Just because I'm registered to vote doesn't mean I need everyone and their mother to know where I live.
Just because I'm registered to vote doesn't mean I want CANDIDATES, such as yourself, contacting me at random.
These people also happen to be morons. They don't understand that a birthdate is not a secretive piece of information ("your last name and birthdate should be known only by family and close friends"). What the fuck? Any idiot can know your birthday.
In short, such information can certainly be useful, but it ought to be better protected and I ought to be able to say "Take my information out of there."
Let's call it "cautious optimism" for now.
You are the CEO of the .com company I used to work for, aren't you?
However, most of the angry people don't seem to have a true understanding of the underlying issues.
And this is, of course, something completely new and unheard of, and only relating to RMS.
You're being overly optimistic. You remember reading books, papers, etc in fourth grade or so, right? Now look at literacy rates for the average U.S. 4th grader. You expect the mongoloids that these kids will mature into to understand and care about your freedoms?
Arrogance - Most people are not willing to go to jail for this.
Arrogance? I'm certainly not willing to sacrifice years of my life just because a bunch of old rich bastards managed to pay off the government. I would have no problem with hunting a few of them down and torturing them to death, though. Anyone game? Maybe when they start finding movie exec's bodies mutilated in the street they'll understand that people are not fucking kidding.
Every Web browser you can name currently supports embedded applets, and is therefore in violation of the Eolas patent.
Is this guy for real? Has he really never heard of Lynx?
Uhm, I have no actual clue, but I remember when configuring 2.4.8 that I had to disable a bunch of FireWire support. It was actually on by default. So why don't you check the hardware guide and/or just try it.
I guess...if you choose to totally ignore the fact that if you want to use STL's string, you get a few terabytes of useless shit pulled in along with it.
Ugh.
The average cleanup takes a couple minutes
Uhhh. Once your machine is completely compromised, cleaning it up requires a complete reinstall from the original media, then restoring your data from backups.
This is likely to take much longer than just a few minutes.
Apparently this so-called expert has never seen the STL.
No he has, which is why he's running away from it at full speed.
Great point! The only thing that is going to help the user is a fix. With closed source software, this rests on the vendor.
Certainly, it's within your right as the discoverer of the problem to fully disclose everything to bugtraq, attach a ready-to-go exploit.c that compiles out of the box on RedHat, and walk away.
However, if you're a security professional trying to, or at least pretending to, benefit the users, you're going to have to cooperate with the vendor to avoid screwing the users yourself; on top of that you ought to make sure the vendor doesn't get to screw the users either.
Your plan, I believe, is the best approach so far. With a partial disclosure (important!), the users get to know there's a problem and bitch at the vendor. Also, the more clever would be able to at least implement some kind of workaround if they know the "gist" of the issue.
But a month? I think that's way too lenient. When a vendor gets notification that there is a serious, exploitable vulnerability in one of their products, their first priority should then be to fix it. ASAP. Devote a team of programmers to it on the double. I can't think of any holes I'd give MS a month to patch, really. Give them a month, they'll take the whole month. In that amount of time, someone else could easily take your advisory, start working from there, and figure out the bug on their own (after all, you did it from scratch). Bad. I'd say the author should use some judgment, but a week should be enough for the most heinous of holes.
And...no, I don't think it applies only to closed source projects. Open source projects have maintainers, individuals or groups that are responsible for them. If such a maintainer is available for a project, why not give them the same advantage? You might argue that with open source, you should full-disclose so that any random joe has the chance to fix it, but if it were that easy, why didn't you fix it yourself and include a patch with your advisory? And if the maintainers can't fix it, Joe Shmoe will have his chance 2,3,4,5,6,7? days later when you do release the full.
Full disclosure is great, and it's absolutely necessary to completely document these holes. However, it's also dangerous. By allowing some time for the hole to get fixed, a really short time but some time nonetheless, the users, hackers and vendors all win.
That's great, though.
X months from now when this scheme is in wide use, and all of a sudden come hundreds of anonymous Usenet or maillist postings screaming "Hey, the master key is XYZZY"... these companies are all fucked.
And then Niels will be able to say "Well, see? If it weren't for your stupid DMCA, I would have told y'all this BEFORE you released it."
I'm getting that feeling in my stomach. I've got plenty of processing power at home...anyone have those screens? :D
This has the nice side-effect that all Unix vendors can be arrested because they ship with /usr/bin/tr, which CAN be used to circumvent ROT-13 protection technology:
tr N-ZA-Mn-za-m A-Za-z
Is the U.S. expected to curb their own jurisdiction here? Why doesn't the Russian government stand up for one of their own fucking citizens?
Your country? This country belongs to its IAA's and the government they've purchased.
Eventually, those of us that give a fuck will be forced to take it back.
The time is drawing near, I'm afraid...
Because, glibc sucks.
And you have failed to explain SUV popularity and how they are becoming the new majority of new vehicles on the road.
See Windows' popularity, and how Microsoft is becoming the new majority of all workstations on the network.
Right on man!
My windows box caught fire, killed my girlfriend, and burnt off the left side of my face the other day!
Is there no justice in this world?!
You have just made an excellent point for a Code Red IV that scrambles the fucking hard drive like a bacon egg n cheese.
People might not care about network bandwidth but they'll care about their data.
Bwahahahahaha!!!!!
Score 6, HILARIOUS
Rather than just putting it on a few of your own machines, how about overwriting the default.ida on your "attacker's" box (since it's root-compd) to do the same?
Seems a little more ethical than just taking it down, which of course is what we all WANT to do (grrr, I wish I had an offshore co-lo server.)
Most proponents of prostitution prohibition say it's because it spreads diseases. On the same grounds, we should institute a ban against running Windows servers. :)
Windows = the cheap $2 whore
What the hell kind of tech job pays $10/hr?? Jesus christ, I was making more than that in high school! Don't you have minimum wage laws?
I can do without the corporate group hugs and pep rallies (ala Steve the Monkeyboy) as well as the commute whether it be driving behind some big ass SUV or having to sit near the mutants on public transportation.
Well then you need to move a 20 minute walk from your job like me :-D (NYC)
BTW, why are so many Slashdotters so obsessed with drinking and partying until practically dawn?
My guess is that we^H^H^H they like to be drunk, and up all night?