This guy did not provide an exploit. The file he attached would just crash IE, not execute code. He only showed how to overwrite EIP.
Yeah -- I noticed that in the snippet I read. This tends to help his "case" -- however, this is not a court of law, it's a court of public opinion. I believe that he could have just submitted a bug report to the variety of places where these can be made, and not written any code to help script kiddies along.
Notifying MS would be nice too -- but I think we're getting ahead of ourselves. There's three levels of bastard (or lack thereof) to work with here:
1. Notify Microsoft and give them x amount of time before you go public
2. Just post the vulnerability -- watch 'em scramble for a fix
3. Just post an exploit -- watch 'em squirm.
This writer is on "level 3" (or maybe the grey area between levels 2 and 3). Sure, giving Microsoft some time would have been a nice thing to do, but just the same, I'd take a straight vulnerability release over any code that will give script kiddies a leg up.
I think you are full of it. The poster has done a lot of folks a HUGE favor. If he had sat on this, and allowed MS to sit on this, possibly millions of unsuspecting IE users put their computers at risk, waiting for someone else with the knowledge to find this exploit who would use it in the wrong way.
I think you might have your terminology backwards. Posting the vulnerability is a favor to people. Posting an exploit is a different story altogether. Since you have a hard time differentiating, let me try to help you out:
Vulnerability: "Hey, look -- I've found this hole in IE. Here it is, fix it. Everyone else -- this software sucks. Use something else."
Exploit: "Hey, everyone (script kiddies included) -- here's some code that I put together that exploits vulnerable boxes. You don't have to know a damn thing to root a vulnerable box. You can use this for anything, spamming, DDoS attacks, mining for credit card numbers -- it doesn't matter -- crack away, oh 31337 ones."
Now can you tell me which is more constructive? The exploit or vulnerability. Now remember that nobody finds an exploit -- they're all written. Vulnerabilities are found. I completely agree that vulnerabilities should be made public -- but as far as exploits -- you're dead wrong.
Now, if you didn't have your terminology backwards, your logic is just irresponsible. How is an exploit any more helpful than a vulnerability report to bugtraq? How could it possibly benefit anyone other than the script kiddies who will eventually get their hands on this code? People need another exploit in the wild like they need another hole in the head. You will still have an opportunity to tell your friends and family about your discovery -- only you'll have time to tell them to update their browser...not that they've probably been rooted.
PS -- next time, if you're less confrontational in your replies -- you will likely receive more friendly responses...ass.
There are certainly other ways to go about reporting bugs (not that Microsoft will listen to any of them), but blaming the messenger for pointing out that the castle wall is full of holes is a bit misdirected if you ask me.
Maybe there's something that I'm misunderstanding here. You're suggesting that he's just a messenger -- nothing more? I completely disagree. This person posted an exploit. I'm not sure how it is where you're from, but from where I sit, posting an exploit is on an entirely different level from simply telling someone that their software is full of holes (including how and where).
To use your analogy, rather than being a messenger telling the king that his castle walls are full of holes, this is a little more like designing a weapon to destroy your castle walls, and posting the plans in every neighboring town (which somehow manage to automatically build the weapon, provided you have the right tools). All the recipients have to do is tell the device to build itself, point, and fire.
The point is that this guy was downright irresponsible and should be treated as such. Any sane king would have beheaded this person in a royal heartbeat.
whole "if you've seen any Unix code you're contaminated" thing?
I'm not sure how it went down, but I'd believe it. Any company with an interest in developing "like" software has to take "clean-room" precautions or they're open to some sort of litigation. Win or lose, when it goes to court, a defendant usually hurts financially (unless there's an agreement otherwise).
Guess what! The "Music Industry" isn't a single entity
Yeah, but they sure have a face and a voice...in more than one country (RIAA, CRIA, ARIA, etc). These are the people responsible for the lobbying. I think that these are the organizations that people are referring to.
What occurred here looks like corporate espionage and theft, plain and simple. Whoever leaked this should be caught, and sent to Federal pound-you-in-the-ass prison. I know everyone here loves to hate on M$ (hahah funny), but nobody deserves to have their hard earned work lifted without their permission.
That's one way to look at this. Another is that it's nice to be able to say "I told you so". Especially when you're taking a stand against conventional wisdom.
From where I sit -- "security through obscurity" is just plain dumb. I've been saying it for a long time. Now, folks are preparing for an onslaught of worms from new exploits found. Well, now is my chance to say "I told you so".
If you'll excuse me, I need to start closing ports on the Windows side of our corporate firewall.
I do believe that science is a religion...to an extent.
Science is a religion in the attempts made to use science to explain our origins, as well as the world around us. However, where science differs from every organized religion (that I can think of) is that science is based upon observation and repeatable experimentation (for independent verification) -- the objective. Organized religion is neither based upon observation nor experimentation. Organized religion is typically based upon faith -- which is not, and will never be independently verifiable (hence the subjective). There are no repeatable experiments to prove that the "meta-physical" exists. Does it mean that it is not there? No. It just means that science does not typically recognize it -- it's not a flaw in the scientific method. This is its primary strength. The meta-physical is immeasurable, and to recognize what is impossible to ever prove as a truth (by definition) goes against the "nature" of science. Does it mean that science is better than religion? No -- that's for you to decide (the subjective part). Science's objectivity is what makes it what it is.
This being said, religion, politics, philosophy, and science are decidedly not the same thing. I'm not sure where you're getting that from. These things are all abstractions of another (except for politics -- maybe you're equating this with religion as another form of control over the masses). Having similar origins does not equate anything.
Finally, it's my opinion that your argument is somewhat backwards. Science does not fail to recognize the subjective or meta-physical. Science (generally) does not deal in unobservable phenomena. However, I have not seen anything "scientific" denying the existence of the metaphysical. On the contrary, religion has consistently denounced science through time, and those supporting organized religion have burned those seeking an alternate truth at the stake as heretics. While the goal of religion is to seek the truth, once organized, these goals change significantly.
That is, of course, if we keep testing it and trying to see if it is true. (Or the closest approximation of 'true' we have been able to come up with.)
You're absolutely correct. If we accepted theory as fact without any repeatable testing it would be religion, not science.
We may never fully understand the nature of our universe, and almost certainly will never understand it in our lifetimes. But the question raised in the topic is actually a fundamental one that spans far beyond dark matter to all forms of theoretical science. Many theories are based heavily upon other theories. The "root" theories (with any luck) will eventually be proven or disproven, affecting all research and theories which follow that "root".
What is important is for scientists to fully understand the theories that they base their work upon, and knowing the risks involved. Not doing so is irresponsible, and can lead to misinformation and confusion.
With the above in mind, it's also important to note that many theories have been disproven throughout and entire scientific disciplines have crumbled around the fall of these theories. However, from those ashes, new disciplines have arisen (the first that comes to mind is chemistry rising from the "ashes" of alchemy). I'm sure that in 100 years, many of our current ideas will be laughable, but this failure has proven fundamental to our growth (how's that for rhetoric!?)
(I haven't played UT in a few years, so I don't know what's what with the UT community as of late)
When I played UT, all of the best servers ran CSHP. There's a little more info here. (Sorry, I didn't have time to find better links -- the CSHP home page seems to have gone away.) CSHP stands for Client Side Hack Protection. This is an aimbot/cheat protection mod that makes sure that everybody is playing on a level field. All of the servers running it advertised it.
I just don't get it. What's the point of playing an online game if you have to cheat to win? What a way to ruin a game for everyone. (eyeroll)
Wearing a digital watch with teleconferencing and web browsing is one of the surest ways to not get laid that I've heard of in a long time.
I'm responding to your post because I didn't think you were being serious and I didn't want to attack anyone specific. Hopefully, you won't view it as an attack on you.
I tend to look at the "timepiece" discussion the same way I look at classic cars. There are people who drive old cars because they appreciate the quality of a hand-crafted car. Some of these are people who love the elegant simplicity of these older machines (or in some cases, the complexity of them). Some even drive old cars because a true "sports car" has not been built in 30 years -- they want to get back to these roots. Some think these older cars just have an intangible coolness to them. There are others who drive these cars because of the image. These people think that their classic car will earn them respect and get them laid.
The latter group, whatever "obsolete" material they possess for image reasons, neither deserve to get laid, nor do they deserve any specific respect for simply owning such items.
Most people don't want a keyboard and mouse sitting in their living room, nor the awkward use that would come from it.
Saying "that's why I have a remote" doesn't work either -- you get no more functionality from an HTPC remote than a component remote.
I understand your point, as was the gist of the article...but this is Slashdot. I'm sure that there are a significant amount of Slashdot readers who feel that it's perfectly natural to use a keyboard and mouse in their living room.
Secondly, I have a wireless remote for my computer from ATI, and it *does* provide more functionality than a component remote. It works as a wireless mouse, and has multiple buttons that will act as macros to do whatever I want (as well as each button behaving differently for different applications). I'm psyched to get my updated version in the mail -- it should offer even greater functionality.
While this solution (and ones like it) are clearly not for everyone, most geeks don't have a problem with it. Most people who are willing to put together a system like this probably feel the same way I do. I find it more flexible than the alternative (a component system).
The system should integrate itself seamlessly, and shouldn't force the user to think about it as a computer
Why? Obviously, if one has the know-how to build such a system, they probably won't find it inconvenient to use it like a computer. I know that I like the fact that my "HTPC" doesn't act like a component -- and I appreciate the flexibility that a computer offers me. Anybody who needs their "HTPC" to act like a component is probably better off saving time and money by just buying a component in the first place.
I don't care what your intentions are, you hack into a place like that you should be thrown in jail even if it's just to show everyone else how serious you are.
I completely disagree. Furthermore, I think that yours may be the same kind of thinking that US legislators have when creating laws to cover new technology. Such black-and-white thinking seems pretty irresponsible to me. It does not allow for judges to use discretion, as this one has.
Let's take a look at it from a harm perspective. How much trouble did this really cause? Some kid cracking files to steal someone else's bandwidth -- this is akin to petty larceny -- maybe breaking and entry at worst. I can understand a judge opting for leniency in this case, the same way they may be inclined to opt for leniency for a breaking and entry case. Just because very few people understand the crime, doesn't necessarily mean that it should carry a requisite absolute punishment. That's just an overreaction -- no different from mandatory minimum sentencing for drug offenders. All that will do is overcrowd prisons and turn part-time petty criminals into full-time criminals. I don't know about English prisons, but I've seen US prisons -- from what I read in the article, this kid doesn't belong there.
Now, if McElroy had caused any real damage (like viewing classified material, etc) -- then an appropriate penalty should have been levied. However, unless our DoE computer centers are run by complete morons, there's probably a really good chance that classified materials were not available to McElroy. If this was apparent, it adds far more credibility to the argument that a 17-year-old kid (this was 2 years ago) was just screwing around.
On another note:
Fearing a terrorist attack, the computer was closed down for three days
If there actually was classified material at stake, it begs the question: What asshole puts a network like this on the public Internet? Isn't that asking for a terrorist attack? It brings to mind another law: In some US states, it's illegal to leave your car idling with the key in it. It's ticketable and adds points to your license. Sure, if some asshole steals the car, it's far more illegal -- but it shares some of the responsibility with the operator. Shouldn't someone at Fermi lab be held responsible for this as well? This is a DoE computer that my tax dollars paid for. I say that we should forget about creating more anti-terrorism laws. If someone makes the colossal fuck-up of making a classified system accessible on the public Internet, in any way, they should be penalized for negligently putting millions of lives at risk (allowing for flexible sentencing as the judge sees fit, of course).
Considering the fact that EA has failed to go after any of these projects, some of which have been publicly announced for *years*, I doubt they'll choose to go after any of them now.
You make some really good points in your post. I sure hope you're right.
According to this page:
ELECTRONIC ARTS, ORIGIN, UltimaTM and Britannia are trademarks or registered trademarks of Electronic Arts Inc. in the U.S. and/or other countries. ORIGINTM is an Electronic ArtsTM brand. Lord British is a trademark or registered trademark of Richard Garriott in the U.S. and/or other countries.
It sounds like EA's got their bases covered on the trademarks. Fortunately, since the project is pretty low-key, it would be really easy to just change the name(s) if it ever came up. I am glad that it got Richard Garriott's blessing, and I hope that it is able to keep all of the original Ultima names. I do think that the names, places, titles, etc add a lot to an Ultima game (familiarity, authenticity, etc) and it would be a shame to see EA put a halt to this.
I wonder how EA will respond to the use of the Ultima name (ya know -- since they own it and all).
More importantly, why didn't EA think of this? I mean, (IMO) all of the recent Ultima games have sucked, and I don't think that any of the newfangled titles have been able to touch III, IV, and V in terms of fun and playability. EA did release all of the earlier Ultima titles (1-8 as well as both Underworlds, and Akalabeth) on a CD called the Ultima Collection, but I'm surprised that they haven't thought to do something like this themselves. I'll be more surprised if EA doesn't respond in some way to the use of their trademark.
Anyway, I can't wait to play. That game was probably the best of the Ultima series.
This is true simply because Linux users are likely to be running in root/Administrator
What you mention here is absolutely true for system-level attacks where root-level permissions are required (and a common exploit is not readily available). However, a wide-scale attack like MyDoom can still occur on a Linux machine in userland. Let's examine (from my memory, I'm sure I'm leaving something out) what MyDoom does and how it would work in userland Linux:
First, the worm propagates itself via a self-contained mailer. This mailer can be (or is) run at a user level -- this is perfectly possible within "normal" userland Linux. Second, the worm launches a DDoS attack via simple http calls. Again, this is completely possible from any user account. Finally, the worm installs a trojan on the system. This is where your point tends to stand better, however, with a caveat. The trojan will never have superuser permissions unless it exploits an existing security hole -- for example a buffer overflow on a suid root application (not the best example anymore with new kernel security mods in some distros protecting the stack...but whatever). However, a user account can still be trojaned, and it is possible to hijack that account for spamming purposes -- or even simply be used for cracking from. There are some limitations to opening a socket connection in user mode (I forgot the specific rules), but this particular worm could easily be implemented to infect a Linux machine with identical results (possibly faster spreading if you believe that every part of Linux is that much faster than its Windows counterpart). A trojan would only be limited by what one could do with a user account.
Your point, however, is not completely lost on me. I agree that less "serious" mistakes can be made from userland than in superuser mode (and I've made them...d'oh!). Further, in user mode, damage control and sanitization is far easier: delete the compromised user account (including the crontab and all files owned by the user and their member groups, as well as any file which the user had write permission to), and do a sanity check to ensure that all documented exploits were patched before and during the period of exposure.
As for Linux overtaking Windows on the desktop, I can only hope that Linux is developed to that point soon (so that non-technical users can use desktop Linux with ease), and it receives mainstream acceptance (especially in the workplace). As far as I know, nobody has ever built a dominantly used desktop GUI without many-millions of dollars of corporate backing and a gigantic development team all under one roof. (Don't get me wrong...I still believe that the Windows tax on PC's can end.)
While you and I believe this, only time will tell whether or not the court system feels the same way (ala SCO).
I'd say good riddance. I fucking hate autoplay. It's a security liability and an annoyance.
Not like Microsoft has any chance of losing though. This is a really old technology with dozens of examples of prior art(s).
Yeah, but one side never burned the other at the stake -- calling those who questioned "truths" heretics.
In any case, I never claimed that one was better than the other -- this is the subjective and personal part.
Absolutely correct. If the theocrats had their way, religion would still control science.
I just hang out with women and if we're both cool with each other, I just sorta ask. It tends to work.
The fact is, I tend to avoid having sex with women who would want me because of my watch or car. I think that's just lame.
Does it have more to do with the fancy watch, or the fact that it boosts your self-confidence?
Which part of "significant amount" did you take to mean "all" or "you"?
I understand your point, as was the jist of the article...but this is Slashdot. I'm sure that there are a significant amount of Slashdot readers who feel that it's perfectly natural to use a keyboard and mouse in their living room.
Secondly, I have a wireless remote for my computer from ATI, and it *does* provide more functionality than a component remote. It works as a wireless mouse, and has multiple buttons that will act as macros to do whatever I want (as well as each button behaving differently for different applications). I'm psyched to get my updated version in the mail -- it should offer even greater functionality.
While this solution (and ones like it) are clearly not for everyone, most geeks don't have a problem with it. Most people who are willing to put together a system like this probably feel the same way I do. I find it more flexible than the alternative (a component system).
Why? Obviously, if one has the know-how to build such a system, they probably won't find it inconvenient to use it like a computer. I know that I'm like the fact that me "HTPC" doesn't act like a component -- and I appreciate the flexibility that a computer offers me. Anybody who needs their "HTPC" to act like a component is probably better off saving time and money by just buying a component in the first place.
I completely disagree. Furthermore, I think that yours may be the same kind of thinking that US legislators have when creating laws to cover new technology. Such black-and-white thinking seems pretty irresponsible to me. It does not allow for judges to use discretion, as this one has.
Let's take a look at it from a harm perspective. How much trouble did this really cause? Some kid cracking files to steal someone else's bandwidth -- this is akin to petty larceny -- maybe breaking and entry at worst. I can understand a judge opting for leniency in this case, the same way they may be inclined to opt for leniency for a breaking and entry case. Just because very few people understand the crime, doesn't necessarily mean that it should carry a requisite absolute punishment. That's just an overreaction -- no different from mandatory minimum sentencing for drug offenders. All that will do is overcrowd prisons and turn part-time petty criminals into full-time criminals. I don't know about English prisons, but I've seen US prisons -- from what I read in the article, this kid doesn't belong there.
Now, if McElroy had caused any real damage (like viewing classified material, etc) -- then an appropriate penalty should have been levied. However, unless our DoE computer centers are run by complete morons, there's probably a really good chance that classified materials were not available to McElroy. If this was apparent, it adds far more credibility to the argument that a 17-year-old kid (this was 2 years ago) was just screwing around.
On another note:
If there actually was classified material at stake, it begs the question: What asshole puts a network like this on the public Internet? Isn't that asking for a terrorist attack? It brings to mind another law: In some US states, it's illegal to leave your car idling with the key in it. It's ticketable and adds points to your license. Sure, if some asshole steals the car, it's far more illegal -- but it shares some of the responsibility with the operator. Shouldn't someone at Fermilab be held responsible for this as well? This is a DoE computer that my tax dollars paid for. I say that we should forget about creating more anti-terrorism laws. If someone makes the colossal fuck-up of making a classified system accessible on the public Internet, in any way, they should be penalized for negligently putting millions of lives at risk (allowing for flexible sentencing as the judge sees fit, of course).
You make some really good points in your post. I sure hope you're right.
According to this page:
It sounds like EA's got their bases covered on the trademarks. Fortunately, since the project is pretty low-key, it would be really easy to just change the name(s) if it ever came up. I am glad that it got Richard Garriott's blessing, and I hope that it is able to keep all of the original Ultima names. I do think that the names, places, titles, etc add a lot to an Ultima game (familiarity, authenticity, etc) and it would be a shame to see EA put a halt to this.
I wonder how EA will respond to the use of the Ultima name (ya know -- since they own it and all).
More importantly, why didn't EA think of this? I mean, (IMO) all of the recent Ultima games have sucked, and I don't think that any of the newfangled titles have been able to touch III, IV, and V in terms of fun and playability. EA did release all of the earlier Ultima titles (1-8 as well as both Underworlds, and Akalabeth) on a CD called the Ultima Collection, but I'm surprised that they haven't thought to do something like this themselves. I'll be more surprised if EA doesn't respond in some way to the use of their trademark.
Anyway, I can't wait to play. That game was probably the best of the Ultima series.
It's not about his name. It has nothing to do with that. Read all of my comments in this thread -- I think I've been over it enough.
What you mention here is absolutely true for system-level attacks where root-level permissions are required (and a common exploit is not readily available). However, a wide-scale attack like MyDoom can still occur on a Linux machine in userland. Let's examine what MyDoom does (from my memory, I'm sure I'm leaving something out) and how it would work in userland Linux:
First, the worm propagates itself via a self-contained mailer. This mailer can be (or is) run at a user level -- this is perfectly possible within "normal" userland Linux. Second, the worm launches a DDoS attack via simple http calls. Again, this is completely possible from any user account. Finally, the worm installs a trojan on the system. This is where your point tends to stand better, however, with a caveat. The trojan will never have superuser permissions unless it exploits an existing security hole -- for example a buffer overflow on a suid root application (not the best example anymore with new kernel security mods in some distros protecting the stack...but whatever). However, a user account can still be trojaned, and it is possible to hijack that account for spamming purposes -- or even simply be used for cracking from. There are some limitations to opening a socket connection in user mode (I forgot the specific rules), but this particular worm could easily be implemented to infect a Linux machine with identical results (possibly faster spreading if you believe that every part of Linux is that much faster than its Windows counterpart). A trojan would only be limited by what one could do with a user account.
Your point, however, is not completely lost on me. I agree that less "serious" mistakes can be made from userland than in superuser mode (and I've made them...d'oh!). Further, in user mode, damage control and sanitization is far easier: delete the compromised user account (including the crontab and all files owned by the user and their member groups, as well as any file which the user had write permission to), and do a sanity check to ensure that all documented exploits were patched before and during the period of exposure.
As for Linux overtaking Windows on the desktop, I can only hope that Linux is developed to that point soon (so that non-technical users can use desktop Linux with ease), and it receives mainstream acceptance (especially in the workplace). As far as I know, nobody has ever built a dominantly used desktop GUI without many millions of dollars of corporate backing and a gigantic development team all under one roof. (Don't get me wrong...I still believe that the Windows tax on PCs can end.)
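The account-cleanup step described in the post above, as an added example that is not code from the original poster: a shell script that enumerates everything a compromised user account owns or could have written to (group- or world-writable files), plus its crontab, so it can be reviewed before the account is removed. It assumes a POSIX shell with GNU or BSD find and coreutils id; the user and path arguments are placeholders, and the script deletes nothing.

```shell
#!/bin/sh
# Added example, not from the original post: inventory the footprint of a
# compromised (non-root) account before deleting it, as the post recommends.
# Assumes POSIX sh, GNU/BSD find (-xdev, octal -perm masks) and coreutils id.

# list_user_footprint USER ROOT
# Prints every path under ROOT (staying on one filesystem) that USER owns,
# that is writable by one of USER's groups, or that is world-writable.
list_user_footprint() {
    user="$1"; root="$2"
    # Build "-o ( -group G -perm -020 )" for each group USER belongs to, so
    # files the account could modify through group membership are included.
    groups_expr=""
    for g in $(id -Gn "$user" 2>/dev/null); do
        groups_expr="$groups_expr -o ( -group $g -perm -020 )"
    done
    # groups_expr is deliberately unquoted: it must split into find arguments.
    # shellcheck disable=SC2086
    find "$root" -xdev \( -user "$user" -o -perm -002 $groups_expr \) \
        -print 2>/dev/null | sort -u
}

# show_user_cron USER
# Lists the account's crontab (reading another user's crontab needs root).
show_user_cron() {
    crontab -u "$1" -l 2>/dev/null || echo "(no crontab readable for $1)"
}

# Usage: sh footprint.sh <user> <root>, e.g. sh footprint.sh alice /home
if [ "$#" -eq 2 ]; then
    list_user_footprint "$1" "$2"
    show_user_cron "$1"
fi
```

Review the listing for files outside the home directory (shared upload directories, group-writable web roots) before running userdel, since those survive the account deletion.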
D'oh! I'm such a dork. LOL