Re:Difference between this and the IIS holes
on
Linux Kernel Bugs
·
· Score: 1
Hehe.
We're behind a firewall, so we're safe.
We have anti-virus software, so we're safe.
People behind the firewall get email and read web pages.
Virus writers have access to anti-virus software.
I'm beginning to suspect that more damage is done to corporate computing by anti-virus software than the viruses they purportedly protect us against.
Don't forget to edit/etc/lilo.conf and run/sbin/lilo.
mkinitrd is also required (I think) if you have SCSI drives. Check if there is an initrd-something in/boot.
Re:Terminal server is something different
on
Linux Kernel Bugs
·
· Score: 1
>>There are more than a hundreds rights that you can configure in the system.
What are they?
What do they do?
What do they really do?
What are the default settings?
What and where are the rest of the settings?
Exactly what settings do you have on your systems?
And why?
...how am I supposed to protect myself? "Microsoft this month launched a new security initiative, the Strategic Technology Protection Program (STPP)." Impressive, huh?
If you have a half assed decent network admin most of the time you don't even need the patch. Exactly. If you know the exploit.
I like to use E:\WINNT where D: is the CD-ROM.
C:\ is the natural home for viruses.
You can also mess up viruses by renaming or messing with any *script* executables.
The idea is that releasing exploits to the public is creating an environment where it's too easy to hack machines. Not releasing exploits is what made (most of) the machines today so easy to crack.
Releasing exploits is slowly making the machines harder to crack.
Imagine airplane safety today if aircraft designers were never allowed to know anything about airplane crashes.
That's the direction things seem to be heading. A few more years, and Microsoft Windows will be... just a dumb terminal. Everything important will be stored and secured on some real server somewhere. The idea of thin-client and the-network-is-the-computer is right. Just a bit premature.
You have to wonder about the feelings of the Black Hats in category B) as they watch their Intellectual Property slowly evaporating. The bugs that are publicized were always there. After publication, their ability to do unknown damage is severly curtailed.
If the exploit is "theoretical" and looks like entirely too much effort to take advantage of, most likely I will not apply any patches.
If the exploit is freely available, I can test and either patch or devise some workaround that thwarts the exploit. If adequate disclosure does not exist, I feel safer replying to "I send you this file to have your advice".
Look at how much success Microsoft has had getting Code Red and Nimda patched. With the noise about Code Red and company, I patched my RedHat boxes and other than stopping IIS and friends, pretty much gave up on Microsoft as a lost cause. After going to their web page, informing my browser (IE5) that I do not want to run scripts. Several times. And No I do not want to debug the scripts it is running anyway. No. No way is Microsoft going to secure this mess.
Unfortunately, what will actually make systems secure is to first release the exploit, then release the rationale behind it. Contacting the vendor is a waste of time. They should never have created the hole in the first place.
Otherwise the vendor has the false sense of security in the two weeks or so grace period before the exploit is publicized.
Open source has the advantage in that it is more likely that something resembling a patch will be circulated along with the exploit.
Microsoft wants to be viewed as secure, but is unwilling to expend the effort required to even patch similar bugs in closely related places. Without such as Bugtraq, Microsoft would leave the hole in, and loudly proclaim how secure Microsoft is.
There may be a few problems with early publishing the details of an attack, but without an excruciatingly detailed plan of attack, not only will the vendors ignore the problem, the users will discover that they are actually safer not running unknown executables.
>>Hardly. MS publishes every flaw they find. Literally hundreds of thousands...
Which they?
Seems like Microsoft only publishes flaws that other people find, not that Microsoft finds.
Hundreds of thousands? Seems a bit of an exageration, even for Microsoft.
Here is an unknown executable that calls itself a "security patch".
I don't know what's in it.
I don't know what it does.
I don't know how to tell if I need it.
I have no idea what it might break.
"How many MSN subscribers..." assumes a normalcy and countability of MSN subscribers that I am unwilling to stipulate. Personally I prefer the much. It makes an amorphous blob of MSN subscribers. Pretty accurate characterization IMNSHO.
To make Bill Gates the richest man on earth.
Maybe in the hopes that some of the magic will rub off on you?
For "truth in advertising" you'll have better luck in a carnival side-show.
For self-defense.
Install NT on small FAT partition at front of disk.
Create NTFS partition.
Install real NT on newly created partition.
Early NT systems would destroy read-only files used in booting.
Another stunt is to make an NT boot floppy.
It seems like Linux/BSD is more likely to actually fix the problem than just apply an ill-thought-out band-aid. I'm sure there are still holes, but they seem to be getting more and more esoteric and much harder to exploit.
With SirCam and Nimda, it seems like the "bad guys" have finally broken the 10-minute mile.
The Constitution is NOT a suicide pact. Hmmm, "Give me liberty or give me death"
And it terrorists, not "Islamic terrorists". Osama is enough over the wall that his own family has disowned him.
We give up our (not "so called") rights, guess what? The terrorists just won. Doesn't matter who we bomb, catch, whatever.
You cant compare an upgraded and constantly patched linux box to a default Win2k installation. Oh yes I can. It has to do with the amount of time and effort I am willing to spend, and the trust I have that the upgrades will not break things in the upgraded systems. Ftp the lot and rpm -Fvh *.rpm is about as easy as it can get. My Linux systems are patched. My NT systems are not. My IIS systems are shut down, unpatched and uninfected.
Public corporations have a duty to protect the interests of their shareholders. This is not their only duty. They also have duties in regard to employees, customers, suppliers, their industry, and their community.
>>...so full of misinformation, poor assumptions, and incorrect assertions that it hurts
So post. Yeah, it takes a bit of time and will still be misunderstood, but your silence lends tacit agreement.
Hehe.
We're behind a firewall, so we're safe.
We have anti-virus software, so we're safe.
People behind the firewall get email and read web pages.
Virus writers have access to anti-virus software.
I'm beginning to suspect that more damage is done to corporate computing by anti-virus software than the viruses they purportedly protect us against.
Don't forget to edit /etc/lilo.conf and run /sbin/lilo.
/boot.
mkinitrd is also required (I think) if you have SCSI drives. Check if there is an initrd-something in
>>There are more than a hundreds rights that you can configure in the system.
What are they?
What do they do?
What do they really do?
What are the default settings?
What and where are the rest of the settings?
Exactly what settings do you have on your systems?
And why?
Here come the mainframes.
adj. Not credible; too extraordinary and improbable to admit of belief. .NET is not a credible platform.
I will agree that
...how am I supposed to protect myself?
"Microsoft this month launched a new security initiative, the Strategic Technology Protection Program (STPP)." Impressive, huh?
If you have a half assed decent network admin most of the time you don't even need the patch.
Exactly. If you know the exploit.
I like to use E:\WINNT where D: is the CD-ROM.
C:\ is the natural home for viruses.
You can also mess up viruses by renaming or messing with any *script* executables.
The idea is that releasing exploits to the public is creating an environment where it's too easy to hack machines.
Not releasing exploits is what made (most of) the machines today so easy to crack.
Releasing exploits is slowly making the machines harder to crack.
Imagine airplane safety today if aircraft designers were never allowed to know anything about airplane crashes.
That's the direction things seem to be heading. A few more years, and Microsoft Windows will be ... just a dumb terminal. Everything important will be stored and secured on some real server somewhere. The idea of thin-client and the-network-is-the-computer is right. Just a bit premature.
You have to wonder about the feelings of the Black Hats in category B) as they watch their Intellectual Property slowly evaporating. The bugs that are publicized were always there. After publication, their ability to do unknown damage is severly curtailed.
If the exploit is "theoretical" and looks like entirely too much effort to take advantage of, most likely I will not apply any patches.
If the exploit is freely available, I can test and either patch or devise some workaround that thwarts the exploit. If adequate disclosure does not exist, I feel safer replying to "I send you this file to have your advice".
Look at how much success Microsoft has had getting Code Red and Nimda patched. With the noise about Code Red and company, I patched my RedHat boxes and other than stopping IIS and friends, pretty much gave up on Microsoft as a lost cause. After going to their web page, informing my browser (IE5) that I do not want to run scripts. Several times. And No I do not want to debug the scripts it is running anyway. No. No way is Microsoft going to secure this mess.
It would be nice if it worked that way.
Unfortunately, what will actually make systems secure is to first release the exploit, then release the rationale behind it. Contacting the vendor is a waste of time. They should never have created the hole in the first place.
Otherwise the vendor has the false sense of security in the two weeks or so grace period before the exploit is publicized.
Open source has the advantage in that it is more likely that something resembling a patch will be circulated along with the exploit.
Microsoft wants to be viewed as secure, but is unwilling to expend the effort required to even patch similar bugs in closely related places. Without such as Bugtraq, Microsoft would leave the hole in, and loudly proclaim how secure Microsoft is.
There may be a few problems with early publishing the details of an attack, but without an excruciatingly detailed plan of attack, not only will the vendors ignore the problem, the users will discover that they are actually safer not running unknown executables.
>>Hardly. MS publishes every flaw they find. Literally hundreds of thousands ...
Which they?
Seems like Microsoft only publishes flaws that other people find, not that Microsoft finds.
Hundreds of thousands? Seems a bit of an exageration, even for Microsoft.
Here is an unknown executable that calls itself a "security patch".
I don't know what's in it.
I don't know what it does.
I don't know how to tell if I need it.
I have no idea what it might break.
I don't blindly reach under rocks either.
"How many MSN subscribers..." assumes a normalcy and countability of MSN subscribers that I am unwilling to stipulate. Personally I prefer the much. It makes an amorphous blob of MSN subscribers. Pretty accurate characterization IMNSHO.
--examine parsings
what is the scope of and
to provide consumers with best-of-breed MSN content and services via Qwest's Internet infrastructure.
to provide consumers with
( (best-of-breed MSN content)
and
(services via Qwest's Internet infrastructure) ).
looks and sounds ugly
to provide consumers with
(best-of-breed
(MSN (content and services) ) )
via Qwest's Internet infrastructure.
most plausible parsing
Is there some rule about shortest plausible match to determine the scope of and?
Well, they do have the best breed of worms. The *nix varieties just don't seem to do very much. Even the honor virus doesn't seem to proliferate.
To make Bill Gates the richest man on earth.
Maybe in the hopes that some of the magic will rub off on you?
For "truth in advertising" you'll have better luck in a carnival side-show.
For self-defense.
Install NT on small FAT partition at front of disk.
Create NTFS partition.
Install real NT on newly created partition.
Early NT systems would destroy read-only files used in booting.
Another stunt is to make an NT boot floppy.
It seems like Linux/BSD is more likely to actually fix the problem than just apply an ill-thought-out band-aid. I'm sure there are still holes, but they seem to be getting more and more esoteric and much harder to exploit.
With SirCam and Nimda, it seems like the "bad guys" have finally broken the 10-minute mile.
The Constitution is NOT a suicide pact.
Hmmm, "Give me liberty or give me death"
And it terrorists, not "Islamic terrorists". Osama is enough over the wall that his own family has disowned him.
We give up our (not "so called") rights, guess what? The terrorists just won. Doesn't matter who we bomb, catch, whatever.
You cant compare an upgraded and constantly patched linux box to a default Win2k installation.
Oh yes I can. It has to do with the amount of time and effort I am willing to spend, and the trust I have that the upgrades will not break things in the upgraded systems. Ftp the lot and rpm -Fvh *.rpm is about as easy as it can get. My Linux systems are patched. My NT systems are not. My IIS systems are shut down, unpatched and uninfected.
Public corporations have a duty to protect the interests of their shareholders. This is not their only duty. They also have duties in regard to employees, customers, suppliers, their industry, and their community.
Linear interpolation should go back at least to the 19th century.
>>...so full of misinformation, poor assumptions, and incorrect assertions that it hurts
So post. Yeah, it takes a bit of time and will still be misunderstood, but your silence lends tacit agreement.