US To Extinguish (Most) Incandescent Bulb Sales By 2012 · · Score: 1

    Hopefully if there's a LOT more people using them, because they're forced to, this kind of thing will get shaken out in the wash.

    How do you tell if the CFL has protection against brownouts? Just buying a more expensive one is probably not going to be a good strategy.

  6. Permutation City and the ethics of simulation on Researchers Simulate Building Block of Rat's Brain · · Score: 1

    This is like the early stages of the back-story for Permutation City by Greg Egan.

    The ethics of simulation are kind of sidestepped in Permutation City, though the experience of the first self-aware "copy" of a person does seem to be a bit of a cautionary tale, and his later stories do get into the question of whether it's ethical to make copies at all, and what it's ethical to do with them.

    This is of course a long way from Permutation City style "Copy", but I think it's not to early to open the whole issue to debate.

  7. Read the fine article, friend. on Should Apple Give Back Replaced Disks? · · Score: 1

    He didn't "send it to them". He carried it to the Apple store, gave the laptop to the guy to diagnose. The tech said the drive was bad, replaced it not under warranty, and refused to give him the drive back.

    He PAID the $160, straight up. There's no question of this being a warranty situation where he was trying to avoid paying for the drive. He needed his laptop working and had *no idea* that Apple was going to do this. Why would he expect that... this wasn't a warranty drive replacement, this was a drive he was flat out buying.

  8. Re:I'm shocked at CFL's low longevity on US To Extinguish (Most) Incandescent Bulb Sales By 2012 · · Score: 2, Insightful

    They seem to be more sensitive to bad power and vibration. I'd like to see some statistics on CFL lifetimes under more typical conditions.

  9. If they want to attack cause and effect... on Wisconsin Mulls an Earmarked Video Game Tax · · Score: 1

    Add it to the booze tax, or the gasoline tax, or something else that's got a relationship to the problem.

  10. Boy, did you ever miss the point.... on Tcl/Tk 8.5.0 Released · · Score: 1

    Why the heck do Tk always looks like total crap on linux?

    Because it was based on the state of the art in 1992 or so.

    Who cares?

    Because the new widget set is themable and doesn't have to look like total crap.

    It's not the way I would have solved the problem, personally, but it does solve it.

  11. Re:The market share myth... on Army Buys Macs to Beef Up Security · · Score: 1

    mshtml.dll (Microsoft's HTML rendering engine) doesn't have anything to do with the creation of dialog popups...

    Don't be a literal minded idiot. You know what I'm talking about, and I know you know what I'm talking about.

    Warning dialogs don't pop up for most file formats, only files that have been downloaded and are known to be executable.

    They pop up *when* the files are downloaded and *ask* you if you want to open it *right then*.

    I'm not even talking about "smart technical guys". These kind of people generally do not get viruses on their systems in the first place.

    Oh yes they bloody do. You haven't lived until you've had to explain to some bloody contractor who thinks he's too smart to get a virus that no, he can't be an exception to your "no Outlook, no IE" rule even if he *does* have a system that dual-boots to FreeBSD or Linux or BeOS or whatever else he can tell you that he thinks will impress you, ESPECIALLY not while you're in there cleaning up his computer because he thought he could be an exception to your bloody rule and he was using Outlook or IE and clicked "Open" at the wrong time.

    I've had users use Thunderbird under windows... And due to being rather naive in nature, opened malware and got themselves infected with viruses anyway.

    I'm sure you have, so have I... as I just said. Once. I have only had one bloke do it more than once. I've had, though, users click on a link and get that damn "Do you want to open this now?" dialog (whatever it looks like this week... it mutates over time as Microsoft tries to "fix" it) and click the wrong thing...

    Timing is everything.

    Microsoft is making their new outlook client use Microsoft Word's HTML rendering engine...

    Yes, and I'm bloody glad of that. It means that just possibly they've realized what a total fucking mess they've made of security in the regular HTML control. If only I could believe that they would dump ActiveX and "security" zones and the idea that it's OK to violate every sensible rule of basic software security if they can get it to just *smell* secure with enough dialogs and certificates and so on.

    Finally:

    I haven't seen the method you're speaking of for the past decade to be honest.

    Since 1997 is when Microsoft introduced the desktop/browser integration with "Active Desktop" that really *started* the whole problem, and it's still 2007 now, I suspect you're dissimulating or exaggerating for rhetorical effect. I'm not sure that I'd describe either as "honest".

  12. Kernel address space and memory mapping on Notebook Makers Moving to 4 GB Memory As Standard · · Score: 1

    The limit is in kernel address space and the inability of the kernel to address memory beyond 4GB. With video cards taking up 512M or more, plus the rest of the memory space taken up by other devices in the system, it's not uncommon for PC chipsets to simply map out the top half gig or so for I/O. The only way to access the memory that's been mapped out is by addressing it over the 4GB limit, or (if the chipset supports it) remapping it sequentially through some window. If the kernel doesn't support memory over 4GB and doesn't include a driver to do something useful with the extra 512M of RAM that it can't address directly, it might as well not be there.

  13. Re:The market share myth... on Army Buys Macs to Beef Up Security · · Score: 1

    My belief is that there are no real malicious virus writers for OS X.

    The fact is, there are. There have been a few cases of viruses on OS X now, and they all worked by having people opening files after they were downloaded.

    Couple of things, though.

    First, Microsoft's HTML engine makes it much much more likely that people WILL open attachments or downloaded files by popping up a dialog asking people if they want to do so... and that was added as a security measure... originally it didn't ask. Safari started out doing the same thing, and then tried adding approval dialogs like Microsoft, but now it's turned that off by default. I don't think they're going far enough - that option shouldn't even be there - but at least they're heading in the right direction.

    Which is why it's only a handful of cases. Having to depend on people downloading and opening the virus on the desktop is far less effective: it makes it too easy for people to learn not to be stupid. Automatic execution is a huge amplifier for the whole class of attacks you're talking about, because it makes running a program something you do by clicking on a link. Yes, there's a dialog asking what you want to do, but you get so many dialogs like that on Windows that it's all too easy to just click on the infection button. Even if you've been burned before: in my years as a system admin, out of over 500 users (all smart technical guys, we're talking engineers with PhDs), I only had *one* get in trouble by downloading and then as a separate step opening an application after being burned once. I had several come to me multiple times because they'd clicked the wrong button in a dialog "and now my computer's acting funny".

    And so the most effective security precaution I ever took as a system admin may have been to get Internet Explorer and Outlook banned at our site in 1997, when 'Active Desktop' showed up to usher in the virus storm. These applications, along with any others that use Microsoft's HTML engine, quickly proved to be huge security holes... and banning them was a big part of what kept us from having a single "virus scare" over the following years. The guys who kept coming back? They were usually using IE or Outlook against our local rules.

    Back in 1997, I thought that Microsoft would back out of this broken design. I mean, it was so obviously wrong that there had been a joke about going around for some years by then... the "Good Times" virus hoax... because everyone knew that automatic execution was a bad idea. But somehow Microsoft seems to think they're immune.

    And as long as they keep trying to come up with workarounds that keep them from fixing the underlying problems, they aren't.

  14. The market share myth... on Army Buys Macs to Beef Up Security · · Score: 1

    Macs have fewer attacks and viruses than PCs because they only have a 5-10% userbase.

    Macs never had a huge market share, but they used to have a flourishing viral ecosystem. Even oddballs like the Amiga had their share of viruses. If it was just market share you'd still have hundreds of OS X viruses to Windows thousands.

    The surface area exposed to attacks is increased by market share, but Windows has a huge surface area independent of its market share, caused by their desktop/browser integration and their complex binary formats and configuration files.

    Apple was already systematically eliminating their virus problem even before OS X, removing rather than trying to protect avenues for automatic code execution. Microsoft declared that sandboxes were too slow, that automatic native code execution "protected" by certificates and security zones, was the only way to go. What we see now is the result of that.

  15. Re:Grr... on Army Buys Macs to Beef Up Security · · Score: 1

    Programmed in ADA.

  16. Re:Signed code is no solution. There is no code he on 'Extreme Security' Web Browsing · · Score: 1

    Since every web page you visit that contains Javascript will need to be signed, it needs to be easy for Joe Dokes to be able to sign his web pages. Every PDF document, Flash document, many movie formats, the list is endless. ALL need to be signed. In addition, there needs to be a mechanism to revoke certificates on a document by document basis, so that a document containing a flawed script can be blocked without blocking every document published by the signer. To make this workable, it must be so easy to get a certificate that anyone who wants an untraceable (or deceptive) one will be able to get one.

    This attack does not involve even a "command list". All it requires is the ability to get the browser to fetch a URL, for any purpose, from an untrusted web page. The browser doesn't even need to have any exploitable vulnerabilities related to the URL, and the attack will work using the most perfectly secure browser... all that is required is that it perform a "fetch" operation as documented.

    Perfect security is impossible. Restricting yourself to the use of tools that are secure by design is the best you can do. If the security model is based on protecting certificates then it will actually be weaker than one based on maintaining a secure sandbox. In fact, it's arguable that this is one of the fundamental flaws in ActiveX.

  17. Local security is good, but... on Vulnerability Numerology - Defective by Design? · · Score: 1

    Largely agree with you, but...

    Treating remote code execution the same when on one system it is as uid nobody, and on the other, it is as administrator

    Local security does need to be considered, but it shouldn't be depended on. A remote code execution vulnerability is still critical, whether it happens as LOCALYSTEM, root, Administrator, local user, nobody, or in a partial sandbox like a chrooted environment or Microsoft's new sandbox in Vista. Local privilege elevation attacks to exist, and even without privileged access a remote code exploit can launch secondary attacks, log user actions in the compromised application (eg passwords), or run a payload that doesn't require privileged access (eg, a botnet node).

  18. Re:The Gist on Tunguska Blast Was a Small Asteroid · · Score: 1

    Yes, every asteroid on television will undoubtedly hit over New York or Los Angeles. There must be some exceptionally high gravitational field at those locations.

    I'm too tired to come up with a joke about density.

  19. If the crater is a kilometer away... on Chance for a Tunguska Sized Impact on Mars · · Score: 2, Insightful

    If the crater is a kilometer away, then I'm sure it will be visited. If it's 10,000 km away, then it will have to wait for a completely new rover mission.

    If the crater is a kilometer away, then it's unlikely the rover will be in any state to visit it, or even report its state, and it will have to wait for a new rover mission anyway. :)

  20. Signed code is no solution. There is no code here. on 'Extreme Security' Web Browsing · · Score: 1

    If all code has to be signed, then it has to be easy to get a certificate to sign code. This makes it a very small hurdle for an attacker.

    In addition, the attack this is attempting to deflect does not require local execution privileges. It doesn't even require sandboxed Javascript. There's no executable code involved at all.

  21. The story is specifically about CSRF... on 'Extreme Security' Web Browsing · · Score: 1

    This is not a general technique for protecting against all possible vulnerabilities, it's for protection against cross-site request forgery.

    If a banking site does not use some kind of nonce in each request (or check referrers, or request confirmation, otherwise attempt to prevent this class of attack), then someone could stick <img src="http//bankingsite.example.com/account_management?req=transfer_funds&amt=5.00&target=badguy"> in a web page (say, as the avatar image for some throwaway account on some naive web forum) and bob's your uncle... a salami attack. I'm sure you can think of other possibilities.

    [url deliberately broken to keep /. from treating it as a url]

  22. Security by obscurity? on Diebold Election Results Released By AZ Judge · · Score: 4, Insightful

    If the security of the system depends on keeping the implementation secret, then it's not secure. Huckelberry's assertions are themselves an indictment of Diebold's product.

  23. The Ungoverned on Tiny, Morphing, Electricity-Stealing Spy Planes Developed · · Score: 1

    We're getting closer to Vinge's 1985 story The Ungoverned.

  24. Re:Is it ok to shine a laser on something... on Tiny, Morphing, Electricity-Stealing Spy Planes Developed · · Score: 1

    I guess they need to make sure not to fly these planes in Boston.

  25. I think we can dismiss this one... on Microsoft is the Industry's Most Innovative Company? · · Score: 1

    I think we have amply demonstrated, in many articles here, how little innovation is needed to get a patent. a large patent portfolio simply means that the company has spent a lot of money on patent lawyers.