I don't see any difference at all between
fix to Apache bundled with RedHat or fix to IIS bundled with XP, fix to Mozilla bundled with RedHat or fix to IE bundled with XP, fix to PHP bundled with RedHat or fix to ASP bundled with XP.
Yeah, most of the XP updates are not for core XP components either (only one updates NTDLL AFAIK). Others are for "commonly used software": IE, IIS, Outlook Express
:)
Re:What technology are they going to hold hostage? (on Microsoft Longhorn Delayed; Score: 2, Insightful)
No ??? in Windows XP
Don't worry that you can't fill out ??? now - you will be able to replace ??? with some new technology in two or three years when it appears, and blame MS for not supporting it in an OS which was released 3-5 years before the technology.
After all, NT was released long before the first USB devices appeared on the market, and Windows 2000 was released long before the first HT-enabled processors appeared (although, contrary to the parent, HT works under W2K - after all it is a hardware feature, not software. Lack of special optimization for HT does not prevent it from working). Since all this does not stop you, it should not prevent you from blaming MS for not supporting ???.
That's not true. Yes, nVidia does distribute an optimized closed-source driver for its cards. But the distributions (Mandrake and SuSE) also came with their own open-source drivers. Yes, they were not optimized drivers and lacked 3-D acceleration, so I did not expect much. But supposedly they should at least work and allow me to use X. In reality they could not even set an appropriate v-sync, so I did not get a stable picture at all. nVidia drivers were not any better though.
I did not even think before installing Linux that v-sync could be a problem for a DVI interface; I thought a digital interface is free from these problems. Linux proved otherwise.
What an amazingly simplistic viewpoint, do you work for MS support? You're blaming hardware that worked fine before a patch...
My NVidia card worked fine (under Windows) before I installed Linux, and still all Linux people blamed the hardware, saying there is some known problem with DVI support in old NVidia cards.
Obviously, if you are developing an OS (whether it is Windows or Linux) and don't have the benefit of being able to blame Gates or Linus for your bugs, there is still a last chance: blame hardware!
Yeah, I remember a similar popular joke in [Soviet] Russia at the end of the 80s:
- what is the solution for all our problems?
1. declare a war with U.S.
2. surrender next day
Why would anyone in this country worry about that? After all, we gave $95 mil to N. Korea for their nuclear programs after naming them as part of the "Axis of Evil".
I think the deal was that the US paid North Korea for not developing their nuclear programs. It was a significant source of income for N. Korea. So after the U.S. stopped this program and exited the treaty, the obvious choice for N. Korea was to resume their nuclear program - looks like they use it mostly to force the treaty back.
After the U.S. government approved the so-called "Patriot Act" which allows it to spy on what you write in your e-mails, what you read in a library, ... I'm waiting for the Iranian government to fund Anonymiser for U.S. citizens so they can browse the Web anonymously without fear of being spied on by the U.S. government.
Nobody beats Netscape in the area of objective search: try searching for 'hotmail' at netscape.com. First result is... Netscape Mail. They claim it is 'powered by Google', but obviously they "tweak" Google results to promote their own and probably others' paid services.
(I've discovered this recently when using an internet kiosk with the Netscape browser.)
People who just bought a new computer got it with Windows XP. Given a correctly configured network wizard (and no NT domain), XP will turn on the personal firewall, and the computer will not be vulnerable.
You think it's right that marketing and not development/QA should determine when a product is shipped to customers?
Somehow I've never seen marketing say "we ship it tomorrow" if devs/QA say the product is crappy. But too often I saw devs making a great presentation of how good the product they developed is, hiding real problems and making a false impression that the product quality is OK. Then marketing goes and ships it tomorrow. Who to blame?
Stop blaming somebody else for crappy software, look at who really owns the code and makes decisions.
Do you think that the average Joe who buys a cheap Linux computer from Walmart thinks "that he is helping the project by finding bugs and providing support to the authors"? I think that he wants a cheap computer to browse the Web, does not care about community, and no more agrees to be a free tester than another customer buying a computer with Windows XP.
J. Consumer would not do this, because neither the bulb nor the toilet were designed by a programmer.
If they were, the programmer would think that it is much easier for him to reuse the bulb socket for the toilet water supply socket, and the customer would be trapped.
Unfortunately today marketing drives almost all of the product cycle, from what features go into the design to when it has to be shoved out the door.
Why is this unfortunate? Do you want engineers who know neither who their customers are nor how customers use the product to define what features go into the design?
After that they go to the customer and present arguments why they need to buy the product that has feature XYZ.
Well, at least marketing knows the customer, designed feature XYZ for the customer, and is in a better position to do this.
"The programmer wants the construction process to be smooth and easy.
The user wants the interaction with the program to be smooth and easy.
These two objectives almost never result in the same program."
- Alan Cooper, The Inmates Are Running the Asylum
In-car use? No. A real in-car GPS with a larger screen is much more convenient, and already integrated with the car's audio and power supply.
Hiking trip? Again no. I surely would not take this GPS on a hiking trip - if I am lost at night, and need both GPS and backlight, its batteries will be dead in a couple of hours.
The attack described in the article is a dictionary attack, i.e. you take lots of [alphanumeric in the article] passwords, hash them, and compare your password hash with the huge database of hashes.
Switching to MD5 without salt would not stop this attack, since you don't have to do MD5 -> String conversion, just lots of String -> MD5 hash conversions, and these are very fast.
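To make the salt point concrete, here is an added example (not from the thread or the article) that simulates a dictionary attack against unsalted MD5 versus per-user salted MD5 and counts the hash computations each needs; the word list, user names and the 200,000-round PBKDF2 setting are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the article): two users share a password.
DICTIONARY = ["password", "letmein", "hunter2", "qwerty", "abc123"]
USERS = {"alice": "hunter2", "bob": "qwerty", "carol": "hunter2"}

def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()

def md5_salted(password, salt):
    return hashlib.md5(salt + password.encode()).hexdigest()

def store_unsalted(users):
    """Same password -> same hash, for every user and every system."""
    return {u: md5_unsalted(p) for u, p in users.items()}

def store_salted(users):
    """A random per-user salt is stored beside the hash; it is not secret."""
    stored = {}
    for u, p in users.items():
        salt = os.urandom(16)
        stored[u] = (salt, md5_salted(p, salt))
    return stored

def recover_unsalted(stored, dictionary):
    """One precomputed table serves every user: hash the list once, look up."""
    table = {md5_unsalted(w): w for w in dictionary}
    found = {u: table[h] for u, h in stored.items() if h in table}
    return found, len(dictionary)  # hash computations spent

def recover_salted(stored, dictionary):
    """Salt makes the table single-use: each user costs a fresh pass."""
    found, work = {}, 0
    for u, (salt, h) in stored.items():
        for w in dictionary:
            work += 1
            if md5_salted(w, salt) == h:
                found[u] = w
                break
    return found, work

def pbkdf2_store(password, salt=None):
    """Hardened storage: salt plus a slow KDF (200k rounds is an assumed choice)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def pbkdf2_verify(password, salt, digest):
    return hmac.compare_digest(pbkdf2_store(password, salt)[1], digest)
```

With a tiny word list the salted attack still succeeds, but the work grows with the number of users instead of staying constant, and the slow KDF multiplies the cost of every single guess.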
Yes, it is absolutely no different from a practical point of view than the venerable old l0phtCrack (and that one used to come with a sniffer too). The only difference is an advance in math, which makes the new algorithm 10 times faster.
Of course, this performance improvement does not matter from a practical point of view since everybody stopped using LANMAN passwords a long time ago and switched to NTLMv2 or Kerberos which are so easy to crack.
Windows really badly needs sudo, and no, "Run As..." doesn't work well enough to count.
How does it not work well enough?
The only issue I had with Run As... is that some rare components, e.g. Control Panels, don't have this menu. Still, it only takes two more clicks to use them - open Explorer as Admin and start Control Panel there.
but there is a big difference between getting a site licence for MS Office and paying M$ jillions of dollars for MSDN subscriptions, ongoing support etc etc etc because your entire back end runs on their software
Wrong. Most probably they would not just use some existing distribution. Nor will they create their own distribution. Most probably they will sign a contract with a company like RedHat to get "ongoing support etc etc etc."
Last time I checked RedHat it was $90/year for the subscription with a minimal support contract. Most probably they will want better support, and end up paying much more - maybe even more than they are paying to Microsoft.
They could save lots by avoiding this contract, but it never happens - governments usually like to have a support contract just as companies do (e.g. because government bureaucrats want to cover their asses). So I doubt the government would really save any money.
If future commercial software relies on the law for its security rather than actual software security, this may be a good thing for open source.
This is not about security, this is about DRM. No "actual software security" would get you DRM - there is simply no way a software application can extract and display some text from a file in such a way that a user having full admin rights on this machine can't get this text.
When that happens, we really can then say that OSS is truly more secure.
I don't think this fact benefits OSS in any way - I have not seen any OSS digital rights management application, and don't think one will appear one day, since any software-based DRM is finally based on obscurity, and OSS lacks it.
It's a lot less effort to sic the lawyers on people than actually PATCH the vulnerability. Security through obscurity
There is nothing Adobe can do to fix this "vulnerability". Any software-based Digital Rights Management scheme is expected to be broken. Remember this is not "security through obscurity" but "DRM through obscurity." Good security is done through good math, but no math would get you good DRM. Any DRM app is finally based on obscurity and can be broken, the only difference between one app and another is the amount of effort it takes to break it.
Of course Palladium can change it, but until then, any DRM is expected to be cracked some day. Reporting their crack as a "vulnerability" is just cheap publicity for Elcom Soft.
Not true.
What do you mean? They come on XP Pro CD and can be easily installed.
IE is the only browser bundled with XP. RedHat comes with several choices.
How does it change things when it comes to patching?
There are 44 security fixes for RedHat 9 (https://rhn.redhat.com/errata/rh9-errata-security.html), still it does not look like they are planning any service pack.
So what is the target for these devices?
They will make him use all his guides about increasing both penis and breasts, using verb viagra and getting rich online.