Slashdot Mirror


User: argent

argent's activity in the archive.

Stories
0
Comments
12,456
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,456

  1. Re:Once you're penetrated... on PEBKAC Still Plagues PC Security · · Score: 1

    You could have a very secure OS that ran entirely in one ring with no hardware protection at all.

    Because if you're worrying about whether virus code is running in ring 0, 1, 2, 4, or 47... you've already been penetrated.

    And, as already noted, once you're penetrated...

  2. This license does nothing for open source on Open.NET — .NET Libraries Go "Open Source" · · Score: 1

    The license ONLY covers using the source to help you using Microsoft's own code.

    The rights to the code are not in any way transferrable. Not even for documentation purposes.

    In fact, given this license, I would recommend against any open source programmer even implying publicly they might be looking at that code.

    Because it just opens you up for a big old interface copyright case.

  3. Source code access is not "open source". on Open.NET — .NET Libraries Go "Open Source" · · Score: 1

    Open source means that the license is open-ended (the owner can't revoke it except if you violate specific terms explicitly spelled out in the license), transferrable (you can give someone else the code and pass on same rights you have), and permits unrestricted free redistribution (no license fees, no paperwork, if you get the code you get the license, no ifs, ands, or buts).

  4. The MS reference license is not "open". on Open.NET — .NET Libraries Go "Open Source" · · Score: 1

    The MS reference license is not an open source license, because it doesn't permit unrestricted redistribution and it leaves Microsoft the option of terminating it at will. Whoever write the subject line needs to go back to college (or maybe high school) to learn to read.

  5. Take your straw man somewhere else. on Open.NET — .NET Libraries Go "Open Source" · · Score: 1

    Um, Microsoft's license isn't "open source", not even Microsoft said it's "open source", and in fact there's no relation whatsoever between it and "open source".

    The OSI definition of an open source license won't allow ANY license that doesn't commit to free redistribution to qualify as an one.

    So take your straw man somewhere else.

  6. Once you're penetrated... on PEBKAC Still Plagues PC Security · · Score: 1

    The problem is that if the user can kill it, so can the virus.

    The virus shouldn't be able to start running so it can do that. The APIs and network protocols should be designed so that BY DEFAULT no untrusted content even has a mechanism to request that it be run, and to actually run any the user should need to explicitly navigate to the document through a separate user interface (eg, a file or download manager) and explicitly ask to run it.

    That is, the browser should not EVER automatically give you the opportunity to run a file that you just downloaded. Not though ActiveX, not through installers, not through a helper application, not through "open safe files after downloading", not through anything. The browser should not allow newly installed applications to enable helper applications or plugins... the user should request that. There should not be any path by which, from normal browsing of the internet, you can execute newly downloaded code or previously downloaded code that the user has not explicitly requested be run.

    Period.

    There are ways to do this without making things inconvenient. Hell, I can't imagine any reasonable API that's more inconvenient than what nativirus code and other non-solutions puts you through.

    Because...

    Security is like sex, once you're penetrated you're fucked.

    Once that virus is on your computer, and running, you've lost. You're owned. Your antivirus MIGHT catch it a few million clock periods later, but only by putting so much extra code in the critical path on your computer that it's amazing it runs at all.

    The place to fix the problem isn't the figurative "next morning" after the virus has already run. It's to keep the virus from running. Only Windows and IE put out the welcome mat and nail it down so that the morning after pill is the only solution people can imagine using.

  7. Why are you proud of using broken tools? on PEBKAC Still Plagues PC Security · · Score: 2, Insightful

    To all of those who are crowing that they haven't run virus protection or spyware scanners in xx years. Why are you proud of this fact.

    Because I've been a network administrator herding a 100-400 programmers plus their administrators and secretaries and sales guys and so on, for 20 years. And I do protect myself.

    * Don't use Windows at all unless you have to.
    * If you have to, don't use any application that uses the HTML control on untrusted content.
    * If you have to, don't run any services on it you don't need.

    THAT is "protection".

    If you don't do that, you're having unprotected sex with the Internet.

    Using Antivirus software is like taking prophylactic antibiotics and interferon and RU486 every morning. And like taking drugs you don't need, antivirus software can cause problems just by running it. It can crash your programs, lose your data, and false positives can cause you to waste time.

    When someone new to our network was having problems, first thing I typically did was turn off ZoneAlarm on their computer. That gave me an opportunity to make sure they had a recent non-IE browser and a non-Outlook mail program, and let them know of our corporate policy on IE and Outlook (which was 'you don't use these programs on our network').

    We had no virus outbreaks until we were forced by the parent company to standardize on Macafee antivirus and IE, turn on the Microsoft remote administration tools, and so on... and when the company got hit by the next worm we got it too. First time that had happened since we started seeing the virus storms come through five years earlier.

    Do you drive your car without insurance? Do you drive without buckling your seatbelt and leave all of the windows down so that you will be "thrown clear" in the accident?

    Nope, and I don't drive my computer without a real OS, and I don't use Windows without disabling as much IE as I can, and I don't run antivirus software so that when I'm infected it'll tell me it's deleting critical system files because they can't be repaired.

    Sticking your head in the Windows may make you feel good, but don't kid yourself that it's safe.

  8. Thanks, I was just about to post that... on PEBKAC Still Plagues PC Security · · Score: 1

    TEN years now since Microsoft deliberately introduced an inherently insecure design to try and make an end run around their agreement with the DoJ and nobody at Microsoft has gone to jail for it. And that's despite the zillions of dollars and man-years and sanity points that have been wasted by people trying to patch it and deal with it and who just plain suffer from it. I'm still amazed.

  9. Software Radio? on AT&T Welcomes Programmers for All Phones Except the iPhone · · Score: 1

    I've read several places that the iPhone would give you a lot of ability to hack the software radio that you can't get from a Pocket PC, Palm, or Java based platform. If that's the case, then that's a pretty obvious reason to keep people out of the iPhone.

    So, what's the scoop there?

  10. Re:The slogan of bad user interfaces everywhere... on Blender Compared To the Major 3D Applications · · Score: 1

    theres nothing that can be done to fix it without people who have the skill, and the will to change it.

    That's what I just said.

    And you get people with the will and skill to fix it by getting them interested enough in using it to make it worthwhile fixing it.

    When you have people looking at Blender and then writing programs to generate objects directly because it's easier to write a one-off program than to figure out the way Blender does things, you're driving away the people who have the skill and the will, but who don't like the Blender UI. The reality is that there are more than enough projects hungry for EVERYONE's time that you gotta spend what you have on projects that get you the most bang for the buck. And when the feedback from the Blender community is stuff like "if you can't handle the user interface you're not ready to do 3d" one finds it hard to come back with "that's a community I really want to contribute to".

    The bottom line is that you have lots of good reasons why the user interface sucks so badly, but the fact remains that it IS really really bad, and one of the reasons is that attitude that the people who don't want to "get it" aren't worthy.

    I never once threw up my hands and said 'too hard' - i was too busy learning and creating stuff.

    Again, there's more than enough ways to learn and create stuff that don't involve beating your head against a user interface that seems designed to give developers an excuse to tell users "they're not good enough".

  11. I'd like to see their threat model for IE on Microsoft's Larry Osterman On Threat Modeling · · Score: 1

    Or rather for the use of ActiveX in the HTML control, particularly security zones.

    "Storing a file in the wrong place can lead to complete compromise... that's OK, if you download a file you really meant to run it anyway, so that's the user's fault."

  12. The slogan of bad user interfaces everywhere... on Blender Compared To the Major 3D Applications · · Score: 1

    If you don't have the patience and skill to learn the UI and get results from Blender, youre simply not cut out for 3D modelling/animation.

    If you don't have the patience and skill to learn JCL and get results from OS/360, you're simply not cut out for using a computer.

    You know, when people criticize the "Gimp" for being less user friendly than Photoshop, what happens? Well, sure, there was some grumbling about it, but there's also been a concerted effort to improve it over the years, including some outright lookalike variants.

    I've used a number of 3d tools, starting with "edit these text files" in PoVRAY and working up through pretty much all the open source tools and a number of the commercial ones, and I have to say that using Blender didn't make me think "this needs polishing", it made me think "the guy who designed this program actively hates his users". Even for an open-source program, Blender is particularly obscure.

    With all of these whiners complaining about the UI, you'd think there would be some who might be prepared to contribute [...]

    I'm sure there are. I can only speak for myself, though, and I have to say that in general you're only going to get contributions to an open source project from people who find value in the project. If the user interface dissuades people from using it, then that is going to act as a pretty strong filter keeping out the people who might be interested in providing the kind of help it most needs.

  13. Can you explain the linkage here? on Nokia responds to iPhone by Promoting 'Open' · · Score: 1

    I think any support Apple had for the open source concept went out the window when they started making sweetheart deals with companies in other industries. iTunes was hugely successful--but in order to make it work with the RIAA, Apple put in DRM.

    Since iTunes was never in the open source bag, and Apple has made no effort to create a "trusted audio path" for iTunes to use, and iTunes DRM is basically "honor system", I'm not sure what relationship you're trying to establish between iTunes and Open Source. Are you saying that the DRM in iTunes keeps them from releasing parts of Darwin they could otherwise release? What parts of Darwin do you believe they're embargoing to protect iTunes DRM, keeping in mind that they don't even try to keep you from intercepting digital audio coming out of itunes just using the published APIs (let alone the source code)?

    The iPod is an appliance, it's always been an appliance... you might as well ask for the source code to your bluetooth keyboard or your hard drive.

  14. You can't get there from here... on Microsoft's Larry Osterman On Threat Modeling · · Score: 1

    Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.

    I'd get them a Mac.

    Unfortunately, Microsoft can't get there from here.

  15. Replace the rest of the words... on Class-Action Lawsuit Over iPhone Locking? · · Score: 1

    Replace Apple with PC World, OK.

    Replace Firmware with software, because the laptop's firmware hadn't been modified.

    Replace firmware update with a broken hinge, because it wasn't a software problem.

    Replace Laptop with Cellphone, because laptops are normally expected to run user-installed software, and cellphones aren't.

    Replace everything, in fact, because it's a completely different story.

    I've got an old iPaq. I replaced the firmware in it. I don't expect to be able to upgrade it to the next version of Windows CE without replacing the original firmware, and I didn't even consider replacing the firmware until the folks who came up with the hack had a working mechanism to reverse it.

    If it still hadn't worked, that wouldn't be Microsoft's fault or Compaq-I-Mean_HP's fault. I knew I was doing something that was dangerous, and unsupported. Installing another operating system on a laptop is a completely different situation.

    And even so, in the example you give, the guy was an idiot. I wiped the drive on my Thinkpad before I sent it in for repair, and I wiped the drive on my Macbook Pro before I handed it over to the "Genius Bar" (god, I hate that name) for them to replace the drive. And I wasn't even running unsupported software on either of them. That's just something you do when you get a laptop repaired... it should be routine.

    what has Apple really done to benefit the world

    Ship a version of UNIX that doesn't suck too much and you can actually get third party applications for.

    Seriously. Their hardware is overpriced and poorly designed, but there's no alternative if you want software that doesn't suck like a jet engine.

  16. Re:Not SPF, and similar to what I use... on Novel Method for Universal Email Authentication · · Score: 1

    why is it someone else's responsibility to filter your mail for you, especially if that person is only involved because your filter decided to believe that a message with a high level of spamminess really did come from him or her?

    You seem to write well, so I assume you're fluent in English. This is only applied to mail that has already passed the spam filters (that is, it's NOT mail with "a high level of spamminess") but is from an unknown sender.

    I've pointed this out three times now. If you don't get it this time I wash my hands of you.

  17. Re:Not SPF, and similar to what I use... on Novel Method for Universal Email Authentication · · Score: 1

    I have yet to see a reasonable challenge-response system that handles the scenario where you fill out a web form and an automated process sends you a wanted email.

    This isn't a challenge-response system. This is a token tagging system that uses challenge-response when the token's missing.

    If you're filling out a form, you put the token in the "to" address.

  18. Re:Not SPF, and similar to what I use... on Novel Method for Universal Email Authentication · · Score: 1

    There is nothing that "makes it OK" for any mechanism you use to mitigate spam. Your choices are either throwing away legitimate mail without notifying the sender, or notifying some senders inappropriately. Neither of these are "OK". There's no alternative that's "OK". The responsibility for this situation belongs to the spammers, not the people who are trying to find a balance that minimizes the amount of "not OK" stuff they have to do to keep email actually functional.

    Did you stop reading after the first sentence, by the way, or did you get through to the part where I pointed out that this was the last step in the filter chain, and that nobody ever gets more than one bounce? Anyone who's getting mail from me is already getting a hundred times as much from initial conversation bounces. I know that, for sure, because I'm also a victim, I get to see both sides.

  19. Re:Not SPF, and similar to what I use... on Novel Method for Universal Email Authentication · · Score: 1

    And thus you are spamming the people whose email addresses have been forged, well done.

    That's true for pretty much any sender verification mechanism, or any mechanism that operates during the initial conversation exchange (like, say, SPF or DNSRBLs) because of secondary bounces. I got one of my domains forged a bunch, and by far the most common secondary spam isn't people running sender verification systems... it's bounces from intermediate servers that were rejected by the destination, and next come messages from anti-spam or anti-virus software telling me "my" message is spam or a virus. THAT kind of bouncage is bizarre, since viruses and spam have had almost universally forged addresses since last century.

    At only one message per address, ever (modulo lossage in the database of people who've been already seen), and only if they haven't been handled on the server (which takes care of the vast majority of spam during the initial conversation or via simplistic content filters).

  20. What the hell does that have to do with anything? on Debian Refuses To Push Timezone Update For NZ DST · · Score: 1

    Simply put, a *Nix system should have the system clock set to GMT and synchronized to a time server

    What does that have to do with anything? The system clock *is* set to GMT, and the CMOS clock doesn't matter because the CMOS clock doesn't implement daylight savings time changes at all... so it doesn't matter if the offset for the clock is DST or not, since the system has to adjust it by the offset it believes it was at when it shut down.

    The actual problem is that the displayed time and the time used for periodically scheduled events, policy changes, and so on will still be based on local time, and local time will still be wrong whether the system clock is in DST, GMT, UT, sidereal time, Swatch Beeps, or based on decimal fractions of Martian Sols.

  21. Not SPF, and similar to what I use... on Novel Method for Universal Email Authentication · · Score: 4, Interesting

    This is just an additional layer over automatic whitelisting of addresses using tagged responses.

    Some years ago I set up for my family a pretty simple set of procmail rules and scripts that bounced messages that hadn't otherwise been classified as spam or been whitelisted with requests that they be resent with a certain keyword in the subject line. For example:

    "Hello, you just sent me the following message. Could you send me the message again with the word 'leisure' in the subject line? You can reply to this message if you like, just be sure to add 'leisure' to the subject line."

    Over a period of several years the only spam that's gotten through this has been from a 419er.

    The advantage of a subject line token like this is that you can tell people the token to use, or put the token in the subject line when you send the message so it's usually there when the recipient replies.

    Whether you take the resulting message and whitelist the sender address, or some other information in the header that you consider reasonable, that's up to you. It's not really the same thing as the SPF database, though, even if you choose to make the same kind of information the key you use for whitelisting. The point of SPF is that it's supposed to be authoritative for the organizations involved, and doesn't include things like "I sent something with my work address from Earthlink and now you're accepting mail from my work domain through Earthlink's servers".

    And using this to whitelist the sender rather than their whole domain gives you a lot finer control.

  22. Amazon one-click only, even if you turned it off. on Amazon MP3 Vs. iTunes Music Store · · Score: 1

    Amazon doesn't seem to have an option to use a shopping cart for MP3 downloads even if you disabled one-click in your Amazon profile. this works just fine in iTunes.

    This is annoying.

  23. Guess the labels are still not convinced... on Amazon DRM-Free Music Store Goes Beta · · Score: 1

    I guess the labels are still not convinced that DRM-free music is the only way to go.

  24. I think Apple understand this... on Review of Amazon's DRM-Less Music Download Store · · Score: 1

    Apple better act quick if it wants to keep up because, as of today, all that's going for the iTunes Store is its popularity. DRM on music is dead, and any company that doesn't understand that is going to get left in the dust.

    I think this quote from Jobs in Rolling Stone back when the iTMS was introduced suggests that they know that: "When we first went to talk to these record companies -- you know, it was a while ago. It took us 18 months. And at first we said: None of this technology that you're talking about's gonna work. We have Ph.D.'s here, that know the stuff cold, and we don't believe it's possible to protect digital content. [...] What's new is this amazingly efficient distribution system for stolen property called the Internet -- and no one's gonna shut down the Internet. And it only takes one stolen copy to be on the Internet. And the way we expressed it to them is: Pick one lock -- open every door. It only takes one person to pick a lock. Worst case: Somebody just takes the analog outputs of their CD player and rerecords it -- puts it on the Internet. You'll never stop that. So what you have to do is compete with it." -- Steve Jobs

    Jobs has been on record from the start as saying that DRM is only there in iTunes to mollify the copyright owners. EMI acquiescing to reality was a change in EMI. If Bezos has managed to get the rest of them to accept this, everyone will benefit... including Apple.

  25. Their README is interesting... on Amazon DRM-Free Music Store Goes Beta · · Score: 1
    The README isn't a document about how cool they are, or a guide to installing, or a list of requirements. Nope, it's...

    AMAZON MP3 MUSIC SERVICE LICENSOR ACKNOWLEDGMENTS
    Portions of the software used in connection with the Amazon Mp3 Music Service
    may utilize the following copyrighted material, the use of which is hereby
    acknowledged.

    CVTUTF
    Copyright 2001-2004 Unicode, Inc.
    [...]

    libcurl
    Daniel Stenberg, et al. ( libcurl )
    Copyright (c) 1996 - 2003, Daniel Stenberg,
    The libcurl software is released under a MIT/X derivate license.
    [...]

    OpenSSL
    Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.

    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions are met:
    [...]


    MOD AMAZON UP +1 FOR OPEN SOURCE CHOPS :)