SELinux was added to Fedora with Fedora Core 2, with FC3 they now use 'targeted' policies (like there's a policy for what Apache can do, and other services to prevent what can happen even if there is a f'in massive security hole in it).
And how many people do you think use the feature every day?
You are thinking of security in the mode of 'how secure can I make it', that is an important and useful mode for people to think about.
What I am talking about is 'how secure can we make the typical machine whose user has no intention of becoming a computer expert'.
SELinux is a wonderful example of an academic security solution to a boutique security problem.
Also I believe that it was found that it took in the months range for a *nix box to be compromised.
What you are measuring there is the length of time between attacks. In other words you are claiming that the windows box is seeing approximately 6000 times as many viable attacks as the Unix box.
You are analyzing the static, I don't much care about that, I am analyzing the dynamic. The bad guys are profit seeking, they will attack whichever box does the work for them at lowest cost. That is a function of the intrinsic vulnerability of the machine, the number of the machines, the availability of attack tools and the value of the result.
I don't have to spend any time convincing Microsoft to take security seriously. They are aware that there are serious issues that we are all facing. Bill is constantly asking their top security people how they are going to solve the problem.
What I hear from the Linux community on security is almost entirely complacency.
It's a very welcome update from MS for users with a clean machine, but it's been a nightmare for any dirty ones.
The problem is, people install service pack 2 expecting it to solve all their spyware problems, but it works best at keeping nasties at bay, not fixing pre-existing software issues.
The Windows Update installer downloads an anti-virus scrubber as part of update since Jan 2005. That disinfects most machines.
The problem is no longer ordinary trojans, it's rootkits that install as drivers.
The Linux world really needs to stop being so complacent about computer security. The level of the attacks is massively more sophisticated and determined than what was seen in the 1990s. Sure there is a version of Linux that has been secured by the NSA. Well whoopdeedo, how many people run it every day? Answer: almost none. They gave Carl Deutch, Director of the CIA, a B-secure O/S to use, he refused to use it because it was unusable.
Take Windows XP gold, unpatched, and put it on a public network, it will be compromised in 15 minutes and a bot within an hour. But do the same thing with the contemporaneous release of Red Hat and OS/X, and guess what, they will all be compromised within a couple of days. If you do the same thing with the latest releases of the O/S and get them up to the latest patches they all survive.
Zombies are traded on the open market. Linux bots tend to fetch a higher price since they are more likely to be on a broadband connection. Apples are not too popular as bots because most apples being sold are laptops. Even the most determined hacker can't do anything with a machine that has been switched off.
When Joe Montana was quarterback for the 49ers they were unbeatable. Same thing with the Chicago Bulls when Jordan was playing. There is a tendency for folk on Slashdot to consider security in terms of the present only, as if Linux was the computer version of the New York Yankees and Windows is the Boston Red Sox.
Guess what, it's not just the present team that matters, it's how hard you are working on the next season. The whole field of computer security was dominated for 30 years by military security issues. The current problems of cybersecurity bear almost no relationship.
There are linux users in all the computer security events that I attend, but almost none of those people are wired into the Linux development process. At one time I had the idea of persuading the Firefox folk to build new features into their code as a way to put pressure on Microsoft. Today I am attempting the reverse strategy, using Microsoft to get changes into Firefox.
Big companies move slowly but they have hundreds of bodies they can throw at problems. That is not the case with FOSS.
"You vill download zee program and you vill love it!"
No, you lazy IT folk will not be able to stop your users from downloading and installing it.
I run an absolutely plain XP system on my laptop. The only company provided programs I use are office, Visio and occasionally Visual Studio. There is absolutely no reason why I shouldn't have used XP SP2 the day it was released. I can't download it and run it on my machine because IT is still checking out a bunch of apps they wrote that I never use.
The current direction of Windows reminds me of that old quote, "Those who don't understand UNIX are doomed to reinvent it - badly", although all things considered it may not be entirely accurate.
The joke is on Thompson, he reinvented VMS badly.
For many years now Microsoft has been patching NT, a single-user system only really suitable for small local networks, into a multi-user system that can cope with many large networks.
Windows NT has always been at core a multi-user operating system. The kernel architecture is derived from VMS which is itself heavily influenced by Multics and ITS. This is not really a surprise since there are not all that many people who have designed an O/S and pretty much everything has its roots ultimately in Multics and Project MAC.
The problem that faces both UNIX and Windows NT when it comes to networking is that multi-user security and network security are two absolutely different things. The features you need for one do not help much with the other.
Most production Apache servers run on a system that has at most three active accounts: root, apache and maintenance. To all intents and purposes the separation of apache and root does little more than help prevent the system partition being corrupted, it does not really do much for security since all the data assets of the machine are going to be accessible from the apache account.
If you wanted to actually bring the O/S security mechanisms to bear in a meaningful way you would have to configure the Web server to respond to data access requests by spawning off a new process and locking it down with the appropriate system privs each time a privileged access was performed. This is technically possible in both Unix and Windows but it will grind the machine down if you try it with any appreciable load.
For Windows any level of Mandatory Access Controls is still in the hazy future, to be implemented, at best, in the release after Longhorn. By the time Windows secures all its holes UNIX may well have moved a quantum leap ahead.
You obviously do not know what Mandatory Access Controls are. Butler Lampson certainly does since he invented the idea. So does David Cutler since he implemented them in VMS long before they arrived in any Unix variant. They have both worked for Microsoft for over a decade.
Windows NT had MACs built in from day one. They are not quite the same as the VMS implementation - and for very good reason, the VMS implementation of ACLs was too complex for most people to grasp, particularly when you got into the propagation rules. But they certainly are there and are built into the O/S at a much more fundamental level than they are in Linux.
The problem with Windows security has absolutely nothing to do with lack of security features. The problem is the exact reverse, the problem is too many damn features and applications that can't make use of them.
Then again, this only works with people who know what the hell they are doing.
Which goes the same for pretty much any O/S. If you have a pinhead they will configure the machine insecurely.
No matter what I would never recommend Windows as an internet-facing server. I run a Windows 2003 server here in my home but it is just to learn it and host a small site with little traffic.
You mean even if the figures say that Windows is more secure you will never choose it? Or are you only referring to the current release?
Whatever, I think that Linux advocates should take a lesson from history, it is really hard to maintain an O/S distinction in the security area. The only reason Linux is any better is that UNIX machines have been Internet connected by default for about 15 years while with Windows it's only about 8. Read the CERT advisories from the 90s, they are almost all reports of UNIX vulnerabilities.
UNIX got cleaned up, Windows will be cleaned up. Back in the 90s UNIX was a byword for insecurity, people still used SUID scripts and shadow passwords were only used by a minority.
What is more interesting here is the derivative. The perception of Windows is improving rapidly, the perception of Linux is pretty static. I don't see a heck of a lot of new security action going on in the Linux world. There is a heck of a lot going on in the Windows world.
Or more to the point, they're probably someone who feels reasonably confident that, if they want to get laid, they can do so in the short to medium term. If someone is a lot less sure when (or if) they'll get another one off, I think they're a helluva lot less likely to be in any way picky.
I think you yankee types have fallen for the British sense of humour. Toothing was a wind up from the beginning. If you think about it toothing pretty much amounts to going up to a stranger and saying 'wanna fuck'.
This does not work too well in email, why would it work better over bluetooth? Plus you have the problem that if this is going to work for the heterosexual crowd you need to attract opposite sexes for it to work.
Think for a moment how many phones would have to be bluetooth enabled for this to work, plus think of the number of folk who would be receiving (and complaining about) the solicitations.
That said, the UK is way less uptight than the US. Prostitution is effectively legal and there is a public sex scene known as dogging.
The kernel of truth in this hoax is that bluetooth does provide an additional medium to chat someone up that you might not otherwise talk to. I doubt that sending a message 'U wanna fuck me?' would be optimally effective as a conversation starter but you could easily imagine starting off with chat and ending up with a quickie.
Of course none of this would work in the US because trains are not exactly a common mode of transportation.
>It's simple... Refuse to read PDFs that require the technology.
You'd have trouble convincing more than about 2% of users to refuse.
No, simply block out connection to the tracking protocol. If Personal Internet firewalls were not so dufus designed they would make it easy to say 'this program has no business connecting to the Internet, silently disable all connection attempts without notice'.
IE has the same bug in the ActiveX scheme. There should be an option that allows downloading of ActiveX components to be refused unless they come from a small number of trusted sources. Today the choice is disable ActiveX entirely or allow sites to pester with 20 or more demands to install spyware.
And your argument of using style for structured communication is bunk. What do colors and fonts have to do with your message, and how are they going to render in pine? Bullet points? What's wrong with an asterisk?
What's wrong with punch cards?
Plaintext is not as effective a means of communication as formatted text. Typography was invented in the first place to improve readability. People who use plaintext limit the effectiveness of their message.
If Pine does not render the emails in an acceptable fashion get a new mail client. The vast majority of Internet users have rich-text capable clients, the only people who don't are the very people who think they are on the bleeding edge of technology.
If you never go beyond the line mode you will be locked into the computing technology of the 1980s. You may think that you are on the bleeding edge but you are actually in a technology ghetto. Line mode users are the Amish of the Internet.
I can state publicly, in print, that I am a very violent person and an anarchist. That does NOT give the FBI the right to seize my computer equipment, or even question me.
But if as seems likely from your statement either you yourself or an associate ends up being suspected of a violent crime then the FBI is more than entitled to go to a court and argue that they need to collect information from Slashdot that demonstrates your attitude towards violent and criminal behavior.
Why is it so difficult to believe that someone involved with infospace is under suspicion of criminal activity? If you have a thousand people posting the chance that one of them is up to no good is pretty high.
You seriously think that some terrorists were using infoshop.org and there is any chance at all that this was part of a legitimate investigation? That site is used by basically white non-violent anti-war types... it's not a recruitment area for al-Qaeda.
McVeigh was white, so are Baader, Meinhof, Gerry Adams, Martin McGuinness, come to think of it most terrorists that have attacked Western targets are white.
Al Q'aida is not the only terrorist organization that has attacked the US. McVeigh's friends in the Montana Militia still engage in para-military 'training' exercises. Infoshop is an anarchist site, anarchism is not generally considered to be a pacifist ideology.
Lol, some thugs demand a server administrator's logs at gun point while claiming they are serving a greater, yet unrevealable, good and we have to actually CONSIDER what they are saying to us? It's safe to call bullshit on that one immediately.
The FBI might be doing the bidding of Bush and Rove but I doubt it, and if they did I think that the news would leak quickly. This particular administration has not exactly cultivated loyalty amongst the rank and file of the CIA, FBI or Secret Service and it has not exactly succeeded in intimidating them either. The CIA are pissed because their agency was used to launder 'intelligence' reports from a source they had warned was an Iranian spy in 1997. The FBI are pissed because the real 'war on terror' has been given a third rank priority. Pretty much everyone suspects that Bush may have deliberately allowed Bin Laden to escape in order to maintain the excuse to keep the apparatus of the faux 'war on terror' in place.
Bush and Rove are much more interested in what the press and the Democrats are up to than a bunch of anarchists that at most are planning to blow something up. An administration that can't be bothered to finish the job on Bin Laden even after the 9/11 bombing is not going to be bothered with the anarchists. Heck no, their interests are served far better by allowing the attack to go ahead so that they have a fresh excuse for Patriot II.
Thus does Slashdot discuss matters of social importance.
The FBI could be interested in the logs for legitimate or illegitimate reasons. If they are investigating a crime and someone is known to have contacted the site then they have every right to demand the logs under the law.
When I exchanged email with Timothy McVeigh before he murdered 300 people in Oklahoma City I handed over the correspondence to the FBI as soon as I heard that he was a suspect. I would have handed them over to the FBI even earlier if I had thought they could take any action, the guy was a whacko.
If on the other hand the FBI is just engaged in a fishing expedition looking for dissidents then there is a serious problem.
The big problem with the actions of the administration is that it is very difficult to trust them when they say that their interest is of the first type rather than the second. The Attorney General has provided legal opinions to facilitate torture. 23 prisoners have died during interrogation. The only criminal proceedings have been taken against low level grunts who are exceptionally unlikely to have re-invented procedures that exactly match the R2I protocol of their own accord.
So instead of calling people morons or running around in tin foil hats perhaps people should take note of the fact that yes there are real terrorists and no the administration does not have a clue how to deal with the problem. They have repeated every one of the mistakes that the British government made in Northern Ireland only on a much larger scale and to a much greater degree.
I don't think this has any significance, it is certain to be appealed all the way to the SCOTUS.
Interesting issue though. It may be fair for NY to tax in some telecommuting cases. But I don't see why CA should be able to tax me on my income because I telecommute from Massachusetts. I have never worked in CA.
25% seems too low a fraction to claim the right to tax. NY is not providing any services to the employee and that is the basis on which taxation should be decided. If they want to recover the costs of providing services to the company they should tax the company.
ReplayTVs can be programmed from the internet. You can't easily add storage, but you can emulate one on your computer and move your content to that box.
I have close to 150 electronic devices in the house that are complex enough to have their own CPU.
I really cannot cope with anything that requires maintenance, let alone hackery. I want this to be all done for me.
I just bought a new DVD player and disconnected the home theatre because I was fed up of everyone else in the house asking me for instructions.
I personally don't think that showing a single image of an ad for the product that you are fast forwarding over is a problem. The advertisers paid for the spot, so they should get something. The problem is if these pop-ups are interfering with normal viewing of the show.
I see two big problems. First the advertisers have not paid ME a dime for the ad. I want zero ad television. I pay $800 a year for TV service and I am not watching any ads whatsoever.
The second problem is that Tivo has the ability to make this change unilaterally, where do the changes end? At what point does Tivo simply become a new form of Adware?
I don't have Tivo and I don't want it. All I want is the ability to remote program my existing DVR from the Internet and the ability to add additional external storage units to it. No DVR manufacturer will consider either feature. Every PC/Mac based manufacturer considers these a no-brainer. Unfortunately it is not possible to get a PC based unit for Dish-TV.
If I had a better user Interface and enough disk space I would not need any Tivo functions. I would simply buy 250Gb drives as needed and hook them into the daisy chain. Incidentally why don't the doofus drive enclosure manufacturers get a clue and produce a low cost RAID option? It should not cost an arm and a leg to put a RAID together. I would happily buy a unit that allowed me to RAID 0 two drives for $200, but $1500 is just extortion.
If I could program the machine from the computer then someone will come up with an interface that is waaay better than Tivo. It would allow me to interact with the selection process and it would keep track of what I have already watched and recorded. So I could tell it to record every copy of The New Yankee Workshop and it would suggest that I also record David Marks' Wood Works. I could tell it to record The Matrix and it would also suggest a menu of 20 odd other movies like it. Tivo is slightly different, it is making the choice, the whole choice for me with no real interaction in the process.
But you can't really sell something like a Windows web browser anymore, you have to give it away. As a result, it's harder to make money on something like this.
Netscape began giving away the browser, not Microsoft. They did it to drive Spyglass and Mosaic under and in order to establish proprietary control over the Web.
I don't think it matters what the reduced media edition is called, nobody is ever going to buy it. The difference in cost is never going to justify the difference in functionality.
I certainly would not buy a machine with RealPlayer installed on it. Whether the current version is spyware or not they certainly produced shitware in the past. Where shitware is software produced by a bunch of shits.
It is somewhat ironic that the three companies that have had such a problem with Microsoft are the three who have been busy trying to establish their own monopoly.
No, the reason RMS wants Linux distros to be Debian GNU/Linux, Mandrake GNU/Linux etc is because the userspace applications are mostly GNU. I read once that about a third of all software in the average Linux distro is GNU written software.
No, the reason RMS want it to be called GNU/Linux is that RMS is an egocentric jerk. The fact that Linux contains 1/3 GNU is merely the justification he gives.
I don't think that his claim is justified. The GNU utilities are pretty peripheral to the core of Linux. Linux could have started under a different license without any real problems. Very little that links into the Linux binary is from FSF.
Umm no. Courts routinely distinguish between the two. Appeals courts do not normally examine matters of fact at all - only whether or not the lower court applied the proper law and procedure in making their determination.
Without facts there is no case. What Grokster is up to is beyond dispute.
The only questions that are in doubt here are whether the 'non-infringement uses' identified meet the standard for fair use under the law. That is a question of law, not fact, the question is what the standard should be.
I have read the Betamax ruling, don't make the mistake of thinking that people who disagree with you must do so because they are ignorant. We had this whole argument years ago over Napster. Napster deserved what they got and so does Grokster. People made the same arguments you are making in the Napster case and also claimed that everyone who disagreed with them must be wrong.
I don't think that running a pirate to pirate network is fair use by any stretch of the imagination.
I think it just means that after 6 years, every major program blocks most executable attachments (Outlook, OE, Thunderbird etc.).
I don't quite understand what claim the article is trying to make. Is the claim that viruses are no longer making use of the address book or that email viruses in general are no longer a threat?
The first interpretation is kinda duuhh! That type of virus disappeared years ago after access to the address book was locked out. These days most viruses are blasted out from a botnet using a spam list.
If the guy was really saying that mass mailed viruses in general are on the decline then that is a good thing, it is about time.
The thing I don't get is that pretty much everyone I know thinks that email programs are 'stupid' for allowing executable attachments. But when I suggest just blocking all executable attachments outright people start screaming 'you can't doooo that'.
Sure blocking executables would be bad for A-V vendors, it would kill the need for their product dead. Sure there might be a few more JPEG like situations but the number of possible vectors is not that large and can be fixed by autoupdate.
If the Linux propaganda that the only reason for viruses is Windows bugs is true then we should not expect them to be a permanent fixture.
No, that's not true. The questions of fact were dealt with and decided by the lower court, are undisputed (read the plaintiffs' briefs, and the oral arguments - they try very hard to claim to dispute the facts, but were clearly unable to do so). The Supremes, furthermore, rarely address questions of fact - the vast majority of their cases, like this one, are appeals, and appeals generally do not involve issues of fact, but rather of law and procedure.
I think that people are reading Betamax way too literally. What Grokster is doing is a matter of fact, they are running a network whose primary purpose and intent is to pirate copyright material but which may be capable of being used for non infringing purposes even if there are better ways of serving those purposes which do not support piracy.
The interpretation of the facts is a matter of law, not fact. In Betamax the issue of intent, other ways to realise the same end etc. did not occur. The principal use of the VCR was manifestly a fair use in the sense that it did not negatively affect the copyright owner's interests.
I think that it is pretty clear that the facts determined by the trial court indicate that the principal use of Grokster is for piracy. At the SCOTUS level the literal question of whether some theoretical non-infringing use exists is not relevant.
The Betamax shield doesn't necessarily fit the circumstances. With the analog VCR tech, there are generational losses and the machines aren't conducive to easy affordable mass-distribution because of their 1x record rates. One reason SCOTUS gave Betamax their blessings was that people at the time weren't trying to build libraries of videos, but rather watch TV shows at a more convenient time, but my impression of P2P users is that they are trying to build libraries, and of material that wasn't necessarily licenced for broadcast anyway. Even when the material was licenced for broadcast, the ads are often removed.
I agree, the Betamax shield is not at risk at all, the question is whether it is relevant which is entirely different. There is absolutely no risk that the SCOTUS is going to prohibit VHS recorders, DVD recorders or for that matter DVRs. It is almost certain that a DVR with a firewire port to plug in extra hard drives gets through.
The question in Grokster is whether there are genuine, substantial non-infringing uses or whether the theoretical and hypothetical uses being proposed are spurious and the only substantial use is to pirate stuff. Grokster can cease to exist tomorrow and none of the copyright use I do is threatened in the least.
I think that it is very likely that either SCOTUS decides that pirate-to-pirate networks are illegal or Congress does. The RIAA and MPAA bought Orin Hatch long ago.
When you are dealing with a bunch of corrupt skunks like Hatch and co it is a good idea to choose something other than a sewer to stand in. Expecting to be able to get any music you want for free is simply not a reasonable or sustainable demand.
I don't think the RIAA demands are fair or reasonable, but they are sustainable. If people want to prevent the RIAA and MPAA getting away with more corrupt copyright grabs they better choose a more realistic set of demands.
Sounds like you haven't put an unpatched windows XP machine on the internet. Generally, you get blaster or a variant within the first 20 minutes, unless your ISP is actively blocking inbound connections on those ports.
The blaster vulnerability was patched some time ago.
Any machine connected to the Internet will receive a penetration attempt within 20 minutes of connection. That is not the same as being vulnerable to the infection.
Some of us have been around long enough to remember when UNIX was notorious for its instability and insecurity.
They were talking about a Mac out of the box, where Apache and other server programming is disabled.
Which is the stupidest hacking contest imaginable. My point was that pretty much ANY machine will pass that test. To be fair they should have a controlled experiment, stick a Windows XP, Linux and MacOS box next to each other, configure them all with the absolute default installation with NO options turned on. I would be surprised if any of the machines were compromised after six months.
The only mechanism likely to cause a problem would be a ping 'o death type situation that had not been thought up.
Machines usually only become vulnerable once you put a USER or a SERVER on them.
If the test is going to mean anything that is what you would have to do.
DVforge is owned by one Jack Campbell, a known con artist and admirer of publicity stunts. This is exactly that and nothing more: a publicity stunt. I'd be very surprised if 1) either of the two computers actually exist, 2) the prize money exists, 3) if the computers exist and the prize money exists, then Jack will ever pay up if someone wins.
From the site: More importantly, I have been convinced that there may be legality issues stemming from such a contest, beyond those determined by our own legal counsel, prior to announcing the contest.
My first reaction was to reach for a loaded lawyer, I would guess that Apple and Symantec would do exactly the same thing. Thought it best to read the thread for some context first...
This is a really bad idea for a large number of reasons. First off there are plenty of Apples that have been recruited into botnets. All the user needs to do is to run a buggy version of Apache, or something layered on top and they are vulnerable.
Oh you say, no fair pointing at third party software bugs, they don't count. Well sure they do, the criminals don't care, they will take a machine any way they can. If you take stock Windows load it onto a machine and never use it for anything, guess what you are pretty secure. In fact you can use unpatched Win 3.1 if you never turn the machine on.
The thing that is more worrying about these schemes is that there is a definite barrier effect in hacking. Take phishing for example, the recent spate of phishing began when people worked out that they could create an ATM card from the stolen information and pull cash directly out of an ATM. Now that we have that loophole pretty much closed they are working on the much harder problem of setting up carding operations.
As an example look at the 40 bit encryption used by TI for RFID tags that was recently broken by a bunch of university students. If those students had been malicious they could have broken it and not told anyone. They could have then exploited the weakness for years because the cipher isn't widely studied so it is unlikely that someone else would have bothered to crack it. If TI had simply gone with 3DES there would have been no problem. The moral of the story: stick to the standards people.
Whenever a 40 bit cipher turns up the most likely reason is the export restrictions. When TI was doing its work they could not stick to the standard.
Plus 3DES is not exactly a great cipher, the small block size means that certain attacks become possible after 2^32 blocks of ciphertext, that is only 32 Gb of data which is not a lot of data.
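The 2^32-block figure above is the birthday bound for a 64-bit block: once that many blocks have been encrypted under one key, two ciphertext blocks are likely to repeat, which in CBC mode leaks the XOR of the corresponding plaintexts. As an added illustration (not part of this thread), the script below carries that arithmetic through for 64-bit and 128-bit block ciphers and also answers the question a defender actually cares about: how much data can one key encrypt before the collision probability exceeds a chosen budget. The cipher names in the table are assumed, standard block sizes.

```python
import math

# Block sizes (bits) for the ciphers mentioned in the thread, plus AES for contrast.
# Assumed standard values, not taken from the thread.
BLOCK_BITS = {"3DES": 64, "AES": 128}


def birthday_bound_blocks(block_bits: int) -> int:
    """Blocks after which a repeated block becomes likely: 2^(b/2)."""
    return 1 << (block_bits // 2)


def bytes_at_birthday_bound(block_bits: int) -> int:
    """Same bound expressed as ciphertext volume (blocks * bytes per block)."""
    return birthday_bound_blocks(block_bits) * (block_bits // 8)


def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Probability that at least two of n_blocks random b-bit blocks coincide.

    Standard birthday approximation: 1 - exp(-n(n-1) / 2^(b+1)).
    expm1 is used so tiny probabilities (AES case) are not rounded to 0.0.
    """
    exponent = -(n_blocks * (n_blocks - 1)) / (2 ** (block_bits + 1))
    return -math.expm1(exponent)


def max_blocks_for_probability(block_bits: int, p_max: float) -> int:
    """Largest n such that collision_probability(block_bits, n) <= p_max.

    Inverts the approximation above: n ~= sqrt(2^(b+1) * ln(1 / (1 - p_max))).
    This is the per-key data budget a cautious deployment would enforce.
    """
    target = -math.log1p(-p_max)  # ln(1/(1-p)) computed without cancellation
    return int(math.sqrt((2 ** (block_bits + 1)) * target))


def max_bytes_for_probability(block_bits: int, p_max: float) -> int:
    return max_blocks_for_probability(block_bits, p_max) * (block_bits // 8)


def gib(n_bytes: int) -> float:
    return n_bytes / 2 ** 30


if __name__ == "__main__":
    for name, bits in BLOCK_BITS.items():
        blocks = birthday_bound_blocks(bits)
        print(f"{name}: {bits}-bit block, birthday bound at 2^{bits // 2} blocks "
              f"= {gib(bytes_at_birthday_bound(bits)):.3g} GiB, "
              f"P(collision) there = {collision_probability(bits, blocks):.3f}")
        # Budget if you want collisions to stay below one in a million per key.
        budget = max_bytes_for_probability(bits, 1e-6)
        print(f"  data per key to keep P < 1e-6: {budget / 2 ** 20:.3g} MiB")
```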
The TI problem was due to using the same cipher for 15 years without periodic security reviews.
The problem is no longer ordinary trojans, it's rootkits that install as drivers.
The Linux world really needs to stop being so complacent about computer security. The level of the attacks is massively more sophisticated and determined than what was seen in the 1990s. Sure there is a version of Linux that has been secured by the NSA. Well whoopdeedo, how many people run it every day? Answer: almost none. They gave Carl Deutch, Director of the CIA a B-secure O/S to use, he refused to use it because it was unusable.
Take Windows XP gold, unpatched and put it on a public network, it will be compromised in 15 minutes and a bot within an hour. But do the same thing with the contemporaneous release of Red Hat and OS X, and guess what, they will all be compromised within a couple of days. If you do the same thing with the latest releases of the O/S and get them up to the latest patches they all survive.
Zombies are traded on the open market. Linux bots tend to fetch a higher price since they are more likely to be on a broadband connection. Apples are not too popular as bots because most apples being sold are laptops. Even the most determined hacker can't do anything with a machine that has been switched off.
When Joe Montana was quarterback for the 49ers they were unbeatable. Same thing with the Chicago Bulls when Jordan was playing. There is a tendency for folk on Slashdot to consider security in terms of the present only, as if Linux was the computer version of the New York Yankees and Windows is the Boston Red Sox.
Guess what, it's not just the present team that matters, it's how hard you are working on the next season. The whole field of computer security was dominated for 30 years by military security issues. The current problems of cybersecurity bear almost no relationship.
There are linux users in all the computer security events that I attend, but almost none of those people are wired into the Linux development process. At one time I had the idea of persuading the Firefox folk to build new features into their code as a way to put pressure on Microsoft. Today I am attempting the reverse strategy, using Microsoft to get changes into Firefox.
Big companies move slowly but they have hundreds of bodies they can throw at problems. That is not the case with FOSS.
No, you lazy IT folk will not be able to stop your users from downloading and installing it.
I run an absolutely plain XP system on my laptop. The only company provided programs I use are Office, Visio and occasionally Visual Studio. There is absolutely no reason why I shouldn't have used XP SP2 the day it was released. I can't download it and run it on my machine because IT is still checking out a bunch of apps they wrote that I never use.
The joke is on Thompson, he reinvented VMS badly.
For many years now Microsoft has been patching NT, a single-user system only really suitable for small local networks, into a multi-user system that can cope with many large networks.
Windows NT has always been at core a multi-user operating system. The kernel architecture is derived from VMS which is itself heavily influenced by Multics and ITS. This is not really a surprise since there are not all that many people who have designed O/S and pretty much everything has its roots ultimately in Multics and project MAC.
The problem that faces both UNIX and Windows NT when it comes to networking is that multi-user security and network security are two absolutely different things. The features you need for one do not help much with the other.
Most production Apache servers run on a system that has at most three active accounts. Root, apache and maintenance. To all intents and purposes the separation of apache and root does little more than help prevent the system partition being corrupted, it does not really do much for security since all the data assets of the machine are going to be accessible from the apache account.
If you wanted to actually bring the O/S security mechanisms to bear in a meaningful way you would have to configure the Web server to respond to data access requests by spawning off a new process and locking it down with the appropriate system privs each time a privileged access was performed. This is technically possible in both Unix and Windows but it will grind the machine down if you try it with any appreciable load.
You obviously do not know what Mandatory Access Controls are. Butler Lampson certainly does since he invented the idea. So does David Cutler since he implemented them in VMS long before they arrived in any Unix variant. They have both worked for Microsoft for over a decade.
Windows NT had MACs built in from day one. They are not quite the same as the VMS implementation - and for very good reason, the VMS implementation of ACLs was too complex for most people to grasp, particularly when you got into the propagation rules. But they certainly are there and are built into the O/S at a much more fundamental level than they are in Linux.
The problem with Windows security has absolutely nothing to do with lack of security features. The problem is the exact reverse, the problem is too many damn features and applications that can't make use of them.
The same goes for pretty much any O/S. If you have a pinhead they will configure the machine insecurely.
No matter what I would never recommend Windows as an Internet-facing server. I run a Windows 2003 server here in my home but it is just to learn it and host a small site with little traffic.
You mean even if the figures say that Windows is more secure you will never choose it? Or are you only referring to the current release?
Whatever, I think that Linux advocates should take a lesson from history, it is really hard to maintain an O/S distinction in the security area. The only reason Linux is any better is that UNIX machines have been Internet connected by default for about 15 years while with Windows it's only about 8. Read the CERT advisories from the 90s, they are almost all reports of UNIX vulnerabilities.
UNIX got cleaned up, Windows will be cleaned up. Back in the 90s UNIX was a byword for insecurity, people still used SUID scripts and shadow passwords were only used by a minority.
What is more interesting here is the derivative. The perception of Windows is improving rapidly, the perception of Linux is pretty static. I don't see a heck of a lot of new security action going on in the Linux world. There is a heck of a lot going on in the Windows world.
I think you Yankee types have fallen for the British sense of humour. Toothing was a wind up from the beginning. If you think about it toothing pretty much amounts to going up to a stranger and saying 'wanna fuck'.
This does not work too well in email, why would it work better over bluetooth? Plus you have the problem that if this is going to work for the heterosexual crowd you need to attract opposite sexes for it to work.
Think for a moment how many phones would have to be bluetooth enabled for this to work, plus think of the number of folk who would be receiving (and complaining about) the solicitations.
That said, the UK is way less uptight than the US. Prostitution is effectively legal and there is a public sex scene known as dogging.
The kernel of truth in this hoax is that bluetooth does provide an additional medium to chat someone up that you might not otherwise talk to. I doubt that sending a message 'U wanna fuck me?' would be optimally effective as a conversation starter but you could easily imagine starting off with chat and ending up with a quickie.
Of course none of this would work in the US because trains are not exactly a common mode of transportation.
You'd have trouble convincing more than about 2% of users to refuse.
No, simply block out connection to the tracking protocol. If Personal Internet firewalls were not so dufus designed they would make it easy to say 'this program has no business connecting to the Internet, silently disable all connection attempts without notice'.
IE has the same bug in the ActiveX scheme. There should be an option that allows downloading of ActiveX components to be refused unless they come from a small number of trusted sources. Today the choice is disable ActiveX entirely or allow sites to pester with 20 or more demands to install spyware.
This Adobe crap is spyware, BTW.
What's wrong with punch cards?
Plaintext is not as effective a means of communication as formatted text. Typography was invented in the first place to improve readability. People who use plaintext limit the effectiveness of their message.
If Pine does not render the emails in an acceptable fashion get a new mail client. The vast majority of Internet users have rich text capable clients, the only people who don't are the very people who think they are on the bleeding edge of technology.
If you never go beyond the line mode you will be locked into the computing technology of the 1980s. You may think that you are on the bleeding edge but you are actually in a technology ghetto. Line mode users are the Amish of the Internet.
But if as seems likely from your statement either you yourself or an associate ends up being suspected of a violent crime then the FBI is more than entitled to go to a court and argue that they need to collect information from Slashdot that demonstrates your attitude towards violent and criminal behavior.
Why is it so difficult to believe that someone involved with infospace is under suspicion of criminal activity? If you have a thousand people posting the chance that one of them is up to no good is pretty high.
McVeigh was white, so are Baader, Meinhof, Gerry Adams, Martin McGuinness, come to think of it most terrorists that have attacked Western targets are white.
Al Q'aida is not the only terrorist organization that has attacked the US. McVeigh's friends in the Montana Militia still engage in para-military 'training' exercises. Infoshop is an anarchist site, anarchism is not generally considered to be a pacifist ideology.
Lol, some thugs demand a server administrators logs at gun point while claiming they are serving a greater, yet unrevealable, good and we have to actually CONSIDER what they are saying to us? It's safe to call bullshit on that one immediately.
The FBI might be doing the bidding of Bush and Rove but I doubt it, and if they did I think that the news would leak quickly. This particular administration has not exactly cultivated loyalty amongst the rank and file of the CIA, FBI or Secret Service and it has not exactly succeeded in intimidating them either. The CIA are pissed because their agency was used to launder 'intelligence' reports from a source they had warned was an Iranian spy in 1997. The FBI are pissed because the real 'war on terror' has been given a third rank priority. Pretty much everyone suspects that Bush may have deliberately allowed Bin Laden to escape in order to maintain the excuse to keep the apparatus of the faux 'war on terror' in place.
Bush and Rove are much more interested in what the press and the Democrats are up to than a bunch of anarchists that at most are planning to blow something up. An administration that can't be bothered to finish the job on Bin Laden even after the 9/11 bombing is not going to be bothered with the anarchists. Heck no, their interests are served far better by allowing the attack to go ahead so that they have a fresh excuse for Patriot II.
Thus does Slashdot discuss matters of social importance.
The FBI could be interested in the logs for legitimate or illegitimate reasons. If they are investigating a crime and someone is known to have contacted the site then they have every right to demand the logs under the law.
When I exchanged email with Timothy McVeigh before he murdered 300 people in Oklahoma City I handed over the correspondence to the FBI as soon as I heard that he was a suspect. I would have handed them over to the FBI even earlier if I had thought they could take any action, the guy was a whacko.
If on the other hand the FBI is just engaged in a fishing expedition looking for dissidents then there is a serious problem.
The big problem with the actions of the administration is that it is very difficult to trust them when they say that their interest is of the first type rather than the second. The Attorney General has provided legal opinions to facilitate torture. 23 prisoners have died during interrogation. The only criminal proceedings have been taken against low level grunts who are exceptionally unlikely to have re-invented procedures that exactly match the R2I protocol of their own accord.
So instead of calling people morons or running around in tin foil hats perhaps people should take note of the fact that yes there are real terrorists and no the administration does not have a clue how to deal with the problem. They have repeated every one of the mistakes that the British government made in Northern Ireland only on a much larger scale and to a much greater degree.
Interesting issue though. It may be fair for NY to tax in some telecommuting cases. But I don't see why CA should be able to tax me on my income because I telecommute from Massachusetts. I have never worked in CA.
25% seems too low a fraction to claim the right to tax. NY is not providing any services to the employee and that is the basis on which taxation should be decided. If they want to recover the costs of providing services to the company they should tax the company.
I have close to 150 electronic devices in the house that are complex enough to have their own CPU.
I really cannot cope with anything that requires maintenance, let alone hackery. I want this to be all done for me.
I just bought a new DVD player and disconnected the home theatre because I was fed up of everyone else in the house asking me for instructions.
I see two big problems. First the advertisers have not paid ME a dime for the ad. I want zero ad television. I pay $800 a year for TV service and I am not watching any ads whatsoever.
The second problem is that Tivo has the ability to make this change unilaterally, where do the changes end? At what point does Tivo simply become a new form of Adware?
I don't have Tivo and I don't want it. All I want is the ability to remote program my existing DVR from the Internet and the ability to add additional external storage units to it. No DVR manufacturer will consider either feature. Every PC/Mac based manufacturer considers these a no-brainer. Unfortunately it is not possible to get a PC based unit for Dish-TV.
If I had a better user interface and enough disk space I would not need any Tivo functions. I would simply buy 250Gb drives as needed and hook them into the daisy chain. Incidentally why don't the doofus drive enclosure manufacturers get a clue and produce a low cost RAID option? It should not cost an arm and a leg to put a RAID together. I would happily buy a unit that allowed me to RAID 0 two drives for $200, but $1500 is just extortion.
If I could program the machine from the computer then someone will come up with an interface that is waaay better than Tivo. It would allow me to interact with the selection process and it would keep track of what I have already watched and recorded. So I could tell it to record every copy of the New Yankee Workshop and it would suggest that I also record David Marks' Wood Works. I could tell it to record The Matrix and it would also suggest a menu of 20 odd other movies like it. Tivo is slightly different, it is making the choice, the whole choice for me with no real interaction in the process.
Netscape began giving away the browser, not Microsoft. They did it to drive Spyglass and Mosaic under and in order to establish proprietary control over the Web.
I don't think it matters what the reduced media edition is called, nobody is ever going to buy it. The difference in cost is never going to justify the difference in functionality.
I certainly would not buy a machine with RealPlayer installed on it. Whether the current version is spyware or not they certainly produced shitware in the past. Where shitware is software produced by a bunch of shits.
It is somewhat ironic that the three companies that have had such a problem with Microsoft are the three who have been busy trying to establish their own monopoly.
No, the reason RMS wants it to be called GNU/Linux is that RMS is an egocentric jerk. The fact that Linux contains 1/3 GNU is merely the justification he gives.
I don't think that his claim is justified. The GNU utilities are pretty peripheral to the core of Linux. Linux could have started under a different license without any real problems. Very little that links into the Linux binary is from FSF.
Without facts there is no case. What Grokster is up to is beyond dispute.
The only questions that are in doubt here are whether the 'non-infringement uses' identified meet the standard for fair use under the law. That is a question of law, not fact, the question is what the standard should be.
I have read the Betamax ruling, don't make the mistake of thinking that people who disagree with you must do so because they are ignorant. We had this whole argument years ago over Napster. Napster deserved what they got and so does Grokster. People made the same arguments you are making in the Napster case and also claimed that everyone who disagreed with them must be wrong.
I don't think that running a pirate to pirate network is fair use by any stretch of the imagination.
I don't quite understand what claim the article is trying to make. Is the claim that viruses are no longer making use of the address book or that email viruses in general are no longer a threat?
The first interpretation is kinda duuhh! That type of virus disappeared years ago after access to the address book was locked out. These days most viruses are blasted out from a botnet using a spam list.
If the guy was really saying that mass mailed viruses in general are on the decline then that is a good thing, it is about time.
The thing I don't get is that pretty much everyone I know thinks that email programs are 'stupid' for allowing executable attachments. But when I suggest just blocking all executable attachments outright people start screaming 'you can't doooo that'.
Sure blocking executables would be bad for A-V vendors, it would kill the need for their product dead. Sure there might be a few more JPEG like situations but the number of possible vectors is not that large and can be fixed by autoupdate.
If the Linux propaganda that the only reason for viruses is Windows bugs is true then we should not expect them to be a permanent fixture.
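The 'block all executable attachments outright' policy argued for above, as an added example that is not part of the original thread: a filter over a MIME message that rejects attachments by extension and by content, since a renamed .exe still starts with an MZ header. The extension list, magic prefixes and sample messages are constructed for the example and the helper names are hypothetical.

```python
"""Added example: reject executable email attachments outright, judged by
both filename extension and leading magic bytes of the decoded payload."""
import email
from email import policy
from email.message import EmailMessage

# Constructed list; a deployment would maintain its own.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
    ".jse", ".wsf", ".hta", ".msi", ".cpl", ".dll", ".ps1", ".sh",
}

# Leading bytes of common native executable formats (constructed list).
EXECUTABLE_MAGIC = (
    b"MZ",                                     # Windows PE / DOS stub
    b"\x7fELF",                                # ELF
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",  # Mach-O, big-endian
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",  # Mach-O, little-endian
    b"#!",                                     # script with interpreter line
)


def looks_executable(filename, payload):
    """True if the name carries an executable extension OR the content
    starts like a native executable, whatever the declared MIME type."""
    name = (filename or "").lower()
    if any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    return payload.startswith(EXECUTABLE_MAGIC)  # tuple of prefixes


def scan_message(raw):
    """Parse a raw RFC 822 message; return ('block', [names]) when any
    attachment is executable, otherwise ('allow', [])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    offenders = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if looks_executable(part.get_filename(), payload):
            offenders.append(part.get_filename() or "<unnamed>")
    return ("block" if offenders else "allow"), offenders


def build_sample(filename, content, maintype="application", subtype="octet-stream"):
    """Construct a one-attachment test message as raw bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "see attached"
    m.set_content("Attachment enclosed.")
    m.add_attachment(content, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("holiday.jpg", b"MZ\x90\x00" + b"\x00" * 60, "image", "jpeg"),
        build_sample("report.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
        build_sample("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60, "image", "jpeg"),
    ]
    for raw in samples:
        print(scan_message(raw))
```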
I think that people are reading Betamax way too literally. What Grokster is doing is a matter of fact, they are running a network whose primary purpose and intent is to pirate copyright material but which may be capable of being used for non infringing purposes even if there are better ways of serving those purposes which do not support piracy.
The interpretation of the facts is a matter of law, not fact. In Betamax the issue of intent, other ways to realise the same end etc. did not occur. The principal use of the VCR was manifestly a fair use in the sense that it did not negatively affect the copyright owner's interests.
I think that it is pretty clear that the facts determined by the trial court indicate that the principal use of Grokster is for piracy. At the SCOTUS level the literal question of whether some theoretical non-infringing use exists is not relevant.
I agree, the Betamax shield is not at risk at all, the question is whether it is relevant which is entirely different. There is absolutely no risk that the SCOTUS is going to prohibit VHS recorders, DVD recorders or for that matter DVRs. It is almost certain that a DVR with a firewire port to plug in extra hard drives gets through.
The question in Grokster is whether there are genuine, substantial non-infringing uses or whether the theoretical and hypothetical uses being proposed are spurious and the only substantial use is to pirate stuff. Grokster can cease to exist tomorrow and none of the copyright use I do is threatened in the least.
I think that it is very likely that either SCOTUS decides that pirate-to-pirate networks are illegal or Congress does. The RIAA and MPAA bought Orrin Hatch long ago.
When you are dealing with a bunch of corrupt skunks like Hatch and co it is a good idea to choose something other than a sewer to stand in. Expecting to be able to get any music you want for free is simply not a reasonable or sustainable demand.
I don't think the RIAA demands are fair or reasonable, but they are sustainable. If people want to prevent the RIAA and MPAA getting away with more corrupt copyright grabs they better choose a more realistic set of demands.
The blaster vulnerability was patched some time ago.
Any machine connected to the Internet will receive a penetration attempt within 20 minutes of connection. That is not the same as being vulnerable to the infection.
Some of us have been around long enough to remember when UNIX was notorious for its instability and insecurity.
Which is the stupidest hacking contest imaginable. My point was that pretty much ANY machine will pass that test. To be fair they should have a controlled experiment, stick a Windows XP, Linux and MacOS box next to each other, configure them all with the absolute default installation with NO options turned on. I would be surprised if any of the machines were compromised after six months.
The only mechanism likely to cause a problem would be a ping 'o death type situation that had not been thought up.
Machines usually only become vulnerable once you put a USER or a SERVER on them.
If the test is going to mean anything that is what you would have to do.
From the site: More importantly, I have been convinced that there may be legality issues stemming from such a contest, beyond those determined by our own legal counsel, prior to announcing the contest.
My first reaction was to reach for a loaded lawyer, I would guess that Apple and Symantec would do exactly the same thing. Thought it best to read the thread for some context first...
This is a really bad idea for a large number of reasons. First off there are plenty of Apples that have been recruited into botnets. All the user needs to do is to run a buggy version of Apache, or something layered on top and they are vulnerable.
Oh you say, no fair pointing at third party software bugs, they don't count. Well sure they do, the criminals don't care, they will take a machine any way they can. If you take stock Windows load it onto a machine and never use it for anything, guess what you are pretty secure. In fact you can use unpatched Win 3.1 if you never turn the machine on.
The thing that is more worrying about these schemes is that there is a definite barrier effect in hacking. Take phishing for example, the recent spate of phishing began when people worked out that they could create an ATM card from the stolen information and pull cash directly out of an ATM. Now that we have that loophole pretty much closed they are working on the much harder problem of setting up carding operations.