Look, *any* vulnerability scanner is going to have false positives. The nice commercial one we run at work generates a ton of them because we - by choice - do not allow it to access the system to check reg keys and the like. It just does a scan over the network. The difference is the commercial one has a tool to allow us to remediate what the scanner flags.
The author really isn't having a problem with the report. He's having a problem that he's just been given regurgitated raw data and now has to clean it up himself. Been there before, have had management freak out at the numbers. The only option is remediation.
Getting a report with 1000 flags and showing management that 200 of these can be dismissed as false positives due to a handful of scans goes a lot farther toward discrediting the auditor's work than saying "look it only took me a few hours to generate the same report." The best "attack" is cold, hard facts to show that the report isn't useful on its own. Showing that the report didn't take any significant amount of time to create isn't as effective an argument.
These suggestions are clueless. About the only advice to give is to take the report and remediate the issues. Identify the false positives and the excepted issues. The rest will have to get prioritized. Management will then have to determine what to tackle based on knowing the risks and costs.
This isn't an insurmountable task. If he knows that he has tons of false positives it should be possible to use tools/scripts to rule them out. For example, on Windows use MBSA and scan the machine. Or use a script to get a program's version on a Unix system. I've had to do both numerous times to close out tickets from our vulnerability scans. The key is documenting how you determined that a flag was indeed a false positive. In my experience, false positives show up as clusters so a scan will flag every instance of MS04-011 even though you've patched all your servers for that issue. You can write boilerplate and as long as you do indeed check all those incidents you're fine. Take the low-hanging fruit and issues with your border devices first and once they're out of the way research the rest.
The suggestion to "show" that the report is frivolous will probably backfire. If it was so damn easy to make that why hasn't it been done before? It makes the admin look like he or she isn't being pro-active. Which leads into your next "option" which will be summarily dismissed because you haven't shown the need to justify those costs.
So, if I'm reading your post correctly, you advise scanning a network you shouldn't be accessing and run the risk of bringing their systems down or getting their staff in a tizzy over your scan just so you can say "Yes Virginia, there are other vulnerable networks out there."
They label it "Content" but anything that you've created going over their service would fall under copyright. I don't see their terms of service as being a legal transfer.
Not knowing how an AIM account works at all, I wonder what would happen if you put something in your profile like "I do not give AOL permission to use anything under my copyright without written consent and appropriate compensation." Obviously it invalidates the Terms of Service and they would more than likely kick you off if it was noticed but what would happen if they did use your copyrighted work under those circumstances?
When you reincarnate please remember to stay in line and get double helpings on observance (you missed the emoticon which provides *gasp* context) and humor (ummmm, it was an obvious joke) before coming back. The gift of "leading sheep into making bad mods on /." really wasn't meant to be taken seriously.
That leaves us being able to do exactly what Brazil does and just make the drugs. You forget that a patent discloses the invention. They move and we still get the technology only this time they don't make a dime.
At least for domains that the user is paranoid about. I could hash "paypal.com" and store it. Then whenever there is a link that has a valid domain of paypal.com the browser would give some indication that the link is good. Say cursor changes to a thumbs-up icon or something equally silly. You could have a corresponding blacklist too.
I know that this isn't necessarily trivial to accomplish due to redirects and the like but it might be worthwhile considering.
Substitute colors with changes in font. Numbers bold and IDN in italics with a larger font. Or something like that. Making it friendly for the International community is a separate problem. People have already suggested having the program pull user settings and adapt to that.
Heck, you could have all of these options and turn the URL into a pulsing rainbow. As long as it readily identifies the mixed character set. IMHO, this problem won't have a solution that will make everyone happy. The question is, is there a solution that everyone can live with?
Yeah. In one instance you get a frontpage article on /. In the other instance you watch your honest, but mundane article languish because it won't generate hits.
I wonder how much it would cost to film shredding this thing. It could be a performance art piece. Call it "The People v. The Wonderful Fruit" Have multiple copies of the Copyright Act strewn about and just send wave after wave of shredded metal over the whole mess while a bunch of naked actors re-enact Eldred v. Ashcroft for the audience in a pool of grits.
Of course the height of artistry here is we will forbid recording of the performance and sell copies at outrageous prices which will force the entire thing to be pirated onto the Internet.
Think I could get a government grant to pull it off?
They'll be cheap because Sony will take a loss on the console and make the money off of the games. Just like MS did with the Xbox. The question is just how much of a loss on the unit can Sony accept?
I simply cannot imagine what the state of networking would be like today if STP had been patented and DEC charged for the technology for 17 years. Being extremely melodramatic here (oh why not, it's /.) but the thought that just crossed my mind is it would have been akin to the burning of the Library at Alexandria.
I see you don't have a /. subscription so why is it so bad to take advertising money from Sun?
And anyway, the release of Solaris 10 is a pretty big deal. I'd be going WTF if /. didn't cover it on the front page.
Finally, honestly, what banner ad? 99% of the time I ignore them. I keep up with /. on a regular basis and I didn't notice it. Even now as you mention it I barely recall seeing them. I'm not seeing what the big deal is here.
This zooming doesn't work well for me. I have bad eyesight (-3.75, -4) and after a while on the monitor my eyes get tired. I need a larger font. The problem is when I zoom into a comfortable font the size of the document is now too big for the screen and I have to constantly use the mouse to move the document left and right.
And that's another problem. If the document is longer than the screen I have to use the mouse to "scroll" through the document. This is never smooth because.... I'm using a mouse. So just after a little browsing my eyes get even more tired.
Since this is just a demo for one part of the UI I'm assuming there is a way to break out of this mode and have a document "snap-to" the screen. If there isn't I'm going to go blind jerking around with the thing (pun intended). Another question I have is how the UI assists the user in organizing documents. I could really see someone screw themselves over by minimizing documents haphazardly.
What part of "It is unknown when the patches will appear in a public version of Safari." failed to parse? My bet is it comes out in Tabby.
But it got you to post and generate ~3 banner ad hits to get your rant out. Something's working.
Tito, pass me the cluestick.
As long as that cashier gets sufficiently cowed into submission and is willing to accept my $3 bills I say let bygones be bygones.
and would have been found in as much time as it took you to post.
And that's why I live in Wisconsin....
Go Brewers! :P
Oh! Ok. Never mind....
Yeah, but this story puts the piece in a different light....
Hey, you could open an xterm, start a program and when it dumps core you could watch it go down in flames. Literally.
Presentation is everything. Even with nerds.
For you we can rework the license so everyone's happy. For the moderator who marked you insightful? No.
It's only meaningful if self-inflicted. You're new here aren't you?