Slashdot Mirror


User: argent

argent's activity in the archive.

Stories
0
Comments
12,456
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,456

  1. Re:Window vs OS X on Windows vs. Linux Security, Once More · · Score: 1

    OK, I've got a copy of the article finally. El Reg's HTTP server was sending bad redirects.

    OS X has most of the same security advantages as Linux here. They do have some problems in their browser protocol handling that I wish they would fix, but it's nowhere near the gaping invitation IE advertises to would-be attackers. The configuration is actually better, since OS X admin tools mostly run unprivileged only only "sudo" to root when needed. Their network services are all "default closed" and are only run when you explicitly enable them.

    It's not perfect, but it's definitely near the top of any list that includes Windows and Red Hat.

  2. Re:Same old arguments.. on Windows vs. Linux Security, Once More · · Score: 1

    For the third, they mention that flaws Microsoft will NEVER fix.

    Including ones that are still there in XP post SP2. When SP2 came out, I predicted that variants of the known "security zone" attacks would be found within weeks. I didn't have to wait that long... there had actually been one found but not announced at that time.

    Does Red Hat issue patches for version 1.0 anymore?

    I can patch Red Hat 1.0 myself, if for some reason I need to run it. I can't patch an Internet Explorer hole in Windows 2000, I have to wait for Microsoft to do it... and Windows 2000 is a LOT more current than Red Hat 1.0.

  3. Re:Does security really matter? on Windows vs. Linux Security, Once More · · Score: 1

    wait a few weeks/months for the next remote exploid, compile programm, run programm and welcome to your new root shell

    In Windows your attacker doesn't need to wait a few weeks or months for the next remote exploit. On UNIX your potential target finds out about the exploit and how to fix it about as fast as the attacker, AND he doesn't need to wait for Microsoft to fix it.

    Plus, your potential target can run the server inside a chrooted environment that doesn't contain a compiler. Or if you add an exploit for chroot as well as local root to the rootkit, the target can use a FreeBSD jail, so the attacker can GET local root and he wouldn't be able to do anything to the system or sniff the network until he broke out of the jail.

    UNIX can be made increasingly more secure by adding layers of protection that don't exist in UNIX, if the default protection isn't good enough.

    Unix provides you a nice way to sidestep them all (ie. the root account)

    The Windows LOCALSYSTEM account has more privileges than the root account on UNIX. And I was able to break into LOCALSYSTEM from Power User within five minutes of sitting down at a Windows NT box for the first time in my life, just trying analogs of security holes that had been found and fixed in UNIX fifteen years before.

    Yes, that was several years ago. But there's security holes in Windows that existed back then that still haven't been fixed.

  4. Re:Don't expect your tools to do you job... on Windows vs. Linux Security, Once More · · Score: 1

    What this report does is focus on the default potential for abuse by looking at recient publically known issues.

    Where "recent" is "within the last decade". The problems caused by the integration of IE and the desktop, for example, were known seven years ago and Microsoft STILL hasn't even announced a credible plan for fixing them. The relative insecurity in IIS, well, he's looking at systems with five-year uptimes, and the statistics the last time I looked at the Netcraft survey almost that long ago were similar: IIS serves a fraction of the sites, but suffers from the majority of the incidents.

    None of the material in this paper is new. It could have been written any time in the past five to seven years and the only difference would have been the names of the systems on teh Windows and UNIX teams.

  5. Re:Great another one of these. on Windows vs. Linux Security, Once More · · Score: 1

    Can you be specific?

    There are a few comments in the article that I'm not sure I agree with, but dismissing it as "another cheerleader piece" seems a little much. Can you provide some more explicit examples of what's wrong with it?

  6. Re:The MS take on it on Windows vs. Linux Security, Once More · · Score: 1

    Nice.

    Linked.

  7. Re:Window vs OS X on Windows vs. Linux Security, Once More · · Score: 1

    OSes. Sure, Microsoft has there "Shared Source" stuff, and OS X is based on Open Darwin

    There's a HUGE difference here.

    Shared Source: "Sign this NDA and we'll let you look. No, you can't modify and compile this and use the result, or give us patches..."

    Open Darwin: "here's the code. Here's how you build it. Here's how to submit changes."

    Ryan Rempel: "thanks, hey guys, apply these patches and you can run OS X on machines Apple doesn't support any more!"

    Can you imagine someone shipping a patch kit to modify the boot sequence of NT like that, based on Microsoft's "Shared Source" code?

    OS X is basically like running one of the BSD variants with a proprietary GUI toolkit on top of it. All the core OS considerations are similar to any other free UNIX. I can't say how the article applies to OS X... it seems to be slashdotted.

  8. Re:Windows just might be ahead of *NIX here... on Windows vs. Linux Security, Once More · · Score: 1

    When will this buffer enforcement be available for gcc!?!?

    Has been available for at least five years now. There are open source UNIX systems already available that take advantage of it.

  9. Re:Does security really matter? on Windows vs. Linux Security, Once More · · Score: 4, Informative

    Does security really matter?

    YES

    I mean neither Windows nor Linux are secure, we see new ways to exploid them every few weeks or even days

    Um, no, there is a huge difference. UNIX applications are usually designed in an inherently secure manner, UNIX file permissions really do make a difference, and UNIX contains mechanisms that can be used to lock the system down to the point where you can give a user "root" access and they still can't modify anything outside the sandbox you set them up in.

    Windows does not, in practice, provide some of these kinds of security at all... and others are purely nominal protections at the same level of asking people "are you going to rob the bank" and letting them into the vault if they say "no".

    So where on Linux an error that lets someone break out of a CHROOT environment is listed as an "exploit", Windows doesn't even provide that kind of environment so you don't need an exploit to compromise it. When a Windows exploit is listed, it far more often means there's a way of completely compromising your computer and taking it over, rather than just letting the attacker from one locked room to another.

    That is, if I was running an "anonymous FTP server", and the server application has a buffer overflow in it, on Windows that exploit would let them inject a backdoor and take over my machine at will, and modify the boot sequence to restart the backdoor if the computer is rebooted. On Linux, they would be able to run the backdoor as an unprivileged user, they wouldn't be able to even see any executable files that could be used to restart the backdoor, and in some configurations they wouldn't even have network access. They would need to find and run two more exploits... one to break out of the CHROOT environment and one to get root privileges... before they could do anything.

    This is called "defense in depth". UNIX systems and applications, developed in an environment where you had to give mutually untrusting users access to the same computer at the same time in a timesharing environment, don't break down and give up with one attack.

    SO...

    Linux, like all UNIX systems, is built around inherent security and defense in depth, which means that it's MUCH harder to get in and MUCH harder to do anything once you are in.

    AND...

    It's not just a matter of relative popularity... for one example: back when 2/3 of the domains out there were running Apache on Linux, the less than 1/3 remaining IIS servers still represented 2/3 of the domains on the "defaced sites" list.

  10. The Murphy myth: what really happened? on Murphy's Law Rules NASA · · Score: 2, Funny

    Summary of The fastest man on Earth:

    George Nichols: "The Law's namesake, was Capt. Ed Murphy Jr., a development engineer... Frustrated with a strap transducer which was malfunctioning due to an error in wiring the strain gauge bridges caused him to remark-- 'if there is any way to do it wrong, he will'-- referring to the technician who had wired the bridges. I assigned Murphy's Law to the statement and the associated variations..."

    David Hill: "Murphy was kind of miffed off. And that gave rise to his observation: 'If there's any way they can do it wrong, they will.' I kind of chuckled and said, that's the way it goes. Nothing more could be done really."

    John Paul Stapp: "we do all of our work in consideration of Murphy's Law. [defined as] the idea that you had to think through all possibilities before doing a test."

    Dr. Dana Kilanowski: "at the time I believe Stapp said something like, 'If anything can go wrong he'll do it.' A couple days later there was a press conference in Los Angeles and Stapp said something like, 'it was Murphy's Law -- if anything can go wrong, it will go wrong.' [...] I have heard that Murphy claimed he invented Murphy's Law, but Stapp is the one noted for his witticisms, his haikus, and his plays on words."

    Ed Murphy: "I didn't tell them that they had positively to orient them in only one direction. So I guess about that time I said, 'Well, I really have made a terrible mistake here, I didn't cover every possibility.' And about that time, Major Stapp says, 'Well, that's a good candidate for Murphy's Law'. I thought he was going to court martial me, but that's all he said. [Stapp reeled off a host of other Laws, and said] 'from now on we're going to have things done according to Murphy's Law'."

    Chuck Yaeger: "Look, what you're getting into here is like a Pandora's Box. Goddamn it, that's the same kind of crap...you get out of guys who were not involved and came in many years after."

    And in the end it wasn't as extreme a failure as Genesis:

    According to Nichols the failure was only a momentary setback --"the strap information wasn't that important anyway," he says -- and regardless good data had been collected from other instruments. The Northrop team rewired the gauges, calibrated them, and did another test. This time Murphy's transducers worked perfectly, producing useable data. And from that point forward, Nichols notes, "we used them straight on" because they were a good addition to the telemetry package. But Murphy wasn't around to witness his devices' success. He'd returned to Wright Field and never visited the Gee Whiz track ever again.

  11. Original press release without Physorg spam. on World's First Single-Atom-Thick Fabric · · Score: 1

    Physorg's page is just the original press release with the original contact information removed and no link back to it. And really broken HTML apparently to prevent the browser from letting you select the story text as a bonus.

    Physorg is useful as a place to find stories, but its "link trap" design is really getting annoying... if you're going to link them, at least include a link to the original story as well.

  12. Re:Software monsters... on Big Day For Browser Vulnerabilities · · Score: 1

    What is this "own time" that you speak of? I am not familiar with this phrase. I went to bed at 12:30 last night (working at home) and got up at 5:30 this morning to go to work.

    Hope you get THAT under control. It can kill you.

    No smileys here.

  13. When I visited the "Microsoft Museum" in 2000... on Will Your Next Car Run Windows? · · Score: 1

    When I visited the "Microsoft Museum" in 2000 they had Windows CE automotive edition on display. It was basically the same as this: a control system for the audio systems, GPS, maps, all the usual suspects, using an LCD and joystick control. They also showed a film about using voice control and universal wireless contact so you could talk to your personal agent (presumably running on a server somewhere that Microsoft/MSN gets a cut from) through your PDA, your car, your entertainment center.

    This is not news, they just think they have voice control that's good enough to actually implement another piece of the puzzle. My experience with voice control on Microsoft Pocket PCs has been less than impressive, so I don't expect much useful to come from this.

  14. MP3/WMA/AAC vs FLAC/OGG on MP3 Going the Way of the 8-Track? · · Score: 1

    People who care about the format their music is in are going to use FLAC or keep their permanent archives on audio CDs, then whether they use OGG, MP3, or "whatever is easiest" (AAC / WMA) provides pretty much zero interesting statistical information.

    As Michael Gartenberg says, people who don't care may well rip their CDs to WMA or AAC and think they're cutting MP3s. MP3 is turning into a generic term for "lossy compressed digital audio". I've heard someone refer to their Sony player as an "MP3 player" even though it didn't play MP3, he hadn't noticed that Sony's music player was converting MP3s to ATRAC.

  15. Re:Not at all what I expected! on MP3 Going the Way of the 8-Track? · · Score: 1

    AAC files are not inherently DRMed. If you rip a CD into AAC, you're not going to encrypt the resulting files, are you?

    When I buy a song from iTunes in AAC format, I burn it onto a CD as plain audio. As far as I'm concerned, that CD copy is my copy of the song: the encrypted AAC version is just too fragile. But that doesn't stop me from ripping my commercial CDs in AAC, MP3, or FLC.

    Really, for archive, FLC is the way to go anyway.

  16. Re:Payola on Bootlegged Music in Russia · · Score: 1

    I listen to the local news on the local FM radio in English.

    I never heard any song but in English. [...] there are nice songs in Italian, French, etc.


    How many French or Italian record labels are likely to pay thousands of dollars to get Clear Channel Radio to add a song to their playlist? The it's-not-Payola-really "promotion" system is there to promote album sales, nothing more.

  17. Payola on Bootlegged Music in Russia · · Score: 1

    There's no secret conspiracy to keep foreign music off US radio: it's a public conspiracy, an "open secret", something "everyone knows". Basically, the way for a record label to get airtime for a track is to pay for it. Oh, it's not as straightforward as the '60s-era Payola, they call it "promotions" as if the money was going to advertising and marketing efforts, but it goes straight into the radio station's pockets and the "advertisement" is the song itself.

    It's not just foreign music that gets left out, it's a lot of great local music that doesn't have a big label behind it. And in the end it's the artists that pay for it, because that promotional budget is treated as an advance against royalties... eventually, they'll get some of that back from the BMI and ASCAP payments by the radio stations, but commercial radio in the US is basically a 24/7 advertising channel whether you think what you're listening to is an ad or not.

  18. Russian piracy doesn't hurt the west. BUT... on Bootlegged Music in Russia · · Score: 1

    For products that are selling and selling for a high price, piracy is a minor problem at most. The fact that they are selling for high margins is proof enough... if piracy were seriously hurting their bottom line, they'd be forced to cut the price to compete with it.

    And in some cases, it may actually be a benefit. Why? Because the people who are most hurt by piracy are the people who would be selling to the pirates if the pirates couldn't buy "big name" products instead. The classic example is in software, where piracy of Microsoft Office helped killed competing word processors and spreadsheets.

    It doesn't matter whether it's software, music, or any other product where the reproduction and distribution cost is negligable: So... it doesn't hurt any western musicians when Russians pirate their music. What it hurts is the Russian musicians for whom these CDs are unfair competition.

  19. Software monsters... on Big Day For Browser Vulnerabilities · · Score: 1

    This monster is my own creation. I didn't know as much when I started building this as I do now.

    Oh, boy, have you ever had the "we can add this to the current design, and then spend six months finding problems and fixing them, or we can spend three months on a new design that incorporates the lessons we learned" discussion? And lost?

    Have you ever gotten bawled out for doing the redesign in your own time anyway?

  20. Question: What about local Russian talent? on Bootlegged Music in Russia · · Score: 1

    How does the Russian music business operate? Do Russian artists sell CDs through the same networks, or do they make their living from performances?

  21. Re:Options 4 and 5. on Big Day For Browser Vulnerabilities · · Score: 1

    The major problem was the what I was dealing with was a large and pretty complicated web application. Frames nested 3 deep. Documents could be linked to from pretty much anywhere in the application, which just added to the complications. So unless I was willing to rebuilt it with a new frameset, this wasn't a real option.

    Gah. OK, I've been there. Still, if you didn't have popups and dialog boxes you could have backed out and started over. Sometimes you just have to start over because the current design has lead you to a dead end.

    Which is where IE is right now.

  22. Re:Options 4 and 5. on Big Day For Browser Vulnerabilities · · Score: 1

    I have two comments here.

    First, that's clearly a bug in IE. The IE security model is utterly broken and can't be fixed without some fundamental redesign, and over time there have been more and more of these bugs where some perfectly legitimate behaviour is trapped and blocked. We ran into a similar problem where we wanted to let a user point to alarm sounds in WAV files on their local disk. When an alarm went off, IE would prevent the load because it interpreted it as an attempt to open an untrusted document in the trusted zone. Of course the real solution is not to have a concept of "zones" at all.

    The second point is that I ran into the same problem, so...
    I did something similar, but what I did was make the frame that the error was going to show up into a "control panel" for the window, like an extra toolbar. It looked similar to the framing that about.com and the google image search does.

  23. Re:One reason why... on 10 Years of OpenStep · · Score: 1

    They're moving it into the videocard now, with Quartz Extreme. And hopefully they'll set up a real cache hierarchy into the video card that will make it unnecessary to do any rendering in the CPU... however, Mac OS X and Quartz has to run on a lot of machines that don't have a GPU capable of taking over from the G3 or G4 on the motherboard: the low end models still supported, like the iMac G3/266, have a Rage II chipset and 2-6M SGRAM. Even if it's capable of running the Quartz rendering engine in the GPU, it doesn't have enough video RAM.

  24. Omniremote and a selection of remotes... on The Universal Off Button · · Score: 1

    It's no difficulty to program Omniremote for the Palm Pilot with codes from each remote you run across as you wander up and down in the world. I've found it a really handy tool when there's an annoying TV just out of reach.

  25. Here's the software for Palm... on The Universal Off Button · · Score: 1