I keep seeing this "properly", and it frequently means "when done by inerrant and superintelligent entities"
If "properly" requires you to do anything that is Not-Obvious, for example to open a CLI, Registry Editor, ADSIEditor, or other Advanced Tool, to set up the environment in a way which is not common practice OR not described clearly by the Vendor in a simple Setup or QuickStart Guide, then it's not really "Properly"; it's the application of an Advanced Hack or Workaround, and the "Properly" is someone's personal opinion about what extra steps should be taken.
The problem with Windows environments is there are a million personal opinions, and 900,000 of them miss some aspect, or ignore some other thing, or blah blah blah, blah blah blah. There is no "properly"; it doesn't exist, and any Windows environment is insecure, even if you think you have a clever workaround which you just call "Properly" setting it up, as opposed to what? Clicking through an AD setup Wizard, and "I should be done now".
For example, properly written C++ doesn't double-free memory, but can have a race condition or off-by-one error or use an element from an empty vector.
C and C++ are subject to errors even the best coders have difficulty avoiding.....
But learning professional, respectful communication should not be part of this endeavor?
What is "professional" is subjective; a matter of personal preference or opinion.
As far as providing basic human respect, not badmouthing or throwing around insults, that's a fundamental skill people should have before being admitted to university.
As for respect as a high-level of reverence, such as ego stroking other people, using grandiose greetings in everyday language, politeness excessively above what is normal treatment of peers, admitting to mentors' preferences, treating professors as bosses or superiors instead of equals in everyday conversation, and avoiding use of slang......
no, that is not part of the endeavor, except perhaps, in a communications course where such skooling could be germane.
All paying students should receive a 4.0 GPA!
Some students would want this, But students come to school because they expect to learn, which includes (1) Legitimate instruction, (2) Honest feedback, and (3) A valuable credential from an accredited school.
Assigning an improperly high grade would be dishonest feedback, and also, Because students are interested in earning a Valuable credential, there are some tradeoffs they HAVE to make; regionally accredited schools cannot award all students a 4.0 GPA without them demonstrating knowledge of the curriculum.
The proportions don't matter.... it is about absolute numbers of users. Where there are users, there is $$$$ to be made exploiting them. If there is not malware targeting these users, then there must be some barrier preventing it, such as better security, or better security awareness.
If there are a large number of users, then they are a target.
There are more than 60 million Mac users today. In 1996 there were only about 36 million computer users.
There was no shortage of worms and viruses back in 1996.
So unless there's a security difference, there should be equally prevalent worms and viruses for Mac in 2017.
iCloud has 130 Million users.... So where are all the worms targeting iCloud devices?
A properly setup and secured Windows network would not be open to most of this junk.
Can you name 3 companies with 100% Properly setup and correctly-secured Windows networks?
(HINT: The number that actually exist in the real world is 0.)
Virus writers will target the largest market portion. If that's Windows, they'll write viruses for Windows.
Maybe. Where are all the worms targeting Non-Jailbroken iPhones over the network?
Just because your software is a target, doesn't mean you get targeted as successfully, effectively, and broadly as Windows and Flash.
Just because you made one point does not mean the Opinion that switching to Linux will result in fewer worms/Ransomware is wrong.
At best you could say it is untested, because we have not seen what would happen if a significant % of people used Linux. So for now it is just a thought experiment, BUT it is a thought experiment where we cannot determine for a fact what the result would be.
On the other hand, switching to Linux in itself may be only part of the solution.
The fact is, we can probably deploy Linux systems to meet all user requirements with a MUCH smaller attack surface than Windows.
Crap like all desktops accepting SMB protocol connections by default is totally unnecessary.
One of the major design defects with Windows that leads to wormability is "Portmapped RPC" services and the Re-Use of port numbers, instead of sticking to one port number per protocol.
With Linux, you're much better off, as long as you don't deploy NFS or Samba on your client devices.
As for social engineering...... start with not running things as root. Use Chromium as the browser.
You're talking about Spyware-like behavior; I don't think the Facebook app does that. Even if it did, I've never run a Facebook phone app, only accessed it on a PC.
That is not reliable, because not every user provides FB with a phone number.
Some people also have multiple present or past phone numbers, e-mail addresses, and provided a different number to each service.
I'm sure Apple would foot the bill just out of spite for Qualcomm's bullshit. It would also pay off in 5 years, minimum.
If it will pay off so quickly, then that may mean the market value of the patent is more than I suggested. The true formula would be to actually perform a Net-Present-Value calculation against the expected Sales/licensing revenue minus costs for this patent over the number of remaining years of its life. In the real world, that would be realized by putting the patent up for auction and taking the highest bid to be the value, or by finding independent appraisers to determine its value.
All the above said; I personally feel that the Profits to a creator for Intellectual Property should be capped, and after the cap is exceeded, those rights are depleted, and your solely remaining exclusive rights are Performance rights, Trademark, and Moral rights, only retained if you fully patented or copyrighted with full publication of source code, etc. If you are producing a product yourself, then you should be able to deduct your actual material costs, physical labor for assembling a product, and research and development (but no other costs), but if you are licensing to someone else, such as software IP, receiving royalties, or payments from a lawsuit or settlement, every $$$ received should count towards the cap, And the cap should be set at something like $10 Billion per Year.
Just Sorry... "You were sufficiently rewarded for your creation, or discovery," But sufficient reward for one act of invention does not mean Unlimited piles of cash with zero additional work, forever.
No, not buy, we Eminent Domain that shit as part of leasing the spectrum that We The People own.
Eminent Domain requires paying fair compensation, per the constitution, which means at least the fair market price, which is probably more than $10 billion the US government would have to pay to Qualcomm to "Eminent Domain that shit".
AI will drink software's milkshake
Who cares, as long as it brings all the Boys to the yard?
I understand NVidia has some products in this area, regarding machine learning, they are a chip maker after all.
So the claim could just be the typical sort of self-serving thing CxOs say: a marketing message trying to pique people's interest in AI Silicon.
system gets hacked and flies the plane into a mountain with the pilots powerless to do anything about it.
The system need not allow that, just like current flight automation systems could deny the pilots from doing that.
I don't think there's a material change of risk in that. Commercial planes ALREADY rely on automated navigation systems and software -- the pilots are already dependent on the computer, and already rely on consent of the computer to do any manual flying.
At least by having a ground security crew with additional monitoring, there can be some Benefit added to go with the risks.
Well, if the terrorists are already in the cockpit, all bets are off. Obviously. Do you have a better idea?
Yes -- PIN+Biometric; a Two-Person rule for opening the security door, multiple automation and redundant systems, and ground crews monitoring commercial flights with an ability to remotely override a rogue pilot.
I would suggest two-factor with a Biometric + Personal code for each authorized person across the fleet, synchronized from a source database.
However, the pilots can simply block entry with a single switch. Since they have 30 seconds to do so, this is not really a big security risk either.
Ok... This is a good idea UNLESS the hostile force is Already in the Cockpit, OR the emergency is so imminent that everyone will be dead in 30 seconds. So if the terrorist is already in the cockpit, they can just take their time and keep everyone locked out, AND use the locked steel door to protect the terrorist from the passengers, Passengers who now know about 9/11 and would likely make any sacrifice needed to stop terrorists, while they plan where to crash the plane, And the steel door becomes the liability for everyone, that's not very re-assuring.....
Over the last few years, I have grown endlessly frustrated with Chrome's resource management,
Sorry..... SECURITY trumps resource management, and Chrome is much more secure than Opera thanks to being miles ahead in process sandboxing.
especially on MacOS. Admittedly, I open too many tabs, but I'd wager that a lot of you do, too.
So stop doing bad things. You've gotten into a lazy habit of holding too many tabs open. Yes, tabs have their place. Their place is not to have 10+ tabs open; if you find yourself opening more than 5 or 6, you need to concentrate efforts on bookmarking things to check back later and close tabs.
But I don't see this as a patent trolling. They invested to create those ideas.
Intellectual Property is not Ideas; it is the implementation of the Ideas....... Copyrightable code and Trade secrets.
If the product contains a copy of code owned by ZeniMax, then they're due royalties or an ability to deny Samsung the ability to make and/or profit from the product.
On the other hand, if there's no code in common, Samsung could potentially have a re-creation or an independent implementation not subject to their copyrights.
Very few professionals need to communicate with a large audience. "Yo!" will suffice in general if it is in common usage.
The professors are forgetting that their job is to provide the service their customer (Their student) is paying a lot of money for.
If you want to dictate everything about this relationship, then become like Google and provide your service for free, take it or leave it.
So...Windows shouldn't be used by small or medium-sized business without IT workstation teams then?
If you're an SMB, then it is vanishingly unlikely that an Update-induced outage will cause a critical interruption of business. If it would, then either change your design, Develop a plan to mitigate Update-induced outage, OR else, it really is worth paying for the team to do this right.
ON THE OTHER HAND, a Security-breach-induced outage could very well put you out of business, if Uptime of this application is as critical as you would like to suggest.
Makes sense, but not an excuse for turning off Updates.
How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.
Leave Windows Update Enabled, schedule all new updates to install on X Day; However, If Windows Update rolls out the patch on its own, then YOUR TEAM failed to conduct its job appropriately, which was to perform a controlled rollout in a timely manner (BEFORE The update is a week old, And the failsafe triggers to protect your organization's security).
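One way to express the "leave it enabled, but pin the install to X Day" arrangement described above, as an added PowerShell example that is not from the original thread (the registry values are the standard Windows Update "Configure Automatic Updates" policy keys; the Thursday 03:00 schedule is an assumed placeholder for the team's own rollout window):

```powershell
# Added example: keep Automatic Updates on as the failsafe, but schedule the
# install so the team's controlled rollout runs first.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }

# 0 = Automatic Updates stays enabled (1 would turn it off, which is what the
# thread argues against)
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
# 4 = auto download and schedule the install
Set-ItemProperty -Path $au -Name AUOptions -Value 4 -Type DWord
# 0 = every day, 1 = Sunday ... 7 = Saturday  (assumed: 5 = Thursday)
Set-ItemProperty -Path $au -Name ScheduledInstallDay -Value 5 -Type DWord
# Hour of day, 0-23 (assumed: 03:00, outside business hours)
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord

# Read the policy back so a rollout checklist can confirm updates were never
# disabled, only scheduled.
Get-ItemProperty -Path $au |
    Select-Object NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime
```

Run it in an elevated session; on a domain, the same values would normally be delivered by Group Policy rather than set per host.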
This could also be viewed as PR protection for Microsoft. If they didn't help these users, then this would dirty Windows' name even further, and many of these users would probably switch to something else, realizing MS doesn't have their back.
throw a bunch of lobbying money at world governments to get laws passed to stop the hoarding.
If not world governments, then Cybercriminals. They're all the same.
How about putting that money towards making software that is actually secure, starting with network protocols?
This SMBv1 bug would have been a non-issue had the SMB service been sandboxed such that arbitrary code running as the SMB service cannot initiate an outbound connection or Modify files except after passing through a user credential for a particular Instance of the service process.
the odds that it is taken are so minuscule that you wouldn't bother checking
Yep.... Odds are it was quick and dirty. If it wasn't, then they'd probably have used algorithmically-generated domain names, tried 3 URLs at random from a list, and required the URL attempted to present a digitally-signed file for the switch to take effect. Badware authors have done things like that in the past, etc, etc.
As somebody who uses Google Search, you are not the consumer, you are the consumed.
Nonsense. Of course you are the consumer for the Google Search Service, which is a free service with some strings.
You are also at the same time providing the Audience Google is selling through a different service called AdSense.
First, make students read the book outside of class, rather than in class. If your lecture merely covers the material in the textbook, why make students buy the textbook?
No..... Students don't need your class to read the Textbook. Why don't you just say "Read this book as a pre-requisite before taking this class" then, and then just give them the A after they do a book report? People take courses because Textbooks aren't engaging either --- they're often even drier than the lectures, AND it is difficult to maintain attention to the task of reading material, as you may surely be overwhelmed by the wall of text.
If you assign students to read something, make sure it is 5 pages per day or less --- Bite-sized pieces.
It's totally valid to have Lectures where you teach All the material in the book in a relatable fashion, and that is what should be done.
Don't try to make your students DO something different, or something massive, to teach every topic --- that is unreasonable and will wear them out.
A good lecture should be "spiced up" though with humor and flavors, involve asking students questions, and require active participation.