Slashdot Mirror


User: Tony-A

Tony-A's activity in the archive.

Stories: 0 · Comments: 3,584

Comments · 3,584

  1. Re:Giving Up on Security Pros Bemoan the Need for Focus · · Score: 1

    I think you misspelled "and."

    Nope, the or is correct.

    "things will get better"
    [ of their own accord, which if the above comment on the bank which has its accounting system online because "they have only one network" is at all indicative of the state of affairs, just is not going to happen.]

    or

    "we will be living in a non Microsoft world"
    [ the only viable recourse if things do not get better on their own. ]

    [ and then ] things will get better.

  2. Re:Excel is a real word too! on Excel Registered as Trademark, 19 Years Late · · Score: 1

    The important thing in trademark law is whether the word is in common usage in the domain of the product.

    Hmmmm, Is "excel" in common usage in the domain of computer software?

  3. Re:I'm still amused... on Where Is Sun Going With Linux? · · Score: 1

    One of my assignments in a previous project was to optimize and debug an aerospace engineering package. I reduced the source size by half and the binary size by 90%. Was that of "negative value"? Nope. I eliminated a lot of bloat, fixed a lot of bugs, and accelerated the code enormously. The effort, though, was negligible, partly because I'm a damn good programmer but also because it was badly written to start with.

    Anecdotal, but any legitimate attempt at a software metric must be able to cope with such as the before and the after as stated and give meaningful and usable numbers.

    SLOC is easily and objectively measurable. Measuring the number of paths may give a more defensible measure but is not as easily nor as objectively measurable. However, in either case anything objective will rate your after as smaller than the before.

    Methinks the basic problem is confusing cost with value. Every line of code, every complexity, every path through the code is a cost. Value has to be measured outside of the program. Value exists in what the program accomplishes and how well it accomplishes it. The resources consumed in doing that are some of the costs.

    "The effort, though, was negligible" seems a bit incredible. I've done similar and I'd rate the effort as damned hard. Well,....., compared to the effort of the first round, quite plausible.

    "because I'm a damn good programmer" seems essential and even in polite society that's the proper terminology. Seems like it requires sufficient mastery that the code is "engineered" (and I don't mean "Software Engineering" which seems like trying to build bridges without knowledge of Strength of Materials.)

    "There is no correlation." Accurate summation.

  4. Re:Word Perfect for Windows was horrible on Novell vs. Microsoft, Again · · Score: 1

    Why does Microsoft have to publish their APIs? Windows is their stuff, can't they keep it secret if they want?

    Developers. Developers. Developers.

    It would make complete sense if Microsoft were the only user of Windows.
    As it is, missing or misleading documentation, or more importantly retrofitting the APIs to perform as your own people have misunderstood them, puts Microsoft's competitors at a distinct disadvantage.

  5. Re:Your trust is misplaced on Latest Version of MyDoom Exploits New IE Flaw · · Score: 1

    we live in reality, where software really needs to have security briefs that don't border on the philosophical.

    We are -ASSUMING-, when evaluating code for security-conscious methodology, that the environment functions as advertised.

    Seems like you're confusing need with ability.
    A program is insecure if it or anything it depends on is insecure.
    Assigning the blame elsewhere does not make it secure.

  6. Re:I Love Bees on Do Honeybees Defy Dinosaur Extinction Theories? · · Score: 1

    Do you think a hive of tropical bees would survive a harsh Canadian winter?

    A few, yes. It only takes a few to repopulate the species.
    Further, populations migrate over time. There's no reason to assume that the bees now in the tropics came from the tropics.
    A few survive, multiply, and diverge into different ecological niches.

  7. Re:Yes they have. on USAF Studies Teleportation · · Score: 1

    that no one bothers to read anything that says, "The evidence is good" because it disagrees with their preconceived notions.

    Nope. If the evidence is good, it can stand on its own.
    If it needs to be propped up by someone saying "The evidence is good", then no one bothers with it, preconceived notions or otherwise.

    If I'm dealt thirteen spades, I know somebody has stacked the deck. I know a few too many pranksters for it to be chance.

    I've heard of composite studies and I've also heard of horses that can do arithmetic. With covert channels of communication you can do some amazing things.

    Interesting phrasing "the likelihood that all of the studies examined were incorrect or selectively reported". [Emphasis added]
    I'd be more interested in the likelihood that all of the studies examined were correct and that none of them were selectively reported (or selectively selected).

  8. Re:FUD on Microsoft Offers to License the Internet · · Score: 2, Insightful

    When I sign a royalty-free agreement for these protocols, what am I licensing?

    I think there is some reasonable assumption that if you are selling something that you have something to sell, that if you are licensing something that you have something to license.

    That would imply that MSFT owns or controls what it is licensing.
    I think that is the normal assumption that whoever is licensing something owns or controls what they are licensing. Licensing something that belongs to somebody else seems rather fraudulent and is certainly not respecting the Intellectual Property of those others.

  9. Re:Why is it so hard to catch these criminals? on Fishing for Phishers · · Score: 1

    Is there just no will to do this or am I missing something?

    I doubt it's that easy or simple, but.
    The authorities tend to be good at gathering and accumulating statistics.
    The banks should also be concerned that somebody is using their identity fraudulently.
    Savvy users forward the email with headers to such as abuse@citibank.com (which bounces, so there probably is no will to actually do anything about it).

    Seems that if the authorities are to be able to do anything about it, they need lots of in-depth information so that the activities of the phishers are exposed as the activities are engaged in.

  10. Re:Yes they have. on USAF Studies Teleportation · · Score: 1

    "Using the standards applied to any other area of science, it is concluded that psychic functioning has been well established. The statistical results of the studies examined are far beyond what is expected by chance. Arguments that these results could be due to methodological flaws in the experiments are soundly refuted."

    With a prelude like that, it's guaranteed bunkum.
    Statistical results devised after the data is in can be guaranteed to show statistical properties that are outside the limits of chance.
    Measuring methodological flaws from within the box presumes a bit too much, methinks.

    Houdini wanted very much to find some real mediums, but all he could find were fakes.

    If I can teleport something up, seems I can make a functioning perpetual motion machine. If I can teleport something down, where does the energy go?

    Maybe this piece of spam is legit? Not likely.

  11. Re:For the love of..... on USAF Studies Teleportation · · Score: 1

    This is a ridiculous statement to make. All claims should be judged by the same criteria. Just because you think the claim is ridiculous you should not be able to raise the bar for proof beyond any other claim. Science is science, proof is proof. You don't get to say "this proof is not sufficient because your claim is incredible". [Emphasis added]

    Does your logic apply to your own statement?

  12. Re:An interesting topic, at last!! on Shootout: 'rm -Rf /' vs. 'Format C:' · · Score: 1

    but some people honestly believe that system restore on Windows is the greatest thing ever and cannot be defeated. Go figure.

    Some people may be right.
    Sounds like a good way to create a worm that cannot be removed.
    **ducks and runs for cover**

  13. Re:When did M$ become a network device? on Assessing Network Security · · Score: 1

    Informative, yes. (Best laugh I've had this month;)

    Informative anecdotal evidence to "If Windows is not actually writing data to the harddrives then it's probably a good OS..."

    If the OS does what you want it to do it is a good OS.
    If the OS does what it wants to do it is a bad OS.

    It is possible for Windows to behave like a good OS.

    In terms of writing to disk, standard instructions to our users are that if the system starts acting funny, do not log off, do not go through the normal shutdown sequence, do not let Windows write its damaged brain to the disk. Kill the power.

  14. Re:Large caches on Latest SCSI Drive Reviewed · · Score: 1

    I wonder if Windows swaps early to compensate for all the memory leaks

    (Chuckle) Defensive coding out of Windows? Not that likely.
    Other than some cooperation to score well on some benchmarks, the various pieces of Windows are in competition with each other to show that they are doing better than their peers. In this scheme of things, if you can somehow attribute the blame for your mistakes elsewhere, you come out looking better. If I can do 5% better by making you 20% worse, I come out ahead.

    There are ways of counteracting such. To compare A and B, run A + C and B + C and compare the timings of C. That's the real reason that Linux seems to behave a lot better than Windows. Linux might be better coded than Windows, but if not, Windows thingees gobbling resources to be a little bit better is a sure loser. Each one is trying to be a winner but the combination is a loser.

  15. Re:Sort of ... on New URL Spoofing Bug in Pre-SP2 IE · · Score: 1

    IE 5, NT 4 SP6 virus-running stuff renamed. Unpatched for 2-3 years or so.
    Shows http://www.microsoft.com
    Same in status bar
    Right-Click-down shows http:\\www.google.com in status bar
    Right-Click-up shows context menu.

    "The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML. The attack opens one href tag, and then leaves that tag open while enclosing a second URL within a table. The browser displays the first URL in the status bar, but sends users to the second URL."

    Such is the penalty for "working" with broken HTML.
    Different browsers can be expected to have different opinions as to which is the URL that is encoded. Different opinions within the same browser are almost a guarantee of something exploitable.

  16. No. on Apache 1.3.33 Released · · Score: 1

    As a rule, any program of reasonable complexity has bugs.
    A possible exception exists for programs written by Knuth.

    What is freakish is that Knuth is the only person with the ability and determination and discipline required to write a program without bugs.

    Me I'd find some other term than "freakish", like phenomenal, but the critical distinction is the same.

  17. Re:A little overblown on Apache 1.3.33 Released · · Score: 2, Funny

    With all the stories on Microsoft exploits, the Slashdot editors are trying to give equal time.

    "mod_include: Fix potential buffer overflow with escaped characters in SSI tag string."
    -- At least it's a different one.

    "Multiple security issues ... that could allow an attacker to compromise a computer running Windows and gain complete control over it."
    -- I thought they fixed that already.

  18. Re:One step towards security on Massive Online ID Fraud Ring Busted · · Score: 1

    it must be a technical solution which makes it difficult or impossible to steal an identity.

    The solution is low tech. It's when your grandparents knew their grandparents.

  19. Re:Is it just me... on Titan's Smooth Surface Baffles Scientists · · Score: 2, Insightful

    scientists are "shocked", "mystified", "befuddled", etc. by the data

    This is not a statement about the nature of scientists.
    This is a statement about the media and its journalistic integrity or more accurately the lack thereof.
    After many months or years of preparations the scientists do not have ready sound bites for the shocked, mystified and befuddled journalists who in turn project their own inadequacies on the scientists.

  20. Re:Windows TCO on Latest Ballmergram Bashes Linux TCO · · Score: 1

    explaining how Linux will cause the great apocalypse and M$ is our savior.

    Close, but the "great apocalypse" is Microsoft's and Microsoft expects you to be Microsoft's savior.

    As in "get the facts", Microsoft has little problem playing loose with the truth, and probably believing it themselves.

  21. Re:So does the FDIC on Latest Ballmergram Bashes Linux TCO · · Score: 1

    "Forking is of particular concern in the FOSS development process. A fork occurs when the development community splits over the path of development of a given application. In the worst-case scenario, development of forked FOSS may be halted, or the technical direction may become so altered that it no longer meets the institution's needs.

    Institutions should mitigate this risk by ensuring that adequate support is available for the current FOSS software either in-house, through vendors, or other outside sources."

    What is not mentioned is that the forking problem exists in closed source as well. You're just limited to the one prong of the fork the vendor is willing to let exist.

    Also mentioned only indirectly, (and due to the phrasing, I can't really blame them), institutions need to find a way to pay for free software (so that their fork stays supported).

  22. Re:Why the packages weren't signed? on PostNuke Open Source CMS Attacked · · Score: 1

    I was (mis?) using the term signature as some function of the file that would be different if anything were changed in the file. The point I was trying to make is that you want this signature to be multiple and obtainable from multiple sources. The problem with an integral signature scheme is that it's integral, just one point to crack.

    Your point is well taken as to identifying the source of whatever you have as coming from the expected source (or someone who has or has somehow managed to use that private key). The point I was making is that once the signatures/hashes/whatever are initially computed and promulgated it becomes essentially impossible to effectively compromise the system. Would you install Red Hat 9.1 if it came with credentials that proved it came from Red Hat?

    If you have a steady stream of different communications from a source it is expedient to trust, it's a good idea to have something that would detect strangers, maybe a wrapper like gzip around the tarball. One of the advantages of open source is that it is possible to have very secure systems with nothing more than a few people keeping their eyes open.

  23. Re:Humans... on "Phishing" Attacks to Increase · · Score: 1

    Or perhaps the solution is to send out a bunch of phishing emails and ...

    Don't. Except possibly as part of an April Fools gag.
    Do not give the concept of phishing any connection to legitimacy.
    Do not ask for any information you do not need.
    You do not want to be responsible for its safekeeping.
    "Had this been a real scam, you would be broke now" turns out to be true anyway because your box got rooted. Too risky.

  24. Re:Why the packages weren't signed? on PostNuke Open Source CMS Attacked · · Score: 1

    You want different channels for the tarball and the signatures.
    Completely different characteristics.
    For the tarball you want fast access (like broadband) to a reasonable probability of getting all of it. To handle communication errors if nothing else, you need a way to verify that what you actually got is what you wanted.
    For the signatures, speed is not a problem. Accuracy is, at least to the point that they are not all lying.

    You want to be able to obtain the tarball itself from any available mirror, including mirrors that nobody has ever heard of, because of speed and convenience if nothing else.
    You want to be able to obtain the signatures from multiple sources, including some "official" sources.

    When everything is OK, all the signatures are identical, including generated ones.
    When something is wrong, it suffices that not all the signatures can be faked simultaneously. Easiest way is that one of the primary sources is a junk box that is good for that one thing only and requires physical access to update.

    Expediency tends to make things simpler if everything is on one good box. But if and when this kind of thing becomes a problem, there are some easy ways to set things up so that it is effectively impossible to crack it. I suspect there are enough paranoids who download stuff and look for any suspicious changes in signatures listed on hosts that even if the maintainers have sloppy security, anything that moves that should not be moving will be spotted. A few moments of glory for not a lot of effort -- seems reasonable.
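The separate-channel check Tony-A sketches here and in comment 22 (tarball from any mirror, digests from several independent sources, any disagreement is the alarm), as an added Python example that is not from the post or from the PostNuke project; the tarball bytes, source names and compromised-mirror scenario are all constructed.

```python
import hashlib
from collections import Counter

# Constructed stand-ins for a release archive as fetched from a mirror
# (example data only, not a real PostNuke release).
GENUINE_TARBALL = b"constructed-release-contents-1.0\n" * 8
TAMPERED_TARBALL = GENUINE_TARBALL.replace(b"1.0\n", b"1.0 \n", 1)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_download(tarball: bytes, published: dict, quorum: int = 2) -> dict:
    """Check a fetched tarball against digests published by several
    independent sources (project site, a list announcement, an offline
    'junk box' that is updated only by hand, ...).

    `published` maps a source name to the hex digest it advertises.
    The download is accepted only if at least `quorum` sources agree on
    one digest, no source disagrees, and the fetched bytes hash to it.
    A dissenting source is reported rather than outvoted, because one
    source that could not be faked along with the rest is exactly the
    signal this arrangement exists to surface."""
    computed = sha256_hex(tarball)
    tally = Counter(published.values())
    consensus, agreeing = tally.most_common(1)[0]
    dissenting = sorted(src for src, d in published.items() if d != consensus)
    return {
        "ok": agreeing >= quorum and not dissenting and computed == consensus,
        "computed": computed,
        "consensus": consensus,
        "agreeing": agreeing,
        "dissenting": dissenting,
    }

def demo() -> dict:
    """Two scenarios: a clean download, then a mirror whose operator
    replaced both the tarball and the hash file hosted beside it."""
    good = sha256_hex(GENUINE_TARBALL)
    bad = sha256_hex(TAMPERED_TARBALL)
    trusted = {"project-site": good, "offline-junk-box": good, "list-post": good}
    clean = verify_download(GENUINE_TARBALL, dict(trusted, **{"mirror-x": good}))
    # The compromised mirror serves the altered tarball and a matching digest;
    # the other sources still publish the original one, so they disagree.
    hijacked = verify_download(TAMPERED_TARBALL, dict(trusted, **{"mirror-x": bad}))
    return {"clean": clean, "hijacked": hijacked}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if result["ok"] else "REJECT", result["dissenting"])
```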

  25. Re:we're getting closer... on Cray XT-3 Ships · · Score: 1

    The hardware giveth.
    The software taketh.
    That's the long and the short of it.
    Hornwise, that is.