Slashdot Mirror


User: argent

argent's activity in the archive.

Stories
0
Comments
12,456
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,456

  1. Why people trust Microsoft... on MS to Launch Paid Security Subscription Service · · Score: 1

    In the back of my mind though, it worries me however that my OS seems completely unbothered about any kind of self-protection for itself.

    Windows seems to be obsessive about security, it seems to be protecting itself.

    In fact, it's the UNIX model that Linux follows that actually bothers with protection. It evolved in an environment where security mattered.

    UNIX was developed when you had people who couldn't completely trust each other sharing the same computer. Once it got to academia you had professors writing papers, students working on their assignments, and lecturers writing and grading exams... all on the same computer. There's been problems with UNIX security, but they're well known and well understood problems and modern systems can avoid going anywhere near them.

    Windows was developed for an environment where youcomputer was locked up in your office or your house, and someone had to actually walk up with a floppy disk to get stuff into or out of it. Every time it's been exposed to infection, it's caught a cold.

    UNIX is a healthy mongrel, there's been a couple of big security scares like the Internet Worm that lasted a few days, but it's hardly ever been sick... because it washes its hands and takes care of itself, excersizes, and doesn't engage in dangerous activities. UNIX web browsers don't even have a mechanism to automatically download and execute foreign code... so they don't need web filters and spyware blockers. UNIX services can be shut off or restricted to the local computer, so they don't need firewalls and zone alarms.

    You're assuming that the guy who's got a medicine cabinet full of grey-market antibiotics and patent medicines, and used prophylactics and single-use needles in his trash, is the one who's taking care of himself.

    UNIX has been faced with a hostile evironment for over 30 years, and has been hardened at a deep level.

    Windows has created its own hostile environment, and has absolutely refused to shed even the most flagrantly outrageously dangerous behaviours no matter what. The way Internet Explorer, Windows Explorer, and ActiveX work together is the computer equivalent of running around snogging Ebola patients in the middle of an epidemic, and there's no way to fix it without backing out the whole internet-desktop integration and making IE just another program.

    Every time Microsoft's announced another layer of security band-aids over their broken design a bunch of people have crowed that THIS TIME they've got it right. There's no reason to believe that this time is any different from any of the previous "this time"s.

  2. Support? From Microsoft? FREE? on MS to Launch Paid Security Subscription Service · · Score: 2, Interesting

    My first support experience with Microsoft set the stage for later encounters.

    This was my first NT domain. Upgrading from NT 3.1 to the newly released NT 3.51.

    Microsoft changed the licensing mechnism in 3.51. I don't recall the details now, but the result was that my network of ~100 PCs was having itermittent login problems. It was annoying, but we were able to live with it while I figured it out.

    I called Microsoft, they made some suggestions, we went around a couple of times trying things, and on the third call they suggested it might be licensing and suggested I try making some changes to the licensing settings and call them back.

    The changes completely broke the network. Nobody could log in. I called them back. "I'm sorry, you've used up your three free support calls for a new install. You'll have to buy a support contract..."

    They wanted me to PAY for the damage THEY had done?

    I went ballistic at them, and did what I should have done in the first place... went to my free software support ... Usenet newsgroups. The kind of free software support you get for Linux. And was back up and running in a couple of hours.

    A week later I got a call from some muckymuck at Microsoft offering me another three free support calls. I'm afraid I got a mite sarcastic with him.

    Since then, well, there have been exceptional brief bright pockets of clue (the Pocket PC group when Derek Brown was there, Windows Services for UNIX after they bought Softway Systems, ...), but this has been my usual experience with Microsoft Support.

    Paying someone else for support on Microsoft products is much more cost-effective.

  3. Re:Throw out the bathwater; keep the baby on European Commission Reverses its Views on Patents · · Score: 1

    Any patent that could be implemented in a "couple of lines of code" should clearly have a high standard of "non-obviousness" prior to grant.

    Any patent should have a high standard of non-obviousness prior to grant. Whether it can be implemented in a couple of lines of software or a thousand. And the first software patent ever, the UNIX set-user-ID patent, was clearly non-obvious, and it doesn't take a lot of lines of code to implement. The "gold standard" for non-obvious code in the traditional UNIX kernel is this:
    /*
      * You are not expected to understand this.
      */
    if(rp->p_flag&SSWAP) {
                    rp->p_flag =& ~SSWAP;
                    aretu(u.u_ssav);
    } /* The value returned here has many subtle implications.
      * See the newproc comments.
      */
    return(1);

    Similarly, these two lines of PDP-11 code implement a most remarkable and highly UN-obvious concept.


    MOV (I)+,W
    JMP @(W)+


    Put aside for a moment, if you will, the question of whether these patents should have been granted.

    OK. Let's say all the patents granted are the result of perfect work bay patent examiners, they're things like the UNIX set-user-ID patent, the UNIX scheduler, the Forth inner interpreter. There are still thousands of patents that can be rationally considered valid and non-obvious, and yet are implemented in a couple of lines of code.

    More rational litigation would not only permit such evidence, it would appear in pre-trial disclosure, most likely leading to a settlement or the case being dropped.

    That hardly matters, when most software developers who are not backed by a large corporation with a patent portfolio of their own can find their resources drained just getting to that point.

    Suppose your product consists of 10,000 lines of code... Your revenue from this product is perhaps $3 million per year.

    *boggle*

    I'm sorry, you simply have no idea of the magnitude of the problem.

    A modestly successful shareware product, twice that size, might make 1/10th that money. 10,000 lines of code is a small product, a one-man startup class. And even under the most generous assumptions someone would need to examine thousands of patents to determine if they can safely release it.

    And your idea that the license fee should be pro-rated according to the proportion of the code that is patented would have the same effect as eliminating software patents. The revenue would be negligable, because even the most complex software patent can be encapsulated in a few hundred lines of code, and bloating a product to a million lines by including open source packages to pad it out is trivial.

    The music industry provide a means for anyone who wishes to use a copyrighted work to pay a simple fee by formula.

    There is no basis whatsoever for reasoning by analogy from copyright to patents. The situations are completely different... for one thing, if you're producing "Westside Story" you don't have to worry about someone showing up with a document showing Bacon really wrote Romeo and Juliet and thus you owe additional license fees. With patents, well, that's exactly what you DO have to worry about, and there are far too many cases of people really being blindsided by this kind of thing.

  4. Re:Consumer is the problem on Consumers Look For More Utilitarian Cellphones · · Score: 1

    But the customer, when offered the choice between feature-packed phone and a simple, robust cell phone, for some odd reason selects the one with most features.

    Decent standby time and reliability are features.

    It's just a matter of advertising them as features. If people are pissed off enough at the gadget phones, then maybe this is the time to try.

  5. Re:I thought I was the only one on Consumers Look For More Utilitarian Cellphones · · Score: 1

    Apart from not hating text messaging per se... I'm you. I didn't like to use text on my previous horrid phone because it didn't work worth a damn and it was genuinely too hard to navigate the menus. My new one is still too fancy, but it's closer.

    My daughter's new phone looks even better. Instead of a custom connector on the bottom, it's got a standard sized headset jack, a power jack, and a mini-USB port.

    Make the damn phones generic, simple, and reliable, and stop making the "free phone" part of the marketing for the 2 year contract. Let me plug it into my computer and have it show up as a USB mass storage device, with my address book and phone log as CSV files I can pull into a spreadsheet or do anything else with. Quit trying to make the phone part of my "style", it's just a damn phone.

  6. It's about bleeding time! on Consumers Look For More Utilitarian Cellphones · · Score: 1

    Ever since my company switched from Cingular to Verizon and gave us all godawful LG phones to replace the old reliable Nokia bars (monochrome displays, no web, no ringtones, but about a month of standby) I've been pining for a simple "it's just a goddamn phone" phone.

  7. Re:DRM and eBooks on Top 10 Strangest Gadgets of the Future · · Score: 1

    I don't want an eBook reader with a big screen.

    I want to separate the screen from my data. I just want the screen to be something between a web browser and an X terminal... but a browser model would work... that accesses my data in a repository that isn't tied to any screen.

    Let me stick the smarts in a keychain fob, or a credit-card PDA, or a full-sized PDA, or a smart card, something that I can pull out of... or disconnect from... the big eBook screen and use my cellphone, or a PDA-sized screen, or a full sized keyboard and monitor.

    SCreens that aren't basically fungible suck. I don't have to buy a new computer to switch from a 15" LCD to a 23" CRT to a HDTV tuner to a 9" car-PC screen. Just plug in a straight DVI or VGA connection.

    Handsets should be the same way. Right now we're stuck in the '70s where every monitor was tied to some brand of computer. I hate that.

  8. DRM and eBooks on Top 10 Strangest Gadgets of the Future · · Score: 1

    eBooks...

    Microsoft Reader was one of the things that Microsoft was hyping to us Palm users as a killer feature of the Pocket PC over the Palm.

    The problem was that the DRM in Microsoft Reader was really annoying, and the user interface was trying to emulate a paper book on a tiny screen.

    And where there are DRM-protected and unprotected versions of the same books, the unprotected ones cost under $5 and the protected ones cost around $20. It makes the choice really easy...

    http://fictionwise.com/

    http://webscriptions.net/

    Oh, and I'm using PalmOS to read my eBooks these days. :)

  9. Absolute statements are bad science. on Ozone Layer Improving Faster Than Expected · · Score: 1

    Mad parent -1 pseudoscience?

    There's too many statments in that post that should have been qualified with "probably".

    This is a problem with popular understanding of both sides of any politicised science debate.

  10. SSH-AGENT doesn't make a root level exploit worse on Overconfidence in SSH Protection · · Score: 2, Interesting

    If a bad guy has the ability to bypass local file permissions (whether because he's root or because you screwed up the permissions) then he can steal your credentials by putting a backdoor in the SSH client, the SSH server, the terminal driver, the file system, shared libraries (glibc, for example, is so huge and complex you could hide a trapdoor, magic hat, rabbit, three cages of pigeons, and a performing elephant there and nobody would notice).

    I've cleaned up boxes that had been rootkitted, and if you can't identify when it happened so you can restore from a known good backup you're best off reinstalling from scratch.

    The same thing is true, to a lesser extent, for local user privileges. Do you check that $PATH doesn't go through ~/bin before /usr/bin before you run ssh?

    Once someone can run unsandboxed code on your computer you're compromised, and any tool you use to examine your computer may be compromised, and ssh-agent make so little difference that it's simply not worth worrying about.

  11. Re:They haven't fixed the real security problems. on Windows Vista - Not So Bad? · · Score: 1

    Windows NT is at least 3 versions behind Vista, probably 4. I know MS's reputation as well as anyone, but it really does look to me like they are making attempts to fix up the user model with Vista.

    The particular exploit I used in NT 3.51 existed in NT 4, NT 5 / Windows 2000. I don't believe it's been changed in XP (since XP is basically a new shell on NT 5), but I haven't got an XP box here to check. I can't see it being changed in Vista, unless Windows adopts the UNIX setuid concept rather than simply creating more fine-grained privileges.

    At any rate, you still can't infer ANYTHING about the user model just by the fact that IE runs in a sandbox.

    The biggest security problem in Windows is the fact that IE (or rather the MS HTML control) is not, by itself, designed from the ground up as a closed sandbox without any mechanism for a document within the sandbox to even *request* access from outside the sandbox.

    That problem is manifestly NOT fixed in Vista. Until they fix that, creating finer grained permission or even fixing the design of the user security model isn't going to make a lot of difference.

  12. Re:They haven't fixed the real security problems. on Windows Vista - Not So Bad? · · Score: 1

    Do you similarly think chroot (and other equivalents) implies everything else runs as root ?

    If people were encouraged to routinely run Firefox or Konquerror chrooted so that malware couldn't infect the rest of the computer I would have similarly harsh words to say about Mozilla.org/KDE and/or whatever version of UNIX that this recommendation was made for.

    The primary purpose of a web browser is to download, parse and display data from untrusted, unverifiable sources.

    That's right, which is why no web browser should ever include a mechanism whereby, even with the user's approval, an untrusted document could request code be run with the privileges of the browser.

    Regardless of the security zone, whether it's an intranet site, a trusted site, or a local file. Regardless of whether it's signed by Microsoft, God, or the user themself.

    When Microsoft introduced this feature, around 1997, I was able to convince our CEO to ban the use of IE and Outlook and any other application that used the HTML control in Windows. Over the next several years we had no virus infections that got beyond a single infected computer, and that infection was almost always caused by the user running IE or Outlook despite the ban.

    So...

    That's almost 10 years now Windows apologists have been telling me that I'm wrong, that some doomed attempt by Microsoft to fix the problem without actually fixing the design that causes the problem is a great idea, and that everyone else will have to follow suit...

    And every time, their "improved security zones" fail within six months.

    I'd say bundling the web browser up into its own little isolated pocket of permissions is a damn good idea.

    It won't do anything to keep you from having your credit card numbers and passwords stolen, and it won't do anything to keep your computer from being exploited as part of a botnet to spam people and distribute viruses.

    It's a piss-poor attempt to deal with a deep problem that Microsoft has put too much reputation into to ever give up. I mean, they risked having the company broken up rather than lose face over their browser-desktop integration. They're not going to treat a mere few billion dollars in other people's lost money and time as worth worrying about.

    Expect to see OS X and "user friendly" Linux distros follow suit within 12 months.

    That's possible. They've been fooled into copying other stupid Microsoft ideas in the past. That doesn't make the idea any better.

  13. Re:They haven't fixed the real security problems. on Windows Vista - Not So Bad? · · Score: 3, Interesting

    I have been involved in computer security longer than Microsoft has been shipping an OS with any security at all. That includes Xenix. I've been watching this train wreck called the Microsoft HTML control for a decade now, and every time I point out how horrible it is some Microsoft apologist comes up and tells me I'm trolling, and that Micrsoft has got it right this time.

    So far they have never been correct.

    If you had bothered to read almost anything about Vista from the last year, you'd know that they are much bigger on the non-admin roles.

    Windows maze of interlocking privileges means that this doesn't matter. There's so many ways to boost privilieges that almost any combination of non-frustrating privileges is going to end up equivalent to root.

    The first time I used WIndows NT, I tried out several obvious attacks on the privilege model, and succeeded more often than I failed. I was even able to boost Power User to Local System, which actually has more privileges than Administrator.

    If you had done some more reading (say, some of the comments posted earlier on this story), you'd see that even if you are running as administrator you still don't have full root priviledges, and have to confirm certain changes.

    "You have to cofirm certain changes" says absolutely nothing about the privileges you have.

    Nothing.

    Confirmation and approval dialogs are almost worthless from a security standpoint. They operate at the application level, and the component that generates them has to have the privileges they're allegedly protecting, since Windows doesn't use UNIX's far more flexible and secure "setuid" mechanism. This means that not only do they they provide little protection for accidents by users, they provide NO protection from exploit code.

    None.

    Zip.

    Layered security is wonderful.

    Unfortunately, Microsoft has yet to implement it.

    One of the principles of layered security s that you design each layer as if it had to perform the whole of the security protection, then you implement the next layer *anyway*, and you design it under the assumption that the first layer will provide no protection.

    Microsoft designs each layer so that it's only as secure as they feel convenient, in the naive belief that the other layers will be used and will cover for them.

    Other operating systems allow you to bind services to unique ports and interfaces, so that local firewalls are an additional layer of security. Microsoft needs firewalls to prevent people from attacking insecure local services because they have no other way to limit them to listening only at localhost.

    Other browsers treat untrusted documents as untrusted, and assume that if their security fails the whole system is broken. Microsoft has the browser trust the HTML control to do the job, and doesn't give the HTML control enough information to do the job, and rather than GET RID OF the whole pile of ActiveX and "Security Zones" and "trusted sites" they're now pushing people to use "we got it right this time in .NET, honest".

    If I were to tell you exactly what I thought of this approach to "layered security" I'd be banned from slashdot for abusive language.

    Troll, forsooth, for nothing less than the simple truth.

  14. Re:Contrarian view on European Commission Reverses its Views on Patents · · Score: 1

    I'm a patent agent, and [...]

    Ah!

    Can you try explaining the problem to xkr, I don't seem to be connecting. :)

  15. Re:Public domain benefits bullies. on European Commission Reverses its Views on Patents · · Score: 1
    Techniques are not patentable. Only complete "devices."

    Hayes patented the technique of using timing to distinguish between a normal stream of data and a command.

    This "device" consists of a couple of lines of code buried in a command interpreter. If you use timing to distinguish between a command and a stream of data, whether you implement that as a subroutine or a couple of lines of code in a larger routine, you have violated the Hayes patent.

    This patent was not invalidated for being a "technique", even though that's exactly what it is.

    Another company had a patent on using a modifiable operation on a frame buffer to indicate the position of a cursor or mouse pointer. Costs of retroactively licensing this patent - that had been implemented in publicly available and public domain code long before most programmers had ever heard that it had been patented - were probably a factor in the collapse of Commodore.

    This is something that's been implemented in half a dozen machine instructions. A line of code in a high level language can expand to hundreds of instructions.

    A small program consisting of 1000 lines of code is potentially including 1000 such "devices". Computer programs are the most complicated creations of the human mind, and even small programs contain more potentially patented elements than all but the most complex physical devices.

    This isn't just a theoretical concern, companies have gone to court over this and have been found in violation of patents they didn't even know existed, that they had no reason to believe existed, that were encapsulated in code they wrote themselves sometimes even before the patent in question was granted. There's patents that have been upheld even though there were public domain

    Typically, if a customer purchases a subsystem, like a screw, the mfg provides a sublicense and indemnification for the customer.

    Typically a programmer doesn't "purchase a screw". Nobody buys "detect the timing of typed characters" or "XOR the image of the mouse pointer into the display". They write the code for this kind of patented device anew each time.
    read_character:
      t = get_clock();
      c = get_character();
      if (c == '+')
        plus_count = plus_count + 1;
      else if(plus_count == 3 && last_time < t - 1)
        goto escape_code;
      last_time = t;
      write_character(c);
      goto read_character;
    escape_code:
    There. I just violated the Hayes patent. I probably violated half a dozen more patents today. I have no idea. I have no way of knowing. It would take me a couple of weeks to figure out if I had to pay anything to make the code I wrote today legal.
  16. They haven't fixed the real security problems. on Windows Vista - Not So Bad? · · Score: 1

    Here's their big security upgrade...

    IE7 runs in Protected Mode, a low-rights security scheme that lets your standard user account browse as usual without giving spyware and malware access to the rest of the system.

    This means that (a) they apparently haven't fixed the "normal users have access to the whole system (ie, run as Administrator)" problem, and (b) they've given up on keeping IE from being a slutty little spyware freak, and assume that no matter what they do it's gonna get infected.

    Oh, and (c) when you do get infected, it might not infect the rest of the system but it'll still be able to steal your credit card number and send spam from your computer in your name.

  17. But, Dr Evil... on MS Proposes JPEG Alternative · · Score: 1

    I'd like to see better LOSSLESS compression than lossy comrpession.

    But, Dr Evil, we already have PNG...

  18. Re:Contrarian view on European Commission Reverses its Views on Patents · · Score: 1

    I picked up a used book that goes into excrutiating detail about the 1000s of patents that were filed regarding mundane things like bakeries (conveyor belt+oven=patent. obvious, no?).

    If this were 1910 and I were to build something like that, I might have to license two or three patents. Mandatory licensing might work.

    The simplest salable computer program is going to contain thousands of algorithms that would have to be licensed. Just finding out what they are would probably cost more than even a top selling product might earn back in a year.

    Under an actual, enforced, mandatory licensing regime it would be prohibitively expensive to comply with.

  19. Re:Public domain benefits bullies. on European Commission Reverses its Views on Patents · · Score: 1

    People aren't going to get a patent on "a few hours work."

    You so totally missed my point that I'm going to try writing slower, maybe you'll catch it this time.

    It's not the fact that someone in a few hours work tosses off a thousand patentable ideas (that he'll run off and presumably get patents for).

    It's that someone in a few hours work has used a thousand techniques that are each a possible patent violation.

    It's that every program in the world is in violation of so many patents that just figuring out what you've done that you have to take out a "fair and reasonable" license on to legally publish is man-years of work. The cost of the licenses themselves are irrelevant.

    You can't patent algorthims, so that doesn't leave a lot of room for software patents.

    That would be an excellent point if it were true, but since the whole point of this article, this thread, this topic is that you can effectively patent algorithms... frankly, it's completely irrelevant.

    As for Flash, it's basically a higher resolution version of NAPLPS combined with a scripting language. Kind of like NeWS in general concept, except inside a web browser instead of a smart terminal.

    So... are you astroturfing for Microsoft or Macromedia?

  20. It's not the bugs, it's the design flaws. on Why Buggy Software Gets Shipped · · Score: 1

    It's not the bugs that bother me, it's the design flaws that get baked in stone and cause the biggest computer security disaster ever, and when the DoJ tries to get Microsoft to do something for unrelated reasons that would solve the security problem, Microsoft doesn't go "Ok, we can use this as an out, and get great PR out of it", they fight the DoJ to the brink of getting the company broken up and beyond and only get saved by a change in administration...

    That's what bothers ms.

  21. The only possible fair license is public domain on European Commission Reverses its Views on Patents · · Score: 2, Insightful

    Patent law actually requires "fair licensing."

    When you build something out of belts and pulleys it takes you, at a minimum, months to create a relatively simple device with a few dozen components that is potentially violating a handful of patents, and man-years to set up production and ship significant quantity of product.

    When you build something out of software, in a day you can create a "device" that is a hundred times more complicated than that, containing thousands of components and thousands of potential patent violations. In a few hours you've created man-years of work for patent lawyers if you want to make any kind of reasonable attempt at even discovering whether you need to pay any fees... no matter how reasonable.

    Any kind of mandatory licensing regime would simply provide a windfall for lawyers, no protection for inventors, and turn the release of a $5.00 piece of shareware into a crippling nightmare.

  22. Re:FreeBSD, Linux, Mac OS X... on Best of the Free Anti-virus Choices? · · Score: 1

    Happy now? I got the coveted +0 Troll rating! :)

  23. Penicillin and RU586 ain't "safe sex" either. on Best of the Free Anti-virus Choices? · · Score: 1

    Yeah, that's like saying the best form of birth control is abstinence.

    Well, you know, there's all kinds of "safe sex" between total abstinence and dragging random users from a "shooting alley" and making out in the back of your chevy every night... which is where I'd rate Internet Explorer on the prophylaxis scale.

    You don't have to go cold turkey on the Internet. There's a variety of browsers and mail readers and music players that don't use the HTML control that you can use instead of IE and Outlook and Windows Media Player.

    Firefox.
    Opera.
    Kmelion.
    Thunderbird.
    Eudora.
    iTunes.
    Winamp.

    Not Lotus Notes, though. Damn thing sucks the HTML control in if you look at it screwy.

  24. Re:FreeBSD, Linux, Mac OS X... on Best of the Free Anti-virus Choices? · · Score: 1

    So, the parent post now has 60% insightful mods and 40% offtopic mods.

    Don't worry, I've gotten the "troll" rating for posting obvious truths before as well. Ratings on /. are pretty much a random walk through a karma minefield.

    Tossing a few SFnal references and some latin in can help, because quidquid latine dictum sit, altum viditur after all.

  25. Re:MS reaching for its dream on Microsoft Introduces Pay-as-You-Go Computing · · Score: 1

    Unfortunately you can't roundtrip through Open Office and keep the formatting that clients/vendors/employers/customers/whatever are using intact enough, often enough, for that to be any more viable an option than Office 97. :P