And yeah, to stave off the responses, it's tricky on what you call a "remotely exploitable" bug...
Take the trio of MS-039, MS-040, MS-042 (which my search missed while writing the above post). Yeah, they are remotely exploitable, but for most configurations, you need to have valid logon credentials to the machine... Again, it's bad, but even if you had an unpatched box unprotected on the net, those wouldn't enable remote code execution unless the attacker could already log onto the machine.
Truly remotely exploitable bugs are rare on any OS. As far as I can tell, Windows has had 3 in the last 5 years (MS03-001, MS03-049 and MS06-040). There was a remote DoS in 2005 (MS05-051), but everything else has been on the scale of "get the user to click open this malformed file/link/whatever". Bad, but an order of magnitude better than something where an attacker can just own you with no action on your part.
3 in 5 years is definitely worse than OpenBSD's 2 in 10 years record, but many linux fans seem to have the impression there's a remotely exploitable bug found in windows every month....
Hmmm, I would have titled this article as "72% of firefox patches come from people whose paid job it is to write them". But then that makes it too obvious that the open-source attitude of "anyone can fix anything" is, if not a lie, at least vastly overstated.
How is the parent comment in any way insightful? Vista RC1 was released 5 months ago, and there were very very few major changes from RC1 to RTM. And it would be one thing if their software worked perfectly on Beta2 or RC1, but that's clearly not the case...
Well, that's wikipedia's definition of a "system call", which is a nice straw-man. Who knows what the author's definition is? I have no idea, and neither do you.
If they are indeed using "ring zero transitions" as a definition of "system call" (which I really doubt), then all this graph would show is that linux rolls more functionality into a single kernel-mode call, while windows requires multiple kernel-mode transitions.
As others have said, without much more information, these graphs are meaningless.
Oracle and M-K thoughtfully included $35,000 on top of the space trip itself in order to assist in the overall tax burden. As it turned out, the additional cash ended up being only slightly more than half of the actual tax burden I was being asked to pay.
Is everyone going to completely ignore the fact that this feature is one of Microsoft's very, very few that aren't developed in Redmond??? The Microsoft India Development Center in Hyderabad, is responsible for this whole feature area.
Draw your own conclusions, but at a minimum, it would increase the chances of mis-communication...
Finding -- Implementation -- Intent -- 1999 c 138: "The legislature declares that enhancing the effectiveness of child support enforcement is an essential public policy goal, but that the use of social security numbers on licenses is an inappropriate, intrusive, and offensive method of improving enforceability. The legislature also finds that, in 1997, the federal government threatened sanction by withholding of funds for programs for poor families if states did not comply with a federal requirement to use social security numbers on licenses, thus causing the legislature to enact such provisions under protest. Since that time, the federal government has delayed implementation of the noncommercial driver's license requirement until October 1, 2000.
The legislature will require compliance with federal law in this matter only at such time and in the event that the federal government actually implements the requirement of using social security numbers on noncommercial driver's license applications. Therefore, the legislature intends to delay the implementation of provisions enacted in 1998 requiring social security numbers be recorded on all applications for noncommercial driver's licenses." [1999 c 138 1.]
Although compared to Maine, WA state is still pretty weak... They totally caved in on RealID.
From the article: "The report, which first came to light in a U.S. newspaper, has since been posted on the website of the Federation of American Scientists, an organization that tracks the intelligence world and promotes government openness."
Well, I don't see it on fas.org (search), and if it's in an "american newspaper", it's one that google news doesn't search.
Something just doesn't sound right about this whole story.... It makes no sense, and there's no other cites for it.
As far as I know, FairUse4WM doesn't rely on known offsets as a key aspect of how it works. Even so, what you are referring to would be a combination of the module's base address and an offset. ASLR would just mean the module base address changes every boot. A program running on the machine would still be able to call kernel32!GetModuleHandle to determine the current base address, and obviously ASLR wouldn't have anything to do with the offset from that base.
However, it still prevents buffer overflows, since any shellcode wouldn't have gotten "fixed up" by the loader, and so wouldn't even be able to access any kernel32 functions, since the buffer overflow data would need to hard-code an absolute address.
This is a good thing to prevent viruses, without affecting anything else. Buffer overflow attacks need to rely on a known location in memory to jump to, typically kernel32!LoadLibrary/GetProcAddress, which will allow them to dynamically access the rest of the functions they need. Read more here: http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html
This is 100% completely unrelated to DRM bypass programs, which can actually link to the correct functions. Anyone who mods the parent up has no idea about how windows security or programming works.
It sounds like the parent might (just trying to be generous here) be confusing FairUse4WM with the Apple Fairplay hack tool, which does rely on known offsets within the fairplay module's memory layout. However, even that wouldn't be affected by this, since an actual properly linked program can still determine the base address it needs.
True, the web is not the internet. But the issue here fundamentally _is_ a user-interface level issue. There's no reason that mail clients, etc couldn't support IDN by doing the punycode translation for you.
The point is, we have a system that addresses the problem currently, without breaking anything.
It exists currently and is supported in all major browsers. I would like to hear more about why IDN doesn't work for international users, and why native 16-bit DNS is needed.
I think we (slashdot readers) have just 'found out' who the (anonymous) submitter (of TFA) 'really' is (or at least their 'slashdot userid') based on the (unique) writing 'style'.
Diesel engines actually have a much flatter torque curve than gas engines. The reason they have always had more gears is because their RPM range is more limited.
It will not start a chain reaction in the water, converting it all to gas and letting all the ships on all the oceans drop down to the bottom. It will not blow out the bottom of the sea and let all the water run down the hole. It will not destroy gravity.
DefectiveByDesign is referring to a campaign to end DRM. It's pointless and out-of-place on the non-drm related articles that get tagged with it, which I think is the grandparent's point.
http://www.frankwbaker.com/war_photo_challenges.htm
Any comments on http://moniker.com/ ?
http://www.eminentbrain.com/2006/09/04/clipped-wi
http://www.senseaboutscience.org.uk/
Not sure why this wasn't in the BBC article...
In what way does this prevent FairUse4WM?
Something similar to what you are describing exists, and is called IDN ( http://en.wikipedia.org/wiki/Internationalized_do
It exists currently and is supported in all major browsers. I would like to hear more about why IDN doesn't work for international users, and why native 16-bit DNS is needed.
Actually, Microsoft was only determined to have a monopoly on x86-powered desktop computers (Leaving out PowerPC Apples and Linux-powered servers).
Umm, currently Customs & Border Patrol runs "interior checkpoints" throughout San Diego County, part of their "defense-in-depth" approach.
See
GAO report (pdf)
Northeast interior checkpoints to become permanent
CBP Border Patrol Checkpoint Seizes Arsenal of Weapons (google cache)
Compare the last sentence of this article to the last sentence of Discovery's article on chinese sinkholes:
http://dsc.discovery.com/news/2006/10/18/sinkhole_pla_02.html
"I didn't figure there would be that much scientific value," he said. "It is interesting history."
WTF?
And how is this any different from what Napster is doing currently?
http://code.google.com/faq.html#q7