And Verizon should be shamed for this asinine handling of the situation. Not only was he actively serving and quite busy... but he fucking died for Christ's sake. Assholes
Devil's advocate time.
Michaela Brummund canceled Michaela Brummund's cell phone contract with Verizon because Michaela Brummund decided to move somewhere Verizon didn't service.
So why is it unreasonable to assess an ETF? Oh. Because of why she decided to move. Her husband is dead.
So if someone's spouse dies and they decide to up and move, contractual obligation cease? Oh. It's because of why her husband was dead.
So if my wife dies of cancer and I decide to become a hermit and live in a cave, I should pay an ETF but if she dies employed by the military I shouldn't? What if she's a school-bus driver and dies in an accident after decades of serving children? Because one death is inherently more important than another. No. I'm sorry, it's not.
I'm glad that Verizon cut her a break. That's great. But there's nothing inherently right in doing so. It's just a PR gesture.
When the commander in chief tell you to jump, you ask "how high". In other words, when serving the military, you don't decide whether or not to engage in warfare. If you can't handle active duty, don't join the military. It's a service, not welfare.
No.
The moment "I was following orders" stopped being a valid excuse for actions taken it immediately became the responsibility of each and every soldier to evaluate the moral and legal ramifications of every order he or she is given. It instant you make military individually liable for what they do you entitle and mandate them to weigh, judge, and potentially disobey your orders. You can't have it both ways.
You are totally misrepresenting this. He decided that waiting to release the vulnerability was reasonable if, and only if, it was being worked on for a quick fix. Once he decided that he wasn't convinced that the fix was being worked on fast enough to deny the knowledge from people needed to defend themselves he decided to release.
He decided 60 days was a reasonable schedule. More, he decided 5 days was too long for a corporate entity to tell him what they were going to do. He set not one but two bars, and decided that if MS wasn't going to meet his second bar, he was going to lower his first bar to the same point. How is this not childish?
In this particular case, there's no need for a patch. There's a simple registry edit which disables the function. rapid dissemination of that solution allows people to stop being vulnerable whilst keeping the rest of their computer functional. Not distributing the information quickly would be irresponsible
In this particular case, that registry hack remains useless to anyone who's got a box likely to be vulnerable. You and I, and everyone else who ignore the part of every KB article that warns us how dangerous registry editing is are more likely to follow best practices and have generally secure systems than Joe Wait-For-Patch-Tuesday. Well, it's Joe who just got screwed because Joe won't ever know about any registry edits until his system is screwed over (perhaps tomorrow). Great.
And that's hyperbole. He is demanding nothing for his own profit.
Wait. There are no smilies or other indications that you're making a big joke. Nothing for his own profit. A Google security engineer opting for early disclosure doesn't profit more than if he'd kept his mouth shut for a reasonable amount of time? Sorry, but if he'd waited... say until a patch was actually released, we'd never have heard of this guy's name. Instead he - and Google - are in the press as white knights protecting Joe from the evil Microsoft. Yeah. No profit at all. Just a pat on the back and a nice write-up in his personnel file in HR.
60 days was a reasonable maximum IFF he knew that Microsoft was willing to work hard on the problem. They failed to convince him. Next time they should try harder.
Nonsense. 60 days was a reasonable maximum for a patch to be released. It doesn't matter if he thought they were going to make that deadline, or if he thought elephants could fly. He was willing to give them 60 days. He should have given them 60 days. It's not relevant to anyone's safety (in a positive way) how confident he personally feels about the deadline being met. Hello, narcissist.
We have a contract in place. MS should be fixing flaws like this in our systems no matter who reports them to them.
We who? Joe? Show me where Joe's EULA entitles him to patches with X days of disclosure of exploit? Your company as perhaps a subscriber to Software Assurance or something similar? Please clarify.
It's always nice to blame someone else for your own faults. In this case, you know how to disable the function whilst leaving everything else running. If the PCs get owned you are to blame.
That's awesome. I've got a support infrastructure in place for the couple thousand PCs I support across about a hundred customers. They range from small shops with one or two PCs and zero budgeted IT funds through a couple multi-office customers where I can reasonably use things like GPO to make registry changes. Included are customers who have potentially fifty or more PCs scattered one-to-a-location over 50km diameter of land.
Get this. Relying on Microsoft Update for small businesses is reasonable. Until Captain Awesome at Google decides to increase the risk to those machines from unknown to guaranteed. I assure you the small shops appreciate the unex
How do we know some black hat didn't discover it eight years ago and kept it to himself and used it for his own gain?
We don't know that. We strongly suspect that. Why? Because we've got a lot of companies out there that reverse engineer and analyze known threats. I'm not saying they're infallible, but when random system-owning executables start showing up, they get ripped apart to find out how they replicate and spread.
Given that there's an entire industry dedicated to blocking known threats, Occam's Razor tells us that it's more likely there isn't a secret exploit in use than that there is.
Again it's not a guarantee, but disclosure at the five day mark is a guarantee, which is my point.
Do you think all those Windows machines tethered to giant botnets got there because each owner refused to install the available security updates? Is it just remotely possible that some of those machines got owned by exploiting vulnerabilities that haven't been published yet? I will never 'til my dying days understand the logic that results in "I didn't know about it therefore I was safe until someone told me."
Actually, I know that the vast majority of owned WinXP boxes I've encountered have been owned because they users clicked all over the place. I've seen very few drive-by attacks.
Ever since the advent of Fake AV attacks, users have lost their minds. And now that user-mode infections (ie. things that just drop in the local user profile and don't modify the PC), you don't even need admin rights.
User browses to a compromised web site. User sees a warning that they're in deep, deep trouble. User clicks on the "save me now" button. User screws self.
This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?
Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.
In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.
This gives users an guaranteed exploit that they otherwise only had a potential risk of having. Instead of maybe someone else finding this exploit that's been lurking in the code for nine years, we now have the glorious option of knowing about and implementing an out-of-schedule fix, or definitely being exposed.
That's right. The risk has gone from trivial (no known exploit) to significant (known exploit). Orders of magnitude? No. Effectively zero to arbitrarily non-zero is basically infinitely worse.
Where the word "negotiate" clearly implies that there was more than one back and forward after the point where demand for a deadline was given
"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"
Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.
So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.
That makes any of this okay? The guy who found the exploit felt 60 days was reasonable and tried to negotiate a commitment to that time window for a repair. He couldn't get that commitment, so he decided 60 days was no longer reasonable and that 5 days from original contact was plenty - despite knowing there wasn't a patch ready. That's blackmail. Worse, it's irresponsible. If 60 days was a reasonable time window in the start of negotiations, it should've remained.
"I feel you should be able to release a patch within two months. As such, I am disclosing what I have found in 60 days. If you have a patch ready, great. If you don't, well... you should rethink this outcome."
If he had done that, there'd be no complaint.
Since when does Microsoft (or any other developer) promise anyone fixes within a specific time-frame unless there's an existing contract in place?
When and if my customers' PCs get owned by this, I will blame the exploit discoverer. The exploit had remained unknown for nine years and he decided five days was too long to work towards a commitment to fix within 60 days. Meh. If he'd shut his mouth for a reasonable period of time we'd all be better off.
Wow, what a quandary. Let's see. I'm the guy in charge of the company that's going to print a Yellow Pages and send it to every house. I've decided to no longer send a White Pages to every house, but I want people to be able to contact me to ask for one.
What to do?
Um... I could... maybe print the number on the front of the Yellow Pages?
Of course. Everyone's grandma is knowledgeable enough to be asked when it comes to internet legislation. Want to introduce new sorts of internet censorship? New data retention laws? Do a poll in some home for old people. Result? 90% 'of course we need to regulate the evil internet'.
So I expect everyone's grandma to be able to look up numbers on the internet.
Okay, even if we didn't bother to read the fine article and find out that anyone who wants one can simply request one...
Ask yourself how often septuagenarians and up need to look up new numbers. Their friends and family are either static or capable of telling Grandma when their numbers change. A little cheat-sheet beside the phone suffices nicely. The commercial Yellow pages are still being printed and delivered as they're paid for by advertisement. Even if that wasn't the case, again, how often does someone elderly need or even want to look up something new to call? Once they've got a cheat-sheet of their favorite plumber, roofer, landscaper, pest removal expert, pizza place, TV repair guy, they're pretty much set for life... such as it is.
It's the young who are more likely to develop sudden needs for commercial contacts they've never had before. "Holy crap, my roof is leaking. I guess I need to find a roofer." Two text messages later they've got a reference from a friend AND a number.
Its three inches wider and five inches longer (around forty percent either way). You can bet thats noticeable.
What? A4 is 210mm × 297mm which is 8.27 inches by 11.7 inches. That's less than a quarter inch narrower and less than a third of an inch shorter than 8.5" x 11" Letter size.
I just wished the iPhone and Android let me have a background easy scripting language like python.
It's what I missed when I finally had to switch away from the Nokia platform. Being able to write a small script that sent a position update to MY SERVER every 5 minutes.
It was cool to see the lights come on and the garage door open when I pulled in the driveway and got off the bike. It was typically a 2.5 minute delay from when I pulled in the driveway and when the system detected I was home from the gps reporting to activate everything. Perfect timing as I then had my helmet off, took off the jacket and unstrapped the backpack from the seat.
Come on Google and Apple, let us do cool stuff with our phones!
Option #2. A phone with Wifi. When you get within range, your DHCP server hands out the static reservation (based on MAC), a script running on your server notices that pings to the appropriate IP suddenly come back and POW... do whatever you like.
Sure. It's not got a lot of range so you can't trigger things to happen minutes before you arrive, but from what you describe it sounds like you were basically home by the time things happened anyway.
How is a single online account signup, your key is then bound to this account, any real form of DRM?
Windows XP activation.
You only have to do it once, to prove that you've bought a legitimate copy for your computer. If you change hardware, thereby changing your computer then you may have to do it again, depending on how severe your changes are.
Strange. We - the IT community - freaked out when Microsoft introduced online activation in WinXP. We bitched and moaned and complained and the sky was falling down on us. Here we are nearly a decade later and things have gotten so bad in DRM that we're looking at a video game that has effectively the same scheme and declaring it "good".
You know you suck when your company is playing catchup with Microsoft on security and patching.
Seriously. I don't like to swear much on Slashdot, but I'd like to tell Adobe "fuck you!"
This isn't about an operating system. It isn't even about a productivity suite like Office. It's a reader. Stop patching every damned month and secure the bastard. Right now. One patch and you're done. I do not condone any corporate plan to regularly trickle out tiny fixes here and there when they're discovered because that's Good Enough. It's not good enough.
Adobe needs to change their product plan.
Adobe Reader - views PDFs and that's it Adobe Reader Pro - views PDFs, has all the scripting and form-filling features that are vulnerable and buggy Adobe Acrobat - makes PDFs
Strip Reader down to as few features as possible. We know that 99% of what Reader is used for is flat basic text reading. So either make a product that does that and only that, or at least make a MODE where turning on all the other features for X minutes requires a UAC-style prompt.
No but now your folder of com files will require a butt load of runtime files on every single workstation. Now personally I would smack it out as a stand alone executable in delphi, but that is just me.
Those runtimes are now called "The.NET Framework". They're hardly rare, exotic, or hard to distribute.
VB is commercial, VB Express is crippleware in the sense that he'll have to distribute his compiled solutions via either a web site or a.exe (which is no impediment) and in every other way will do the job he describes.
Try to keep a perspective. The OP isn't trying to rewrite Office or AutoCAD.
You seriously need to ask? Because their personal views being (in my examples) strongly against the purpose of the job you simply can't trust them to be doing their jobs well. You can't trust the secret service agent to take a bullet for a President he hates. Not the way you'd trust an agent who was devoted to said President. One employee is ideal, one is contrary to ideal. No matter what psychological tests she/he passes, his team-mates will always doubt her/him. The President would always be a little more nervous when that person is on duty. Not good.
As for the other example, someone - even not in sales - who actively discourages people to use your services? They should be fired.
Here's the point in a nutshell:
It's one thing to be neutral. It's no big deal to have contrary opinions even. It does become a big deal, and important to your employer when you become evangelical. When you're announcing your views.
Hate the President if you like. Disagree with abortion if you like. Be vegetarian and work at a slaughterhouse if you like. Just don't go spouting off about it.
You're right. As much as I hate what's happened to her, this can't be a black & white situation.
What if an employee at an abortion clinic spends her evenings and weekends attending anti-abortion rallies? What if she spends her time organizing those sorts of rallies? What if a secret service agent assigned to keeping the President alive spends his personal time popping off about how much he hates the President?
Two examples. Extremes, yes. But they show that there are circumstances where private actions are so radically inappropriate for an employee that continued employment is... inadvisable. I'm not saying her case is one of those, but as much as it rubs me the wrong way, I can see the shape of the argument behind her dismissal.
Sounds like a business opportunity to start a rock climbing facility in Windsor.
Ha. Yeah. We had one until August. The facility it was in was expropriated to make way for a future expanded border crossing. Seriously.
There's a long story, but the short version is that replacing the old gym would involve $100,000+ and wouldn't likely pay for itself for a decade. Nobody has the cash or the will to deal with that what with climbers being a generally mellow sort.
Living in a border city, we cross several times a year from Windsor to Detroit (shopping, sporting events, etc) and each and every time we enter the US my ass puckers up. I HATE entering the states even though I have absolutely nothing to hide... it's brutal.
Brutal? What are you subject to? I'm curious to see if your experiences are much different than mine when I fly domestic.
It's hyperbole. But still. Considering the circumstances, it's absurd. I too am a Windsorite who occasionally crosses into Detroit (these days to do indoor rock-climbing). At the minimal these days I'm subjected to an hour wait to manage to enter a city that has been part of "my" skyline for 37 years. 45 of those minutes are spent sitting in a tunnel under the river. Say goodbye to a gallon of gas. Once I finally emerge into the light once again I get to admire the parking lot that is the waiting area for processing. Then my vehicle and I get to pass through a bewildering array of scanners, cameras, and I-don't-know-what that pretty much looks like a war zone. Finally I get a nice 5 to 10 minute interview with a border guard with a gun wherein I justify to his or her satisfaction that I am who my papers say I am, and that I have a good enough reason to enter the U.S. The entire time I am painfully aware that if I appear too nervous, not nervous enough, or my story triggers any sort of profile I can and will be detained, potentially for hours. My car (which I quite adore) may be literally disassembled while I am not permitted to watch. I may be personally searched, permanently flagged as suspicious, and the future process may become significantly more difficult for me.
Why?
What the hell is the justification for this absurdity? Please understand... if I want to get into the U.S. to do anything malicious, all I need to do is rent a canoe or Jet-ski. I can bring in whatever quantity of whatever I want with me. Get this... there's a "party" island in the middle of the river. People from both countries can dock there and hang out on the beach, without passing customs. I can get off my boat and onto someone else', with or without weapons, drugs, nuclear armaments, dirty bombs, bio-weapons, or child pornography.
The border is a feel-good joke that makes nobody feel good except those American voters who don't have to use it. It will not keep Americans safe. It will not inconvenience theoretical terrorists. It will not prevent attacks.
I have lived in Windsor for 37 years. I've been crossing this border periodically for most of them. I've been driving the same car for two years. I've been going to the same climbing facility for nine months. WAVE ME THE FUCK THROUGH. I'd love to answer the 20 questions like "where do you work" with "same place as three weeks ago", but I don't want my asshole probed. I am afraid. That is just plain wrong. Know the saying "if you've got nothing to hide you've got nothing to be afraid of"? In this case it's totally inaccurate.
I am not he psychotic American-hating vengeful, spiteful, angry, bomb-toting, murderous boogieman you are afraid of. But on a scale of zero to a million, where I was at zero most of my life, I'm now at a strong one on the scale of ending the last sentence with "yet".
This is why I still don't own a "reader". I'm willing to go as far as PDF readers, i.e. some tablet device. But if I can't get it as a PDF, fine, I'll buy the paper product.
You know, there are readers that are just readers. I picked up a Sony PRS-300 recently and am very happy. No WiFi, no Bluetooth, no 3G cellular service. Just a USB cable. I use Calibre to manage my books, not their software. There's no annotation, no searching, no document editing, no highlighting. It's just a reader. And it works really, really well.
Here's a cool thing. My wife and I are going to be going on vacation soon. We're going to load up our Readers with a tonne of material, stick them in zip-lock bags and not worry about water, or sand. Plus we don't have to worry about weight that the airlines will freak out about.
I often thought that Yahoo and Microsoft just violated the KISS rule. Yahoo.com comes from the "web portal" days of AOL and seems determined to die with it. Bing.com, to their credit, seems to have learned the lesson finally that people like Google's minimalism and just slaps a background image on it to differentiate their service somehow, but I don't like their results that much and what they do well isn't that different from what Google delivers. Damned if they do, damned if they don't.
Unless Bing starts behaving like Apple and delivering what I don't even know I want yet, I don't see it heading much anywhere.
That background image is a huge part of why I set all my customers' search engines to Google by default. I do a lot of remote technical support. Pretty bitmaps make my job harder to do. Google makes a great homepage and search engine for its simplicity. Even better: my customers like it too!
The Internet was designed so that any computer could connect to any other computer. This is evident in the design of things like FTP, etc.
Every phone, watch, fridge, TiVo, computer, and printer should have a public IP address. Imagine if you didn't need to port forward for Bittorrent, if Skype could connect right to your friend's computer, or you could print to your home printer by just entering its address. That's how the internet was/is supposed to work.
NAT breaks this. Behind a NAT box, nobody can address a specific computer - only the NAT itself. This happens to lend some security, but is essentially accidental. With IPv6, your home router will instead be a firewall. Each computer will be addressable, but will still need to pass through.
Plus, there's enough address to give each subscriber many thousand. And they don't need to change. No more charging for a static IP...
Also, routing is more efficient since it can be done properly by hierarchy.
So there's a bunch of reasons. Pick some.
No, no, no, and more no. There is zero justification for every appliance or gizmo we have being public-accessible. I do not want my fridge even theoretically accessible from the outside. Given that day after day we keep finding vulnerabilities and exploits in some of the simplest code, I simply don't trust anyone else. Screw with my fridge and you can cost me a load of food. Screw with my heating/cooling and you can cost me a lot of electricity billing. Screw with my stove and you can potentially burn my house down.
If and when we reach the point of home automation actually being appealing, we can have a single gateway device which is common, well-understood, and heavily code-reviewed. Joe Average can safely plug an RJ45 cable into his fridge without worrying... it's secure by default. No fiddling with firewalls, no requirement to understand networking.
I'm not arguing against IPv6 (this time). But I am arguing against the wisdom of issuing important devices in our lives a public IP that can even accidentally be accessed from the outside. With something like NAT, the odds of forwarding the right port to the right internal IP are way higher than that of ignorantly screwing up one's firewall.
Please don't talk about public IP assignment to devices that don't benefit from it as though it were a panacea or attractive goal. It's not. It's a bad idea. Further, anyone responsible enough to assess the risks involved will by definition understand how to make their IP-enabled fireplace link to their FaceBook page.
Why do I hold this control? because its my information to start with.
The following is me playing devil's advocate but I think it's worthwhile.
No. DNA is not your information. It's you (at least your physicality). I still say too bad. Ownership of self is an illusion. It's the result of social convention, no more.
If an individual was determined to carry the cure for cancer in their blood and they allowed a sample to be taken for confirmation of this theory but specifically refused researchers the "right" to synthesize or reproduce/culture that sample, what do you think would happen? A lot of people would end up cured of cancer because someone with a clue would suddenly realize that they're really an animal and act the part.
You are food. That you aren't eaten on a daily basis is luck, pretty well.
Personally I find the idea that an individual or small group of individuals could - let alone would - allow a sample to be taken but try to limit it's potential benefit utterly and completely repugnant. This isn't about a sample being taken illegally. This isn't about a needle when you've said "no". It's about artificially limiting potential learning for arbitrary internal reasons. Disgusting, really. We are all hungry, starving for knowledge and these people had the ability to share universally, without personal cost but instead elected to dictate who and how we can feed.
We need to keep bringing up this stupid behaviour. We need to talk about it, think about it, and most importantly share this idiotic stories with those we know who don't read Slashdot.
Why? Because this isn't okay. Like copyright extensions to infinity and like DMCA issues, Joe Average simply doesn't know what bad stuff is going on. The only way to cause change is by votes. Those votes might be at a ballot box, or at a cash register.
You and I know what's going on. Each of these stories is a new bit of ammunition to us. Or would you rather we just accept corruption, bias, and philosophically repugnant behaviour so we don't need to hear about it anymore?
Slashdot Mirror
And Verizon should be shamed for this asinine handling of the situation. Not only was he actively serving and quite busy... but he fucking died for Christ's sake. Assholes
Devil's advocate time.
Michaela Brummund canceled Michaela Brummund's cell phone contract with Verizon because Michaela Brummund decided to move somewhere Verizon didn't service.
So why is it unreasonable to assess an ETF? Oh. Because of why she decided to move. Her husband is dead.
So if someone's spouse dies and they decide to up and move, contractual obligation cease? Oh. It's because of why her husband was dead.
So if my wife dies of cancer and I decide to become a hermit and live in a cave, I should pay an ETF but if she dies employed by the military I shouldn't? What if she's a school-bus driver and dies in an accident after decades of serving children? Because one death is inherently more important than another. No. I'm sorry, it's not.
I'm glad that Verizon cut her a break. That's great. But there's nothing inherently right in doing so. It's just a PR gesture.
When the commander in chief tell you to jump, you ask "how high". In other words, when serving the military, you don't decide whether or not to engage in warfare. If you can't handle active duty, don't join the military. It's a service, not welfare.
No.
The moment "I was following orders" stopped being a valid excuse for actions taken it immediately became the responsibility of each and every soldier to evaluate the moral and legal ramifications of every order he or she is given. It instant you make military individually liable for what they do you entitle and mandate them to weigh, judge, and potentially disobey your orders. You can't have it both ways.
You are totally misrepresenting this. He decided that waiting to release the vulnerability was reasonable if, and only if, it was being worked on for a quick fix. Once he decided that he wasn't convinced that the fix was being worked on fast enough to deny the knowledge from people needed to defend themselves he decided to release.
He decided 60 days was a reasonable schedule. More, he decided 5 days was too long for a corporate entity to tell him what they were going to do. He set not one but two bars, and decided that if MS wasn't going to meet his second bar, he was going to lower his first bar to the same point. How is this not childish?
In this particular case, there's no need for a patch. There's a simple registry edit which disables the function. rapid dissemination of that solution allows people to stop being vulnerable whilst keeping the rest of their computer functional. Not distributing the information quickly would be irresponsible
In this particular case, that registry hack remains useless to anyone who's got a box likely to be vulnerable. You and I, and everyone else who ignore the part of every KB article that warns us how dangerous registry editing is are more likely to follow best practices and have generally secure systems than Joe Wait-For-Patch-Tuesday. Well, it's Joe who just got screwed because Joe won't ever know about any registry edits until his system is screwed over (perhaps tomorrow). Great.
And that's hyperbole. He is demanding nothing for his own profit.
Wait. There are no smilies or other indications that you're making a big joke. Nothing for his own profit. A Google security engineer opting for early disclosure doesn't profit more than if he'd kept his mouth shut for a reasonable amount of time? Sorry, but if he'd waited... say until a patch was actually released, we'd never have heard of this guy's name. Instead he - and Google - are in the press as white knights protecting Joe from the evil Microsoft. Yeah. No profit at all. Just a pat on the back and a nice write-up in his personnel file in HR.
60 days was a reasonable maximum IFF he knew that Microsoft was willing to work hard on the problem. They failed to convince him. Next time they should try harder.
Nonsense. 60 days was a reasonable maximum for a patch to be released. It doesn't matter if he thought they were going to make that deadline, or if he thought elephants could fly. He was willing to give them 60 days. He should have given them 60 days. It's not relevant to anyone's safety (in a positive way) how confident he personally feels about the deadline being met. Hello, narcissist.
We have a contract in place. MS should be fixing flaws like this in our systems no matter who reports them to them.
We who? Joe? Show me where Joe's EULA entitles him to patches with X days of disclosure of exploit? Your company as perhaps a subscriber to Software Assurance or something similar? Please clarify.
It's always nice to blame someone else for your own faults. In this case, you know how to disable the function whilst leaving everything else running. If the PCs get owned you are to blame.
That's awesome. I've got a support infrastructure in place for the couple thousand PCs I support across about a hundred customers. They range from small shops with one or two PCs and zero budgeted IT funds through a couple multi-office customers where I can reasonably use things like GPO to make registry changes. Included are customers who have potentially fifty or more PCs scattered one-to-a-location over 50km diameter of land.
Get this. Relying on Microsoft Update for small businesses is reasonable. Until Captain Awesome at Google decides to increase the risk to those machines from unknown to guaranteed. I assure you the small shops appreciate the unex
How do we know some black hat didn't discover it eight years ago and kept it to himself and used it for his own gain?
We don't know that. We strongly suspect that. Why? Because we've got a lot of companies out there that reverse engineer and analyze known threats. I'm not saying they're infallible, but when random system-owning executables start showing up, they get ripped apart to find out how they replicate and spread.
Given that there's an entire industry dedicated to blocking known threats, Occam's Razor tells us that it's more likely there isn't a secret exploit in use than that there is.
Again it's not a guarantee, but disclosure at the five day mark is a guarantee, which is my point.
Do you think all those Windows machines tethered to giant botnets got there because each owner refused to install the available security updates? Is it just remotely possible that some of those machines got owned by exploiting vulnerabilities that haven't been published yet? I will never 'til my dying days understand the logic that results in "I didn't know about it therefore I was safe until someone told me."
Actually, I know that the vast majority of owned WinXP boxes I've encountered have been owned because they users clicked all over the place. I've seen very few drive-by attacks.
Ever since the advent of Fake AV attacks, users have lost their minds. And now that user-mode infections (ie. things that just drop in the local user profile and don't modify the PC), you don't even need admin rights.
User browses to a compromised web site. User sees a warning that they're in deep, deep trouble. User clicks on the "save me now" button. User screws self.
This gives Windows users a fix months earlier. Or did you expect the bug to actually be fixed within 60 days anyway?
Because Microsoft blew off a 60-day commit, they were forced to a 3-day remedial fix.
In effect, responsible admins are now safer -- the attack time has been reduced by 57 days (ok, there was the 5 day grace, so really only 52). Still, the response time from Microsoft is AN ORDER OF MAGNITUDE better.
This gives users an guaranteed exploit that they otherwise only had a potential risk of having. Instead of maybe someone else finding this exploit that's been lurking in the code for nine years, we now have the glorious option of knowing about and implementing an out-of-schedule fix, or definitely being exposed.
That's right. The risk has gone from trivial (no known exploit) to significant (known exploit). Orders of magnitude? No. Effectively zero to arbitrarily non-zero is basically infinitely worse.
Users and admins both lose here.
Where the word "negotiate" clearly implies that there was more than one back and forward after the point where demand for a deadline was given
"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week,"
Which clearly admits that they weren't even willing to give a conditional / tentative deadline within the timeline which the responsible disclosure guidelines suggest they should.
So actually, given the facts we have, it seems that a) grandparent's reading is probably at least as close to the truth as yours and b) we can't be sure about almost anything without clearer statements from both sides.
That makes any of this okay? The guy who found the exploit felt 60 days was reasonable and tried to negotiate a commitment to that time window for a repair. He couldn't get that commitment, so he decided 60 days was no longer reasonable and that 5 days from original contact was plenty - despite knowing there wasn't a patch ready. That's blackmail. Worse, it's irresponsible. If 60 days was a reasonable time window in the start of negotiations, it should've remained.
"I feel you should be able to release a patch within two months. As such, I am disclosing what I have found in 60 days. If you have a patch ready, great. If you don't, well... you should rethink this outcome."
If he had done that, there'd be no complaint.
Since when does Microsoft (or any other developer) promise anyone fixes within a specific time-frame unless there's an existing contract in place?
When and if my customers' PCs get owned by this, I will blame the exploit discoverer. The exploit had remained unknown for nine years and he decided five days was too long to work towards a commitment to fix within 60 days. Meh. If he'd shut his mouth for a reasonable period of time we'd all be better off.
Wow, what a quandary. Let's see. I'm the guy in charge of the company that's going to print a Yellow Pages and send it to every house. I've decided to no longer send a White Pages to every house, but I want people to be able to contact me to ask for one.
What to do?
Um... I could... maybe print the number on the front of the Yellow Pages?
Just a thought.
...up phone numbers on the Internet?
Of course. Everyone's grandma is knowledgeable enough to be asked when it comes to internet legislation. Want to introduce new sorts of internet censorship? New data retention laws? Do a poll in some home for old people. Result? 90% 'of course we need to regulate the evil internet'.
So I expect everyone's grandma to be able to look up numbers on the internet.
Okay, even if we didn't bother to read the fine article and find out that anyone who wants one can simply request one...
Ask yourself how often septuagenarians and up need to look up new numbers. Their friends and family are either static or capable of telling Grandma when their numbers change. A little cheat-sheet beside the phone suffices nicely. The commercial Yellow pages are still being printed and delivered as they're paid for by advertisement. Even if that wasn't the case, again, how often does someone elderly need or even want to look up something new to call? Once they've got a cheat-sheet of their favorite plumber, roofer, landscaper, pest removal expert, pizza place, TV repair guy, they're pretty much set for life... such as it is.
It's the young who are more likely to develop sudden needs for commercial contacts they've never had before. "Holy crap, my roof is leaking. I guess I need to find a roofer." Two text messages later they've got a reference from a friend AND a number.
Its three inches wider and five inches longer (around forty percent either way). You can bet thats noticeable.
What? A4 is 210mm × 297mm which is 8.27 inches by 11.7 inches. That's less than a quarter inch narrower and less than a third of an inch shorter than 8.5" x 11" Letter size.
So out of curiosity, what are you talking about?
I just wished the iPhone and Android let me have a background easy scripting language like python.
It's what I missed when I finally had to switch away from the Nokia platform. Being able to write a small script that sent a position update to MY SERVER every 5 minutes.
It was cool to see the lights come on and the garage door open when I pulled in the driveway and got off the bike. It was typically a 2.5 minute delay from when I pulled in the driveway and when the system detected I was home from the gps reporting to activate everything. Perfect timing as I then had my helmet off, took off the jacket and unstrapped the backpack from the seat.
Come on Google and Apple, let us do cool stuff with our phones!
Option #2. A phone with Wifi. When you get within range, your DHCP server hands out the static reservation (based on MAC), a script running on your server notices that pings to the appropriate IP suddenly come back and POW... do whatever you like.
Sure. It's not got a lot of range so you can't trigger things to happen minutes before you arrive, but from what you describe it sounds like you were basically home by the time things happened anyway.
How is a single online account signup, your key is then bound to this account, any real form of DRM?
Windows XP activation.
You only have to do it once, to prove that you've bought a legitimate copy for your computer. If you change hardware, thereby changing your computer then you may have to do it again, depending on how severe your changes are.
Strange. We - the IT community - freaked out when Microsoft introduced online activation in WinXP. We bitched and moaned and complained and the sky was falling down on us. Here we are nearly a decade later and things have gotten so bad in DRM that we're looking at a video game that has effectively the same scheme and declaring it "good".
Indeed we have become desensitized.
You know you suck when your company is playing catchup with Microsoft on security and patching.
Seriously. I don't like to swear much on Slashdot, but I'd like to tell Adobe "fuck you!"
This isn't about an operating system. It isn't even about a productivity suite like Office. It's a reader. Stop patching every damned month and secure the bastard. Right now. One patch and you're done. I do not condone any corporate plan to regularly trickle out tiny fixes here and there when they're discovered because that's Good Enough. It's not good enough.
Adobe needs to change their product plan.
Adobe Reader - views PDFs and that's it
Adobe Reader Pro - views PDFs, has all the scripting and form-filling features that are vulnerable and buggy
Adobe Acrobat - makes PDFs
Strip Reader down to as few features as possible. We know that 99% of what Reader is used for is flat basic text reading. So either make a product that does that and only that, or at least make a MODE where turning on all the other features for X minutes requires a UAC-style prompt.
No but now your folder of com files will require a butt load of runtime files on every single workstation. Now personally I would smack it out as a stand alone executable in delphi, but that is just me.
Those runtimes are now called "The .NET Framework". They're hardly rare, exotic, or hard to distribute.
VB is commercial, VB Express is crippleware in the sense that he'll have to distribute his compiled solutions via either a web site or a .exe (which is no impediment) and in every other way will do the job he describes.
Try to keep a perspective. The OP isn't trying to rewrite Office or AutoCAD.
You seriously need to ask? Because their personal views being (in my examples) strongly against the purpose of the job you simply can't trust them to be doing their jobs well. You can't trust the secret service agent to take a bullet for a President he hates. Not the way you'd trust an agent who was devoted to said President. One employee is ideal, one is contrary to ideal. No matter what psychological tests she/he passes, his team-mates will always doubt her/him. The President would always be a little more nervous when that person is on duty. Not good.
As for the other example, someone - even not in sales - who actively discourages people to use your services? They should be fired.
Here's the point in a nutshell:
It's one thing to be neutral. It's no big deal to have contrary opinions even. It does become a big deal, and important to your employer when you become evangelical. When you're announcing your views.
Hate the President if you like. Disagree with abortion if you like. Be vegetarian and work at a slaughterhouse if you like. Just don't go spouting off about it.
You're right. As much as I hate what's happened to her, this can't be a black & white situation.
What if an employee at an abortion clinic spends her evenings and weekends attending anti-abortion rallies? What if she spends her time organizing those sorts of rallies?
What if a secret service agent assigned to keeping the President alive spends his personal time popping off about how much he hates the President?
Two examples. Extremes, yes. But they show that there are circumstances where private actions are so radically inappropriate for an employee that continued employment is... inadvisable. I'm not saying her case is one of those, but as much as it rubs me the wrong way, I can see the shape of the argument behind her dismissal.
Sounds like a business opportunity to start a rock climbing facility in Windsor.
Ha. Yeah. We had one until August. The facility it was in was expropriated to make way for a future expanded border crossing. Seriously.
There's a long story, but the short version is that replacing the old gym would involve $100,000+ and wouldn't likely pay for itself for a decade. Nobody has the cash or the will to deal with that what with climbers being a generally mellow sort.
Living in a border city, we cross several times a year from Windsor to Detroit (shopping, sporting events, etc) and each and every time we enter the US my ass puckers up. I HATE entering the states even though I have absolutely nothing to hide... it's brutal.
Brutal? What are you subject to? I'm curious to see if your experiences are much different than mine when I fly domestic.
It's hyperbole. But still. Considering the circumstances, it's absurd. I too am a Windsorite who occasionally crosses into Detroit (these days to do indoor rock-climbing). At the minimal these days I'm subjected to an hour wait to manage to enter a city that has been part of "my" skyline for 37 years. 45 of those minutes are spent sitting in a tunnel under the river. Say goodbye to a gallon of gas. Once I finally emerge into the light once again I get to admire the parking lot that is the waiting area for processing. Then my vehicle and I get to pass through a bewildering array of scanners, cameras, and I-don't-know-what that pretty much looks like a war zone. Finally I get a nice 5 to 10 minute interview with a border guard with a gun wherein I justify to his or her satisfaction that I am who my papers say I am, and that I have a good enough reason to enter the U.S. The entire time I am painfully aware that if I appear too nervous, not nervous enough, or my story triggers any sort of profile I can and will be detained, potentially for hours. My car (which I quite adore) may be literally disassembled while I am not permitted to watch. I may be personally searched, permanently flagged as suspicious, and the future process may become significantly more difficult for me.
Why?
What the hell is the justification for this absurdity? Please understand... if I want to get into the U.S. to do anything malicious, all I need to do is rent a canoe or Jet-ski. I can bring in whatever quantity of whatever I want with me. Get this... there's a "party" island in the middle of the river. People from both countries can dock there and hang out on the beach, without passing customs. I can get off my boat and onto someone else', with or without weapons, drugs, nuclear armaments, dirty bombs, bio-weapons, or child pornography.
The border is a feel-good joke that makes nobody feel good except those American voters who don't have to use it. It will not keep Americans safe. It will not inconvenience theoretical terrorists. It will not prevent attacks.
I have lived in Windsor for 37 years. I've been crossing this border periodically for most of them. I've been driving the same car for two years. I've been going to the same climbing facility for nine months. WAVE ME THE FUCK THROUGH. I'd love to answer the 20 questions like "where do you work" with "same place as three weeks ago", but I don't want my asshole probed. I am afraid. That is just plain wrong. Know the saying "if you've got nothing to hide you've got nothing to be afraid of"? In this case it's totally inaccurate.
I am not he psychotic American-hating vengeful, spiteful, angry, bomb-toting, murderous boogieman you are afraid of. But on a scale of zero to a million, where I was at zero most of my life, I'm now at a strong one on the scale of ending the last sentence with "yet".
This is why I still don't own a "reader". I'm willing to go as far as PDF readers, i.e. some tablet device. But if I can't get it as a PDF, fine, I'll buy the paper product.
You know, there are readers that are just readers. I picked up a Sony PRS-300 recently and am very happy. No WiFi, no Bluetooth, no 3G cellular service. Just a USB cable. I use Calibre to manage my books, not their software. There's no annotation, no searching, no document editing, no highlighting. It's just a reader. And it works really, really well.
Here's a cool thing. My wife and I are going to be going on vacation soon. We're going to load up our Readers with a tonne of material, stick them in zip-lock bags and not worry about water, or sand. Plus we don't have to worry about weight that the airlines will freak out about.
Yeah, they should build in a flight simulator! Pilots could exercise their emergency skills. Just hope they don't get confused.
Ughh. No mod points, but you deserve up-modding.
I often thought that Yahoo and Microsoft just violated the KISS rule. Yahoo.com comes from the "web portal" days of AOL and seems determined to die with it. Bing.com, to their credit, seems to have learned the lesson finally that people like Google's minimalism and just slaps a background image on it to differentiate their service somehow, but I don't like their results that much and what they do well isn't that different from what Google delivers. Damned if they do, damned if they don't.
Unless Bing starts behaving like Apple and delivering what I don't even know I want yet, I don't see it heading much anywhere.
That background image is a huge part of why I set all my customers' search engines to Google by default. I do a lot of remote technical support. Pretty bitmaps make my job harder to do. Google makes a great homepage and search engine for its simplicity. Even better: my customers like it too!
The Internet was designed so that any computer could connect to any other computer. This is evident in the design of things like FTP, etc.
Every phone, watch, fridge, TiVo, computer, and printer should have a public IP address. Imagine if you didn't need to port forward for Bittorrent, if Skype could connect right to your friend's computer, or you could print to your home printer by just entering its address. That's how the internet was/is supposed to work.
NAT breaks this. Behind a NAT box, nobody can address a specific computer - only the NAT itself. This happens to lend some security, but is essentially accidental. With IPv6, your home router will instead be a firewall. Each computer will be addressable, but will still need to pass through.
Plus, there's enough address to give each subscriber many thousand. And they don't need to change. No more charging for a static IP...
Also, routing is more efficient since it can be done properly by hierarchy.
So there's a bunch of reasons. Pick some.
No, no, no, and more no. There is zero justification for every appliance or gizmo we have being public-accessible. I do not want my fridge even theoretically accessible from the outside. Given that day after day we keep finding vulnerabilities and exploits in some of the simplest code, I simply don't trust anyone else. Screw with my fridge and you can cost me a load of food. Screw with my heating/cooling and you can cost me a lot of electricity billing. Screw with my stove and you can potentially burn my house down.
If and when we reach the point of home automation actually being appealing, we can have a single gateway device which is common, well-understood, and heavily code-reviewed. Joe Average can safely plug an RJ45 cable into his fridge without worrying... it's secure by default. No fiddling with firewalls, no requirement to understand networking.
I'm not arguing against IPv6 (this time). But I am arguing against the wisdom of issuing important devices in our lives a public IP that can even accidentally be accessed from the outside. With something like NAT, the odds of forwarding the right port to the right internal IP are way higher than that of ignorantly screwing up one's firewall.
Please don't talk about public IP assignment to devices that don't benefit from it as though it were a panacea or attractive goal. It's not. It's a bad idea. Further, anyone responsible enough to assess the risks involved will by definition understand how to make their IP-enabled fireplace link to their FaceBook page.
Why do I hold this control? because its my information to start with.
The following is me playing devil's advocate but I think it's worthwhile.
No. DNA is not your information. It's you (at least your physicality). I still say too bad. Ownership of self is an illusion. It's the result of social convention, no more.
If an individual was determined to carry the cure for cancer in their blood and they allowed a sample to be taken for confirmation of this theory but specifically refused researchers the "right" to synthesize or reproduce/culture that sample, what do you think would happen? A lot of people would end up cured of cancer because someone with a clue would suddenly realize that they're really an animal and act the part.
You are food. That you aren't eaten on a daily basis is luck, pretty well.
Personally I find the idea that an individual or small group of individuals could - let alone would - allow a sample to be taken but try to limit it's potential benefit utterly and completely repugnant. This isn't about a sample being taken illegally. This isn't about a needle when you've said "no". It's about artificially limiting potential learning for arbitrary internal reasons. Disgusting, really. We are all hungry, starving for knowledge and these people had the ability to share universally, without personal cost but instead elected to dictate who and how we can feed.
We need to keep bringing up this stupid behaviour. We need to talk about it, think about it, and most importantly share this idiotic stories with those we know who don't read Slashdot.
Why? Because this isn't okay. Like copyright extensions to infinity and like DMCA issues, Joe Average simply doesn't know what bad stuff is going on. The only way to cause change is by votes. Those votes might be at a ballot box, or at a cash register.
You and I know what's going on. Each of these stories is a new bit of ammunition to us. Or would you rather we just accept corruption, bias, and philosophically repugnant behaviour so we don't need to hear about it anymore?