Umm.. you are aware that SP2 is a lot more than just a firewall and the security center, right? I don't even use those two technologies and I see a lot of improvement with SP2.
For example:
Popup blocker (yeah, you can install google toolbar or others as well)
No Execute protection (Yes, it's possible for an attacker to get around it, but so are door locks.. that doesn't mean i shouldn't lock my doors)
reworked RPC management (this is a biggie since it's going to prevent other kinds of RPC based worms if another vulnerability in RPC is found)
Manage Add-ons tool in IE (this lets you easily disable any IE extension, making it hard for spyware and adware to hide)
ActiveX improvements (Clueless users don't need to click yes to continue surfing when an activex dialog appears. Now you get the same yellow bar that Mozilla copied from IE)
And a whole lot more... frankly, I won't let any machine I manage NOT run SP2, it saves a lot of work in the spyware cleaning department.
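To make the "No Execute protection" item above concrete, here is a small added demonstration of what NX/DEP actually enforces; it is not code from the thread or from Microsoft. A page is filled with valid machine code but mapped read/write only; with NX enforced the CPU faults when control jumps into it, and the same bytes run once the page is re-mapped read/execute. It assumes Linux, GCC or Clang, an x86-64 or AArch64 CPU with NX/XN enabled (the default), and the ability to map executable pages. The payload just returns 42.

```c
/* Added example (not from the original thread): what NX/DEP does.
 * A page is filled with valid machine code but mapped without execute
 * permission; the CPU refuses to run it. Re-mapped as read+execute the
 * same bytes run. Assumptions: Linux, GCC/Clang, x86-64 or AArch64 with
 * NX/XN enabled, and PROT_EXEC mappings permitted by the sandbox.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__x86_64__)
/* mov eax, 42 ; ret */
static const unsigned char payload[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#elif defined(__aarch64__)
/* mov w0, #42 ; ret */
static const unsigned char payload[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "payload bytes only written for x86-64 and AArch64"
#endif

typedef int (*code_fn)(void);
static sigjmp_buf fault_env;

/* On a fault, unwind back into try_run() instead of dying. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Try to call the bytes at `page` as code. Returns 1 if they ran and
 * returned 42, 0 if the CPU faulted (SIGSEGV from NX, or SIGILL). */
static int try_run(void *page) {
    struct sigaction sa, old_segv, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);

    int ran = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        code_fn fn;
        memcpy(&fn, &page, sizeof fn);  /* data pointer -> function pointer */
        ran = (fn() == 42);
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return ran;
}

/* Returns 1 when NX behaves as advertised: the RW page refuses to execute
 * and the identical bytes run once the page is RX. -1 if mapping fails. */
int nx_demo(void) {
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, ps, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, payload, sizeof payload);

    int ran_as_data = try_run(page);   /* expect 0: NX blocks a data page */

    /* Flip to read+execute (and drop write: W^X), then try again. */
    if (mprotect(page, ps, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, ps);
        return -1;
    }
    __builtin___clear_cache((char *)page, (char *)page + sizeof payload);
    int ran_as_code = try_run(page);   /* expect 1 */

    munmap(page, ps);
    return (ran_as_data == 0 && ran_as_code == 1) ? 1 : 0;
}

int main(void) {
    int r = nx_demo();
    if (r == 1) puts("NX enforced: data page refused to run, exec page ran");
    else printf("unexpected result: %d\n", r);
    return r == 1 ? 0 : 1;
}
```

The point the door-lock analogy makes still holds: NX stops the classic "jump to shellcode on the stack" pattern, but an attacker who can reuse code that is already executable (return-into-libc, ROP) or who can flip a page to executable, as the second half of this demo does, is not stopped by it.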
That may be what it is, but that doesn't seem to be what the spirit of the certification is about. Check this out.
"EAL2 level is more detailed because it includes the high-level design and detail specifications of the target of evaluation. This level and its latter counterparts require developer testing and a vulnerability analysis. EAL3 analysis expands the testing coverage of the security functions and mechanisms and offers added security measures by ensuring that the target of evaluation is not tampered during development. EAL4 requires more design description, a subset of the implementation and improved mechanisms and/or procedures in ensuring that the target of evaluation will not be tampered with during development and delivery."
Frankly, so much of this has to do with design documentation and precautions taken *DURING* the development of the OS that I don't see how an informal process like the Linux kernel could achieve it. This isn't FUD, I just don't understand how they're getting around this requirement.
The only thing I can think of is that SuSE defines the development process to be those things that SuSE themselves do to patch, build, and test the kernel and the rest of the OS, totally ignoring how the kernel itself is designed and built.
There's nothing in the EAL process that requires documentation to be public. As such, your comments seem a little strange.
I also did not suggest that Novell didn't put effort into the documentation. I said I didn't understand how any Linux distro could meet design documentation that very likely didn't exist when the software was being designed.
I wouldn't think (and I could be wrong), that generating design documentation after the fact is evidence of proper design (which is what the EAL is trying to verify).
Otherwise, one could take a dike with 1000 holes in it and write a document that says those 1000 holes are part of the design and meet sound structural design guidelines. I just don't see it.
Hmm.. What I don't understand is how ANY version of Linux achieved EAL3 or better. One of the criteria is that the OS have strict design documentation and that the implementation meets that design documentation. My understanding of Linux development is that it's very informal and has no real design documentation (other than what a given hacker may create for themselves).
I'm not saying that Linux doesn't deserve it, just that I don't understand how they were able to meet that criteria.
It's not really that difficult. Although the mechanisms used by David Hahn are probably closed off, the information is still out there. He almost succeeded in building a bomb using nothing more than smoke detectors and a few other sources.
Read this and this
No, my only point was that using firewall logs that show hits from infected 2000, XP, and NT boxes doesn't prove that 2003 is just as insecure.
In other words, I was saying the evidence is not sufficient to prove the point, not that the point is unprovable.
While it's true that Windows 2003 was vulnerable to blaster as a DoS attack, the worm did not replicate on Windows 2003 because the offsets it used would cause the OS to crash.
The worm only propagated on Windows XP and 2000, and then only half the time on either, because it chose either an XP offset or a 2000 offset.
As such, none of the hits in your firewall logs are the result of a compromised Windows 2003 box, though that's not because of any special security in Windows 2003... the Blaster authors just didn't take 2003 offsets into account.
I'm not sure what you're saying here. Which worm exploited this vulnerability? My point was that the worm signs in your logs are from worms that Windows 2003 isn't vulnerable to, not that Windows 2003 doesn't have vulnerabilities.
As such, using logfiles that show compromised Windows 2000 and NT systems does little to invalidate a study that was based on Windows 2003.
To be fair, the study compared the security of Windows 2003, not Windows in general. To my knowledge, Windows 2003 isn't vulnerable to any of the attacks that are in your logs.
Hmm.. how many of those worms affect Windows 2003? None that I know of. Even SQL doesn't count because Windows 2003 requires SQL Server 2000 SP3, which fixes the Slammer vulnerability.
As of right now, there isn't a single worm that's ever affected Windows 2003 AFAIK.
Uhh.. Be wasn't multi-user. Its SMP support was kickass though.
No, but he did more or less design Borland Turbo Pascal. Philippe Kahn, one of the founders of Borland, worked with Wirth and helped develop Pascal; Anders worked with Kahn to develop Turbo Pascal, a more "real world" version of Pascal that was useful for more than teaching.
No. It's more like 50% of the .NET platform *IS* an open standard. You really need to look at the specifications for the CLI and C# to see how extensive they are.
Things like Windows Forms, ASP.NET, etc.. make up only a smaller portion of it, and you don't have to use any of those, if you don't want to, to make viable open source software.
Also, MS has not publicly stated they intend to defend their intellectual property, though that is implied.
Finally, MS has granted a royalty free license to any patents they hold on the ECMA and ISO standard C# and CLI specifications. So no, they can't sue you for infringing patents that are covered by those standards.
Where's ANSI/ISO C#?
.NET
Right here
Where's ANSI/ISO
Right Here
You were saying?
We all know that OS/2 was better than Windows. Guess who won?
We do?
OS/2 wasn't portable. The PPC version was never finished. It suffered from a lot of other problems. It made no attempt to be secure. The same can be said for Windows 3.x and 9x, but MS had an (arguably) secure and portable version (NT) for those that needed it.
Sure, it was better than Windows 3.1, but Microsoft won largely on making Windows 3.x apps and device drivers work transparently with Windows 95. OS/2 kept the Windows 3.x look and feel, used enormous resources to run said apps, and was generally slow doing it. Finally, it wasn't compatible with OLE and ODBC when running in "isolated" mode.
OS/2 felt like it was bolted together out of spare parts. Its UI was over-complicated (though very powerful) and it also scared people off. Throw in problems like the OS2.ini corruption, the massive config.sys, the occasional reboot/crash cycle (where a bad app could crash the OS, was reloaded at startup, and caused the OS to crash again before you could do anything) and lots of people were left extremely frustrated by this "better" OS.
Then of course IBM itself wasn't committed to OS/2. Oh sure, it said it was, but various factions within IBM were not, specifically the PC division.
And finally, what OEM would buy an OS from their biggest competitor? Who wants to pay IBM to put themselves out of business? IBM would have been much better off to spin off OS/2 into its own company. This finally happened when ECS bought it out, but by then it was too late. It's still early-'90s technology.
It was a long string of failures on IBM's part, and successes (and certainly some questionable tactics as well, though they were only contributors to a rich tapestry of problems for OS/2) on MS's part, that caused OS/2 to become an also-ran.
While you're certainly within your rights to criticize the quality of his work, and your concern about the quality of submissions, I just don't think it's right to fabricate strawman excuses to back up your arguments.
If your argument is about quality, make it so. Don't blather about how he's making money in the process, since that's an entirely different issue, and one that there is largely nothing wrong with (when done legally within the rights of fair use).
The fact of the matter is,
a) he's bringing information to the attention of people that are interested in it, and probably wouldn't have found it otherwise.
b) So long as he's not violating fair use (and I'm not convinced that he is) then doing a) above is a service, even if he makes money in the process.
c) He is giving credit where credit is due, linking to the original articles, and generating traffic (and advertising revenue) for them as well. Chances are, he's generating more revenue than he might be taking away (from people that don't bother to follow the links) and thus isn't costing them anything.
I understand that he hasn't always been this good at giving credit and linking, but he appears to be doing so now, and that's all that's important.
They contain original content from him, even if they also contain unoriginal content. That makes them his articles.
Why are you creating strawman arguments like this?
I'm also not convinced there is any connection between Slashdot editors and Roland. Just because his stories get accepted doesn't mean anything. It simply could mean that he's discovered the trick to gaining a Slashdot editor's interest, and thus assuring approval.
In fact, nearly all of the articles I've submitted to Slashdot have been accepted as well. Maybe it's because a) I don't submit things that hundreds of other people do, b) I word my submissions in such a way as to pique interest and c) they contain content that is of interest to the editors.
Those 3 factors are enough to almost guarantee acceptance of any article that conforms to them, regardless of who they come from.
I still say, so long as he's not breaking copyright law (and it's not clear that he is, at least in the article we're talking about), and he's providing content of genuine interest to Slashdot visitors that they might not find otherwise, and he can figure out a way to make money doing it, more power to him.
That's not true at all. The Copyright Act makes no mention of whether commercial use is a factor in fair use. In fact, Slashdot reproduces exact text from other copyrighted sources all the time, and it's quite legal (and they make money off it).
You might want to read up on what fair use is before you jump to conclusions. Start here.
"In its most general sense, a fair use is any copying of copyrighted material done for a limited and "transformative" purpose such as to comment upon, criticize or parody a copyrighted work. Such uses can be done without permission from the copyright owner."
He's clearly commenting upon the information, adding his own comments; that falls in line with fair use. He is using a pretty large portion of the work, though, and it's possible that this would negate the fair use aspect, but that's largely a judgement call and I don't think anyone here is qualified to make that kind of legal judgement.
As far as I can tell, he only used a small portion of the articles from two different web sites, indicates that they are quotes (by quoting them), and provides links to the original content.
Your claim doesn't appear to stand up to scrutiny, at least on this particular article. Fair use allows this sort of thing.
He doesn't need it. Copyright law has a concept known as "fair use", which allows the copying of some content for various uses, and his use of it seems like fair use to me.
No, actually, it doesn't stand to reason at all. In fact, I'm not even sure I can see how you can jump to that conclusion.
Maybe he's just good at formatting his articles in such a way that he piques the interest of the editor. Maybe he's good at choosing content the editors like.
Slashdot doesn't usually edit articles. They would be much more likely to just reject an article rather than go through the work to track down the originals and rewrite the submission. They rely (mostly) on user submissions.
This whole conspiracy theory really makes no sense to me.
Frankly, I can't fathom why you're even concerned with this. Lots and lots of sites out there base their sole existence (and advertising revenue) on rehashing others' work. Slashdot is, in fact, one of those sites. Why should Cmdr Taco make so much money off merely linking to other sites' information, by your logic? Oh, sure, they provide a useful discussion forum on the topics, but so what? I'm certain Slashdot makes far more money than Roland does.
Frankly, the fact that he actually DOES get a lot of hits tells me that he's providing a useful service, and $80 an article does not seem like a lot of money (considering it probably takes him at least an hour or more to organize, maintain, and submit them).
I'm not in any way connected to him; in fact this is the first I've even heard about it. It just seems like such a non-issue to me and I can't fathom why you and others get your panties in a bunch over it. There are much more important things to worry about than whether some guy squeaks a few bucks off submitting articles that are clearly enjoyed by a large number of people visiting Slashdot.
Hell, I say good for Roland. If someone can make money AND provide a useful service to people like us, more power to you.
The yellow bar for popups and blocked XPI came before SP2.
Umm.. no. It came before the final release of SP2, but not before the beta releases, which is where the Mozilla devs got the idea from.
Well, that's just it. Once you go to JNI, all cross platform bets are off anyways so why not take advantage of machine architecture?
But that wasn't really the point anyways, I was simply providing a possible reason for going to native code for array or other kinds of processing.
Why the hell would you use JNI for array manipulation? Java actually competes with native code quite well at this sort of thing.
Integerwise, sure. But what if you want to use SIMD instructions (Altivec, SSE, etc..)?
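As an added illustration of the native-side array routine the last two comments are arguing about (not code from the thread or from any of the posters), here is an integer sum processed four lanes at a time with the GCC/Clang vector extension, which the compiler lowers to SSE2, NEON or AltiVec for whatever it targets, so the C source stays portable even though the machine code is not. It assumes GCC or Clang. The JNI glue (GetArrayLength, GetIntArrayElements, the matching Release call) is deliberately not shown; the function simply takes the pointer and length such glue would hand it. The security caveat a reviewer would raise is in the comments: once you cross into native code you have also left the JVM's bounds checking behind, so the length is the only thing keeping the loop inside the array.

```c
/* Added example (not from the original thread): a SIMD array routine of
 * the kind one might push to native code via JNI. Sums int32 values four
 * lanes at a time using the GCC/Clang vector extension. Assumptions:
 * GCC or Clang; the JNI glue that obtains `a` and `n` is omitted.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t v4u32 __attribute__((vector_size(16)));

/* Sum of n int32 values. Overflow wraps exactly like Java int arithmetic;
 * the work is done in unsigned so the wrap is well defined in C too. */
int32_t simd_sum_i32(const int32_t *a, size_t n) {
    /* No JVM bounds checks here: n is the only guard against reading past
     * the array, so the vector loop stops 4 short and the tail loop is
     * bounded by n explicitly. */
    v4u32 acc = {0, 0, 0, 0};
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        v4u32 v;
        memcpy(&v, a + i, sizeof v);   /* unaligned-safe 16-byte load */
        acc += v;                      /* one vector add = 4 lane adds */
    }
    uint32_t total = acc[0] + acc[1] + acc[2] + acc[3];
    for (; i < n; i++)                 /* scalar tail: the n % 4 leftovers */
        total += (uint32_t)a[i];
    return (int32_t)total;
}

/* Plain scalar version: the reference the SIMD path must agree with. */
int32_t scalar_sum_i32(const int32_t *a, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) total += (uint32_t)a[i];
    return (int32_t)total;
}

/* Constructed sample input (11 elements, so the tail loop handles 3). */
static const int32_t sample[] = { -5, 3, 100000, -99998, 7, 1, 2, 3, 4, 5, 6 };
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

int32_t demo_sum(void) { return simd_sum_i32(sample, SAMPLE_LEN); }

/* 1 if the SIMD and scalar paths agree on every prefix of the sample;
 * prefix lengths 0..11 exercise every possible tail size. */
int demo_paths_agree(void) {
    for (size_t n = 0; n <= SAMPLE_LEN; n++)
        if (simd_sum_i32(sample, n) != scalar_sum_i32(sample, n)) return 0;
    return 1;
}

/* Wrap-around check: INT32_MAX + 1 must give INT32_MIN, as in Java. */
int32_t demo_wrap(void) {
    const int32_t w[] = { INT32_MAX, 1, 0, 0, 0 };
    return simd_sum_i32(w, 5);
}
```

The vector loop is where the speed-up comes from; the tail loop and the `i + 4 <= n` bound are where native array code usually goes wrong, since an off-by-one there is an out-of-bounds read the JVM would have caught.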