Slashdot Mirror


User: CerebusUS

CerebusUS's activity in the archive.

Stories
0
Comments
398

Comments · 398

  1. Re:A little overstated on Malware Hijacks Windows Update · · Score: 1

    BITS doesn't do installs, it only does rate-limited transfers. Malware downloaded by BITS would still need higher-level privs to install into the system. All BITS does is avoid the "XXX program is trying to use the internet" message that Windows throws up.

  2. Re:Do Xbox users listen to music? on Xbox Spring Update To Offer Codecs, MSN Messenger · · Score: 1

    It's a holdover from the physical world where those extra buttons cost more than screen real estate.

    I'm not defending it, mind you... it's just that the guy you want to lynch may be in a retirement home somewhere forgetting everything he knew about engineering in the first place.

  3. Re:American Idol? on Schneier On the US Crypto Competition · · Score: 1

    Missy Elliot's Work It lyrics:

    This is a Missy Elliott one-time exclusive (Come on)

    Is it worth it, let me work it
    I put my thang down, flip it and reverse it
    I put my thang down, flip it and reverse it


    I'm not a huge rap fan, but I generally dig her stuff.

  4. Re:American Idol? on Schneier On the US Crypto Competition · · Score: 1

    Ha! I love that guy.

  5. American Idol? on Schneier On the US Crypto Competition · · Score: 3, Funny

    Please, oh please oh please don't let there be a William Hung to spring from this.

  6. Re:Ouch! on "Tech Heroes" From Ada Lovelace to Jamie Z · · Score: 1

    Also, aren't we already in the 21st century? Shouldn't it be "through" instead of "towards?"

  7. Re:Stupid on Sony Open to Considering PS3 Price Cuts · · Score: 1

    That "maybe people will wait" strategy had been going on for a year while they waited for the console to launch in the first place.

    This isn't brilliant marketing, it's a company that's facing third and long on their own 10 yard line. Even punting is going to suck.

    Even if they drop the PS/3 to $500 (and I think $550 is more likely) you can still get a Wii ($250), extra controller set ($60), and 4 decent games (Wario Ware, Rayman's Rabbids, Zelda, and Madden Football) for the price of just the console.

    Price shouldn't be the reason you get a PS/3 instead of a Wii. Functionality should. And the public seems to be indicating that the functionality of the device doesn't support the weight of its price.

    Personally, I'd probably buy it at $400 (that's what I paid for a 360), but they'll have to have a better console exclusive than Resistance for me to do even that.

  8. Re:Stupid on Sony Open to Considering PS3 Price Cuts · · Score: 4, Insightful

    Bingo.

    Yet another stupid move on Sony's part. They were better off continuing to deny that a price drop was even being discussed, and then picking a random day and just lowering the price.

    I certainly wouldn't buy a $600 console knowing that the price could be $500 in a month or two.

    That's a free second controller and a game....

    Which is the other way they could go, I guess... Bundle a second Sixaxis and Resistance: Fall of Man with every 60GB unit for the same price.

  9. The Big Difference... on eBay Virtual World Delisting Skips Second Life · · Score: 4, Insightful

    WoW and the other mmorpgs discourage (and even prohibit through EULAs) the resale of ingame assets.

    Second Life encourages the sale of ingame assets and the secondary market that has sprung up around it.

    If Blizzard said it was OK to sell the Sword of a Thousand Truths on eBay for real cash dollars, I'm sure eBay would allow it to be sold.

  10. Re:Ok so let me sum up on Wiimote Straps Result in Class Action Suit · · Score: 1

    IANAL, but I did notice that the complaint included a statement regarding a Mr. Chewbacca.

    "Let the Wookie win?"

  11. This Litigious Society on Wiimote Straps Result in Class Action Suit · · Score: 5, Insightful

    Owners of the Nintendo Wii reported that when they used the Nintendo remote and wrist strap, as instructed by the material that accompanied the Wii console, the wrist strap broke and caused the remote to leave the user's hand.

    The owner's manual pretty clearly states not to let go of the thing.

    I hope this lawsuit fails.

  12. Re:Why not... on How Do You Handle New MS Word Vulnerabilities? · · Score: 2, Informative

    The latest vulnerability doesn't require macros.

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory,"

    There's no way to protect from these documents via group policy, short of a group policy that disallows word from running.

  13. Re:Quarantine on How Do You Handle New MS Word Vulnerabilities? · · Score: 1

    I'll admit I'm too lazy to read the exact detail of the exploit, but shouldn't this whole situation be alleviated by good, layered network security anyway?

    Well, the latest vulnerability allows a malicious Word doc to run code on the user's machine. Assuming I wrote a userspace piece of malware, I could easily start sending stuff (anything the user has access to, theoretically) out port 80 to a collection point. Since Windows will open documents with unknown extension but proper Word headers in Word, filtering at the email level doesn't really cut it.

    Now imagine that my malware starts appending the exploit to random internal Word documents that the user has access to (and that other, more privileged users will open) and you've got a pretty serious infection on your hands.

    Oh, and the details of the exploit? So amazingly stupid you'll want to line up the design team responsible and take one long running smack, three stooges style.

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory,"

    source

  14. Re:At least for now we filter... on How Do You Handle New MS Word Vulnerabilities? · · Score: 2, Informative

    As I've noted elsewhere, if you think your filter is protecting you, you are wrong:

    "Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word. Filtering for common extensions such as .doc, and .dot will not detect all Word documents."

    source

  15. Re:Simple: on How Do You Handle New MS Word Vulnerabilities? · · Score: 2, Funny

    Reasonable or not, Microsoft's suggestion regarding the vulnerability is to "not open or save Word document files"

  16. Re:I don't on How Do You Handle New MS Word Vulnerabilities? · · Score: 3, Interesting

    At least one of the three recent Word exploits affects Word for Mac as well.

    Also, to the original question:

    Scanning .doc and .dot files does little to no good for the most recent vulnerability. Windows is coded to open correctly formatted documents with unknown extensions with Word. So all I'd have to do to get around your filter is rename the document to: Exploit!.iamnotavir.us0 and if someone is silly enough to double-click it, they'll be subject to whatever maliciousness I can inflict on them.

    From the e-week article:
    "Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word. Filtering for common extensions such as .doc, and .dot will not detect all Word documents."
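    The point made in comments 14 and 16 (Windows dispatches on the file header, not the extension, so extension filters miss renamed documents) as an added example that is not part of the original comments: a content-based check that recognises Word containers by their signature, contrasted with the extension filter it replaces. File names and sample bytes below are constructed for the demonstration.

```python
"""Detect Word documents by content rather than by file extension."""
import io
import zipfile
from typing import Optional

# OLE2 / Compound File Binary signature used by Word 97-2003 .doc/.dot files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# ZIP local-file-header signature; Word 2007+ .docx files are ZIP packages.
ZIP_MAGIC = b"PK\x03\x04"


def extension_filter(filename: str) -> bool:
    """The naive filter: flags only well-known Word extensions."""
    return filename.lower().endswith((".doc", ".dot"))


def classify_word_container(data: bytes) -> Optional[str]:
    """Return 'ole2' for a legacy binary Office container, 'ooxml' for a
    Word 2007+ package, or None. OLE2 also covers Excel/PowerPoint files;
    flagging the container is deliberate, since that is what Windows keys on."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "word/document.xml" in zf.namelist():
                    return "ooxml"
        except zipfile.BadZipFile:
            return None
    return None


def content_filter(data: bytes) -> bool:
    """Quarantine decision based on what the bytes are, whatever the name."""
    return classify_word_container(data) is not None


def constructed_legacy_doc() -> bytes:
    """Constructed sample: an OLE2 header followed by filler, no real content."""
    return OLE2_MAGIC + b"\x00" * 504


def constructed_docx() -> bytes:
    """Constructed sample: a minimal ZIP with the part that marks a Word package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

    Running the two filters over a renamed file such as "report.qwer" shows the extension check passing it through while the content check catches it.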

  17. Re:So is it real this time? on Don't Be Rude To This Robot · · Score: 1

    I think the most damning part of the video is when the device responds identically to different stimuli. Particularly the "knocking on the table" portion of the video.

    Believe me, as a rabid geek and original Furby owner, I'd like nothing more than for this video to be wrong, it just doesn't look good at the moment, and these guys have been advertising this thing as "coming real soon now" for a few years.

  18. So is it real this time? on Don't Be Rude To This Robot · · Score: 4, Interesting

    They've been criticized in the past for faking demonstrations. YouTube example here

  19. Re:What you're used to on Microsoft Cheaper For Web Serving? · · Score: 1

    IIS 6 uses XML for its config files, it's not quite to the level of "copy one and have it work anywhere" but you can (very easily using either the GUI or a command line tool) export one or more configs from one IIS box and import them on another. The level of success you have with this depends on your particular application. Much like if you've chosen to define your virtual hosts under Apache by IP address, you're gonna have to change those IPs to match the new box, for example.

    As for logrotate, it's certainly a useful little tool, but that's not going to change TCO much one way or another. I spent about an hour 4 years ago developing a Perl script that yanks everything but the last week's worth of log files for every website on a given server, names it appropriately and zips it up to a location that can later be archived off. A year ago, when I moved into an environment that has standardized the names of the servers well enough, the script was updated to search Active Directory for all the webservers on the network and automatically pull their logs.

    As for NT scripting not being as powerful as bash scripting, sure... but no one uses NT anymore. Have you checked out MS's new PowerShell recently? Fairly impressive stuff.

  20. Re:This is a great review on Gears of War Review · · Score: 1

    This is one of the first shooter titles that I can't imagine playing with a keyboard and mouse, and I never got used to playing Halo because of the controls. Part of it is because Gears is largely NOT a "first person" shooter...

    The standard camera view is more over the shoulder.

    Other stuff that works really well about the controls:
    Cover-to-cover moves by pushing the stick in the direction you want followed by a button press.
    Walk vs. run based on how far you push the stick. They've put enemies in that can hear you, so you'll occasionally need to sneak around.
    Dodging.
    Popping out of cover.
    Zooming in with any weapon.

    It's possible all these could be done with a mouse and keyboard, but you'd need a TON of keys assigned in a very tight cluster to do it.

    I still think Kb+M is the best control setup for an FPS, but I really like the control system in GoW.

  21. Re:This is a great review on Gears of War Review · · Score: 1

    The friendly AI isn't that bad. It's not great, mind you, but calling it "some of the worst ever seen" is just _not true_.

    You're right. That honor is reserved for Daikatana. :-)

  22. Re:Caller ID is broken in the same way SMTP is bro on New Google Service Manipulates Caller-ID For Free · · Score: 2, Informative

    I agree with you that it's going to be a question of scale, but the dividing line may be lower than you think. I work in a company of only 25 and we've got Caller ID configured to push the extension the call was made from. While restaurants and offices small enough not to need a "true PBX" solution don't get the opportunity to configure their caller ID, the barrier to entry if you _wanted_ to push caller ID on your own is very low. Even lower with roll-your-own solutions such as Asterisk@Home being so easy to set up.

    In such a world, relying on your caller ID display to tell you the truth is pretty much a bad idea.

  23. Caller ID is broken in the same way SMTP is broken on New Google Service Manipulates Caller-ID For Free · · Score: 3, Informative

    Much like SMTP relies on the sending email client/server to not lie about the originator's email address, Caller ID relies on the PBX originating the call to set the caller ID value. There's no other way for the phone system to be able to deliver the correct direct-dial extension, only the PBX truly knows what the extension is, the phone company only knows the trunk ID that the call comes from. As long as that's the case, there will never be a way to ensure that the originating PBX is telling the truth. DID ranges are (for the most part) not tied directly to outgoing phone lines, so they can't even be verified against those.

  24. Re:Google analytics on Which Web Statistics Package Would You Use? · · Score: 1

    There is a component in Urchin that can make use of the JavaScript and web bugs, but it isn't required.

    It's also incompatible with Google's Analytics product. We regularly run the logs without the UTM (that's what they call the JavaScript piece) and instead set up the Google Analytics tracker. This lets us get historical data for sites and gives us better bandwidth usage stats for individual websites, while still allowing the end users to see the pretty graphs and awesome filtering Google gives them.

    The first time we tried to get both the UTM data and Google Analytics to work at the same time, it barfed hard.

  25. Re:Google analytics on Which Web Statistics Package Would You Use? · · Score: 3, Informative

    The 1M page view limitation was for beta only. The current product has no limits.

    Google Analytics is a good solution if you are looking for tracking based on JavaScript / web bug images.

    Since they are looking for something that works off the server log files (such as LiveStats) maybe they should look at Urchin, which runs locally and processes the log files. Google purchased Urchin to make their Analytics offering. Unlike Microsoft and LiveStats, however, Google still sells and supports the Urchin software through retail partners.

    Pricing is fairly reasonable, and is based on log sources and websites monitored. $895 buys you 100 profiles with one log source each. $695 extra per additional log source (i.e. if you've got 3 servers serving one website you'd need 2 additional log sources) regardless of the number of profiles. $695 extra per 100 additional profiles, as well.

    They also offer campaign tracking and ecommerce reporting modules.

    One thing that's impressed me about the program is the speed. We're using it on 150 profiles (with a maximum of 6 log sources per profile, though only one profile actually uses that many; most of our profiles use only one log source) and it takes about 8 hours to process the logs each day from a central box using SMB/CIFS to pull the data files.