That's more likely because of MS subtly changing stuff in IE to break Java every release than some fault of Sun's. Java 1.4 applets in Konqueror and Mozilla are rock-solid on my Linux system.
Yes, you're probably right- that does make a lot of sense. Mozilla doesn't have this problem on either OS. Except this version of IE was only updated last year and I downloaded Sun's new 1.4 J2SE SDK last week.
I suspect it's a combination of Microsoft playing games with the rendering components, and Sun being too busy coming up with new APIs instead of fixing the ones people are already using.
IT people are idiots. OK, some are idiots. Some IT guys are in it because they like computers. But the job seems to attract a lot of "guardian" personality types who enjoy the power they have to enforce arbitrary rules that don't need to make any sense. And their rules seem to apply to everyone but them. (Because they're the only ones who can be "trusted" with extra services, of course.) Sometimes the rules make sense. I can see filtering out .scr attachments at the mail server, for example. But I keep hearing stories where the IT people have no clue what the hell they're doing. I know one guy who got canned because the IT department where he worked said the copy of ZoneAlarm on his computer was a "hacking tool". (!)
I work at a great company- we have none of these pretender types around. We have one guy, and he doesn't go around uninstalling crap from people's machines and destroying their ability to get their job done just to satisfy a petty power trip. He has been dragging his feet a little on installing an Exchange server for management, but that's fine with us. :)
I can crash it by scrolling down to read the page, and then scrolling back up to play with the applet. It doesn't repaint correctly and I have to hit reload. This is with Sun's Java plugin, version 1.4, on IE 5.5. Incredible. It's been 6 years and they still can't make applets work.
Why is spam such a big deal? Why do Slashdotters go hog-wild and advocate violence against spammers, whose profession's name cannot be typed without heaps of disdain? They're just trying to make money, and it's really not that hard to delete the stuff.
I know you're trolling, but this is an argument I've heard from many people who are not trolls (such as legislators). Generally people confuse spam with a First Amendment issue, or view attacks on it as if laissez faire capitalism were at stake. Spam is a big deal because we are starting to drown in it. Spam traffic has been increasing exponentially. It doubles every X months (although I don't know offhand what X is). After 10X months, when you are receiving 1024 times as much of it as you are now, your ideological blinders might fall off.
Also, they're not "just trying to make money" if they're scamming people.
As soon as we start allowing the government to regulate commercial email, other, less welcome regulations are sure to follow, in the ostensible interest of national security, or justice, or any of the other stock government facades.
Unlike other "problems" the government is looking into (SSSCA, etc.), this is one that really does need fixing.
Ummm... SPAM is the most important issue? Yeah, to Slashdot geeks. Talk about limited perspective.
Yes, as opposed to those vitally important issues, like the fact that my computer lets me directly access bytes on my hard drive- even if this lets me use my computer to commit an intellectual property violation and share the latest Britney tracks with other freeloaders on the evil Internet. This is an unacceptable situation and needs a hamfisted legislative fix immediately. I certainly know my own life would be improved if I lived in a networked dystopia being nickel-and-dimed for every ounce of pleasure that enters my senses. This is a real hot issue with most voters who are seriously worried about not having access to a sufficient quantity of digital pay-per-view content.
Any of those issues are more important to me than SPAM. For your information, despite decades of debate over drilling in ANWAR, it still hasn't happened.
The prospect of ANWR drilling only became a serious possibility quite recently, but I guess you're right- the fact that people have been gabbing about it for decades means it will never happen. I wish more people had debated the possibility that someone might smash an airliner into a building. The tragic events of last year could have been so easily prevented!
(We won't even bring up that Alaskans, the constituents most affected by drilling in ANWAR, are more for it than lower-48 types.)
And the people who live closest to the rain forests in Brazil are more for burning it down than we are. (This isn't exactly your strongest argument, so I guess that's why you didn't "bring it up".)
How does that fit in with your theory that "What laws the congress considers and passes are controlled by campaign contributions"?
Of course. Elected officials are never influenced by money. They're all wise saints who are only looking out for the interests of their constituents! Finally someone in Congress is doing something that will allow me to protect my intellectual property assets. And they say nobody gives the little guy a break. Why, just last year, they passed a bankruptcy reform law that voters really wanted! It was so hard to get a credit card offer before that law passed- now it's a lot easier! Thanks, Congress!
As much as I enjoy seeing Microsoft get negative publicity, maybe the Airforce should evaluate their own security practices... I mean, wasn't the Lovebug an email attachment virus? Couldn't a relevant security policy have changed this?
The Air Force shouldn't be using Outlook. How did the worst possible email client get deployed in the Air Force? It's a platform for launching viruses and worms. (You can also read your email with it.) Users should be able to click on an email attachment- hell, they should be able to view the email in a preview pane- without having to worry that it might propagate a worm. Period. Anyone who thinks otherwise shouldn't be let anywhere near a compiler.
Using Outlook is inherently risky. Our company has standardized on it for some reason (it comes with Office is why, I guess) and our network admin is resisting whiny requests from management for an Exchange server. Just last week someone using Outlook clicked on an .scr attachment he got from a guy he exchanged business cards with at a conference. Well, as soon as he did that, the .scr went out to every single one of our customers. ("Hey, c'mere, what's an .scr file supposed to do?") Serves us right, I guess.
If I were a four star general and that happened to me, I'd want to drop a daisy cutter on the Microsoft campus.
I have to agree- it's a great day for pi on Slashdot tonight. I think any transcendental constant can be proud that its post turned out to be someone trying to pound some sense into a creationist.
Of course, to be honest you should round up, because pi is actually closer to 3.141593 than it is to 3.141592. But post 3141593 was posted at 3:15 and not 3:14 AM, which clearly makes this one the winner.
What kind of dope are YOU SMOKING? The Magellanic clouds are 160,000 light-years from the earth.
I guessed 500000 light years would get you at least as far as the Magellanic clouds. If they're 160000 light years away then I pegged it within one order of magnitude, which is a hell of a lot better than being off by three. And the Milky Way has about a dozen dwarf satellite galaxies that are up to 830,000 light years away.
From the article: The next member of the gang expected to go supernova is Antares, which at almost 500,000 light-years away is too distant to rattle our planet, they say.
What kind of dope are these astronomers smoking? Antares is 500 light years away.
Still quite distant, but 500000 light years will place you well outside the Milky Way. It's about as far as the Magellanic clouds.
If you've ever driven by houses with televisions near windows when the tv is on, you usually see a blue room.
It's trivially simple to figure out what someone is watching by looking at the glow coming out their window. The best place to see this is near a high rise retirement complex full of old people. I don't know what happens to you as you get older, but it seems that the older you get, the more likely you are to watch TV with no other lights on in the room. After watching for about thirty seconds, you can tell which rooms have TV sets tuned to the same channels. It's fascinating and depressing at the same time. The best observation times are Sunday evenings. When 60 Minutes and Touched by an Angel are on, almost all the windows in any retirement complex become synchronized and light up or go dark all at once.
This isn't a fatal flaw with the idea at all. In fact, if this happened, it would mean the guy who wrote the mail server was a nitwit because he didn't take the most obvious precautions to prevent loops. There are several trivial ways to do it:
Keep a list of servers that you're currently in the process of validating. If a relay check request arrives from one of them, send a response without bothering to send out a redundant second relay check request (this is just common sense). This would always stop the loop on its second hop.
OR
- Get request from server X
- Check to see if X appears in local cached list of blacklisted servers.
- If not on list, generate random number t between 0 and 1.
- If t is below some fixed threshold, open connection to X to check for open relay. If t is above the threshold, just forward the email even though it might be spam.
- If X is found to be an open relay, add X to blacklist. Otherwise forward the email.
Loops would still occur but they would go extinct fairly quickly. Some spam would get through at the beginning but a torrent coming from a single relay would get that relay added to the blacklist cache almost immediately.
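The two loop-prevention approaches from the comment above, as an added simulation that is not part of the original post. The MailServer class, the .example host names and the modelling of a relay probe as an ordinary inbound request to the peer are assumptions made for illustration.

```python
import random


class HopLimit(Exception):
    """Raised when the simulated probe chain reaches the safety cap."""


class MailServer:
    def __init__(self, name, open_relay=False, threshold=0.3, seed=0):
        self.name = name
        self.open_relay = open_relay    # would this host relay for anyone?
        self.threshold = threshold      # chance of probing a given sender
        self.rng = random.Random(seed)  # seeded so runs are repeatable
        self.in_progress = set()        # senders currently being validated
        self.blacklist = set()          # cached list of known open relays
        self.probes_sent = 0

    def _probe(self, sender, handler, hops):
        # To the sender, our probe is just another inbound connection,
        # so it runs the sender's own request handler (simplified model).
        self.probes_sent += 1
        handler(sender, self, hops + 1)
        if sender.open_relay:
            self.blacklist.add(sender.name)
            return False
        return True

    def naive(self, sender, hops=0, max_hops=50):
        # No precautions: every request triggers a probe, which triggers
        # a probe back, and so on until the cap stops the simulation.
        if hops >= max_hops:
            raise HopLimit(hops)
        return self._probe(sender, MailServer.naive, hops)

    def guarded(self, sender, hops=0):
        # First approach: remember who is being validated right now.
        if sender.name in self.blacklist:
            return False
        if sender.name in self.in_progress:
            return True  # answer without a redundant second probe
        self.in_progress.add(sender.name)
        try:
            return self._probe(sender, MailServer.guarded, hops)
        finally:
            self.in_progress.discard(sender.name)

    def sampled(self, sender, hops=0):
        # Second approach: probe only a random fraction of requests.
        if sender.name in self.blacklist:
            return False
        if self.rng.random() >= self.threshold:
            return True  # forward unchecked, even though it might be spam
        return self._probe(sender, MailServer.sampled, hops)


def run_naive():
    """Hops reached before the cap when nothing prevents the loop."""
    a, b = MailServer("a.example"), MailServer("b.example")
    try:
        a.naive(b)
    except HopLimit as stop:
        return stop.args[0]
    return 0


def run_guarded():
    """(mail accepted?, total probes) with the in-progress list."""
    a, b = MailServer("a.example"), MailServer("b.example")
    accepted = a.guarded(b)
    return accepted, a.probes_sent + b.probes_sent


def run_sampled(messages=200):
    """A torrent from one open relay against a sampling server."""
    mx = MailServer("mx.example", seed=1)
    relay = MailServer("relay.example", open_relay=True, seed=2)
    delivered = sum(mx.sampled(relay) for _ in range(messages))
    return delivered, relay.name in mx.blacklist, mx.probes_sent


if __name__ == "__main__":
    print("naive hops before cap:", run_naive())
    print("guarded (accepted, probes):", run_guarded())
    print("sampled (spam delivered, blacklisted, probes):", run_sampled())
```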
From reading the article, it seems that this is a win32 worm that patches security components in the .NET runtime before running a damaging .NET application. A program similar to this written in Java would have several disadvantages:
1. It has no natural vector. Outlook serves well as a vehicle for socially engineered worms/viruses because it automates the execution of mobile code that arrives in attachments. The recipient only has to click on an attachment, and there is no way to know what it does unless you already know what it is. People using non-MS mail clients have to save an .EXE to disk and then manually run it.
2. The JRE doesn't have Microsoft's assistance in getting onto every shmoe's machine out there. While XP doesn't currently have .NET support, this situation won't last long. Soon everyone will have a .NET runtime on their machine whether they're aware of it or not. And, these will be the same machines that are running Outlook.
3. The security concerns surrounding Java and C# are quite similar. Either runtime can have a patch applied by wily native code. However, the average target machine will not have a JRE simply because it's a non-MS technology- it's not "part of the OS". (You won't find the old MS JVM on an XP machine.) If it does have a JRE, it will be deployed in the arbitrary directory that the user installed it into, which is unknown to the worm code unless it scans the disk. IIRC Microsoft puts the .NET runtime components in well-known places so this isn't a problem when making hostile C# patches. A worm written in Java would probably have to lug around its patched JRE with it- making it too heavy to spread very far.
4. The people who write worms won't pay any attention to Java as long as C# is around. :)
Of course, if the executable is running with no security manager in place, you can do whatever you want even if the runtime isn't patched. I can write a Java class that does a Runtime.exec() of anything I want, and send it to you. If you execute it as an application, it has no problems. I don't know personally what security constraints are placed on C# arriving in an Outlook attachment, but I can imagine they would be roughly similar to the constraints browsers place on applets. The fact that security constraints can't easily be placed on incoming native code, and the fact that the .NET runtime is so easy to patch using a little native code, means that MS has to seriously rethink its strategy of what types of mobile code are allowed to run.
lojack is to unix as an idling car in south central LA is to microsoft
That makes no sense. Car theft and security have no direct logical relationships with computer operating systems. Your analogy is twisted out of shape. You should have said "unix is to microsoft as lojack is to idling a car in south central LA."
Re:Should I send this to my congressmen? on SSSCA Hearing · Score: 2
Currently-existing devices would not become illegal... just useless. Like owning a Betamax camcorder with no video-out jack. Sure, you could record a movie; but your new, Big Brother TV wouldn't allow you to play it back. So buy a TV before the law takes effect, and guard it like it's one of your children. TV repairmen everywhere are rejoicing! The SSSCA just might bring back the lost art of television repair.
Clearly, the idea of being able to add an extra few years to the lives of our lab PCs is very attractive... Just buy a really nice computer right before the SSSCA is signed into law. It will be state of the art technology for the next fifty years!
Yeah, selling software is great... from the perspective of someone who knows nothing about the business. First you have to employ programmers, who are known to be independent-minded and "difficult."
Difficult programmers? (That's a problem?) Please. I am a programmer, so I take offense at both your generalizations. :) You haven't refuted my point that selling software is better than selling airplanes. If an airplane comes apart in flight, and the flaw was even theoretically foreseeable, you expose yourself to incredible liability. I wouldn't want to be in the airplane business, or any "real" industry. It looks like a good way to get an ulcer. People in the software world like to fancy themselves as being in a real manufacturing business as opposed to a service-based one, until the topic of legal liability comes up. Then we suddenly view our position much more clearly.
Now... should software companies be liable for damages from bugs? I think it depends on the intended use of the product and the seriousness of the bug. Medical, military, and government software should at least be well-tested and well-written. But a bug that wipes out a user's save files for Bobo the Monkey III should not even be legally actionable.
Well that's reasonable, but those are two extremes. Nuclear, aerospace, medical, and military software is generally integrated into and viewed as a part of a larger physical system. If a microcontroller in an airplane has a software problem and feeds wrong information to an actuator on the plane causing a crash, you expose yourself to liability as a seller of a faulty airplane, not a faulty software program. Software that isn't sold as part of a larger machine with real physical parts doesn't have this problem. The shrinkwrap around a software box (and the EULA wrapper around the disk) is like an armor against lawsuits.
Microsoft products have various back doors like the buffer overflow that Code Red exploited, but they also have front doors and that's just incredible and inexcusable! Outlook has an intentional feature where it automatically executes VBA code contained in an attachment when you open it. This allows worms to flood the Internet on a regular basis, without even having to do hackish back-door stuff like overflowing a buffer. But it's not really a bug, it's a feature that wasn't well thought out. Someone wasn't using their head. All of Office suffers from feature creep and they don't think things through as they shovel thousands of questionable features into their software. (Maybe I lead a sheltered life, but I have yet to hear of anyone sending a legitimate VBA script via an Outlook attachment. Have you?) Incredibly, for all the monetary damage those worms have caused, Microsoft has suffered only a little humiliation. It has exposed itself to no product liability at all. If Microsoft sold airplanes, or medical equipment, or solid rocket boosters, they'd be out of business by now. Their workmanship is just too mediocre for anything except software.
Selling software is great. Compared to someone selling a real physical product like spark plugs, you legally retain much more extensive control over how your product can be used even after you've sold it. This is because of the enhanced rights you get as a holder of intellectual property as opposed to real property. But even though you can dictate to people the conditions under which they can use your software, if anything goes wrong, the product liability risk you expose yourself to as a seller of software is zero!
You missed my point. My point was: We're not generating anything more than what we already have.
If you're just going to bean-count atoms without giving any thought to the compounds they're in, that's correct. But it's not a meaningful perspective. Atoms can be in reactive or inert forms. There are a few elements that are environmentally dangerous in whatever form they're in (mostly the radioactive stuff). The great majority are OK in some forms and not in others. Only one element (helium) is never toxic. And it's the only one that eventually floats away and leaves the planet.
Phosphorus is 1-2% of your body weight, and forms part of the DNA backbone. But it's always in the form of phosphate (PO4---). Take the oxygens off it, and 50 mg will kill you. Oxygen in the form of ozone can kill you if you breathe it in. Nitrogen and oxygen can combine to create quite a few nasty gases. When it's in the form of cinnabar (HgS), mercury is certainly dangerous but at least it has low solubility and can sit around for billions of years without leaching. (In sulfur containing environments, HgS is an important sink for mercury.) Although mercuric salts are toxins and have long been used in detective stories to kill people, mercurous chloride can be used as a laxative! When elemental mercury sinks down into deep places at the bottoms of lakes and wells, bacteria there get rid of it by methylating it- and then it starts causing serious trouble.
Environmentally, a computer is probably the most dangerous thing you own. They're chock full of all kinds of weird metals and halogenated flame retardant crap. And no matter how nice it is, you're eventually going to throw it away. When recycling computers, I believe what they do is chop everything up in a grinder, and then they blast the stuff in a furnace until it's all oxides of things. Then they mix in a binder, and they make "cakes" out of it that look a bit like cinder blocks. When it's been bound up this way, its environmental impact is minimal.
Well, if they did it right, it would be a natural step to take to combat spam. Of course, though, if they do pass laws about spam, they'll do it wrong, with a law that:
- Exempts a subset of spammers that includes all members of the DMA
- Has intended or unintended consequences for other, legitimate uses of email
- Has attached riders written by MPAA/RIAA lobbyists that criminalize a number of other things
- Spells out details of what should be in a valid SMTP header, thus creating a specification for legal spam (like the "ADV" subject line) that gives spammers a free pass, and that prohibits any further development or modification of the protocol
- Allows the government to snoop on port 25 traffic if they so choose (oh wait, we have that law already, don't we?)
- Places limitations on an ISP's liability if it becomes a spamhaus (unless it's a small ISP with no significant campaign contributions)
- Clamps down on alternative solutions that ire spamhauses ("now that we have these great laws, you shouldn't need those filters/blacklists/honeypots")
- Allows spammers to sue for damages if their packets are blocked or they are "falsely accused" (as larger companies start showing interest in spamming, you can bet on this)
Such legislation would naturally be approached from the angle of "Hmm, how can we turn this into a gift to corporations?"
When you think about it, programming and legislating are a lot alike. Programs have bugs, and laws have loopholes. The people in Congress look like they would make lousy programmers.
I knew after I clicked "Submit" that the lack of a smiley face on that last statement would come back to bite me in the ass. It was a jooooke.
Everyone knows Ford makes dangerous cars. But you don't boycott a company because it makes inferior products- that isn't really a boycott. If you didn't drive a Ford because of the courtroom antics they play with the First Amendment, that would be more like it.
Ah. You just gave me a new idea. Instead of going after spammers, we pass a law that makes it a felony to respond to spam. Then the cops send out a spam email advertising credit repair, longer lasting orgasms, free DVD copy software, etc. When this "one person in a million" responds to the email, we get to watch the police bust down their doors on "COPS". This would not solve the spam problem but it would make for great TV.
This was an incredibly stupid miscalculation. If you run a company that makes a living off the disposable cash of geeks, you don't use the Digital Millennium Copyright Act to shut down a SourceForge project! They might as well shrinkwrap their games in flashy packaging that says "Boycott us!" Anybody who uses the DMCA for anything is getting lots of hostile attention. Using such a hated law to attack your own customers is pretty risky for such an easily boycottable company. I hope they've all been polishing their resumes.
I'm going to stick to the moral high ground, and never play another Blizzard game again unless it's a pirated version.
Yeah but that's ionic chloride. A "ban on all use of compounds containing chlorine" would not include chloride salts or inorganic chlorine like bleach. It would be more like a ban on covalent bonds between carbon and chlorine, which rarely if ever occur in nature and are stable enough to persist for centuries.
I think they settled it this way: Whenever B&N makes a sale through a one-click, Amazon loses money.
This isn't a fatal flaw with the idea at all. In fact, if this happened, it would mean the guy who wrote the mail server was a nitwit because he didn't take the most obvious precautions to prevent loops. There are several trivial ways to do it:
Keep a list of servers that you're currently in the process of validating. If a relay check request arrives from one of them, send a response without bothering to send out a redundant second relay check request (this is just common sense). This would always stop the loop on its second hop.
OR
- Get request from server X
- Check to see if X appears in local cached list of blacklisted servers.
- If not on list, generate random number t between 0 and 1.
- If t is below some fixed threshold, open connection to X to check for open relay. If t is above the threshold, just forward the email even though it might be spam.
- If X is found to be an open relay, add X to blacklist. Otherwise forward the email.
Loops would still occur but they would go extinct fairly quickly. Some spam would get through at the beginning but a torrent coming from a single relay would get that relay added to the blacklist cache almost immediately.
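Both options from the comment above, modelled as a toy simulation. This is an added example, not part of the original post: the `MailServer` class, its method names and the depth cap of 50 are assumptions made for illustration, and the servers are constructed in memory rather than talking SMTP.

```python
import random

class MailServer:
    """Toy model (constructed) of a server that probes senders for open relaying."""
    def __init__(self, name, rng, open_relay=False, threshold=1.0):
        self.name, self.rng, self.open_relay = name, rng, open_relay
        self.threshold = threshold   # fraction of unknown senders that get probed
        self.in_flight, self.blacklist = set(), set()  # peers being validated; cached relays
        self.probes = 0

    def probe(self, peer, depth, track):
        # The probe reaches the peer like any other request, so the peer may probe back.
        self.probes += 1
        self.in_flight.add(peer.name)
        try:
            peer.receive(self, depth + 1, track)
            return peer.open_relay
        finally:
            self.in_flight.discard(peer.name)

    def receive(self, sender, depth=0, track=True):
        if depth > 50:               # assumed cap so the unprotected case terminates
            raise RecursionError("relay-check loop")
        if sender.name in self.blacklist:
            return "rejected"
        if track and sender.name in self.in_flight:
            return "forwarded"       # option 1: answer without a second probe
        if self.rng.random() < self.threshold:   # option 2: probe only sometimes
            if self.probe(sender, depth, track):
                self.blacklist.add(sender.name)
                return "rejected"
        return "forwarded"

def mutual_check(track, threshold, seed=1):
    """Two servers that validate each other; returns (outcome, total probes sent)."""
    rng = random.Random(seed)
    a, b = (MailServer(n, rng, threshold=threshold) for n in "ab")
    try:
        outcome = a.receive(b, track=track)
    except RecursionError:
        outcome = "loop"
    return outcome, a.probes + b.probes

def messages_until_blacklisted(threshold, seed=1, limit=1000):
    """Number of messages an open relay sends before the cache rejects it."""
    rng = random.Random(seed)
    mx = MailServer("mx", rng, threshold=threshold)
    relay = MailServer("relay", rng, open_relay=True, threshold=0.0)
    return next((n for n in range(1, limit + 1) if mx.receive(relay) == "rejected"), None)
```

With the in-flight list, `mutual_check(True, 1.0)` ends after two probes; with neither safeguard it runs until the depth cap, and with a threshold below 1 the chain of probes dies out on its own.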
From reading the article, it seems that this is a win32 worm that patches security components in the .NET runtime before running a damaging .NET application. A program similar to this written in Java would have several disadvantages:
1. It has no natural vector. Outlook serves well as a vehicle for socially engineered worms/viruses because it automates the execution of mobile code that arrives in attachments. The recipient only has to click on an attachment, and there is no way to know what it does unless you already know what it is. People using non-MS mail clients have to save an .EXE to disk and then manually run it.
2. The JRE doesn't have Microsoft's assistance in getting onto every shmoe's machine out there. While XP doesn't currently have .NET support, this situation won't last long. Soon everyone will have a .NET runtime on their machine whether they're aware of it or not. And, these will be the same machines that are running Outlook.
3. The security concerns surrounding Java and C# are quite similar. Either runtime can have a patch applied by wily native code. However, the average target machine will not have a JRE simply because it's a non-MS technology- it's not "part of the OS". (You won't find the old MS JVM on an XP machine.) If it does have a JRE, it will be deployed in the arbitrary directory that the user installed it into, which is unknown to the worm code unless it scans the disk. IIRC Microsoft puts the .NET runtime components in well-known places so this isn't a problem when making hostile C# patches. A worm written in Java would probably have to lug around its patched JRE with it- making it too heavy to spread very far.
4. The people who write worms won't pay any attention to Java as long as C# is around. :)
Of course, if the executable is running with no security manager in place, you can do whatever you want even if the runtime isn't patched. I can write a Java class that does a Runtime.exec() of anything I want, and send it to you. If you execute it as an application, it has no problems. I don't know personally what security constraints are placed on C# arriving in an Outlook attachment, but I can imagine they would be roughly similar to the constraints browsers place on applets. The fact that security constraints can't easily be placed on incoming native code, and the fact that the .NET runtime is so easy to patch using a little native code, means that MS has to seriously rethink its strategy of what types of mobile code are allowed to run.
lojack is to unix as an idling car in south central LA is to microsoft
That makes no sense. Car theft and security have no direct logical relationships with computer operating systems. Your analogy is twisted out of shape. You should have said
"unix is to microsoft as lojack is to idling a car in south central LA."
Currently-existing devices would not become illegal... just useless. Like owning a Betamax camcorder with no video-out jack. Sure, you could record a movie; but your new, Big Brother TV wouldn't allow you to play it back.
So buy a TV before the law takes effect, and guard it like it's one of your children. TV repairmen everywhere are rejoicing! The SSSCA just might bring back the lost art of television repair.
Clearly, the idea of being able to add an extra few years to the lives of our lab PCs is very attractive...
Just buy a really nice computer right before the SSSCA is signed into law. It will be state of the art technology for the next fifty years!
Yeah, selling software is great... from the perspective of someone who knows nothing about the business. First you have to employ programmers, who are known to be independent-minded and "difficult."
:)
Difficult programmers? (That's a problem?) Please. I am a programmer, so I take offense at both your generalizations.
You haven't refuted my point that selling software is better than selling airplanes. If an airplane comes apart in flight, and the flaw was even theoretically foreseeable, you expose yourself to incredible liability. I wouldn't want to be in the airplane business, or any "real" industry. It looks like a good way to get an ulcer. People in the software world like to fancy themselves as being in a real manufacturing business as opposed to a service-based one, until the topic of legal liability comes up. Then we suddenly view our position much more clearly.
Now... should software companies be liable for damages from bugs? I think it depends on the intended use of the product and the seriousness of the bug. Medical, military, and government software should at least be well-tested and well-written. But a bug that wipes out a user's save files for Bobo the Monkey III should not even be legally actionable.
Well that's reasonable, but those are two extremes. Nuclear, aerospace, medical, and military software is generally integrated into and viewed as a part of a larger physical system. If a microcontroller in an airplane has a software problem and feeds wrong information to an actuator on the plane causing a crash, you expose yourself to liability as a seller of a faulty airplane, not a faulty software program. Software that isn't sold as part of a larger machine with real physical parts doesn't have this problem. The shrinkwrap around a software box (and the EULA wrapper around the disk) is like an armor against lawsuits.
Microsoft products have various back doors like the buffer overflow that Code Red exploited, but they also have front doors and that's just incredible and inexcusable! Outlook has an intentional feature where it automatically executes VBA code contained in an attachment when you open it. This allows worms to flood the Internet on a regular basis, without even having to do hackish back-door stuff like overflowing a buffer. But it's not really a bug, it's a feature that wasn't well thought out. Someone wasn't using their head. All of Office suffers from feature creep and they don't think things through as they shovel thousands of questionable features into their software. (Maybe I lead a sheltered life, but I have yet to hear of anyone sending a legitimate VBA script via an Outlook attachment. Have you?) Incredibly, for all the monetary damage those worms have caused, Microsoft has suffered only a little humiliation. It has exposed itself to no product liability at all. If Microsoft sold airplanes, or medical equipment, or solid rocket boosters, they'd be out of business by now. Their workmanship is just too mediocre for anything except software.
Selling software is great. Compared to someone selling a real physical product like spark plugs, you legally retain much more extensive control over how your product can be used even after you've sold it. This is because of the enhanced rights you get as a holder of intellectual property as opposed to real property. But even though you can dictate to people the conditions under which they can use your software, if anything goes wrong, the product liability risk you expose yourself to as a seller of software is zero!
Why does anyone even try to sell anything else?
You missed my point. My point was: We're not generating anything more than what we already have.
If you're just going to bean-count atoms without giving any thought to the compounds they're in, that's correct. But it's not a meaningful perspective. Atoms can be in reactive or inert forms. There are a few elements that are environmentally dangerous in whatever form they're in (mostly the radioactive stuff). The great majority are OK in some forms and not in others. Only one element (helium) is never toxic. And it's the only one that eventually floats away and leaves the planet.
Phosphorus is 1-2% of your body weight, and forms part of the DNA backbone. But it's always in the form of phosphate (PO4---). Take the oxygens off it, and 50 mg will kill you. Oxygen in the form of ozone can kill you if you breathe it in. Nitrogen and oxygen can combine to create quite a few nasty gases. When it's in the form of cinnabar (HgS), mercury is certainly dangerous but at least it has low solubility and can sit around for billions of years without leaching. (In sulfur containing environments, HgS is an important sink for mercury.) Although mercuric salts are toxins and have long been used in detective stories to kill people, mercurous chloride can be used as a laxative! When elemental mercury sinks down into deep places at the bottoms of lakes and wells, bacteria there get rid of it by methylating it- and then it starts causing serious trouble.
Environmentally, a computer is probably the most dangerous thing you own. They're chock full of all kinds of weird metals and halogenated flame retardant crap. And no matter how nice it is, you're eventually going to throw it away. When recycling computers, I believe what they do is chop everything up in a grinder, and then they blast the stuff in a furnace until it's all oxides of things. Then they mix in a binder, and they make "cakes" out of it that look a bit like cinder blocks. When it's been bound up this way, its environmental impact is minimal.
Well, if they did it right, it would be a natural step to take to combat spam. Of course, though, if they do pass laws about spam, they'll do it wrong, with a law that:
- Exempts a subset of spammers that includes all members of the DMA
- Has intended or unintended consequences for other, legitimate uses of email
- Has attached riders written by MPAA/RIAA lobbyists that criminalize a number of other things
- Spells out details of what should be in a valid SMTP header, thus creating a specification for legal spam (like the "ADV" subject line) that gives spammers a free pass, and that prohibits any further development or modification of the protocol
- Allows the government to snoop on port 25 traffic if they so choose (oh wait, we have that law already, don't we?)
- Places limitations on an ISP's liability if it becomes a spamhaus (unless it's a small ISP with no significant campaign contributions)
- Clamps down on alternative solutions that ire spamhauses ("now that we have these great laws, you shouldn't need those filters/blacklists/honeypots")
- Allows spammers to sue for damages if their packets are blocked or they are "falsely accused" (as larger companies start showing interest in spamming, you can bet on this)
Such legislation would naturally be approached from the angle of "Hmm, how can we turn this into a gift to corporations?"
When you think about it, programming and legislating are a lot alike. Programs have bugs, and laws have loopholes. The people in Congress look like they would make lousy programmers.
No wonder I think they're evil.
I knew after I clicked "Submit" that the lack of a smiley face on that last statement would come back to bite me in the ass. It was a jooooke.
Everyone knows Ford makes dangerous cars. But you don't boycott a company because it makes inferior products- that isn't really a boycott. If you didn't drive a Ford because of the courtroom antics they play with the First Amendment, that would be more like it.
Ah. You just gave me a new idea. Instead of going after spammers, we pass a law that makes it a felony to respond to spam. Then the cops send out a spam email advertising credit repair, longer lasting orgasms, free DVD copy software, etc. When this "one person in a million" responds to the email, we get to watch the police bust down their doors on "COPS". This would not solve the spam problem but it would make for great TV.
This was an incredibly stupid miscalculation. If you run a company that makes a living off the disposable cash of geeks, you don't use the Digital Millennium Copyright Act to shut down a SourceForge project! They might as well shrinkwrap their games in flashy packaging that says "Boycott us!" Anybody who uses the DMCA for anything is getting lots of hostile attention. Using such a hated law to attack your own customers is pretty risky for such an easily boycottable company. I hope they've all been polishing their resumes.
I'm going to stick to the moral high ground, and never play another Blizzard game again unless it's a pirated version.
Yeah but that's ionic chloride. A "ban on all use of compounds containing chlorine" would not include chloride salts or inorganic chlorine like bleach. It would be more like a ban on covalent bonds between carbon and chlorine, which rarely if ever occur in nature and are stable enough to persist for centuries.