I wouldn't have expected someone with a four-digit account to be in a beginning programming class (though it looks like you just have to satisfy some requirements.) You must have been young when you signed up!
Are you trying to say WindowsXP or Linux is more secure when it comes to privilege escalation attacks than OS X?
How could you infer that from what I wrote? I never once mentioned any other OS. I have little doubt that XP is less secure, but that's not the issue. Up until a few days ago, no one was claiming to be able to escalate user privileges under OS X. Now someone is claiming that. And if it's true, it's a problem not to be taken lightly. And if it can be done programmatically, then it's a very serious issue.
For what it's worth, I don't run XP. I don't run Linux. I run OS X, and I've done so since it first came out. And I ran Mac OS 9, and 8, and 7, and 6, and even had an original Mac with only a floppy drive. So I'm not looking to bash Macs. In fact, my friends who I drive nuts with my "Mac talk" would laugh at the idea.
But that still doesn't mean this is a trivial issue. And it doesn't really matter that it's "less bad" than XP. I take that to be a given.
They don't conduct a different test with different conditions in order to disprove the original.
Let me clarify my own post by saying that I realize that the tester is *not* trying to duplicate the original. I didn't mean to imply that I think he's doing anything sneaky or underhanded. It's just the opposite, in fact. I apologize if I implied anything else. I'd sure like to see the original test confirmed, though.
The original test was equivalent to saying "I'll let a thief into my house. Let's see if he can steal anything!"
I don't think that analogy is quite apt. It's more like locking someone in your basement and they figure out how to gain access to your whole house.
When I run a third party program I am essentially letting them inside, but as a non-privileged user I'm confining them to a specific area. But if this ability to elevate privileges turns out to be a fact, then any program I run can have full access.
Right now we have only this one supposed demonstration of it. What I'd really appreciate seeing is that *original* test repeated. If we can look at this as if it were an experiment, then when someone publishes a result others try to repeat it under the same conditions. They don't conduct a different test with different conditions in order to disprove the original.
While I appreciate this test, and expect it to not be breached, it is simply not the same test. The original test was to see if a regular local user could elevate its privileges to admin. The fact that the "proof" was to be done by changing a web page is a red herring. The real story was that someone was (apparently) able to do that.
This test is of the web server, and of remote cracking without local access. Also, the explanation page says that the original article did not mention that local access was given. Well, perhaps they've updated the article, but it certainly says so now:
"Participants were given local client access to the target computer and invited to try their luck."
As I said, I appreciate this test, but I am also concerned about the apparent ability of an ordinary local user to gain admin status.
This is because people who want to look nice will pay more for jeans.
This is so ridiculous! Hilfiger is WAY overpriced for what you get. I could make my own jeans from off the shelf fabrics for less than half, *and* with better specs. And later if I want to upgrade I can swap out the pockets in a few minutes with just a pair of scissors and some thread. Try doing *that* with your proprietary closed jeans.
An anon user already mentioned CMD drives. Another option is IDE64 with which you can use disks or CF cards as big as 8 gigs, and CD-ROMs of course.
I'm not saying it can't be done, and presumably the poster was talking about a time much later, but at the time I was writing programs for it, nobody in the world had a personal computer with a gigabyte disk. And with a 8k executable, my little 10MB drive had plenty of room to spare. I think by the time I sold my Atari stuff I'd used maybe a little over 5MB of it.
This will be a boon to those doing internal company projects who would like to connect to IM to send messages which need to be received in real time for monitoring things like servers or some other process
Assuming your servers or other processes are running under Windows. For me, it's an anti-boon, at least for now. I was doing exactly what you described right up until it suddenly stopped working.
What if I develop a Google API application, release it under the GPL3 and then 6 months down the line, Google change their licensing, locking it down or charging a fee for it.
If you developed it there's no problem. You own the copyright. If you took someone else's GPLed work that didn't require a key, and modified it so that it depended on a third party such as Google behaving in a certain way, well, I dunno.
Could you publish results? I think that this sort of challenge is as newsworthy, if not more so, than this parent story.
I agree that the results would be interesting, but the parent story should not be dismissed. If what it says happened actually did happen, then it's pretty serious. A regular user account was able to elevate its privileges to admin. That would mean that any app you run, even from an unprivileged account, could conceivably take control of your computer.
That's great, but when you actually work in a real company, you'll probably have to learn MS Office and Word. You'll wish you learned this before.
So you're saying that Microsoft's office and word processor are so complicated that you'll be staring at the screen, unable to process words or even officize, ruing the fact you didn't learn how to use them when you had the chance?
And... do not be lazy to check the real source because what is written is not always the whole truth - thanks for the small lesson.
Well, to be honest the only reason I checked it was because of your post. It seemed to me that there ought to be more to it, and I wanted to see the context.
At the same time, my phone is always on vibrate in a theatre, or other such occasion, and I mute it before it vibrates too much, or stop the call completely, walk outside and deal with the situation.
Good for you. And you can blame the people who don't do that for screwing it up for you. Just like a thousand other things. I don't hijack airplanes, for instance, and yet I still have to put up with that crap.
The very first time I miss an emergency call because of this paint, I will be suing both the building and the company that made the paint. I might even sue the guy who applied the paint on the walls..
Even if you knew when you went in there that your phone wouldn't work?
Some people RELY on their cell phones' ability to receive calls...
Well, yeah. But that's your problem. Don't transfer it to me. If you RELY on your phone working it's up to you to make sure you've got a signal.
I didn't realize Azureus was an SWT app. I did, though, realize it was unusable, at least on OS X. It eventually (and seemingly inevitably) manages to completely monopolize the computer. Every once in a while I try a new version, but it's been a while since the last time, so maybe things have improved.
So you're saying that there are as many, if not more, scourges with advanced degrees as there are successes?
You did? A gigabyte? When I finally got a hard drive for my Atari 800 it was 10 megabytes.
Here's what he actually wrote:
What does the "stop winging" button do? Get her to follow the script?
I'll bet you also point out that elephants couldn't actually hide in cherry trees.
So then what does Chinese Pi taste like?
Obviously there won't be many, having had their brains scooped out during their Web 2.0 days and all.
(and I'm old enough to remember when (some) people really talked like that)
Sure, but ebay is pretty crappy. One big weakness (among many) is its search capabilities. I'm guessing Google could do that part a bit better.
I think you're right. Your post and bemenaker's make a lot of sense. I should have thought about it more thoroughly.