Slashdot Mirror


User: drsmithy

drsmithy's activity in the archive.

Stories
0
Comments
12,153
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,153

  1. Re:Attacks Still Low on Apple Releases 31 Security Fixes · · Score: 1

    Any program files that might have a negative impact on the OS X system must be authorized with the Admin password.

    A binary running as the regular user can do pretty much everything it might possibly want to do.

    Not to mention there's a 9/10 chance that just popping up an "Admin password" dialog box will result in the user blindly typing in their admin password, giving away root access.

  2. Re:Attacks Still Low on Apple Releases 31 Security Fixes · · Score: 3, Informative

    99% of all windows users run as admin. 100% of all windows server administrators log in with a admin level account and do lots of things as admin they they should not.

    99% of the things malware wants to do, do not require elevated privileges.

    NO APP NEEDS WRITE ACCESS TO THE C:/WINDOWS directory... NONE! yet the microsoft morons designed it that way because of the stupid registry.

    Broken application that require write access to Windows system areas are 100% the fault of the app developer. It's got *nothing* to do with Microsoft.

    No developer has had an excuse for releasing software that writes to places like C:\Windows for ca. 7 - 8 years.

    Let's ignore the fact that most services under Unix lately do not run at the system level but under a protected user that does not have ADMIN access... but hey you were hoping that nobody noticed that.

    Like modern Windows services do, you mean ?

    Windows web server, buffer overflow = admin access. Linux web server, buffer overflow = user acces. Big different there. granted if you are silly and let apache user read the shadow passwords file your fault for not setting up security right.

    IIS runs as its own user. A buffer overflow only nets you the privilege level of that user.

  3. Re:Or... on John Dvorak On Vista's Launch · · Score: 1

    It could be concern over how the more-restrictive EULA for Vista affects the value of upgrading.

    Outside of Slashdot (and similar forums), "concern" over Vista's EULA is practically unmeasurablely small.

  4. Re:Effectively... on John Dvorak On Vista's Launch · · Score: 1

    This sounds like a troll, but I'll answer it from an IT person's perspective anyway... (your milage may vary)

    I was making the comment "from an IT person's perspective".

    When MS recently rolled out IE7, about 1/3 of our employees ignored all the emails we sent out telling them to "not install it until all web-based applications have been tested, and are either certified to work with IE7, or fixed to work with it."

    You don't centrally control your updates !? 8-O

    Now they are pushing an operating system at us that will create more work for us, no doubt.

    These sorts of things are always more work in the short term. The important question is wether they're more work in the long term. The trend, thus far, has been of better atuomated management with every Windows release.

    I like 2000 and XP because we as a corporation have figured out how to make all our software work on it, and business is good. Once you have a stable environment, you want to test anything new, to make sure that all remains good. A core change like an OS is not a good thing right off the bat. Even with compatibility mode, when we switched to XP, and got the last people in the company off 98 machines, we had issues.

    I don't think anyone's seriously suggesting corporations should just roll out Vista tomorrow, not even Microsoft...

    Just because they have shiny new bling, doesn't mean I want it. Rule of thumb around here... do -NOT- be an early adopter of any new technology until at least service pack 1. Let everyone else be the beta testers. And I don't care what any manufacturer says. If it is new, it's still beta. (Not just bashing MS here.)

    That's a pretty normal stance to take for something you have to rely on, rather than fiddle with. Certainly the same one we do.

    However, it would be negligent of any professional not to at least have some testing machines up and running with Vista, to see what real and relevant improvements it offers (if any).

  5. Effectively... on John Dvorak On Vista's Launch · · Score: 3, Insightful

    The lack of "buzz" around Vista and apathy towards upgrading - despite its myriad improvements - are a tacit acknowledgement of just how good Windows 2000 and XP were(/are)...

  6. Re:Who will do that? on Novell CEO Gives Behind the Scenes Account of Microsoft Deal · · Score: 1

    That's an odd statement, as I've seen lots of production environments running in vmware.

    Oh, I'm sure there are - I just don't see any real value in it, based on an evaluation of our environment and an extrapolation to what I would expect it to share in common with others.

    When the average windows box runs around 5-10% cpu utilization 90% of the time, it's hard NOT to see value in it.

    For things like DCs, maybe. But how many things like fileservers and Exchange servers aren't in need of large amounts of hardware grunt - in IO at the very least ? When low-end 1U servers run <$1000, is it really more economical to buy two (because bringing down multiple machines when the virtualisation server needs some work isn't really workable IMHO) suitably beefy servers to run the "low utilisation" things like DCs, that it is to just buy cheap machines to run them on ?

    I dunno, are there really that many environments dictating a need for loads of low-CPU-utilisation servers ?

    That aside, vmotion, if you've ever experienced it, is an amazing thing. Absolutely amazing. The flexibility it gives you creates a whole new methodology of building an IT environment.

    It certainly is very cool, but I just can't see the application outside of corner cases (which is not to downplay its value in those scenarios). You've still got the personnel/administrative overhead of a discrete machine, just without the hardware cost - but for the kinds of situations where the virtualisation performance hit isn't an issue, the hardware is dirt cheap anyway... Plus there's then the overhead of managing the virtualisation servers and the significant impact should one of them go down. You might save some money buying one beefy server instead of, say, 8 much smaller servers - but if the big beefy virtualisation server dies and takes 8 real machines down with it, those cost savings are probably going to evaporate pretty quickly.

    There are clearly people doing this sort of thing - and benefitting from it - I just struggle to see where the net advantage is in a typical environment.

  7. Re:Who will do that? on Novell CEO Gives Behind the Scenes Account of Microsoft Deal · · Score: 1

    People who want a stable subtrate operating system on which they can deploy their Windows services? Think about it. A stable underlying OS allows you to stop worrying about the actual servers and focus on the VMs.

    All you are doing is adding an extra layers of complexity and points of failure.

    This means you can do things like hot VM fail-over, for higher availability. Seems like a big win to me.

    If your hardware is failing frequently enough for this to be a meaningful issue, you need to buy better hardware (and, regardless, it's still going to fail running whatever your virtualisation host is).

    If it's OS failures that concern you, then it's pretty much irrelevant whether the OS is running on real or virtualised hardware when it fails.

    The only advantage to virtualisation in production environments that I can see, is consolidating hardware resources - and given how ridiculously cheap low-end servers are, while still being more than powerful enough for low-end tasks, even the value proposition there is difficult to see for typical environments.

    I've been using virtualisation for development and testing since VMWare 1.0. The value there is obvious. But having run some numbers, I really can't see any meaningful advantage at all to virtualisation in production environments - unless you're doing something kinda weird where you want *lots* of relatively slow machines without actually having physical hardware.

  8. Re:Seems a little Windows-centric ... on Community Comments To Security Absurdity Article · · Score: 1

    So what? They also account for most infections, since worms and Website exploits affect so many more targets than other malware. Every study I've seen shows this and it is supported by my own data.

    What studies ?

    Yeah, I think it was "bigger target, more problems" which he showed was not a truism.

    No, he didn't (although it's not a "truism", I'll agree - it *is* a strongly correlated factor, however).

    Windows suffers so much because it has a lethal combination of high marketshare and a largely ignorant userbase.

    So what part of "the default security model" did you think did not apply to your argument about the security model? I think it was pretty clear he was referring to default settings of that system.

    Seems to me it's a reference to the system security capabilities.

    Not that the default config - the infamous "Administrator by default" - ends up making a huge difference in practical terms.

    No it isn't. OS X and Linux desktops both are not seriously flawed as they appear to the average user.

    Sure they are. They suffer basically the same problems Windows does only with one or two more dialog boxes in the way. Moreso, if anything, since code executing as root has more power than code executing as "administrator".

    This is evidenced by the lack of widespread compromises on said platforms.

    No, it's not. The primary contributor to the "lack of widespread compromises" on Linux is the relatively tiny number of suitably ignorant users. On OS X, it's the relatively tiny marketshare.

    Buffer overflows are the result of coding flaws. Failing to contain trojans and said overflows is a infrastructure security flaw.

    Most "compromises" aren't coming from buffer overflows - especially unpatched ones.

    "Failing to contain trojans" is what happens when you allow ignorant users the ability to execute arbitrary code.

    Well it looks as though Apple will make eat those words with OS X 10.5 which looks to include default mandatory access control settings based upon application signing levels.

    So you're saying OS X won't let users run unsigned code ? Because that's going to be a legacy support cutoff so brutal I don't think even Apple would be game to carry it out.

    Care to bet how long it takes most Linux distros to do the same?

    Probably quite some time, although I'm sure Ubuntu will be quick to copy it. Should be funny watching the anti-Microsoft zealots try and spin mandatory signing of code it as suddenly being a good thing, as well.

  9. Re:Seems a little Windows-centric ... on Community Comments To Security Absurdity Article · · Score: 1

    You've made this claim before, but I've never seen you provide support for it.

    I provide as much support as people who write things like:

    Most infections by number are remote with no user interaction.

    Remote vulnerabilities for Windows - like most platforms - are few, far between and quickly fixed. Indeed, the vulnerabilities behind most high-profile remote exploits for Windows were typically fixed *before* those exploits occurred. A brief cruise around the various "security" sites shows this.

    Yeah, which is probably why the previous poster used it to demonstrate that the concept being presented was flawed, as it does not hold true in all cases.

    That must be why he wrote:

    Oh wait. That's right. Linux machines ARE visible targets, yet are not pwned in proportion to their use. "Ah," you cry, "but those are servers, not desktops." True. They are servers with purposefully exposed ports and running outside of firewalls; heck, many a Linux Box (PC or embedded) *IS* the firewall for Windows machines. They COULD in principle be compromised and used in botnets like any other computer out there.

    Seems to me the opinion is that Linux servers running Apache (or anything else, I imagine) are - in principal - just as vulnerable to being exploited as Windows desktops. An assertion that is ridiculous on its face.

    Thus the burden of proof shifts to those claiming that market share is the only important factor, since it has been proven this is not always the case.

    I don't believe anyone has said "market share" is the only factor. However, people frequently use "market share" as a general term to encompass a collection of relevant issues that correlate strongly with a platform's market share.

    What truly boggles the mind is people who say "market share" is irrelevant...

    He was using "system" to refer to the Windows desktop system that most people have to deal with, not some component of the core architecture, which he pretty clearly conveys using examples.

    There were no examples in the post I replied to. The only elaboration of the term "system" comes from:

    [...] is simply the default security model or braindead design [...]

    Which seems to be referring to "the system" at a pretty low level by my interpretation.

    He's saying Windows plus the included software as it makes its way onto the average user is flawed.

    Of course it is - every platform is. That doesn't change the fact that the vast majority of Windows exploits do not originate from coding or security infrastructure flaws.

    You cannot secure a general-purpose platform where ignorant end users have the ability to run arbitrary code, and have it remain usable.

  10. Re:Seems a little Windows-centric ... on Community Comments To Security Absurdity Article · · Score: 1

    It's easy to blame the user, but most infections of malware today involve no user interaction. Even for those that do, a properly designed OS can mitigate most of those problems.

    Most malware infections come from uses running rogue ActiveX controls, email attachments and the like.

    Scenario 1: malware is downloaded, the OS checks the binary against a known list detects and deletes it and blacklists the host you got it from. Have a nice day. Scenario 2: malware is downloaded and run and infects the user with no warnings from the OS. Is the OS in scenario 1 more secure than in scenario 2, or is the user at fault?

    Scenario 1, of course, where you essentially describe an OS-integrated anti-virus and anti-malware solution.

    Of course, if Microsoft actually did include the AV and anti-malware functionality you describe above in Windows, I've little doubt you'd be among the first - along with Symantec and Co. - running around yelling "anti-trust".

    Your hypocrisy is a bit sickening. On the one hand you decry Microsoft whenever they add functionality to improve Windows, but nearly in the same breath you insist they should add functionality to improve Windows.

  11. Re:Right and wrong on Novell Dumps the Hula Project · · Score: 1

    There IS plenty of demand for something that does what Exchange does. However, there's no demand for something that does what exchange does but doesn't work with Exchange.

    Yes, there is. For example, any shop that isn't already committed to Exchange has demand for something that does what Exchange does, but isn't Exchange. Any shop dissatisfied with Exchange's performance, also, is interested in something that does what Exchange does that isn't Exchange.

    People like you need to stop making excuses. There is heaps of demand for the high-level functionality Exchange provides. However, there is a dearth of software providing it. No-one is going to stop (or not start) using Exchange when there's nothing else to fill the niche.

    There are many, many ways of solving the problem but getting it to work with MS protocols isn't easy.

    It doesn't need to work with "MS protocols" any more than any other client/server application does to be successful on Windows. Or are you suggesting it's impossible to build an integrated client/server package on top of Windows ?

  12. Re:You are missing the point. on Novell Dumps the Hula Project · · Score: 1

    Almost all office desktops are Windows machines. Those machines have the exchange protocol built in, and so does MS office.

    A protocol on its own is useless (and irrelevant). You need Outlook (or a web browser) to get any real value out of Exchange - and Outlook doesn't come with Windows.

    That being the case, a sysadmin can either install an all new toolset and put together a server, or they can just go with exchange which is much easier. Most do the latter.

    Regardless of whether they use Exchange or some alternative, the same (conceptual - actual may differe depending on the quality of the product) amount of work is required.

    * Windows Server does not include Exchange. It must be purchased and configured.

    * Windows client does not include Outlook. It must be installed and configured.

    Windows has no inherent advantage in this space. It dominates because it's *better*.

    If exchange were not built into Windows and office, it would have competition.

    Exchange is not "built in" to Windows. On the client side it requires either Outlook - a separate program - or a web browser to use[0]. On the server side it requires Exchange itself.

    If the exchange protocol were open and documented as required by law, their would be alternative server implementations that compete.

    Or maybe Exchange alternatives could innovate and compete on their own merits, rather than riding on the back of Exchange's established userbase. Ie: a complete client/server package.

    Incidentally, I'm not aware of any law that requires protocols to be "open and documented".

    As it is, many shops just buy one exchange server and run everything else on Linux.

    Exactly. People use Exchange because it's the best option. Are you advocating people should be using Linux because it's Linux, not because it's the best solution ?

    People like you need to stop trying to blame every lack of decent alternative software on the Windows "monopoly". It's fundamentally counter-productive. There is *nothing* stopping somebody creating a good Exchange alternative.

    [0] By "use" I mean get value out of it over and above a simple mailserver. If all you want is email, any IMAP client will work (and Exchange server-side is massive overkill in that case anyway).

  13. Re:We wouldn't be having this problem if... on Community Comments To Security Absurdity Article · · Score: 1

    Yet there are thousands of viruses for AmigaOS for example..

    Probably because the Amiga was, in its past, one of the most popular computing platforms in the world.

  14. Re:Seems a little Windows-centric ... on Community Comments To Security Absurdity Article · · Score: 1

    Yeah. When Apache running on Linux ever breaks through and becomes a highly visible target, LOOK OUT.

    Not really. The proportion of internet-connected machines which are Linux/Apache servers is tiny and most of the people running them will detect and remedy any exploits in short order.

    Oh wait. That's right. Linux machines ARE visible targets, yet are not pwned in proportion to their use. "Ah," you cry, "but those are servers, not desktops." True. They are servers with purposefully exposed ports and running outside of firewalls; heck, many a Linux Box (PC or embedded) *IS* the firewall for Windows machines. They COULD in principle be compromised and used in botnets like any other computer out there.

    You do realise that the vast, vast bulk of exploited Windows machines weren't "pwned" by any sort of remote attack, right ?

    Servers have _completely_ different risk and exposure profiles to desktop - particularly unmanaged desktop - PCs. So different that even trying to draw conclusions about one based on the other is laughable.

    The "bigger target, more problems" arguement is flawed. The underlying problem at the system level (ie, not coutnting phishing, physical security problems, etc) is WINDOWS, period. You can argue about whether it is simply the default security model or braindead design all you want, but until that basic reality is accepted, this point of Windows market share is a deflection from the issue.

    Except at the system level, Windows's security model is (relatively) quite solid. By any objective measure, the security infrastructure of Windows is (relatively) good. Clearly, the problem isn't there.

  15. Re:Windows and vulnerabilities on Community Comments To Security Absurdity Article · · Score: 2, Informative

    I remember talking someone through setting up Tiscali broadband a few years ago using a Speedtouch and the Tiscali CD. His brand new, shiny Windows XP machine became infected over the connection in under 4 minutes. It's a classic catch-22 situation: You can't update your OS without a connection and you can't go online safely until you've updated your OS.

    Yes, you can. Just enable the firewall first.

    How about this: Virtualisation is a reality on most machines nowadays. [...]

    Holy overengineering, batman ! Did you actively try and come with such an incredibly complicated way of avoiding any incoming network connections, or did it just fall out of its own accord ?

    Too simple?

    Vastly more complicated than it needs to be. All you need to do is not allow any inbound network connections or, indeed, any network connectivity at all until the user has updated (or acknowledged the risk). Which is, incidentally, what Windows has been doing for years now.

  16. Re:Wrong approch on Community Comments To Security Absurdity Article · · Score: 1

    Virus scanners, network behavior analyzers, "app armor", stack canaries, random load addresses, nothing. 'Search and destroy' the spybots? Please. The biggest problem is C and all the other non-typesafe languages. Safe languages simply trade a certain amount of performance for the impossibility of buffer overflows, underflows, stack 'smashing', heap corruption, double-free's, pointer arithmetic errors, and all of the other low-level attacks. Everything at that level is toast in Java or in "managed" C# for instance.

    The point is valid, but the vast, vast majority of security breaches have nothing to do with software flaws (be they design or implementation).

    An OS implemented top to bottom in a typesafe language, would not remove the need for a virus scanner.

  17. Re:We wouldn't be having this problem if... on Community Comments To Security Absurdity Article · · Score: 1

    Ahhh, the 'macs don't have viruses/worms because they are less common, and therefore not targeted' argument. Except that OS 9 was less widely used than OS X and had many viruses.

    MacOS "Classic" was significantly more widely used than OS X.

    And which virus/worm writer wouldn't want to be the first successful writer for OS X?

    The hard part about viruses isn't creating them, it's getting them to spread. When only one in 100 machines is a target, it's not going to spread very fast.

    I don't think that there can be any doubt that OS X is being targeted.

    I don't think there's any doubt it is targeted orders of magnitude less than Windows (or, indeed, even Linux - albeit for different reasons).

    "Market share" is a simple way of referring to a number of significant factors which all combine to make Windows vastly more exploited than other platforms - and "security" (whatever the hell that's supposed to mean) is a relatively minor factor.

  18. Re:You are missing the point. on Novell Dumps the Hula Project · · Score: 1

    There are numerous open source exchange replacements. There are even more projects and protocols that replicate one part of the functionality. None of them are very widely adopted, however, because everyone is locked into exchange.

    No, they're not widely adopted because, compared to Exchange, they suck.

    If not for MS's monopoly abuse with that regard, there would be a demand for such a server and I imagine there would be one or more mature and common solutions by now.

    There is plenty of demand for something that does what Exchange does. There just aren't many products that deliver (and none that deliver as well).

  19. Re:Random questions and comments on Politics and 'An Inconvenient Truth' · · Score: 1

    Why is this a different question for people than corporations?

    Because corporations aren't people and don't act like people (well, they do in a sense, but they act like the kind of people that society typically refers to as varying degrees of "badly adjusted", and throw in gaol).

    See, everybody's always forgetting that corporations are just groups of people. They don't actually have an independent moral or ethical existence--legally, we treat them as such in a limited manner because it makes the law work better. But really, the rights and responsibilities or a business are understood by society to be an expression of the rights and responsibilities of their employees and owners.

    The whole *point* of a corporation is to (almost) completely exempt the people running it from individual responsibility for their actions. There are certain, rare, examples of this not occurring, but in general corporations exist to protect the individuals running them from the risks (ie: responsibilities) they would otherwise be exposed to acting _as people_.

    Contrary to your opinion, people are, in fact, well aware that corporations are run by people. They are also well aware that those people know they will rarely, if ever, be personally responsible for the actions the corporation takes. They are also well aware that positions of power (eg: running a corporation) attract people who are either a) extremely selfish or b) live their life to the mantra "the end justifies the means". Ie: psychopaths.

    In short, people don't trust corporations because they're typically run by selfish arseholes with little to no accountability for their actions - exactly the kind of people you don't trust in one-on-one relationships, either.

    You're just insisting that we hold certain groups of people responsible to a moral standard other than the law.

    The law is an exceptionally poor moral compass. Largely because it is not meant to be one. There's a reason people talk about lawyers with disdain, and that's because lawyers are typically the kind of people for whom the law *is* their moral guide.

  20. Re:Random questions and comments on Politics and 'An Inconvenient Truth' · · Score: 1

    I disagree with the assumption that the oil companies truly believe that global warming is a nonexistent threat.

    For more concrete proof of this, look no further than the huge investments energy companies (rather than just big oil) have made in researching and/or buying alternative/renewable energy sources.

    "Big Oil" knows what's coming - they're just stalling so when it arrives they're in the best position to profit from it.

  21. Re:How about reforming patents all together... on Test for "Obvious" Patents Questioned · · Score: 2, Insightful

    Actually, that's never been the stated purpose of patents.

    Nor does it need to be for it to reflect how they work.

    The government is not supposed to be in the business of enriching individual people or corporations, and they are well aware of it. The rationale for patents, as for any regulation, is to attempt to optimize the entire system. In the case of patents, by encouraging innovation. That's the party line, and pretty much every party around the world toes it.

    The point of a patent is to impose artificial scarcity and hence increase an invention's value. Note that the "invention" is distinct from the ensuing "products".

    As soon as you take money out of the equation, however, patents are pointless. Ie: it's all about the bottom line.

    There are actually few rational arguments for any sort of patents, and very substantial arguments against them.

    The rational argument for patents is the same as the one for copyright - that there is no (known) better way to create value where it would not otherwise exist (ie: in the face of infinite supply). Patents in the real world are much less of a problem, however, because they are opt-in. There _is_ the significant flaw in contemporary times that patenting things is *way* too easy, and that some things which should not be patentable, are (your example: software), but that largely a flaw in the execution, rather than the concept.

  22. Re:How about reforming patents all together... on Test for "Obvious" Patents Questioned · · Score: 1

    so that the only ones who can benefit from patents heavily are the "little guys". Big companies have little incentive to use patents in any other way except that benefits their bottom line.

    The point of patents is to benefit the bottom line of the patent holder - doesn't matter if they're big business or and individual.

  23. Re:So let me translate. on Virtualization Disallowed For Vista Home · · Score: 1

    There is absofuckinglutely no technical reason whatoever to stop virtualization as a hobby.

    There are rarely good technical reasons for *any* product/market segmentation. Not that technical reasons have anything to do with this situation.

    If I paid form my VM software, I paid form the cheapest MS OS, why the fuck should I tno be allowed to run it?

    Same reason you "can't" do anything else the licensing agreement forbids.

    There is no sane or decent explanation for this.

    Sure there is. Profit.

    Not that I care, but frankly some people around here should be more demanding and discriminating.

    Frankly some people around here need to learn the difference between "explaining" and "condoning".

  24. Re:no common sense case on No Business Case for HDTV? · · Score: 1

    a year ago i went into a small computer shop (not quite mom&pop, but not far) and asked for a null modem. every one, but i mean EVERYONE, even the manager, looked at me like i was some kind of monster from outerspace and pointed at the display of modems :\

    Well, in their defense, it's probably over a decade since "null modem cables" were anything approaching mainstream.

  25. Re:no common sense case on No Business Case for HDTV? · · Score: 1

    Athlon 2600+ (socket A) - Don't think that cuts the requirements, unfortunately:

    It will. My (old - since replaced with a Mac Mini) HTPC was a 2.4Ghz P4 underclocked to 1.8Ghz, and it easily handled watching one HDTV channel while simultaneously recording 2 others. Admittedly these were PCI and not USB tuners, but USB shouldn't make it *that* much worse.