You would think...
Up until a few months ago, the site ZDNet had a bug in their comments that allowed the first person who made a comment under a story or blog to change the headline displayed over the comments section by modifying the querystring.
For example under a story called "Flaw found in Internet Explorer" the link to post a comment would look like this....
http://zdnet.com/blogs?foo=4343?title=Flaw+Found+in+Internet+Explorer
The first person to post a comment could change the querystring like so...
http://zdnet.com/blogs?foo=4343?title=Microsft+gives+up+advises+edveryone+to+use+Firefox+instead
And the "new" title would appear over the comments section for the world to see. I had fun with it a few times - never anything dirty or offensive and I even reported the bug to them multiple times, but they left it unfixed for years. Someone with ill intentions could have put something vulgar up for all of their readers to see.
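A constructed Python model of the bug and of its fix, added here and not ZDNet's own code: the querystring should only select the article, and the headline rendered over the comments must come from the server-side record, never from a client-supplied "title" parameter. The URLs, article id and article store are constructed; they use "&" between parameters because standard parsers treat the second "?" in the posted links as part of the first value.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the article store: article id -> canonical headline.
ARTICLES = {"4343": "Flaw Found in Internet Explorer"}

# Constructed comment links: the genuine one and one with a rewritten title.
LEGIT_URL = "https://example.invalid/blogs?foo=4343&title=Flaw+Found+in+Internet+Explorer"
TAMPERED_URL = "https://example.invalid/blogs?foo=4343&title=Spoofed+headline"


def _params(url: str) -> dict:
    """First value of each query parameter, with '+' and %XX decoded."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def heading_vulnerable(url: str) -> str:
    """Model of the bug: the heading shown to every reader is whatever the
    first commenter put in the 'title' parameter of the link they followed."""
    title = _params(url).get("title", "")
    return f"<h2>{title}</h2>"


def heading_hardened(url: str) -> str:
    """Fix: the querystring only identifies the article; the headline is read
    from the server-side record and HTML-escaped before it reaches the page."""
    article_id = _params(url).get("foo", "")
    headline = ARTICLES.get(article_id)
    if headline is None:
        return "<h2>Unknown article</h2>"
    return f"<h2>{escape(headline)}</h2>"


if __name__ == "__main__":
    print(heading_vulnerable(TAMPERED_URL))  # commenter-chosen text is shown
    print(heading_hardened(TAMPERED_URL))    # canonical headline is shown
```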
disagree on two aspects of this. First, the government hasn’t the ability (let alone the authority) to bring about equal outcomes;
The parent never said the government should bring about equal outcomes. He said it should enforce an equal playing field. There is a distinct difference.
Secondly, the only way the government can “enforce an equal playing field” is to steal from one person and give to another; that is, you violate the property rights of the “haves” so that the “have-nots” reap the rewards of another’s work.
This is how functioning societies work. The alternative is ever growing income disparity and eventual societal collapse. The wealthy are able to get that way because they have a healthy, functioning society and economy to exploit, and the wealthy inevitably pay a larger portion of the tax base due to the fact that they are the only ones that have the resources to do so. Using the pejorative term stealing for taxation is not helpful. Attitudes towards taxation like yours resulted in the rolling back of taxes for the wealthy in the early 1980s; the only thing it has gotten us is a federal debt that almost equals WWII levels and shit to show for it.
YOU FAIL AT HISTORY.
First they fight against outlawing slavery, to the point of nearly destroying the country,
Actually, it's the Republicans who did that. Disgustingly, you talk about it as if it were a bad thing.
then they re-enslave millions of blacks with government "benefits" programs
Poverty rates of African American families have gone steadily down since the Civil Rights era, from 40.9% in 1966 to 23.1% in 2006. [source]
I have to hand it to Democrats and the liberal machine...they've pulled off a massive marketing coup.
In regards to marketing and politics, the Democrats/Liberals have merely caught up to what Republicans/Conservatives figured out 30 to 40 years ago.
Remember, be a smug asshole.
So making an effort to not incriminate yourself equates to being a smug asshole?
That's a privilege escalation vulnerability. Those have existed in every OS since the concept of privilege separation was first introduced. Like that one, many vulnerabilities (read: sshd) end up being present for several years before being discovered/disclosed.
Your original post inferred that Windows contained an inherent design flaw that always allowed dll code injection, which is bullshit.
And your reaction to it is pure hilarity, moron.
This would kill the custom modding scene as we know it if this happens, and makes me wish that people who "cook" ROMs would PGP or gpg sign the images, so a determined blackhat would not be able to tamper with things.
It wouldn't kill the scene, but it would certainly encourage ROM makers to provide checksums for/sign their releases and not preconfigure the OS to be so promiscuous.
I cook my own Windows Mobile ROMs and sign every custom exe and dll that I insert into the ROM with my own self-generated cert and pre-configure the OS to trust that cert. Most (Windows Mobile) ROM makers just configure the OS to allow unsigned apps by default.
Your idea is a good one. If/when I decide to release my ROM, I will provide checksums for the image.
The Windows admin will be going to enormous effort to make everything "just work" without logging in as the NT equivalent of root,
An inexperienced Windows admin might. I haven't had that problem.
any reasonably young distro locks root login by default.
"locking" root (I assume you are talking about distros like Ubuntu) provides no extra security. root is not really locked, as root permissions are used every time sudo is invoked. Besides that, in the case of Ubuntu, the default settings for sudo - to cache the password fot a time after sudo is invoked allows any process running under a users credentials to capture root permissions as soon as that user invokes sudo - basically a built in - *designed in* - privilege escalation vulnerability.
Code injection into a system DLL is possible as a regular user.
Repeatedly saying something doesn't make it true.
Please provide a source for your claim. If you can't, you should apologize for posting bullshit and retract your statement.
Why on earth are mobile phone apps even allowed to make calls in the first place, without some sort of specifically made user authorization?
I'm pretty sure that they aren't allowed by default. I used to have an app that would dial my voice mail. I would get a prompt to confirm the dialing. This was with Windows Mobile 6.1, which is almost identical under the hood compared to 6.5. During the install process some policy must have been changed to allow the automatic dialing.
Completely removing the ability of the program to do such things would make the platform inferior IMO. Some sort of better framework (I've seen something like that with Android and Blackberry) that notifies the user exactly what programs want to do via some sort of manifest is a much better solution.
The guy IS joking, right?
Nope. WinMo is a geek paradise as it is one of the most open platforms. I cooked my own ROMs for my past two phones.
The other two phone platforms that compare in openness are Android and Maemo, so given the direction Microsoft is taking Windows Mobile, my next phone will probably run one of those two.
I should have said in my original post they are not necessarily synonyms.
They do have similar meanings.
innovate
verb
to introduce something new; make changes in anything established.
Who the right people are is very subjective.
...the "Microsoft has never innovated" crowd is that they don't know what the word innovation means.
Hint: Innovation is not a synonym for invention.
You can't assume that the column of oil is made of 100% oil. The oil might be dispersing into the water immediately upon exiting the pipe, making the column a mixture of oil and water.
Think of faucet in your kitchen or bath. Many have aerators on the nozzle that serve to mix the water with air. These aerators increase the size of the column of water, making it appear that a larger volume of water is coming out of the faucet.
I tend to believe these are some cheap knockoffs made in Asia.
Them being knock offs would mean that Apple filed a false police report.
Surely Ubuntu capturing the remaining 33% of the collective 1.5% desktop market share that Linux holds will be the straw that breaks the camel's back!
If you'll note from all the replies to the parent, most won't.
Why would I care what a bunch of random people on the internet think? These are the same fools that think Linux makes for a good desktop OS.
Thanks. I'm aware of SPB, but actually like Sense/Manilla myself. I don't know what she would think of SPB.
She had a Motorola Cliq before and she liked the Android interface, but the phone was horribly buggy (10x worse than the issues she has with the HD2) so we mailed it back to T-Mobile.
I might have her try SPB.
That's fuckin' awesome, but I have to question the real value in it.
Do you run a custom ROM on your HD2?
My wife has the HD2, and there are some stability issues with her phone that I don't have with my Touch Pro 2.
I make my own ROMs for my Touch Pro 2, but don't want to mess with trying to cook up something for her phone as she wouldn't be happy not having it for long periods of time. I'd rather just flash a third party custom ROM on her phone.
WinMo FTW! ;)
(I'm gonna miss it)
Sudo password caching (it's actually an authentication validity timeframe, doesn't store the password) is local to your terminal. An application that's running in the background somewhere won't be able to access it.
Any process that is running under your credentials can access any terminal that you can.
In the case of sudo being invoked in a virtual terminal window, accessing that terminal may involve forcefully closing that window (which may or may not arouse suspicion; I've seen xterm and Konsole crash), or waiting for the terminal to be closed by the user. The timeout configured for sudo is public information so the rogue process could wait for the user to close the tty and then force its way in at the last second.
I would guess that most invocations of sudo in graphical distributions like Ubuntu are done, not in terminal windows, but via the graphical shell (gksudo) which uses the same tty that Xorg does. There is no need to kill anything to launch a process in this tty.
The solution to this is to use sudo -k, completely turn off caching in sudo's config, or do what I've always preferred and just use su/root for root access and sudo for specific commands.
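A toy Python model of the ticket semantics this thread is arguing over, added here and not sudo's own code. It assumes simplified rules: timestamp_timeout is in minutes, 0 always prompts and a negative value never expires, tty_tickets keys the ticket on the tty it was granted on, and revoke() stands in for `sudo -k`. It shows that a per-tty ticket still leaves a window for a second process of the same user on that tty until the timeout is zero or the ticket is revoked.

```python
from dataclasses import dataclass, field


@dataclass
class SudoTimestampModel:
    """Simplified model of sudo's timestamp ('ticket') cache (not sudo's code).
    timeout_minutes: sudoers timestamp_timeout; 0 = always ask, <0 = never expire.
    tty_tickets: when True, a ticket only covers the tty it was granted on."""
    timeout_minutes: float = 15.0
    tty_tickets: bool = True
    _granted: dict = field(default_factory=dict)  # key -> minute of last auth

    def _key(self, user: str, tty: str):
        return (user, tty) if self.tty_tickets else (user,)

    def authenticate(self, user: str, tty: str, now: float) -> None:
        """The user typed the correct password at minute `now`."""
        self._granted[self._key(user, tty)] = now

    def password_required(self, user: str, tty: str, now: float) -> bool:
        """Would a new sudo invocation on `tty` at minute `now` prompt?"""
        if self.timeout_minutes == 0:
            return True
        last = self._granted.get(self._key(user, tty))
        if last is None:
            return True
        if self.timeout_minutes < 0:
            return False
        return now - last >= self.timeout_minutes

    def revoke(self, user: str, tty: str) -> None:
        """Stand-in for `sudo -k`: drop the ticket for this user/tty."""
        self._granted.pop(self._key(user, tty), None)


def piggyback_window(model: SudoTimestampModel, user: str, tty: str,
                     authed_at: float, attempt_at: float) -> bool:
    """True if another process of `user` on `tty` could skip the password at
    minute `attempt_at` after the user really authenticated at `authed_at`."""
    model.authenticate(user, tty, authed_at)
    return not model.password_required(user, tty, attempt_at)


if __name__ == "__main__":
    default = SudoTimestampModel(timeout_minutes=15, tty_tickets=True)
    print("window open on same tty:", piggyback_window(default, "alice", "pts/0", 0, 14))
    strict = SudoTimestampModel(timeout_minutes=0)
    print("window open with timeout 0:", piggyback_window(strict, "alice", "pts/0", 0, 0))
```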