For some of us, those Flash sites are *already* inaccessible.
I don't run worms either. I'm not saying all Flash sites are worms. I am saying that I'm not sophisticated enough to tell the difference, and that if I get one, I'll get the other.
Isn't slashdot already the place for Microsoft hating and bashing? Slashdot is the place to keep up with the latest in Microsoft wormage. (At least that's what I tell management;) Slashdot seems to be the only source for unbiased technical information about Microsoft products. (I didn't say /. was unbiased. It's the only place you're likely to find any unbiased information.)
All operating systems are as secure as their admins. All cars are as safe as their drivers. Rubbish. The difference between the security of Multics and the security of Windows 95 is the skill of the administrator?
Microsoft has millions of dollars and some of the top programmers in the world. So what is their problem?
One of the problems with a lot of these metrics is the lack of a fair, formal and neutral third party methodology for analysis... That is a big problem under the best of circumstances. With any marketing games going on, the numbers can be expected to be, if not wrong, highly misleading. The statistics tend to be like "A bank was robbed. 1300 pieces of paper were taken." The unanswered key question is what was attacked. Why would also be worthwhile knowing. Actually, this one seems more informative than most.
Speaking of damage, from the article:
"The economic damage from the attacks, in lost productivity and recovery costs, fell below average in August, to $707-million (U.S.).
The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion."
What I find interesting is that Linux attacks are up and damage due to Linux attacks are down.
"Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August."
Preferably before the bad guys mix something like Sobig or slammer with something that does actual damage, potentially hardware damage. Yep, although I would expect any such to not really live up to expectations. Linux (and moreso the BSDs) in many subtle ways encourage people to be aware of what is going on. What is required for containment is rapid response, not by the best and brightest, but by the poor saps who happen to be on the firing line at the time. Prediction: (he who lives by the crystal ball shall learn to enjoy ground glass) The reaction will resemble the Keystone Kops, but the damage will be less than one should expect.
"There is no such thing as a 100% secure networked computer."
1. So what? There are certainly degrees of insecurity. The alternative to 100% secure is not 0% secure.
2. I'm not that sure it's impossible. Take a *BSD and strip out everything not essential to what the computer will be doing. Partition according to size and function and mount with the tightest privileges required to do its function. PITA and would require rebooting to make the slightest changes. Got root? Fine, but you can't do anything. It's certainly possible to set up a server so it's not worth attacking it.
Something I don't think I've seen addressed in coping with these things. Short-term versus long term. The tactics and priorities are quite different. Getting rid of all of them is a long-term process. In the short term, you want to stay operational with minimal collateral damage. While emergency training will certainly help, it's almost a certainty that what needs to be done is not covered in the book. Sophisticated tools could certainly help, but it seems to me that with TCPDUMP and a pair of eyes and almost no knowledge it would be obvious that something was going on plus a few clues as to what and from where. I suspect that the best bet for long-term survivability is to leave decisions at the point of crisis to the whim of whoever is manning the stuff at the time. One PC goes wild. Probably ignored since there's plenty of capacity to handle it. One PC goes wild and a large bunch of its neighbors do too. You do something to stop the flood. Probably catches a bit of legitimate stuff too. Then you look and see what's making the flood and refine your stuff a bit. After such as Slammer, I would rather see a mixed-up mess that gets the internet back operational in an hour than something carefully thought-out that gets it back in 24 hours.
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: [Emphasis added]
Good, something doable by a passing worm/virus or aberrant sysadmin is sufficient to verify that the patch has been installed.
I'm sure there's a lot of information available. I'm sure all the bad guys know what it is and where to get it and are quite willing to take the time and trouble to get it.
Come on man pick up your game. My "game" is watch and see just how Microsoft manages to self-destruct. I intend and expect to survive it. If you get enough people blindly and repeatedly patching anything and everything, surely there's something fiendish that can (and quite possibly will) be done.
What about people who don't speak English, but want to reach a wider audience? Their English might be broken but their language isn't. If they've got something to say, it generally manages to come out pretty well intact. What's missing is the exact phrasing and vocabulary to effectively go so far and no further. (Think Greenspan's pronouncements;). If they've got something to say, it tends to be fairly bold and it is not inconceivable that it actually gains in mistranslation. (I would expect that last clause/phrase/whatever to be murdered by translation;)
Have you ever seen the Far Side comic where a student asks the teacher to be excused because his "brain is full"? Have you ever met or heard of anyone that has happened to? Hehe. Oh, I've done that to more than a few. Take something and just keep piling it on. Actually exploring most anything to its full depth and breadth will do that. However, in the balance between an elaborate house of cards and about half a minor point of something basic and fundamental, you're much ahead to get the fundamentals right.
Easiest way to learn the multiplication tables? Invent them. That way if you forget what 7*8 is, you can readily recreate what it has to be.
Accurate spelling, grammar and vocabulary allow greater precision in conveying exactly what you mean. I can get by in German with "Ya, Nein, Bitte, and Prost". Anything else I care about would require substantially better than a good tourist's vocabulary.
Of course if you are running code written by amateurs who use undocumented system calls then you probably should test everything over and over and over.
Hehe. Hehe. Sorry, but you can laugh or you can cry. Laughing's better. Russian roulette with Microsoft patches. Sorry, I gave up that game 2-3 years ago. I feel safer on my unpatched NT Workstation (with a few tweaks so it doesn't run worms/viruses so good anymore).
Given the "oh so helpful" descriptions of MS Patches ("This patch fixes a security hole which allows remote execution of code") and the sheer volume of them, it's a lot harder than most people think to keep boxes up to date. If the description said what was fixed, and what files were replaced to fix it, and what those replacement files were, exactly, then you would at least be able to determine if the patch "took" or not. By withholding that information, the patches look like they work, whether or not they actually did anything. It's essentially impossible to unpatch if necessary.
Running it again found the patches I needed for the 3rd one. If at first you don't succeed, try try again. ;-) Gives a lot of faith in their update process, eh wot? [bad attempt at British humor]
I wonder if comparing the parse tree, as suggested elsewhere in this over-thread, would provide good results?
The odds of two independent very well executed codings of a function are quite high. Actually there is a reasonable chance of code matching variable names and comments.
What's more interesting is that with a large sample you should be able to find two "different" functions with identical parse trees.
Don't like the behavior of a system class? Doesn't let you do something you'd like to? Then override the implementation and do your worst. It's just that easy.
Finally, it is quite obvious that stupid people find it easier to program in Windows. Mash a button. Out pops a program. Very simple and easy, actually. Getting a program that does what you want, however, is an entirely different kettle of fish.
Linux requires knowing a lot of intricate details and knowledge of unstable APIs written by other people and not maintained in a consistent or even perfectly portable format. Windows requires knowing a lot of intricate details and knowledge of unstable and undocumented APIs written by unknown other people. The state of its maintenance is unknown but it is most likely safe to assume that it is neither consistent and we can be sure that it's not in a perfectly portable format. (portable to what?)
Despite being (intentionally?) intimidating, Linux (or any unix) is easier to use, more forgiving, and less error prone than Microsoft Windows.
but I am sure that there are less expensive ways to engineer software than J2EE Oh, definitely. I see J2EE and I see gaggles of mainframes. Stuff that works and keeps working 5, 10, 20 years into the future. Regardless of what's free or freely available, that is not cheap territory. PHP/MySQL is capable of some heavy lifting, even in enterprise settings, but in doing so will become very much a highly specialized niche. The phenomenon is essentially that of painting yourself into a corner. Small size, no problem. Large size, with many painters, can easily dominate all other considerations.
Long Term Stability. I would expect J2EE to be very much around in 20 years. To die off, it would need both Sun and IBM to lose interest, and further that it not be picked up by Open Source. Concurrently. Sun and IBM losing interest alternately will not kill it. Five years from now, .NET will become "that old thing" to Microsoft and it off to the next mirage.
The choice of projects, scale, and time scale all affect which one is "better". It's pretty much always better in the short term to stay with what you've already got. Seems like the reality is that sea changes are ultimately cheaper if they're done earlier even though studies will fail to attribute anything to the real costs of making the change later, essentially take cognizance of "Pay me now" and ignoring the "or Pay me later".
Well put. Like cockroaches. You just can't get rid of them. They're hard to find. And when you squash one, three more come from nowhere!
When you find one, get rid of them. The one you found and its brothers and sisters. Some bugs are findable only in the context of other bugs.
They're hard to find. This is why Open Source ultimately wins. The residual bugs, the hard-to-find-bugs, are not found by the experienced developers. They are found by the poor sap who happens into the magic combination that exposes the bug. To be squashed, you must have at the same time and place the ability to duplicate the bug and the ability to modify the behavior of the bug. Highly developed skills would be nice to have, but are not essential. The poor sap who found the bug can squash the bug (s)he's interested in, while exposing ten more that are of no consequence in this exact context. Assuming the poor sap managed to somehow "fix" the problem, the poor sap is happy, almost. Next year is maybe a problem. At best the patch can be repeated. At worst the maneuvering room has been eliminated and the patch cannot be repeated. So, .... Here is a patch and some relevant info. Please, please look at it. From the main-line, a bunch of these is an extremely valuable resource. The main-line is interested in ensuring that "three more come from nowhere" does not happen.
Don't get too excited. They failed to rule the world by force. Now they're trying to do it peacefully, by co-opting us geeks. It could only be done through Linux. Now we know who Linus was working for when he said "world domination."
Actually, it's good reason to get excited. Go to a Bird Sanctuary. Think to yourself, "World Domination". Repeat. Rule. Control. It's not really what you want. You have to give up far too much. I've seen no indication that IBM is co-opting anybody, certainly not "us geeks". Linux seems to me like a triumph of anarchy. It does not need to be controlled. If Linux does wind up in a state of "World Domination", I am not in the slightest concerned. (Plenty of room in that "World Domination" for *BSD and a lot of other things;)
You laugh, but in certain contexts, that is the easiest way to go, and not that bad, security-wise. I don't see why it's so bad to have low-security when high-security is unwarranted. Personally, I think it's bad to have high-security where only low-security is warranted. I have systems where the computer name is the same as the user name is the same as the password, writ large on the keyboard. Part of effective security is limiting exposure as much as possible. For high-security, you want the minimum exposure possible, by the fewest people and for the shortest durations and for only very limited purposes. This has to mean that most everything is not that well secured. Your office has a certain level of security. Surely you've got a bunch of things that require better guards than say your slashdot password. You have an increased level of security in desk drawers that are closed.
A secure password secures that one aspect only. It does nothing whatever to improve any other aspect of security, and to the extent that it gives a false sense of security, works strongly against overall security.
Ditto on the primary email account. I've seen no indications that NYT has done or has any intentions of doing anything untoward with my email account. I did opt in and they do occasionally send me some stuff, but the whole feel of the thing is that NYT intends everything they do to be above reproach. I think what makes spam spam is that it is a constant barrage of minor irritants. Tell someone "Good Morning". Repeat. Keep repeating. See how long before the target becomes infuriated.
What this whole SCO thing is about is modern day robber barons. CEO-thieves who think they can create a high level of fear and uncertainty from suits; enough that they will listen, enough that they will wonder, enough that they will pay. Exactly. It's not just Linux, IBM, Open Source, or IT. It's everything from ball-bearings to matchsticks. It's about what the 21st century should be as opposed to what the 19th century was.
Why is MS acting like it's going to lose this lawsuit
Listening to a few worms lately?
Having my browser under somebody else's control, without my knowledge or consent, is not a good idea.
12 year old girls getting sued, give me a break.
Time for a little FUD.
12 year old girl sued for possessing RIAA music. Mom settles for $2000.
Possessing RIAA music is illegal.
The only way to hit RIAA where it hurts is to do absolutely nothing.
Oh I dunno. A few wildcat pickets of record stores might prove interesting.
Of course if you are running code written by amateurs who use undocumented system calls then you probably should test everything over and over and over.
You mean Microsoft Software?
The professionals hate him. They will be professional about it.
The unprofessionals hate him. They will be unprofessional about it.
IBM will be professional.
Some of us will be unprofessional.
We are not asking anyone's opinion or advice.
"if you're doing something illegal then don't admit it"
Sounds like standard legal advice.
Among other things, you're likely to admit to something you didn't do.