Your dog certainly is yours, but if it craps in my yard, I am allowed to take recourse. If it barks all night, I can call the cops or animal control because you're infringing on my rights.
Corporations should have to play by the same rules. If I dumped a million tons of cancer-causing chemicals in the Hudson, I'd go to jail. G.E. does it and... has to pay for PART of the cleanup. :|
Check please!
You go to the user page (ask.slashdot.org/~heretic108 in this case) and read a few articles at random - you can usually find out where someone is from.
Heh... you know, it's funny... I thought Slashdot was the last bastion of privacy. :-)
No need to go name-calling. Some of us just prefer the (usually) far superior voice acting you get in the Japanese version of these soundtracks.
Yes, a good dub is good. However, there are a LOT more bad dubs than good dubs, so I'll stick with my subtitles with the occasional exception. I'd much rather have that option than be forced to listen to some of the dubs in existence.
Never. All the money that was spent on Voyager type probes would now be spent on finding a better way to kill people.
I realize that it's only the monorail system and really has nothing to do with the individual manufacturing steps. That's why it's so damned funny. It's put in the article as though it's completely damn amazing.
Imagine you read the following sentence:
"The new Ford Mustang engine generates 100,000 bhp, gets 210 mpg and is painted red".
The "painted red" comment means nothing. Same as the millimeter comment.
"tuned to millimeter-precision specs"
Umm... since when is a millimeter a big unit of measurement? My CAR DOOR is built to millimeter precision specs. The engine had bloody well better be .001mm specs.
Silly author... don't quote units when they're meaningless.
OK, but that AV program (which needs rights to run) shouldn't have a privileged UI.
It isn't a Unix only problem. You can do the exact same thing with sprintf on any platform where you can find a version of it (e.g. almost any)
As the original poster said, snprintf is good, sprintf bad.
I wasn't speaking of your "Sky is falling" remarks but of those of others who feel that this vuln represents something new and terrible on the Windows front.
As for DotNet, as much as I like C# (after working in it for almost a bloody year now) and appreciate the easy things being easy and the hard things being possible, I'll withhold judgement on its securability until it's been around for a few years.
I'm curious what you're suggesting with the timing issue.
As far as the WM_COPYDATA... well, yes. Programmers using WM_COPYDATA should ALWAYS be damned sure they know what they're getting when they get that message. And after they've checked that it's not dangerous, they should check again. And then they should probably go find another way to implement the desired functionality. WM_COPYDATA has always been a terrible hack, as I recall.
Huh?
If you run Windows, all users have access to privileged programs....
What do you mean by that?
Not to imply that those services are secure (IIS comes to mind) but I cannot think of a SINGLE one which interacts with the desktop directly. They all have management programs which go through the registry or other communication methods (COM interfaces, etc) to interact.
They wouldn't be vulnerable to this exploit.
How dare you have a reasonable opinion on Slashdot! My army of trained flamemeisters has been dispatched to beat you about the head and neck with copies of "The Road Ahead".
Windows is insecure. Linux is insecure. PROGRAMS are insecure.
I agree that secured platforms are important. Personally, though, I disagree that Dot Net is a panacea. It is possible to write insecure apps in any language or platform, and I can assure you that some .NET apps will be given admin privs.
As long as we programmers don't make security a priority, we will continue to have badly written apps.
You know... I usually don't defend Microsoft very much, but I guess all the "ARGH! The sky is falling" stuff got to me.
If you give the user access to a privileged UI, you trust them. (If you don't and you accidentally give them access to that UI, you shouldn't be admining or you shouldn't be using that program.)
If you trust a user, they should have good habits.
Combine these two and you're back to just "badly written applications are insecure", which is true everywhere.
If you give a guest user access to ANY program which runs as administrator (e.g. an antivirus UI) I have to say you deserve what you get.
Same with the TS "shatter"... TS isolates the window sets of each user. If the user has something in their "window space" then it can be attacked.
(BTW: Does anyone else find it funny when people insist on bringing up distances in networked problems? Of COURSE it works a hundred miles away! It's a bloody network!)
It can only receive messages if there is a window associated with it. (Which may be hidden)
As another poster said, administrator level programs that interact directly with the desktop of a non-privileged user are a big no-no. (Not to say they don't exist, but they shouldn't.)
No OS design will keep a developer from creating an insecure app when their app runs as administrator.
Right... a non-privileged user has access to a window running a more-privileged account.
But the window must be in the user's workspace. You can impersonate the user, or, if the software in question has bugs in it (buffer overruns, etc), you can exploit those.
If the user doesn't have any access to these programs (which they probably shouldn't in a truly secure environment) it isn't an issue. Turn off the user component.
Look at it this way... if you have an X window to a SUID program running and you run arbitrary code... you could well be screwed. This isn't any different.
Still, I'm back to my "If the user runs unknown code, they're screwed". There will always be SOME bugs in ANY operating system which can be exploited if you can get a user to run arbitrary code. Which is why encouraging good user habits is so important.
So basically you're saying that if you can get a user to run arbitrary code and that user has access to applications with higher access rights, you can get those access rights.
If you can get the user to run arbitrary code, they're already dead.
Not to say that Windows is secure, but this seems to be picking nits to me.
Which state boundary are you talking about? I know Kentucky and Indiana have a bit of this going on, but I wasn't aware of any others.
Yeah, we've got those where I'm at, too. The number of times I've caught up with the guy in front of me on my way in and said "Hey, I forgot my badge, can you scan me through?" is without number.
Also, those doors have malfunctioned at least 10 times in the past 10 months. Once it just sat there all day spinning. Anyone could have walked through.
The door is only as secure as the people who use it and how well it is maintained.
Do I hear the words "I have a cunning plan" marching this way with ill-deserved favor?
I hope I didn't seem to be jumping down your throat on the Notwithstanding thing... just trying to clear up confusion with the definition.
As for the any file on the computer, I would swear I read earlier a part of the bill which basically said if they had to do it to get the file off the P2P network, they could. I'll be damned if I can find it now, so you're probably right. Damned office plants must be putting off hallucinogenic chemicals again. 'Pologies.