Slashdot Mirror


User: MillionthMonkey

MillionthMonkey's activity in the archive.

Stories
0
Comments
4,122
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 4,122

  1. Outlook worms don't use vulnerabilities at all on Virus Cost Estimate For 2001 Tops $10 Billion · · Score: 2, Insightful
    This is how an Outlook worm spreads:
    1. The worm arrives in an email, containing a vague subject and body written in questionable English, urging the recipient to open the attachment which contains an executable copy of the worm itself.
    2. Outlook, with Windows in its default setting, hides the executable nature of the attachment, by removing the real extension of the filename (in a typical MS attempt to make its OS "friendlier" by withholding as much critically vital information as possible from users). So "clickonme.gif.vbs" is shown to the user as "clickonme.gif".
    3. Once the user opens the attachment, Outlook executes the attachment in a method appropriate for the (hidden) extension.
    4. The worm code opens the address book and harvests a list of email addresses from it.
    5. The worm constructs a new email message, containing a vague subject and body written in questionable English, urging the recipient to open the attachment which contains an executable copy of the worm itself.
    6. The worm emails this message to all the target recipients.
    7. At this point the worm is free to execute whatever payload it contains, which might do nothing, delete files, install a back door, etc.


    At no point in this process does it rely on anything in Outlook that can be really called an "exploit", like a buffer overflow bug. Outlook itself is the exploit. The worm doesn't need to do anything that Microsoft hadn't planned for people to be able to do. There is only one step in this process that relies on human frailty. The rest of it is simple API calls to functionality that Bill and Co. decided to make available to executable email attachments. Outlook (anything that uses Microsoft's "Windows Scripting Host") is excellently designed to host worms and provide services to them as they infect a network.

    Windows does give you a warning when you are about to open something that has executable content in it (HTML with JavaScript, Excel documents with VBA scripts, etc.). Microsoft has seen fit to cram executable content into so many different file types that every single attachment you ever open from anybody gives you this warning. It's like the boy who cried wolf. But this is the extent to Microsoft's approach to security. It doesn't stretch much further than the "hey, do you want me to run this?" dialog box (if they even give you that). They just don't take security seriously at all.

    Now Microsoft is not full of stupid people. The decision to include executable content in emails must have raised alarm bells concerning security. They must have realized the vulnerable state they were putting everyone in. And how did they handle it? By reprogramming their OS and application suites to properly implement security and handle code from unknown sources with the appropriate level of caution? No, that would be too much work, and then people might complain that the security was getting in their way. So this is how they handle it: they put in a dozen lines of code that show you that little ubiquitous dialog box (unless you've checked "never show this dialog box again" on it before), and they extract a boolean from your confused and sorry ass. Then they branch there. If anything bad happens now, it's your fault.
  2. Selling kitty litter online is a better idea on Future of Digital Music in Doubt · · Score: 4, Interesting

    We've all heard of that dumb dotcom that went broke after they found people would not buy kitty litter over the web. Now music is definitely easier to deliver over the internet than a 20 pound bag of kitty litter, which cannot be sent using TCP/IP. With kitty litter, your cat continues to make a mess while the UPS guy leaves little yellow notes on your door after not ringing the doorbell. This is the biggest advantage that online music has over online kitty litter. Is that enough to save online music from suffering the same fate?

    Well, maybe. The kitty litter doesn't suddenly refuse to clump up if you move it to another litterbox. It doesn't "lock up" and cease to cover odors if you get a new cat. You can use a batch of kitty litter for about twice the amount of time that you're "supposed" to (if there are no women in your household). And, you can stock up on kitty litter- getting 5 or 6 bags- without having to worry about the last few bags not working by the time you need them because of some stupid preprogrammed time limit that is backed up by the force of law. And you need kitty litter if you have a cat. Nobody really needs Britney Spears.

    What makes them think they're going to pull this off?

    I'm not going to pay money for anything that is more crippled than an MP3. (And if I find that I've bought a crippled CD, I will return it and give up on buying newly released CDs from then on unless I know it's a real Redbook CD.) I have enough crap to deal with in my life. I don't want to have to worry about timebombs and player restrictions on each of a thousand songs in a collection. Are they nuts? I'd have to hire someone to keep track of my frigging music collection! Can you imagine planning a party, or an outing to the beach, and having to worry about how many players each of your CDs has been played in, and whether or not it will refuse to play in your new Walkman CD player that you just bought? CDs would go the way of the laserdisc if they worked like that.

    I predict these greedy bozos will lose billions in their own version of a dotcom meltdown before they realize that people will simply not allow themselves to be sodomized for the privilege of buying music online.

  3. So you'd rather listen to a Clear Channel station? on Future of Digital Music in Doubt · · Score: 1

    With some tech making minimum wage, piping a broadcast signal of boy-band crap to transmitters in 50 different cities? Well at least they'll customize the radio commercials for you, so you can find out where all the failing discos and overpriced dating services are in your local area. Lucky bastard, you.

  4. Selling HAMMERS is not a civil right either on Sklyarov Indicted · · Score: 1

    What is a "burglary tool" anyway, genius? Are there no other uses for "burglary tools" (i.e. screwdrivers, crowbars, computers, etc.) than committing burglaries?
    I'm sure you could do something illegal, with, say, Windows XP. Ban it.

  5. Jesus must be rolling in his grave! on Controversial Cosmologist Fred Hoyle Dies At 86 · · Score: 1

    The real irony is that there is a commandment prohibiting lying, and Christians are the biggest liars on the planet when it comes to flat-out denial of simple (and subtle) truths. I bet more lies have been told on behalf of Jesus than anyone else in history.

    At least when Saudi religious officials declare a fatwa that the earth is flat because the Koran says so, you get the feeling that they're going through the motions and don't really believe this stuff.

  6. You don't know what a theory is, do you? on Constants Not Constant? · · Score: 1

    Wishful thinking has nothing to do with it.

  7. Straw Man Argument on Constants Not Constant? · · Score: 1

    The perceived "bias" of scientists against creationsim is strictly based on the profound lack of any supporting evidence for it. If anyone discovers something that can be considered "evidence" for creationism- like an ark on a mountain- then we will have to take creationism seriously! We wouldn't merely tell you that "you cannot use this new evidence". Science is not another religion. In fact this would be very exciting, because if creationsim has any truth in it at all, then an elaborate theoretical tapestry of hundreds of long-accepted scientific ideas would have to be discarded. Constructing a replacement framework to explain your new evidence would involve lots of papers and research funding. So this would be a good thing.
    But for science to just throw away centuries of established theories, you're going to have to fork over some real evidence. All we ever get are wishful thinking, appeals to emotion, appeals to ignorance, and Bible passages.

    What would stop me from doing the same thing to you with your "evidence" for evolutionism?
    A number of things will stop you. For example, the mere fact that the evidence exists is a huge blow to you. The sheer volume of it doesn't help you much either. :)

  8. Why I hate creationists on Constants Not Constant? · · Score: 1

    Here is a typical creationist argument:
    The earth's magnetic field has decayed 7% since 1829. Assuming that the decay is exponential, we find that the field energy becomes increasingly large the further back you go in time. We can set a rough maximum to the initial energy from basic physical considerations, which limits the age to roughly 10,000 years.
    Here is a similar argument:
    Today's minimum temperature was 25 degrees C. Yesterday's was 24 degrees C. Assuming the temperature increase is uniform with time, we see that the earth's temperature was absolute zero a mere 298 days ago, which is not as much time as evolution requires. So evolution is false. ANYWAY, SHOULDN'T THEY TEACH THE KIDS BOTH THEORIES AND THEN LET THEM MAKE THEIR OWN MORAL DECISION ABOUT WHICH ONE IS RIGHT?

    When people spout nonsense and are actually taken seriously by scientific illiterates, I get really upset.

  9. The codebase for men and women is the same on Constants Not Constant? · · Score: 1

    The differences between the sexes are mostly registry entries. Certain features of nipples are disabled in men.

  10. Who marked this as "Insightful"? on Stem Cell Research Moves Forward In The US · · Score: 1

    I'm sure that if I lost a child during gestation, it would be emotionally tough, but would not make me stupid enough to start believing that a 5-7 day old blastula, with a few dozen cells in it, is a person. You are seriously confused if you think this. It seems the more people believe things that are out-and-out nonsense, the more smug they are about their "morality". Science was never "sure" that the earth was flat. This may have been a common belief in the 15th century but it was not a framework that would be recognizable today as science. You are confusing science with dogma, like the right winger that you claim to be.

  11. Mod this guy up! on Gravitational Repulsion Effect Claimed · · Score: 1

    Oh wise, benevolent, and most temporarily powerful moderators... Best analysis in this thread I've seen.

  12. Unreasonable IDENTIFICATION is still not a search on Florida Surveillance Cameras Claim a Victim · · Score: 1

    IaNaL, but I don't think the 4th prevents police from employing weird technology merely to identify you if you appear in a public place. There is an implicit assumption in English common law that everybody already recognizes everybody else in a public place. Back when common law was still developing, there weren't so many people around as there are now. Entering a public place automatically forefeited your identity; with so few faces to remember, people recognized you easily. Now, we're used to being able to disappear and be no more than a nameless face in a crowd. But this is really a modern convenience, a small reward we get for having to live in a world overpopulated with so many jerks.
    From a guy who is a lawyer (John C. Hall, J.D., www.cwu.edu/~millerj/academic/methods/readings/hal l1.htm) :
    While granting police considerable latitude in taking warrantless action against suspected criminals when they are located in areas outside the residence, the U.S. Supreme Court has continued to afford the highest levels of fourth amendment protection to those privacy interests normally associated with one's home. Illustrative of this point is the Court's relatively recent application of a warrant requirement to police entries into private premises for the purpose of effecting arrests inside. In 1976, in Watson v. United States, the Court declined to impose a warrant requirement for felony arrests that occur in public places, holding that the validity of such arrests hinges on the existence of probable cause and not on whether the officers have an opportunity to acquire an arrest warrant.
    Being "secure in your person", I think, has more to do with whether the 4th allows warrantless searches of your purse, pockets, and body cavities.

  13. dumb idea for compression on Share The Pi! · · Score: 1

    Numbers in large bases require more bits for storing each digit. And if you're wanting to involve a computer in this, any base representation you pick will ultimately be converted to binary anyway.

  14. Not all irrationals do this on Share The Pi! · · Score: 1

    0.31331333133331333331333333133333331333333331... (where the ones get further apart each time) is irrational, but it isn't normal, and the digit positions are trivially predictable. You're confusing normal numbers with irrational numbers and thinking they're the same thing. Not every irrational number is normal.

  15. Re:Yahoo Mail does some weird stuff on Security Hole Lets Lycos Run Arbitrary JavaScript · · Score: 1

    OK, Mr. Coward, try this.
    Steps to reproduce:

    1. Open a Yahoo mail account, and log into it.
    2. Click on "Compose", to compose a message.
    3. Look for a link on the "compose" screen that says "Switch to Formatted Version", and click on it.
    4. Your screen should now have a link (in the same place) that says "Switch to Plain Version". You will also see a pretend MS-Word-type toolbar for bold, italic, background color, etc.
    5. Type a one-line email to yourself (meaning send it to your same Yahoo account). Make sure that the body contains "medieval" and "expression", e.g.

    Her expression was medieval

    6. Go back to your inbox, and click on "Check Mail".
    7. Read the email. The above sentence becomes

    Her statement was medireview

    8. Optionally, forward it from there to a real email account. The message will have no body, and come with an attachment. Open the attachment, and you will see it back in its original form:

    Her expression was medieval

  16. Yahoo Mail does some weird stuff on Security Hole Lets Lycos Run Arbitrary JavaScript · · Score: 1

    This reminds me of some stuff my wife encountered while receiving messages through Yahoo Mail. Whenever someone used the word "medieval" in the message body of an email, Yahoo replaced it with

    medireview

    and it would show up that way in the browser. So she thought nothing of it until she noticed that Yahoo also changed the word expression into statement! So if someone wrote

    Medieval art was limited in its expression

    in an email, Yahoo turned it into

    Mediereview art was limited in its statement

    So she wrote Yahoo asking them what was up. This was their response:

    Hello,
    Thank you for writing to Yahoo! Mail. To help ensure the highest level of security, words that can be interpreted as JavaScript commands are replaced by an alternate word (with the same or similar meaning) when using HTML formatted email. This also happens when viewing documents using our HTML file viewer.


    JavaScript should be taxed!

  17. Then STOP USING IIS on Security Hole Lets Lycos Run Arbitrary JavaScript · · Score: 1

    No code is flawless. That doesn't mean all code is equally flawed as you seem to be suggesting!

    You either knew you'd be working with IIS when you took the job, or you suggested IIS yourself, or you stood idly by and let your boss walk all over you and dictate that you install it. So quit complaining about your sad but entirely avoidable situation. Especially since you probably earn extra money for having to put up with Microsoft products instead of actually enjoying your work like many of us do. I mean, sure, it's tough if applying the weekly IIS patch is interfering with your "watching company information flow and user environments to look for ways to help it improve the company" [translation: configuring the firewall so you can play Quake from your office] but applying those hourly NT patches IS YOUR JOB, in a way that whining on Slashdot is not.

    Running NT on a public network of any kind is like bending over to pick up soap in the prison shower. I'm continually amazed at the outrage, incredulity, and disbelief I hear from people who have chosen to install server software that seems to have been written from the ground up to support remote execution of worm code by sociopathic teenagers.

  18. Which fast food chain will be shilling for it? on Fourth Indiana Jones Installment · · Score: 1

    A really annoying trend in advertising is the commercial that is for two things at once. You can tell immediately if a movie is going to be a Big Dumb Movie if a fast food chain starts promoting it in commercials that are both for the chain and the movie.
    "I speak Atlantean." Christ.

  19. Why you can't trust Monsanto on Biotech and the Environment · · Score: 1

    Unless a company deliberately inserts genes for known toxins, genetically modified corn is perfectly safe to eat! Most anti-GM sentiment amounts to simple hysterics over eating GM products, and that's a shame, because it's a side-issue. It's a distraction from the real problems with GM crops that not as many people are talking about.
    First of all, you just can't trust these guys. Monsanto created corn with the "terminator" gene- so the corn grows and produces sterile seeds. The idea is to flood Third World markets with cheap seed for "terminator" corn. For a year or two. Then, when all the farmers have none of their own viable seeds left, because they've been planting Monsanto corn, UP GOES THE PRICE! HAHAHA! Welcome to the subscription business model, suckers! That stuff you're eating has our intellectual property in it!
    They almost got away with that one but the public fury became too much for them and they withdrew from the terminator project. (It's a tactic that's similar to the stunt Nestle pulled- Nestle provided free baby formula to new mothers in the Third World. Except that the baby formula was free only for the first month! Once the mothers stopped lactating, the formula stopped being free, surprise surprise!)
    The problem with GM pesticide is that they screw the organic farmers who use the same pesticides themselves. GM corn with pesticide genes represents an abuse of pesticide that would never be tolerated with normal corn. It breeds insects resistant to the pesticide. When they're all immune to it, Monsanto inserts some other pesticide into the corn and keeps chugging along. Meanwhile everyone else is screwed.

  20. Re:how a supernova explodes on Star In A Jar · · Score: 1

    Yeah but I said it was over in minutes, not hours. Hours are longer than minutes.

  21. Re:how a supernova explodes on Star In A Jar · · Score: 2

    The "energy of the impact smashes into the core of the star" is a really inaccurate way of saying this.
    When fusion stops, the star cools and radiation pressure stops holding up the outer layers, like you say. The star gradually shrinks into a smaller and smaller volume, until it shrinks to the size of the earth and reaches white dwarf density, where it is only held up by electron degeneracy pressure.
    At this point there are so many electrons crammed into such a small space that all the quantum states with low energies are taken- there aren't enough available states at low energies for them all to fit. So most of the electrons are in very high energy states, and the energies get higher as the star shrinks. This is actually a manifestation of the Heisenberg Uncertainty Principle. As the physical position of all the electrons becomes more definite (since the star is shrinking), the uncertainties in energy become greater.
    This is how most stars end. But if the star is massive enough, electron densities and energies will get so high that some of the electrons will be able to overcome the energy barrier for URCA processes (proton + electron -> neutron + neutrino). This is when the explosion starts. The electrons with the highest energy combine with protons to form neutrons, which immediately sink to the center, and neutrinos, which are radiated away. This causes further contraction, elevating the energy states of all the remaining electrons, some of which now have enough energy to react too, and it's all over in a couple minutes. The star has to shrink to the size of a city before neutron degeneracy pressure begins to support it. (Neutrons are heavier than electrons so they pack better under these conditions.)
    99% of the energy is lost to all the neutrinos. Only 1% of the radiated photons are in the visible range. But even in the visible spectrum, a supernova will briefly outshine the rest of the galaxy it's in. Not the entire universe! Supernovas occur in the observable universe with a frequency of about 1 Hz and are routinely observed in other galaxies. The last Milky Way supernova was centuries ago, unless you count SN 1987A, which was in one of the Magellanic Cloud satellite galaxies.
    Nobody knows for sure how elements heavier than iron (lead, gold, iodine, uranium, etc.) are ever formed. The standard theories involve supernovas (you need a high neutron flux). Some research group recently said that supernovas cannot account for heavy element abundances seen on earth, and that a better explanation was a collision between two neutron stars or something.

  22. People who live in blackbody houses... on Supreme Court Limits High-Tech Snooping · · Score: 1

    ...shouldn't throw thermal photons. :)

  23. Re:My Favorite Lines on P2P vs. RIAA: RIAA Wins · · Score: 1

    They are currently powerless on the legal front. When legal strategies fail you go to your lobbyists. Expect the "Peer To Peer Intellectual Property Act" to be introduced in Congress any day now. Gnutella, Freenet, etc. can simply be declared to be illegal, placing them in the same boat as deCSS. This still won't stop people from using these programs or getting a hold of them, but the probability of such a law being introduced and signed into law is close to 1.

  24. Re:Do AVSs actually work? on Supreme Court To Review Child Online Protection Act · · Score: 1

    Some sites only claim they do not actually charge the card. You just have to hope that they aren't lying. So you have to trust some anonymous pornographer not to trash your entire credit rating if you want to see some pr0n.
    Not that the moralists in power care much about that.

  25. insulation, insulation, and insulation on Superconducting Power Cable in Detroit · · Score: 1

    If the insulation is sufficient, then only a very small amount of nitrogen would be necessary for the entire system because the superconductors themselves will not be contributing any I^2*R heating. Except for a larger amount of nitrogen consumed during the initial cooling-down process, the nitrogen cost during steady-state operation is directly proportional to the heat energy getting through your insulation. The insulation's heat conductivity can be made arbitrarily close to zero (although the better it gets, the more expensive it is). I would imagine that to reduce nitrogen costs they would use a structure analogous to a Dewar flask along the entire length of the line. If they did, then they would only need a slow trickle of liquid nitrogen along the entire length of the line.