If this becomes a race between the "good guys" and the "bad guys", the bad guys have more incentive to get it right. Just like virus writers will buy anti-virus software, spammers will buy the C/R software. You don't attack your enemy's strengths, you attack his weaknesses, preferably ones he doesn't even know about.
Charlie's email address is automatically added to Bill's whitelist. So Charlie's challenge, showing his address as its source, flies straight to Bill's Inbox without a hitch.
Now all I need to do is know or guess anything on your whitelist (or have some means to automatically add something to your whitelist;).
Methinks all a CR system would do is add hassle to legitimate traffic and give the spammers an even easier time of it.
It seems like there may be one legitimate use for something like this - inside the network, inside the firewall.
Could be very effective. Inside your own network you should be able to identify which traffic is reasonable and proper and which traffic just does not belong.
If it can be set up to react quickly (and spectacularly) enough, your users will quickly learn to be much more cautious.
Click on something and after half an hour or half a day somebody figures out it was you. Click on something and almost immediately your screen goes into fireworks and your speakers start emitting rude noises.
I'm no expert but have mucked around with it a bit. With great skill and effort, Cygwin allows you to use a good Microsoft Windows computer as a poor Unix computer. And for that, the developers deserve high praise. Cygwin makes Microsoft Windows usable, well almost at least.
The problem is that it's really Microsoft Windows underneath and it shows through occasionally.
Methinks that is the essential difference between paid-for and free (as in beer) software. I would also add that the right to an opinion, at least one that anyone will listen to, is not free. It isn't even cheap.
I reserve, however, the right to express astonishment, which under suitable circumstances is much more productive than the right to complain.
I have a problem. I am astonished at the problem. You fix the problem so you don't get astonished by the same problem. We both gain. I gain from your efforts, but as far as you are concerned, that is an irrelevant side effect.
You can buy commercial software and you do have the right to complain. But, unless it's very expensive, it's unlikely the complaints will do much if any good. The nature of support for commercial software tends much more to convince users that whatever they are experiencing is a user error rather than computer error. Also whoever is fielding the calls is in no position to actually do much of anything about it. But whoever is fielding the calls does have to listen, at least until (s)he finds an excuse for "We don't support that".
It will be interesting to see how industry (I don't mean IT) figures out how to pay for free software.
Had there not been other problems with mremap(), no one would've looked this closely at the code. What they've found is a very involved exploitation despite their claim of "easy to exploit". [Emphasis added]
That's like a mathematician saying something is "trivial". Don't complain, a good mathematician can show you something non-trivial.
Methinks the best comparison of security is how hard it is to find a crack. (and how much noise is generated for how small a crack;)
Further, it seems that Open Source, when it finds one, takes the effort to find its friends and neighbors. Closed Source tends to plug the crack, somewhat, and that's the end of it. Repeat the process and Open Source is much more secure.
So basically this proves that Linux is just as insecure as Windows is.
Only if a few drops is the same as a flood.
Re:Memory triggers on close-but-not-exact matches (on The Memory Masters · Score: 2, Interesting)
They'll read a question too quickly, recall a question they've seen earlier, and then give the answer to the earlier question, not the one that's actually in front of them.
I've done that debugging, even to the point of having to narrow it down to one character before I could see it.
The real problem we're facing is the _assumption_ by operating systems that the programs executed by a user should have the same rights and capabilities as that user.
I've always wondered about that one and where it came from. It seems so incredibly stupid. My best guess is that it was so that Microsoft could meet some letter of some security criterion. Essentially by destroying all chance of effective security.
Rephrasing: if I am to give any program that the user runs access to something, I must give all programs the user runs the same access to that something. In real life this would mean that I would have to give my plumber, my banker, my attorney, my doctor, my accountant, all of them, exactly the same access to my private stuff.
Effective security. Do you put everything away and lock your desk and your office door when you go to lunch? Should your computer get any better treatment? Seriously, a closed desk drawer is rather effective security.
Windows for Workgroups with Novell or Lantastic networking. You could set up a program in a DOS box that would attach a network drive to that DOS box only. In fact you could have several of them open with the same Drive letter attached to different resources. Probably not extremely secure, but at least it kept all the other things from messing with critical resources. Progress? Bah!
discovered that vulnerability back in August, 2000
So much for Microsoft being faster at patching vulnerabilities.
"(My favorite discovery was that the decompressor for RLE-compressed .BMP files is in the kernel, and contains a buffer overflow.)" That's still worth a chuckle.
"The persistent part of a server belongs in a database where you have a coherent model of the data." Very right. You need the ability to modify and reconfigure and reprogram a "running" server.
"What I want is security that actually works, rather than having to be patched every week." If it needs to be patched, it never was secure. Probably the only effective way to achieve security is for the address space to only include things that should be messed with. Elementary Unix security, with a few well chosen "users" has saved my bacon more than once.
And therefore head for the nearest refuge which provides a false sense of security. Totally predictable.
The computer wants to be your friend. A con man wants to be your friend. I fail to see any difference.
Smart computer, dumb user is a recipe for disaster. Smart user, dumb computer... works. In fact it works better the dumber the user and the smarter the computer. Smart computer has at least one fatal flaw. The computer does not know what the computer does not know. It lives in a flat-earth world, can't see the edges, and is in fact incapable of comprehending that edges could even exist. The solution is to never miss an opportunity to show how stupid the computer really is.
The "Real World" often trumps "Wide-eyed Idealism" when you are on the firing line, at least temporarily.
But some of us have long memories. Very long memories.
Re:Cha ching, reloaded. (on Gates on Spam · Score: 1)
If this is going to be 'expensive computation which significantly slows [spammers'] mass-mailing efforts', won't it do the same for legitimate mass-mailing efforts as well?
I would expect this to affect the legitimate mass-mailing efforts instead of the spammers. The spammers have the resources and willingness to find ways to quickly "route around" the problem.
Think of it as getting post cards in the mail. Show the damned postmarks!
Piffle. The Slashdot headlines (and editorial sniping) are designed to stir up controversy. If the snipe is off-target, the first few comments let you know.
The Slashdot editors do not speak for the community, but many of the commenters, myself excluded, do. With a very slight perusal of the headlines and commentary, that should be obvious.
General rule of thumb...none of your users are trustworthy.
Actually, all of my users are trustworthy. (I trust my users far more than I do Microsoft;) And if they aren't, the computers are the least of my worries.
There's much more advantage for a hacker to take over one of the abundant dual Xeon machines running Linux on the network.
True. You have to wonder why it's Microsoft Windows that seems to catch most all the malware. I would imagine that Linux would be a much more attractive target.
. . . and this is "medium"? Solaris isn't really the sort of system where you tend to have untrustworthy users. A lot also depends on the difficulty of doing the exploit.
The problem isn't really the executable email attachments. The problem is the idea that email is/can be/should be safe.
Microsoft may or may not be unable to fix things. Microsoft is certainly unwilling.
The problem is that hiding file extensions is even considered as an option, let alone the default. The problem is that dialog boxes must be clicked on before further progress can be made. The problem is the idea of smart computer, dumb user. The problem is the idea that anything to do with computers even might be wonderful.
If I'm running NSA Secure Linux, I'm sure not clicking on strange attachments. I'm not even letting those anywhere near the secure system. The click on anything with impunity only works on a trash system, with trash software, bug-ridden and full of security holes. Only when that is normal instead of special will email be safe.
My users don't click on strange attachments any more than they put strange objects in their mouths. From many years ago the basic rule has been: Don't run strange programs ESPECIALLY FROM PEOPLE YOU KNOW. (Who else is gonna send them?) About the only thing I've done recently is occasionally chuckle that the worms are getting sneakier, and that it will get worse before it gets better.
Good one that.
It'll be like those mailing list morons who have "out of office replies" when they leave town for a month.
With, of course, a Reply to All which goes to someone else who does likewise.
Note to System.out.println(). With this, redundancy is the name of the game.
Right.
Methinks this mess will settle down only after firewalls are implemented to protect the internet (outside) from the intranet (inside).
With any kind of automated response system it seems like there would be too many cracks that could be used to cause the system to backfire.
It was one of these areas where perl wasn't the best tool for the job.
Surely you can run a shell script out of perl.
Something about a hammer making a poor screwdriver.
Someone educate me: why is this considered funny?
Dunno about you, but I prefer my news before it breaks.
(That's why I read Slashdot at work;)
Seems like there would be a large difference between remembering a few things that matter and a lot of things that don't matter.
People are stupid and fearful.
With legitimate-looking subjects and attachment names, ...
Not quite so black and white is it?
True. Most post cards are now in color.