IE7+ on Vista and Win7 is essentially sandboxed through protected mode. We don't know enough about the bugs to know real impacts, but if they don't break out of protected mode then the attacker can get very little done.
Of course this doesn't apply on XP, but only suckers use XP anymore.
How is it not factually correct?
But now they get to decide what is "reasonable" and "legitimate" in network management policy. For instance, what about CDNs like Akamai and Level3? Clearly these networks pay ISPs more to prioritize the packets they are carrying rather than just connecting through conventional peering. Is this packet discrimination? I'm sure the FCC will say no, but in order to do so they have to open up holes in their definitions which will allow just about anything ISPs are inclined to do anyway.
What are ARIN's contractual obligations for address ranges they have allocated? Can they just decide to give notice that addresses will be rescinded?
Comcast's claims here are that the large increase in traffic to their network from L3 because of Netflix puts them in violation of their peering agreement, and that an adjustment is necessary.
Is this normally how peering arrangements work? If so, Comcast's position is reasonable.
I've had the same thought about public security cameras. If you're out in public you can't have any reasonable expectation of privacy.
It's not pipes, it's TUBES! TUBES!
The /. title says that Microsoft is making the complaints and this is not true. These are government complaints. Assuming Microsoft intends to do business in Russia legally and assuming they intend to defend their intellectual property rights there they have to cooperate with the government when presented with a complaint.
Nothing in the article that I saw indicated that Microsoft is initiating or exacerbating any of this.
Mod this coward up. AFAIK there are no other icons on /. that are designed to denigrate the subject.
Getting the necessary right of way for high-speed rail between New York and Washington would be impossibly expensive. You need long straightways.
Microsoft and Sun signed a broad patent cross-license for this stuff long ago.
Android has its own VM called Dalvik. You use Java tools to compile to JVM bytecode and then there's a translator to Dalvik bytecode.
This is just after the appearance of the monolith, right?
It's firmware, meaning software in a ROM. It's only slightly unconventional.
And they say it's only on motherboards sent out as replacements. Interesting, you would think this would make it fairly easy to identify the source.
Thinking back on this, being non-white could present a problem for the Doctor when traveling to the past, especially in some time/places. Maybe this is a good thing for plot options, or perhaps it's a chance for the show to get even more politically preachy than it already is.
Of course the Doctor will remain a British alien, but there's no reason he has to be white. How about an Indian? Are there any such actors who would do well in this role?
Or Schroeder? Either way I feel sorry for him.
Not true, he says in his advisory that Microsoft acknowledged receipt the same day.
They didn't do their own advisory within 5 days (actually 4 1/2), which is perhaps what made him think it was the right thing to go public. Ormandy himself has begun to realize that he handled it badly.
Bear in mind that he reported it the Saturday before an especially heavy Patch Tuesday. It's reasonable to presume that people at the MSRC were busy.
And if anyone thinks Google is involved they're obviously wrong. I'm sure the security people at Microsoft know that Ormandy thought he was acting in a private capacity. This was a poor decision on his part, and he can't do this sort of thing privately without it impacting on his employer. I'm sure they were pissed at him.
Right, because the Federal Government knows better how to secure a network than private industry.
Let's assume for a moment, in the scenario that you imply, that this person was a developer (a scenario for which we have no real evidence). First I would point out that Google (through YouTube) has already begun dropping support for IE6, although other Google products (e.g. Toolbar) still support it. But even if you need to have IE6 on a system in order to test it, that doesn't mean that you have to develop on IE6. And a test system is surely not one on which you should be doing casual surfing, nor one which should have access both to the Internet and to sensitive company information. Even here the security blame clearly lies with Google. And as others have pointed out, if you need to test in XP these days the obvious way to do it is in a VM.
Or let's assume that this was not a developer; perhaps they have some app which requires IE6. Stories of such apps are all over the place, even though they are by definition poorly-written apps. How will moving this user to a Mac solve the problem? You'll have to rewrite the app, a solution which makes XP and IE no longer necessary.
As for your claim that UAC on Vista is worthless, it's clear you don't have a whole lot of experience with Vista. I'm writing this on a Vista system which I use most of the day, including for some development. It's rare that I encounter a UAC prompt and it's usually reasonable when I do. And if I'm doing something which I expect to generate a lot of UAC prompts (e.g. lots of software installs) I can always Switch User to Administrator.
Anyone in the vulnerability research business knows that Windows 7 and Vista, in a properly managed environment, are at least as secure a desktop environment as anything you can make with Mac or Linux.
Something definitely seems wrong with the story. Remember, the system that was compromised at Google was an XP system running IE6 and logged in as administrator. IOW, they made no serious attempt to secure it. From this they jump all the way to banning Windows?
For the sort of targeted attack that hit Google an off-the-shelf Mac system is at least as vulnerable as an off-the-shelf Windows system. Surely Google knows this.
(My take: http://blogs.pcmag.com/securitywatch/2010/05/google_dropping_windows_for_in.php)
They're not really VMs, they're just processes. And all the Win16 apps ran within a single Win16 process. All these processes were preemptively multitasked by the 386 kernel of Win 3.0.
It did both. Windows apps were cooperatively multitasked within the Win16 process (not VM). The DOS boxes were in v86 processes. All these processes were preemptively multitasked.
by me in PCMag....
I believe he was also the first astronaut to land on the Simpsons.