I think what he was asking if you installed Windows XP while your computer was connected to a network. The proper method is to install Windows XP on box with *no* network access, patch it fully, then connect it to the network. I would do the same with a several year old Linux distrubution before I was able to patch all the vulnerabilities. It's just good network citizenship.
Haven't used a recent version of Outlook, have you? I understand that even when Microsoft fixes a problem they've had in the past critics will still deride them for their past mistakes, but seriously; Outlook has becomes orders of magnitude better at keeping scripts at bay. This just reminds me a few days ago the discussion about all the security patches released, yet only a small percentage applied to SP2. One does Microsoft a service by ignoring their progress and attacking their past because it's hard to compete against them when one's target is outdated.
Also, the Electrovaya Scribbler SC800 and Electrovaya Scribbler SC2100 have finger print scanners as well. [1] They've had them for years. I guess they are just becomming more mainstream.
http://www.electrovaya.com/product/scribbler_pro du ct.html
Your analogy is a little flawed in my view. The pickle GM was in during the mid-80's is a different beast. GM did not have to deal with a changing operating environment. In the software world, and especially the internet-connected software world, the external environment can change drastically and effect performance of software. It is hardly fair to compare a manufacturing flaw which could have been tested for and discovered at the time to a software bug for which a viable scenario at the time was not plausible. Are you suggesting that companies go and fix their old DOS applications to make sure they handle UNC paths correctly when UNC paths did not exist when the application was written and tested?
If players of on-line poker were led to believe that they were playing in an unfair environment, they would take their gambling bankroll elsewhere. The on-line poker rooms make their profit through a rake no matter who plays how well. Though the bots won't hurt the poker room directly, it might have players moving to other poker rooms.
"Thank god other OS's such as Linux aren't stupid enough to allow user-level apps or their installers to install/replace shared libraries directly in the OS, or change the way the OS is configured (registry)."
Sure they do. If you run the installer as root, there's nothing to stop an installer from replacing shared libraries or changing configuration files. It's just that the Unixes are heterogenous enough that it would be hard to write such an installer that works on any flavor or architecture, so other methods are used. But the OS doesn't per se restrict it. I mean, even on Windows, if you run the installer as non-admin, it can't do what you suggest it can.
You're last statement seems odd to me. What does performance degredation have to do with Microsoft protecting themself adequately? Have you called PSS and tried to identify the cause of the 60 second delay prior to context menus appearing on "My Computer"? I have seen SP2 run on a variety of hardware and driver configurations and have never seen this sort of performance. It might just be a driver which makes assumptions that SP2 invalidates and needs and update.
Well, go ahead and do that, if the software is running with access to those things. If, for example, the software is running with only write access to the user's home directory, then what?
Isn't that what it's all about? Each participant crafts their argument how they please, then they back it up with facts. They need only include facts which support their claim, although the better ones might preempt attacks on their argument by including some opposing facts and supplying a plausible rebuttal. Each participant does the same, and observers can then make informed descisions.
I might use Prolog or another logic programming language to go about proving that one statment implies another, but only if the statements may be codified using set theory. If by "purely structural" you mean procedural, then my suggestion is invalid, but if you mean simply deterministic, then try out Prolog.
Could you point me to an exploit where a midi attachment compromises a Windows box? I'll even run Outlook if you want. I'll even click on the attachment for you. But, I won't run as Administrator. Nor will I change my ACLs to allow world write to any system file. Just's just dumb. I bet you don't run as root with world write in/etc on a Linux box, do you?
"They can start with a kernel that really keeps track of memory usage, has real PIDs, users and file based permissions for user, group, world, read, write, execute and force it on applications."
- keeps track of memory usage: check - has real PIDs: check - users: check - file based permissions for user, group, world, read, write, execute, forced upon applications: check. Windows ACLs are a little better than what's built into the kernel. Read up on it, you'll see.
"Other nifty ideas would be not running email clients and web browsers that auto-open anything as close to root with permissions to overwrite system files."
Email clients and web browsers don't auto-open anything "as close to root with permissions to overwrite system files," they run as the user. Try running a web broswer and email client on Linux as root, it's quite the same.
Care to make a zealot-less point which actually attacks a real design flaw?
"In ten years Winblows will still be the easiest to exploit OS around."
I'll just ignore this speculation.
"Three years ago, they promissed to make security "job #1" more important than new features. Yesterday, they promissed new features for a new OS that will be out two years from now, but are here saying that security may be here in 10 years."
Saying that security is more like a ten-year plan does not imply no security for ten years, nor that security will just happen at one instant in ten years. It's a gradual process of refining your design principles.
Security is not a feature. It's a design principle first and implementation principle second. Applying those principles to software that has already shipped, although a worthwhile goal, is not as viable as applying them for future products. Look at what happened to Netscape when they decided to scrap their code and rewrite the browser: they lost to IE. What would happen to Windows if it was stagnant while every line of code was scrutinized: it'll lose. It makes sense to educate developers, and do things right in the next release. (XP is not the next release after that announcement, 2003 was. Compare (honestly) the security of 2003 against XP, it's a staggering improvement and the competition should be watchful that they don't get too arrogant).
I think the bigger issue is, no matter how secure the network, someone on it has authorization to view any email going across it. A vote should be made in private.
I would also like to tell my story. I've been a Windows user since 1990, a Linux user since 1995, a SunOS/Solaris user since 1995, an Irix user since 1995, an OpenVMS user since 1997, and an AIX user since 1997. I don't run all of these concurrently anymore but I've administered each of them for quite some time. I keep abreast of security issues in each OS I'm running, even if it's only getting the latest patches. On Windows, I run an up-to-date virus scanner. I had to do a lot more work to secure Linux than I did to secure Windows XP. I have *never*, not *once* had a serious issue with any of my machines running any OS unless it was a hardware fault. By serious I mean anything beyond a virus caught by the scanner or an application crash due to a bug. I may, or may not, help that I don't run any software beyond the business apps I need, a few games, and some IM client. I don't download much software, beyond perhaps putty, Java run-time, and well, perhaps something else. I did, in college witness many people have problems with Windows, and they did not run AVS, used Kazaa liberally, and liked to install little apps that web pages offered. There is no technological solution today that trumps educating users. I'm rambling, so I'll stop.
Re:Not running as admin is all that matters? Not s
on
XP2 Spotted In The Wild
·
· Score: 2, Informative
Actually, under XP, many programs take advantage of NETWORK SERVICE and LOCAL SERVICE accounts, which are not quite the same as SYSTEM. I believe IIS is one of these programs.
The will is a powerful agent. It does exist for those that are certain they experience it. So I second your opinion that he or she would be better off ridding himself or herself of the belief.
While those are all valid reasons, they are not necessary. When submitting a reimbursment, your name is on the itinerary, ticket, etc. That the airline checked your ID doesn't prove anything else. As for people cheating on reimbursements, that's between the reimburser and the traveler, not the airline and the traveler. There are other methods to ensure cheating is curtailed. As for getting your ticket stolen, one can print a picture of the traveler on the ticket if they so choose, or print "ID required" on the ticket if they so choose. It should be up to the traveler if they want the insurance against ticket theft, not forced upon them. As for the manifest, it too can be opt in. As for keeping people in the gate area to a minimum, enforce a one ticket one person (plus assistants if needed) policy, no need to match names or ID.
Slashdot Mirror
I think what he was asking if you installed Windows XP while your computer was connected to a network. The proper method is to install Windows XP on box with *no* network access, patch it fully, then connect it to the network. I would do the same with a several year old Linux distrubution before I was able to patch all the vulnerabilities. It's just good network citizenship.
Haven't used a recent version of Outlook, have you? I understand that even when Microsoft fixes a problem they've had in the past critics will still deride them for their past mistakes, but seriously; Outlook has becomes orders of magnitude better at keeping scripts at bay. This just reminds me a few days ago the discussion about all the security patches released, yet only a small percentage applied to SP2. One does Microsoft a service by ignoring their progress and attacking their past because it's hard to compete against them when one's target is outdated.
Also, the Electrovaya Scribbler SC800 and Electrovaya Scribbler SC2100 have finger print scanners as well. [1] They've had them for years. I guess they are just becomming more mainstream.
o du ct.html
http://www.electrovaya.com/product/scribbler_pr
I believe it is up to the parents to decide what their children may read, not the government (as most public libraries are government funded).
Your analogy is a little flawed in my view. The pickle GM was in during the mid-80's is a different beast. GM did not have to deal with a changing operating environment. In the software world, and especially the internet-connected software world, the external environment can change drastically and effect performance of software. It is hardly fair to compare a manufacturing flaw which could have been tested for and discovered at the time to a software bug for which a viable scenario at the time was not plausible. Are you suggesting that companies go and fix their old DOS applications to make sure they handle UNC paths correctly when UNC paths did not exist when the application was written and tested?
If players of on-line poker were led to believe that they were playing in an unfair environment, they would take their gambling bankroll elsewhere. The on-line poker rooms make their profit through a rake no matter who plays how well. Though the bots won't hurt the poker room directly, it might have players moving to other poker rooms.
Picasa looked inspired by iPhoto long before Google bought it.
"Thank god other OS's such as Linux aren't stupid enough to allow user-level apps or their installers to install/replace shared libraries directly in the OS, or change the way the OS is configured (registry)."
Sure they do. If you run the installer as root, there's nothing to stop an installer from replacing shared libraries or changing configuration files. It's just that the Unixes are heterogenous enough that it would be hard to write such an installer that works on any flavor or architecture, so other methods are used. But the OS doesn't per se restrict it. I mean, even on Windows, if you run the installer as non-admin, it can't do what you suggest it can.
You're last statement seems odd to me. What does performance degredation have to do with Microsoft protecting themself adequately? Have you called PSS and tried to identify the cause of the 60 second delay prior to context menus appearing on "My Computer"? I have seen SP2 run on a variety of hardware and driver configurations and have never seen this sort of performance. It might just be a driver which makes assumptions that SP2 invalidates and needs and update.
Well, go ahead and do that, if the software is running with access to those things. If, for example, the software is running with only write access to the user's home directory, then what?
Isn't that what it's all about? Each participant crafts their argument how they please, then they back it up with facts. They need only include facts which support their claim, although the better ones might preempt attacks on their argument by including some opposing facts and supplying a plausible rebuttal. Each participant does the same, and observers can then make informed descisions.
I might use Prolog or another logic programming language to go about proving that one statment implies another, but only if the statements may be codified using set theory. If by "purely structural" you mean procedural, then my suggestion is invalid, but if you mean simply deterministic, then try out Prolog.
I know BC required MAC address registration in 1996.
The problems that 802.11 and Bluetooth solve, although they might overlap in some areas, are really two different classes of problems.
Could you point me to an exploit where a midi attachment compromises a Windows box? I'll even run Outlook if you want. I'll even click on the attachment for you. But, I won't run as Administrator. Nor will I change my ACLs to allow world write to any system file. Just's just dumb. I bet you don't run as root with world write in /etc on a Linux box, do you?
I think the "the" before "music" is important. He's speaking about a particular instance.
"They can start with a kernel that really keeps track of memory usage, has real PIDs, users and file based permissions for user, group, world, read, write, execute and force it on applications."
- keeps track of memory usage: check
- has real PIDs: check
- users: check
- file based permissions for user, group, world, read, write, execute, forced upon applications: check. Windows ACLs are a little better than what's built into the kernel. Read up on it, you'll see.
"Other nifty ideas would be not running email clients and web browsers that auto-open anything as close to root with permissions to overwrite system files."
Email clients and web browsers don't auto-open anything "as close to root with permissions to overwrite system files," they run as the user. Try running a web broswer and email client on Linux as root, it's quite the same.
Care to make a zealot-less point which actually attacks a real design flaw?
"In ten years Winblows will still be the easiest to exploit OS around."
I'll just ignore this speculation.
"Three years ago, they promissed to make security "job #1" more important than new features. Yesterday, they promissed new features for a new OS that will be out two years from now, but are here saying that security may be here in 10 years."
Saying that security is more like a ten-year plan does not imply no security for ten years, nor that security will just happen at one instant in ten years. It's a gradual process of refining your design principles.
Security is not a feature. It's a design principle first and implementation principle second. Applying those principles to software that has already shipped, although a worthwhile goal, is not as viable as applying them for future products. Look at what happened to Netscape when they decided to scrap their code and rewrite the browser: they lost to IE. What would happen to Windows if it was stagnant while every line of code was scrutinized: it'll lose. It makes sense to educate developers, and do things right in the next release. (XP is not the next release after that announcement, 2003 was. Compare (honestly) the security of 2003 against XP, it's a staggering improvement and the competition should be watchful that they don't get too arrogant).
I think the bigger issue is, no matter how secure the network, someone on it has authorization to view any email going across it. A vote should be made in private.
Your logic is flawed.
I would also like to tell my story. I've been a Windows user since 1990, a Linux user since 1995, a SunOS/Solaris user since 1995, an Irix user since 1995, an OpenVMS user since 1997, and an AIX user since 1997. I don't run all of these concurrently anymore but I've administered each of them for quite some time. I keep abreast of security issues in each OS I'm running, even if it's only getting the latest patches. On Windows, I run an up-to-date virus scanner. I had to do a lot more work to secure Linux than I did to secure Windows XP. I have *never*, not *once* had a serious issue with any of my machines running any OS unless it was a hardware fault. By serious I mean anything beyond a virus caught by the scanner or an application crash due to a bug. I may, or may not, help that I don't run any software beyond the business apps I need, a few games, and some IM client. I don't download much software, beyond perhaps putty, Java run-time, and well, perhaps something else. I did, in college witness many people have problems with Windows, and they did not run AVS, used Kazaa liberally, and liked to install little apps that web pages offered. There is no technological solution today that trumps educating users. I'm rambling, so I'll stop.
Actually, under XP, many programs take advantage of NETWORK SERVICE and LOCAL SERVICE accounts, which are not quite the same as SYSTEM. I believe IIS is one of these programs.
Music is not data? Bizarre. I'll willing to conjecture that it's possible to infect a PC with a CD Audio disc.
The will is a powerful agent. It does exist for those that are certain they experience it. So I second your opinion that he or she would be better off ridding himself or herself of the belief.
While those are all valid reasons, they are not necessary. When submitting a reimbursment, your name is on the itinerary, ticket, etc. That the airline checked your ID doesn't prove anything else. As for people cheating on reimbursements, that's between the reimburser and the traveler, not the airline and the traveler. There are other methods to ensure cheating is curtailed. As for getting your ticket stolen, one can print a picture of the traveler on the ticket if they so choose, or print "ID required" on the ticket if they so choose. It should be up to the traveler if they want the insurance against ticket theft, not forced upon them. As for the manifest, it too can be opt in. As for keeping people in the gate area to a minimum, enforce a one ticket one person (plus assistants if needed) policy, no need to match names or ID.