Slashdot Mirror


User: TheCabal

TheCabal's activity in the archive.

Stories: 0
Comments: 441

Comments · 441

  1. Re:He is looking at 10 years in prison. on Fired Techie Created Virtual Chaos At Pharma Co. · · Score: 1

    I've worked in places where local accounts were not allowed. This was enforced through an automated daily check of every workstation and server. The systems engineers didn't have the root passwords. Nobody knew what they were, as they were randomly generated and NOT recorded. Everything was sudo, as it was auditable in the logfiles, and we couldn't sudo su - or sudo /bin/bash, etc. as a workaround. There were procedures if we had to actually BE root, usually involving booting into single-user mode.

    It's not as dire as you say it is, but sometimes it was terribly inconvenient.
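The daily check described in the comment above is easy to approximate. The following is an added example, not the poster's tooling: it parses passwd, shadow and sudoers text and reports the three things that regime forbids: a usable root password, local interactive accounts, and sudo rules that hand out a shell. The passwd, shadow and sudoers samples are constructed for illustration, and the UID_MIN threshold of 1000 is an assumption about the distro.

```python
import os
import re

# Constructed sample inputs; not taken from any real host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
jsmith:x:1001:1001:Local admin:/home/jsmith:/bin/bash
svcbackup:x:1002:1002:Backup service:/var/backups:/bin/false
"""
SHADOW = """root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sshd:*:19000:0:99999:7:::
jsmith:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyz:19000:0:99999:7:::
svcbackup:!:19000:0:99999:7:::
"""
SUDOERS = """Defaults log_output
%sysadmin ALL=(root) /usr/sbin/service, /usr/bin/systemctl restart *
%sysadmin ALL=(root) /bin/su -
jsmith ALL=(ALL) NOPASSWD: /bin/bash
%dba ALL=(postgres) /usr/bin/psql
"""

UID_MIN = 1000  # assumption: first non-system UID on this distro
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SHELL_ESCAPES = {"su", "sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
# who host=(runas) [TAG: ...] cmd, cmd, ...
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
            users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(text):
    hashes = {}
    for line in text.splitlines():
        if line:
            name, pw_hash = line.split(":", 2)[:2]
            hashes[name] = pw_hash
    return hashes


def password_usable(pw_hash):
    """An empty field, '!' or '*' means no password login is possible."""
    return bool(pw_hash) and pw_hash[0] not in "!*"


def local_interactive_accounts(users):
    return sorted(n for n, u in users.items()
                  if u["uid"] >= UID_MIN and u["shell"] not in NOLOGIN_SHELLS)


def sudoers_shell_escapes(text):
    """Rules whose command list grants a shell (or ALL). These are exactly what
    makes 'sudo su -' / 'sudo /bin/bash' possible and defeats per-command logging."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in TAG_RE.sub("", m["cmds"]).split(","):
            cmd = cmd.strip()
            if cmd == "ALL" or os.path.basename(cmd.split()[0]) in SHELL_ESCAPES:
                findings.append((m["who"], cmd))
    return findings


def audit(passwd, shadow, sudoers, allowed_local=()):
    """One host's report: True/False for root password, plus the offending entries."""
    users = parse_passwd(passwd)
    hashes = parse_shadow(shadow)
    return {
        "root_password_set": password_usable(hashes.get("root", "")),
        "local_accounts": [u for u in local_interactive_accounts(users) if u not in allowed_local],
        "shell_escapes": sudoers_shell_escapes(sudoers),
    }


if __name__ == "__main__":
    for key, value in audit(PASSWD, SHADOW, SUDOERS).items():
        print(f"{key}: {value}")
```

The sudoers check only looks at allow rules. Trying to forbid shells with `!` deny entries in sudoers is the weaker approach, because any allowed editor, pager or interpreter with a shell escape reopens the hole; the regime in the comment works because the allow list is short and every command in it is logged.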

  2. Re:He is looking at 10 years in prison. on Fired Techie Created Virtual Chaos At Pharma Co. · · Score: 1

    Maybe they don't want to work for someone who can't even spell "MCSE" or use the correct "there".

  3. Re:It feels old and already seen on World of Warcraft Finally Loses Subscribers · · Score: 1

    The purchasable pets and mounts were a crass move.

    I've played since vanilla, and for a while was a very hardcore raider, but eventually that wore thin. I stayed on because I had friends in the game and we enjoyed hanging out and running the occasional dungeon together, otherwise I would have left a long time before that.

    I thought that the cross-realm dungeon finder would be a Good Thing, and I think for a while it was. Back when it first started, people were polite, said hello, etc. Then after a while I lost count of the number of 5-mans I ran through where not a single word was said; it was just a grim race to the end, collect your points and bail out. Then it got worse with the people bailing- "Oh, I don't want to run this dungeon" or the ragequits after a single wipe. Or the meter-sitters bitching that the DPS numbers are too low and trying to votekick people off. The relative anonymity and odds that you'll never see the same people again really brought out the inner asshole. It got so bad that I eventually refused to group with anyone from a particular server in my realm because they had a reputation of being griefers that would wipe parties for the lols. The worst example was 2 hunters that joined as a group who would go and misdirect the healer, feign, wipe the party and call everyone n-ggers until they got kicked.

    I recall being in a heroic Deadmines run, 3 guys were from the same guild on another server, myself and a random from another server. The party leader declared that he was going to boot the lowest DPS before the last boss so he could bring in a guildie for the kill and loot.

    Raiding became a chore, and the social structure that comes from it became unbearable. Raiding was no longer a fun thing, but a way of gaining prestige and status on the server. This, of course, required extreme dedication of time and effort, and having an "off day" would more than likely result in getting benched and replaced by one of the dozens of other raiding hopefuls looking for a slot.

    The new raid bosses aren't very impressive. Even the Lich King fight was anticlimactic. The Vanilla and BC fights were much more intense. The fights now are pretty much "stand here, don't stand there" positioning fights. Lady Vashj was a pure bitch because of the fight mechanic with the cores, and it was an achievement to defeat her and make it to Hyjal before Blizzard removed the keying requirement to unlock that raid zone.

  4. Re:My experience on Probing Insulin Pumps For Vulnerabilities · · Score: 1

    Note that I also said I was concerned that an outside party accidentally changes the settings on the pods. I think that is far more likely, but people aren't really going to think that walking past the microwave or the 802.11 router is really a threat.

  5. Re:My experience on Probing Insulin Pumps For Vulnerabilities · · Score: 1

    Just a followup to this, I posted a summary of the article on Facebook, and my wife predictably reacted the same way the press did.

    Me: "Guy gives a talk about the *possibility* of hacking a wireless insulin pump"
    Wife filter: ZOMG HACKERS ARE GOING TO KILL US!

    After answering questions of responsible disclosure and security through obfuscation, she asked why someone would want to do such a thing as try to kill a diabetic. She was unfamiliar with the term "for teh lulz".

  6. Re:Had a pump for 8 years on Probing Insulin Pumps For Vulnerabilities · · Score: 1

    I disagree. My wife is a brittle diabetic, and she's spent so much time in her childhood years at extreme highs and lows, she's become somewhat desensitized to low blood sugar until she's in the 50 range. There have been a few cases where she has felt a low coming on and collapsed before she could get to something to eat. Other times, she's acted drunk while hypoglycemic and refused to eat anything.

    Of course, she's probably one of the exceptions for the "most diabetics" case, but it matters to me.

  7. My experience on Probing Insulin Pumps For Vulnerabilities · · Score: 2

    My wife uses the OmniPod disposable pumps. They are controlled by a wireless PDA-like device. When she was switching from a conventional pump to the Omnis, I wrote to the company and asked them to explain to me how their wireless technology works, what protocols they were using, and what security measures they had taken to protect the pods from malicious activity. My concern was the possibility of an outside party either deliberately or accidentally messing with the pod settings, and minimizing insulin delivery or pushing a huge bolus.

    I even offered to sign an NDA. Obviously, the company was less than willing to divulge their proprietary secrets, and I was shuffled off to a PR flack, who just reiterated the same marketing material over and over.

  8. Be prepared to pay on Ask Slashdot: Dealing With the Business Software Alliance? · · Score: 1

    I've had to go through a BSA audit after we fired a former employee. The BSA sent their usual demand that we provide proof that we're fully licensed. We (I mean the Finance and IT departments) spent weeks going over years-old receipts and license records. Countless hours lost to this bullshit while real work went uncompleted.... the BSA then said that our paperwork was insufficient, that we would have to produce the original purchase orders. Round and round it went until the C-levels at the company finally bent over and begged "not too hard please". We wound up having to pay a fine for like a single copy of Visio or something. The most expensive copy of Visio anyone has ever paid for.

    The BSA exists entirely to make money for itself. Nothing you do will satisfy them. They really should be stopped under RICO.

  9. Re:Funny. on Large Scale 24/7 Solar Power Plant To Be Built in Nevada · · Score: 1

    What was the ROI on the Apollo program?

    We made trillions on Tang and pressurized pens that write in zero-g, right?

    This is -finally- a first step towards getting off the oil/coal tit. I'd rather spend 3/4 of a billion on this than on killing some more brown-skinned people in foreign lands. Like in any business, there is no guarantee of profit or breakeven, but at least it's a fucking start for once.

  10. Funny. on Large Scale 24/7 Solar Power Plant To Be Built in Nevada · · Score: 5, Insightful

    I remember reading about plants like this on Slashdot a while ago. A lot of people said that was a good idea, and we should start building them!

    Well now that we're actually doing it, suddenly it's a bad idea. Why is that?

  11. Re:I don't like it on Large Scale 24/7 Solar Power Plant To Be Built in Nevada · · Score: 1

    Because all national endeavors must make sense financially, yes? If so, so long, space program...

    Sometimes we have to do things for reasons other than making the almighty dollar.

  12. Re:Double dipping? on US Contemplating 'Vehicle Miles Traveled' Tax · · Score: 1

    Problem with this is that the auto companies will fight - and succeed- at getting their vehicles exempted from certain brackets, or will find new, exciting and creative ways to have their vehicles reclassified into more "attractive" classifications. That's how they managed to bypass all the regulations for SUVs. This will also jack up transportation costs, since big rigs travel hundreds and thousands of miles, carrying tons of material. The savings get passed on to the consumer!

  13. Re:The rise of ignorance... on Colliding Particles Can Make Black Holes After All · · Score: 1

    I've seen some people at Wal-Mart that should have their own event horizon, so you may be right.

  14. Re:The rise of ignorance... on Colliding Particles Can Make Black Holes After All · · Score: 1

    People generally don't understand astrophysics. High school science classes generally concentrate on biology (baby pigs are cheap) and chemistry (most of the students probably understand how to make meth better than the teacher). Usually one or two experiments in physics, generally dropping things.

    Secondly, people just understand that black holes are Bad Things, the "most destructive force in the universe" (thank you Disney) and that the universe will end with a Real Big One, because that's what they saw on the History Channel. I won't fault people too harshly for this, but it doesn't take an Einstein or Hawking to figure at least the basics out. I'm somewhat shocked that learned people are perpetuating this ballyhoo about black holes at the LHC.

    People have a hard time with very small and very large things, so I usually put things in terms of the Sun. Yes, I know this is a very large thing, but they can at least see the Sun and have an idea of its size. Should the Sun suddenly become a black hole, we won't get sucked in as most lay people think. A black hole with the mass of the Sun is still an object with the mass of the Sun and all the properties that go with it, such as gravitational pull. The Earth will continue to orbit just as before, but it will become cold and dark. That's it. A black hole created at the LHC from two particles will have the mass of those two particles.

    And if I'm wrong, well we'll likely die so quickly that it wouldn't matter anyway.

  15. Re:Windows Autorun on Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD · · Score: 1

    In between rounds of slurping up Theo's man-juice, you might want to enroll in the local community college's reading comprehension class.

  16. Re:ObSimpsons on Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD · · Score: 1

    I'd like to send this letter to the Prussian consulate in Siam by aeromail. Am I too late for the 4:30 autogyro?

  17. Re:Expect this more in the future on Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD · · Score: 1

    Where do you think Cisco has all of its gear manufactured?

    Now think just a few years back, when the FBI released a warning about fake Cisco gear coming out of China with possibly some dodgy software loaded?

  18. Re:Windows Autorun on Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD · · Score: 2, Insightful

    Any financial institution that deploys a "bare metal" installation of ANY OS without any hardening, be it Windows, Linux or whatever, shouldn't be handling the public's money to begin with and needs to be slapped severely about the face and ears. I wouldn't deploy a stock install of Linux either without spending time hardening it. Anyone who thinks Linux is "Secure by default" has drunk a little too much of the Kool-Aid. Believe me when I say that Windows can be hardened to a point where it is rather difficult to break, and the amount of effort is no more than it takes to harden a Linux distro to a nice standard.

    Autorun in a corporate environment? Disabled across the entire network with just a few clicks and refresh of Group Policy.

  19. Re:Windows Autorun on Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD · · Score: 1

    You mean you're challenged by the nice little GUI that says "Turn off Autoplay"? If a GUI is a challenge, how are you ever going to master the command line?
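Comments 18 and 19 above point at the Group Policy / "Turn off Autoplay" setting. What that setting actually writes is the Explorer policy value NoDriveTypeAutoRun, a one-byte bitmask in which each bit (1 << GetDriveType value) suppresses AutoRun for one drive type. The following is an added example, not code from the original comments: it decodes that mask, reports which drive types would still process autorun.inf, and on Windows reads the effective policy value from the registry. The registry path, bit layout, the 0xFF written by the "All drives" setting and the XP-era default of 0x95 are stated from memory and should be verified against current Microsoft documentation for the OS version in question.

```python
import sys

# Explorer policy location (assumption from memory; verify for your OS version).
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"

# Bit -> drive type whose AutoRun is suppressed when the bit is set.
# Bit position follows GetDriveType(): DRIVE_NO_ROOT_DIR=1 -> 0x02, CD-ROM=5 -> 0x20, ...
DRIVE_BITS = [
    (0x01, "DRIVE_UNKNOWN"),
    (0x02, "DRIVE_NO_ROOT_DIR"),
    (0x04, "DRIVE_REMOVABLE"),
    (0x08, "DRIVE_FIXED"),
    (0x10, "DRIVE_REMOTE"),
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "reserved/unrecognized"),
]
ALL_DRIVES = 0xFF  # what the 'Turn off Autoplay' = 'All drives' policy writes (assumption)
XP_DEFAULT = 0x95  # XP-era default: CD-ROM and fixed disks still autorun (assumption)


def parse_value(value):
    """Accept a REG_DWORD int or a string such as '0xff' / '255'; the mask is one byte."""
    if isinstance(value, str):
        value = int(value.strip(), 0)
    if not 0 <= value <= 0xFF:
        raise ValueError(f"NoDriveTypeAutoRun must be a one-byte mask, got {value:#x}")
    return value


def still_autoruns(value):
    """Drive types on which autorun.inf is still processed under this mask."""
    mask = parse_value(value)
    return [name for bit, name in DRIVE_BITS if not mask & bit]


def is_compliant(value):
    """Compliant only when every drive type is covered (the 'All drives' setting)."""
    return parse_value(value) == ALL_DRIVES


def read_local_policy():
    """Effective policy value on this machine: machine policy wins over user policy.
    Returns None when not on Windows or when neither hive has the value."""
    if sys.platform != "win32":
        return None
    import winreg
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value, _kind = winreg.QueryValueEx(key, POLICY_VALUE)
                return value
        except OSError:
            continue
    return None


if __name__ == "__main__":
    current = read_local_policy()
    if current is None:
        print("policy value not found on this host; evaluating the XP-era default instead")
        current = XP_DEFAULT
    print(f"NoDriveTypeAutoRun={current:#04x} compliant={is_compliant(current)}")
    for name in still_autoruns(current):
        print("  AutoRun still processed for", name)
```

Note the ordering in read_local_policy: the machine policy hive is consulted first because it is the one a domain GPO populates and the one Explorer honors over the per-user value. A mask that covers removable media but leaves the CD-ROM bit clear is exactly the gap the malware-on-CD story exploits, which is why the check insists on 0xFF rather than on any particular bit.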

  20. Re:I actually saw one of these.... on Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD · · Score: 4, Informative

    The Secret Service was originally part of the Department of the Treasury. Now part of DHS, they still have jurisdiction over counterfeiting and fraud investigations and share jurisdiction with the FBI in some areas such as computer crime. It's well within their bailiwick.

  21. Re:Wa wa what? on Behind the 4GB Memory Limit In 32-Bit Windows · · Score: 1

    Guarantees... not really any guarantees. Microsoft does have a driver signing program and a Quality Labs for hardware that will certify that the driver and hardware meet their standards (take your cheap shot here), but generally won't make any guarantees. So yeah, I can go to Fry's and get a mobo and 16GB of RAM, and find a copy of Windows Server Enterprise or Datacenter, and it will likely work, but nobody's going to guarantee that it works. If I spend the money buying a real enterprise-class server from a real systems vendor, you'll have better chances that the drivers and hardware have been WHQL certified, and they'll generally be of a better quality than the Fry's hardware.

    Usually, the higher end you get, MS will start recommending particular hardware profiles known to run reliably. I'd think twice about any vendor that makes any kind of guarantee that everything will work unless it's been a tried and proven configuration.

  22. Re:Wa wa what? on Behind the 4GB Memory Limit In 32-Bit Windows · · Score: 1

    Two different kernels. With the normal 32-bit kernel, you'll top out at 4GB of memory. Windows loads a PAE-enabled kernel if it sees /PAE passed as a kernel argument (much like arguments in GRUB), or, if you're running on hardware that supports DEP, the system will load the PAE-enabled kernel on its own.

    By default, on a 4GB system, 2GB is for userland and 2GB is for the kernel. Throw the /PAE switch and the kernel sacrifices a gig for user space. Not all apps can take advantage of the extra memory, but a very memory-hungry app like SQL Server can use the extra memory. Depending on what flavor of Windows Server you're using, you may have to throw /3GB, /PAE or both. Once you get over 16GB of RAM, you're generally looking at using /PAE only in boot.ini and running sp_configure in SQL to configure the use of AWE. MS says that generally you may wind up burning a gig of memory for AWE management. But otherwise, unless you're running an enterprise-class app, you won't get much of anything out of using /3GB or /PAE.

  23. Re:Wa wa what? on Behind the 4GB Memory Limit In 32-Bit Windows · · Score: 1

    32-bit Linux has to be compiled with or without PAE support, so your distro should make sure it installs the right kernel version to correctly support your hardware. Some OSes (e.g. Solaris) can switch between PAE and non-PAE at boot time, so they only need one kernel image to support both modes. I don't know how Windows handles this.

    Yes it can. In the boot.ini file you can specify the /PAE switch, which will load the PAE-enabled kernel at boot time. In addition, you can specify the /3GB switch, which allows user processes 3GB of memory to use rather than the usual 2.

  24. Moxie at Black Hat on Null Character Hack Allows SSL Spoofing · · Score: 3, Informative

    Moxie's presentation was very enlightening. Out of all the presentations I saw over the last two days, his was easily the most interesting.

    First, he went over his last presentation- that due to CA sloppiness, it is possible for an attacker to issue valid SSL certificates as an intermediary CA. No hack involved.
    Second, the null character exploit. This was the bulk of his presentation, and he went into detail why this works, and why Firefox pre-3.5 plus a bunch of other SSL stacks are vulnerable. Don't want to get a cert for every site you want to spoof? Get a wildcard \0 cert.
    Third, it is possible to defeat OCSP with the number 3.
    Fourth, he demonstrated how, due to these bugs in SSL and OCSP, it is possible to deploy your own "software updates" whenever Firefox or other program attempts to auto-update.

    I hope he puts his presentation up sometime soon.
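The null-character point in the comment above comes down to two parties handling the same certificate name with two string conventions. X.509 carries the subject name in ASN.1 with an explicit length, so a CA that validates only the registrable domain at the right-hand end sees the whole string and issues the certificate; a client that copies the name into a C string stops at the first NUL and compares only what came before it. The following is an added example, not Moxie's code and not from the original comment: it models both sides, including the "wildcard \0" variant, beside a length-aware check that rejects the name outright. The names are constructed, and attacker.example stands in for a domain the attacker really controls.

```python
import fnmatch

# Constructed attack names. The CA sees the full string; a C-string client does not.
NULL_CN = b"www.paypal.com\x00.attacker.example"
WILDCARD_NULL_CN = b"*\x00.attacker.example"


def ca_sees_owned_domain(cert_cn, owned_domain):
    """Models the sloppy CA validation from the talk: the name is handled as a
    length-prefixed string, only the registrable suffix is checked, and the
    requester genuinely owns that suffix, so the certificate is issued."""
    return cert_cn.lower().endswith(b"." + owned_domain.lower())


def vulnerable_hostname_check(cert_cn, host):
    """Models a C-string client: the name ends at the first NUL, and the rest is
    glob-matched, so 'www.paypal.com' matches and a bare '*' matches every host."""
    truncated = cert_cn.split(b"\x00", 1)[0]
    return fnmatch.fnmatchcase(host.lower().decode("latin-1"),
                               truncated.lower().decode("latin-1"))


def match_name(pattern, host):
    """Strict matching: exact, or a wildcard that is the whole leftmost label,
    with the same number of labels and at least two labels after the '*'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    plabels, hlabels = pattern.split(b"."), host.split(b".")
    return (plabels[0] == b"*"
            and len(plabels) >= 3
            and len(plabels) == len(hlabels)
            and plabels[1:] == hlabels[1:])


def safe_hostname_check(cert_cn, host):
    """Length-aware client: a NUL anywhere in the presented name is a hard reject,
    because no legitimate DNS name contains one; then strict matching."""
    if not cert_cn or b"\x00" in cert_cn:
        return False
    return match_name(cert_cn, host)


def compare(cert_cn, host):
    """Side-by-side verdicts for one (certificate name, connected host) pair."""
    return {
        "ca_would_issue": ca_sees_owned_domain(cert_cn, b"attacker.example"),
        "cstring_client_accepts": vulnerable_hostname_check(cert_cn, host),
        "length_aware_client_accepts": safe_hostname_check(cert_cn, host),
    }


if __name__ == "__main__":
    for cn, host in ((NULL_CN, b"www.paypal.com"), (WILDCARD_NULL_CN, b"mail.example.org")):
        print(cn, host, compare(cn, host))
```

The same truncation bug applies wherever the name is compared: the subject CN, each dNSName in subjectAltName, and the names an OCSP responder or update client reads back. The fix is to treat the name as (pointer, length) end to end, which is also why the comment's mention of Firefox 3.5 not being vulnerable is about the client-side comparison, not about anything the CA did differently.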

  25. Re:Firefox 3.5 is _not_ vulnerable on Null Character Hack Allows SSL Spoofing · · Score: 1

    I sat in on his presentation at Vegas, he said that Firefox 3.5 was NOT vulnerable.