Slashdot Mirror


User: GoogleShill

GoogleShill's activity in the archive.

Stories: 0
Comments: 174

Comments · 174

  1. Re:why? on Firefox 23 Makes JavaScript Obligatory · · Score: 2

    What exactly was "stupid" about ActiveX aside from potential malicious code (either directly or via overflows) that was either enabled by default or presented to the user with a "just click yes so the website will work" style input box? Firefox "avoided" this by not implementing ActiveX but most or all of the functionality was recreated in Javascript, giving it basically the exact same level of "stupid" with the benefit of having learned from about 10 years of exploits.

    How about the fact that scripts could invoke any ActiveX object on the system that was marked as "safe for scripting" without any user interaction? Bugs in those components have plagued IE users with drive-by installations of malware. This is why ActiveX killbits were developed and are updated all the time.

    Letting an ActiveX control run is equivalent to giving that web page full control of your computer. The only sandbox is UAC, and that has been proven to be full of holes.

  2. Re:Well that validates the 'weasel word' disclaime on WA Post Publishes 4 More Slides On Data Collection From Google, Et Al · · Score: 1

    Having a copy of the private key doesn't help you when using Perfect Forward Secrecy through ephemeral Diffie-Hellman session keys.

    Though I suppose that if you disable everything but the EDH and DHE ciphers in your browser, many sites will not work.

  3. Re:Scare tactics on Tennessee Official: Water Complaints Could be "Act of Terrorism" · · Score: 1

    Are you saying that Dr. Strangelove was a shit movie?

  4. Re:say thanks to the bail outs on NYC Tech Sector Growing Faster Than City Can Keep Up · · Score: 1
  5. Re:slight logical problem on NYC Tech Sector Growing Faster Than City Can Keep Up · · Score: 1

    You obviously don't know NYC very well.

    The property costs are minimal once you factor in how easy it is to get exceptional talent.

    Millions and millions in unnecessary expenses? I have no clue what you're talking about.

    The subway commute is usually much cheaper and easier for people than commuting by car in almost any other city.

    Crime is extremely low; one of the lowest of any US city with a population above 100k.

    Noise? My apartment, built in 1900, is quieter than my old house in a very quiet and secluded neighborhood in suburban Denver due to dogs, lawnmowers, etc. I rarely hear street noise.

    Terrorism? Yeah, that happens ALL the time.... I'm so worried.

    I'm guessing that the people who start up successful businesses in NYC know a little bit more than you do.

  6. Re:What's the appeal? (Bingo!) on NYC Tech Sector Growing Faster Than City Can Keep Up · · Score: 1

    They all have offices here, and why do you need a sprawling campus when all of the things a campus can provide are right outside the front door?

  7. Re:Fuhgeddaboudit on NYC Tech Sector Growing Faster Than City Can Keep Up · · Score: 1

    You forgot about everyone who lives above 14th st. Oh, and those below Canal. All B&T :)

  8. Re: Critical Bugs on Java API and Microsoft's .NET API: a Comparison · · Score: 1

    No they are not. They are all over the runtime and library: Libraries, Hotspot, JavaFX, AWT (many), 2D, serialization, reflection, JAXP, RMI, beans, JAX-WS, etc etc. They are amplified by the fact that many of them are indeed in a library/feature that can be accessed through applets from remote. But the vast majority of the vulnerabilities exist isolated from the applet and could be exploited through other channels.

    Sorry, but that's not true. I check fairly often to see when it's time for us to update the JVM that we ship, and almost none of the vulnerabilities affect a standard application. They are almost 100% sandbox bypass bugs. It's very rare that I need to update due to a vulnerability.

    And even so, there have been precious few vulnerabilities in ActiveX.

    You're right, ActiveX has had few vulnerabilities because it doesn't even attempt to sandbox the object, whereas the Java vulnerabilities in Applets are getting around the sandbox. You let an ActiveX control run, it gets access to your system. There isn't much room for bugs because the entire concept is a vulnerability.

    However, the ActiveX objects marked as "safe for scripting" have been riddled with holes since the beginning, which is why there have been so many "drive-by download" exploits that don't even require the user to allow an ActiveX control to run in a page.

  9. Re:Bleh... on Man Of Steel Leaps Over Record With $125.1 Million To Mixed Reviews · · Score: 1

    I also like how they qualified the "June" opening record.

    It reminds me of all of the crazy sports stats.... This is only the 3rd time a player has hit 2 home runs in the second game of a double-header, while away, on a Thursday, when the temperature was 75* and Marlon Brando was watching from home.

  10. Re:terminal server on Microsoft Office Finally Gets iOS App · · Score: 1, Offtopic

    Hah, you must mean Citrix, right?

    Not that it was "invented" by either of them, but Citrix added terminal server capabilities to NT 3.51, then Microsoft screwed them by putting in their own "terminal server" into NT 4.0, giving Citrix only the small market that needed extremely low bandwidth.

  11. Re:of course... on Genomics Impact On US Economy Approaches $1 Trillion · · Score: 1

    You posted an anecdote, I posted news stories from reputable sources.

    I guess somehow in your little mind, opinions from people who happen to agree with your political disposition are more important than real evidence. Do you also believe in Santa Claus?

    The sky isn't falling, it's just one long period of unemployment and economic malaise due to an incompetent president. Hopefully, the next one will be better.

    Again with the lies! Do you realize that unemployment and the deficit are actually down since your sub-average IQ (R)-tard president was finally outed? Probably not, since you actually believe the ACA will destroy the economy.

  12. Re:of course... on Genomics Impact On US Economy Approaches $1 Trillion · · Score: 1

    The article gives real rates for actual payers. You can check them yourself if you like.

    That means nothing. You may simply have been on an uncompetitive rate plan or have had too much coverage. (Given how financially inexperienced you seem to be, that is actually likely.)

    Yes, my lower premiums are "uncompetitive", and my HDHP is too much coverage. Given that you've based your arguments solely on unsubstantiated numbers and lies, I can only imagine how "experienced" you must be. I posted fact, you posted lies.

    Yes, it will work itself out: companies will fire employees, automate more, and move jobs overseas, where employees have full health care benefits at a fraction of the cost of Obamacare.

    Ah, there it is. OMG THE SKY IS FALLING DUE TO OBAMACARE!!!11 Mindless drivel from yet another internet troll.

  13. Re:of course... on Genomics Impact On US Economy Approaches $1 Trillion · · Score: 1

    Take off your partisan glasses and face reality:

    Uh, what? You start out with a bogus Obamacare dig, then you link an article which shows no evidence, just some numbers that /some/ economists are expecting people to pay. And still those numbers are far less than what many people are paying now. For example, my friend got laid off and was paying $1800/mo to cover his wife and newborn through COBRA. That's roughly 50% of the average household gross income spent directly on insurance.

    I'm basing my viewpoint on real evidence, not the BS estimates you see all over the news. I'm mid-30's, healthy and working for a small company. Exactly the type of person who is "estimated" to pay more, and yet, I'm paying less.

    Furthermore, the businesses that have a "100% increase in healthcare costs" will pass that on to consumers and employees, and will reduce staff to make ends meet.

    If a company is too greedy to give health benefits to its employees, then in my opinion, they deserve to fail. We're not talking about mom and pop shops, these are companies with more than 50 full-time employees. It also affects the entire market, so competitors all have to adjust and it works itself out.

  14. Re:Wanna earn $200K+? Two words... on The $200,000 Software Developer · · Score: 1

    Thanks for that. It showed me that my salary was effectively cut in half by moving to Manhattan.

    Still, I think it's worth it.

  15. Re:of course... on Genomics Impact On US Economy Approaches $1 Trillion · · Score: 1

    No, right-wing news hosts are saying that. The only people who will pay more are companies who are only now required to provide insurance to their employees and therefore have a 100% increase in healthcare costs.

    My empirical evidence was in the form of a rebate from United Healthcare because they exceeded the premium cap mandated by the ACA. That's right, money back and a lower premium because of Obamacare.

  16. Re:mostly some small private planes left on FAA Wants All Aircraft Flying On Unleaded Fuel By 2018 · · Score: 1

    You typically don't top off an airplane's fuel tanks, especially while it is on the ground, because you don't know if that extra weight capacity is needed for something else on the next flight. There will be a lot of air, and associated moisture in the tank which is absorbed by the ethanol.

    Also, fuel tanks have breathers so that temperature changes don't cause severe pressure changes within the tank, and so that consuming fuel doesn't leave a vacuum that the fuel pump can't overcome.

  17. Re:mostly some small private planes left on FAA Wants All Aircraft Flying On Unleaded Fuel By 2018 · · Score: 4, Informative

    Ethanol is a very bad thing to put in avgas, which is why you won't find it at any airport pump. It has this terrible problem of absorbing moisture from the air while it's sitting in the tank, parked, then releasing it as water when you're at altitude. The water sinks to the bottom of the tank and gets sucked right into the engine.

  18. Re:flying and turbulence on Fear of Death Makes People Into Believers (of Science) · · Score: 2

    It's the psychological effect of feeling helpless. As a passenger, you have absolutely no control over what happens and can't even see what's in front of you. You're just at the mercy of the plane, mechanics and pilot. For the most part, participants in adrenaline sports are completely in control of what happens.

    I was on a flight last year and during take-off with a gusty crosswind our plane skidded to the side probably 20 feet. All of the passengers were bouncing around, and people were grabbing on to their armrests, freaking out. The lady sitting next to me was visibly scared, so I attempted to lighten the mood by putting my arms in the air and saying "wheeeeee!", as if I were on a roller coaster. She did not like that one bit.

  19. Re:There goes another Swiss Army knife on TSA Decides Against Allowing Small Knives On Aircraft · · Score: 1

    Since you decided to use the term "blue state", you should know that these are New York City laws from Giuliani/Bloomberg... Both Republicans.

  20. First Post on Microsoft Attempts to Woo Students With 'Crowdsourced' Laptops · · Score: -1, Troll

    And just like Rihanna, we all suffer.

  21. Re:Should be noted on SCOTUS Says DNA Collection Permissible After Arrest · · Score: 1

    I didn't lie, I proved you wrong on every one of your accounts. Republicans AND conservatives are more likely to infringe on personal freedoms than any liberal.

    You probably still believe that Iran is not conservative.

    I'm done here.

  22. Re:Who cares. on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 3, Informative

    Firstly getting in at that level is hard. The kernel is not monolithic, and the different parts have different permissions. That's why you don't see many viruses that actually do that any more - all the attack vectors that are exposed are for stuff that runs outside the core kernel level we are talking about.

    It is typically hard, but this exploit runs at ring-0.

    Even if you can get in at that level it still isn't easy to just install your driver. The driver management code won't accept unsigned code even from the inner kernel. You would have to replicate those routines yourself and patch it directly into the driver system. Bypassing the driver loading system, as you say. Hardly trivial.

    I don't think you understand what it means to "install your driver". I'm not talking about adding a .dll and .inf file, I'm talking about actually executing driver/shellcode in the kernel. This exploit executes code in ring-0 which gives full access to the kernel memory, hardware, OS, filesystem, registry... everything. There is no need to bypass anything. You've already "installed the driver" and anyone with the skill to exploit a kernel vulnerability will have no trouble overwriting the crypto check function in program space with a "return success" stub. Since this attack does not require the exe to be signed, it can permanently install itself by adding a startup entry in the registry. SecureBoot won't protect against that.

    What SecureBoot does protect against is some malware permanently installing itself on the system /after/ the OS has been patched.

  23. Re:Should be noted on SCOTUS Says DNA Collection Permissible After Arrest · · Score: 1

    My god, can I at one point in my life talk to an intelligent, informed conservative? You keep spewing nonsense and misinformation.

    Iran, led by Ahmadinejad, political party: Alliance of Builders of Islamic Iran, Ideology: Conservatism, Political position: right-wing.
    https://en.wikipedia.org/wiki/Alliance_of_Builders_of_Islamic_Iran

    You still only mentioned one thing, soda... Big fucking deal. You still vote for conservatives that undermine people's freedoms far worse than liberals, which was my point, and I've proven that very well now since you haven't come up with 2 examples.

  24. Re:Who cares. on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 2

    That is why viruses often try to trick the user into granting them admin level permissions via a UAC warning prompt. In this case a way has been found to take those permissions without a prompt, giving the user a false sense of security and not alerting them to potentially dangerous behaviour.

    You described a trojan. Viruses exploit a vulnerability to install themselves and spread.

    As for drivers even a kernel level exploit usually won't be able to install them these days. Drivers need to be signed before Windows will allow them to be installed. On Windows 7 you can install unsigned code after the user gives permission, but Windows 8 flat out refuses to install unsigned binaries as drivers.

    I haven't written shellcode for Windows since XP (I work on the defensive side of security now), but I do suspect you are not correct here. If you can get your shellcode to execute in kernel space, it can do anything. You could read a driver file from the network, copy it into kernel space and execute it, completely bypassing the signature check. You could also disable the signed-driver requirement so that a rootkit is loaded on every boot.

    Here's another way to look at it: This exploit effectively bypasses the driver loading mechanism, loading code into kernel space. That code could be a keylogger, or a USB camera driver.

  25. Re:Should be noted on SCOTUS Says DNA Collection Permissible After Arrest · · Score: 1

    Quote please, I'm not aware of any lies. You must realize that there are different interpretations of the 2nd Amendment. Someone making a statement of their opinion when it differs from yours does not make it a lie.

    Since you didn't disagree with anything in my post, I'll assume you agree that when it comes to protecting personal freedoms, conservatives are not on our side.