Why is no security the default on so many software and hardware products?
Several reasons:
1. To make the software easier to install. Many software packages are installed by first-time users that don't like to RTM or spend a lot of time configuring security when they just want to try it in a pre-deployment mode.
2. Because "default security" is in fact an oxymoron. For example if the default username/password is "admin" and "admin" how is that any better than having no security enabled at all?
3. Many packages have the ability to use different security frameworks. LDAP, Kerberos, Active Directory, etc. Defaulting to one of those will put off users wanting to use something else.
Much of this can be addressed by having a decent install system involving an interactive script but that tends to be costly to implement and many projects would prefer spending what resources they have elsewhere.
All my Windows servers -- going back to still-running Windows/NT -- are hosted in a Linux-based hypervisor running as VMs. The older ones used to live on bare-metal and moved to a VM and the new ones have been VMs from the start.
So if I wanted something that Linux provides that Windows does not why wouldn't I just instantiate another Linux VM? All my LAMP, Glassfish, Wikis, mail servers, etc etc are VMs hosted on Ubuntu LTS.
(These days I never put a publicly routable IP address on a hypervisor environment.)
I just don't get why what Microsoft is doing would be useful, other than it sounds awesome to people who don't know what they are doing.
The movie Hidden Figures had many excellent and authentic moments but one of them was when one of the women got unintended access to "The IBM" (as they called it) and picked up a book on FORTRAN and taught herself how to program. With access and basic grasp of logic she built herself a career.
That's kind of how it happened for me and my peers, although we didn't have to steal our books from the whites-only section of the library. There were already good courses and professors in Computer Science at the university but their real value was mostly in giving the nascent programmer access to equipment on which to learn.
In that day you could easily have a thousand people using one computer such as a CDC 6600. A hundred people for a PDP-11 in timesharing was not uncommon. Today I have easily more than 100 Intel cores for my personal use and access to many more. My Macbook Pro alone has eight cores and more storage, compute, network power than an $20M supercomputer complex had back in 1970.
So for me access was the key. Not everyone could get access to computing capability that could do anything meaningful. Back then programmers looked more like a mysterious priesthood what with their exclusive access to special locked rooms and intimidating looking equipment and the ability to command "thinking machines". Being a member of the club I suppose had an attraction.
All the same I think I am having more fun today than I did then. There are so many more interesting things to play with.
I think we will make progress on these issues when we collectively stop pretending that "operator inattention" is the intended result of using of automated cars, not an unwanted by-product.
So -- someone is going to declare that hundreds of millions of people world wide woke up this morning and are suddenly prosecute-able criminals and have been ever since that content was added to the blockchain? That should interesting to see how they work that out.
Anyone Jaywalking is 100% not responsible for this.
An autonomous car is supposed to see and avoid ALL repeat ALL obstacles expected or otherwise. Just like a human driver.
An autonomous vehicle is supposed to be better at it the same way we expect a $2 microchip to be better at working arithmetic than any human ever born.
I would attach more blame to Facebook for allowing people to pull a stunt like this
If you are referring to the elevation of Donald Trump we should attach all blame where it belongs: on the idiots that voted for him.
Whatever stunts were pulled with social media by these guys and the Russians, the essential facts about Donald Trump and what an incredible dishonest, morally cretinous fraud he is were out there for anyone with the slightest inclination to do so could find. They elected this scumbag all pumped up with inane slogans. To this day too many of them defend him regardless of the constant stream of scandals and lies any one of which would have had them calling for the blood of any Democratic president.
On this scale of things Facebook is an innocent bystander.
The report from CNBC has caused Tesla's stock to tumble today.
Remember all the Tesla fires? The stock tumbled then and I managed to get in at the bottom of that particular drop.
I'll never understand how or why the markets are absolutely eager for anything remotely bad about Tesla Motors so they can let their fear-ridden backbrains take over and sell in a panic. Fine I will just buy then.
As to the issue: new factories pushing the edge on new kinds of parts will inevitably have issues of this kind. I would be more concerned if they reported a zero or tiny defect rate. That would indicate that the QA dept is not doing its job and somebody is hiding something.
Bottom line: Tesla revenues are supply limited. Specifically supply of batteries. They have a huge backlog of sales. Yes a 40% defect rate of something is a problem and has to be fixed. I have seen defect rates like that and worse on stable product that hasn't changed in 5 years. That is why there is a career in supply chain management. That is why there is a career in Quality Assurance.
But if you have a backlog and you have funding (Tesla has both) these problems will be fixed. The stock price drop has to do with the market obsession with making this quarter's shipments and revenue numbers and nothing else.
Had this not made the news I would have been surprised if this had even reached Elon's desk.
I don't get how you could conclude that I would think something like that.
The point is that a search -- legal or illegal, consensual or not -- won't find anything if I don't keep anything on there that the law considers contraband or evidence of illegality.
My other point is there is absolutely no reason to have anything like that on your portable device except stupidity.
I have to travel with my laptop but if I had anything to hide it sure as hell wouldn't be there. Anyone caught at the border with something illegal is an idiot an is destined to be caught.
Why the hell woudn't they encrypt it, stash it on a server, and downloaded when they get home? Alternatively send it to a home server before you even get on the plane? Then, of course, deep-delete everything.
The article doesn't call out what versions are affected. My router has 6.40.3 and an upgrade command says that's the latest.
But the bigger problem I have is: (from the TFA)
Routers download and run various DLL files in the normal course of business.
WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to. During an upgrade sure.
Anyone who installs a router that downloads stuff and runs it without their express command to do so is simply asking for it.
On top of that I don't understand why they call out DLLs. Mikrotiks run RouterOS based on Linux, most of which don't use DLLs for anything.
Exactly no one with any brains is surprised. This is government working the way it always does, badly.
Right. The Interstate highway system was such a complete disaster. And who could ever forget the mistake called Hoover dam. The power grid and water system never did do what it was supposed to. Private enterprise and the free market were the only reason we had no air carrier fatalities for 10 years and don't get me started on the U.S. Army. A high-school football team could probably push them over.
Too bad we didn't just leave it all up to AC. What were we thinking.
When you switch to more energy efficient products, this is a natural side effect. EVs will change that obviously.
But with a corresponding drop in demand for fossil fuels at the point of consumption.
Of course fossil fuels will still be used a lot for generation of electricity for EVs, but if renewables are actually dropping in price then that has to trend downward.
Which, of course, will cause the price of gasoline to crash because of the resulting glut.
The thing to watch for is if gasoline prices drop because of that then ICE cars become more cost-competitive against EVs than they were before. If that is true then EV cars need to become more cost-efficient than they currently are. And for that, Li-ION batteries have to both improve and drop in price.
I'm so old I remember back in the 70s the taxicab companies in New York discovered that putting a brake light in the rear window of their cars cut rear-ending accidents by 60%. The light was at eye level (for a driver) rather than bumper level.
You would have thought they had re-invented fire, the wheel, and all the rest of science and how marvelous everyone thought that was.
Now a car that brakes automatically before it hits something. My my.
Now, as then, my reaction is the only astounding thing is how absolutely anyone could be surprised at the result.
Interesting how this article accumulated over 50 posts and nobody (unless I just totally missed it) has pointed out that we are in the fix of a) being under concentrated cyber-attack from Russia and b) we have a president 100% committed to the idea that there is no threat.
Hopefully the career military, spooks, and bureaucrats are on the job because it is pretty much up to them to defend us.
KVM also doesn't work with Intel's Atom CPUs unless extensions are available.
It doesn't? In my last company we used an Atom C2000 and we used KVM/Libvirt to run VMs on it using Ubuntu 14.04. In fact we had one design win that depended on it.
You may be thinking of the feature (I forget the code name) that lets you virtual-ize PCI devices. It couldn't do that so you had to rely on the linux kernel bridge or OpenVSwitch.
Slashdot Mirror
Why is no security the default on so many software and hardware products?
Several reasons:
1. To make the software easier to install. Many software packages are installed by first-time users that don't like to RTM or spend a lot of time configuring security when they just want to try it in a pre-deployment mode.
2. Because "default security" is in fact an oxymoron. For example if the default username/password is "admin" and "admin" how is that any better than having no security enabled at all?
3. Many packages have the ability to use different security frameworks. LDAP, Kerberos, Active Directory, etc. Defaulting to one of those will put off users wanting to use something else.
Much of this can be addressed by having a decent install system involving an interactive script but that tends to be costly to implement and many projects would prefer spending what resources they have elsewhere.
That's my take anyway.
I suggest that we just forget all this security software stuff and just go back to the honor system.
What the hell would I want this for?
All my Windows servers -- going back to still-running Windows/NT -- are hosted in a Linux-based hypervisor running as VMs. The older ones used to live on bare-metal and moved to a VM and the new ones have been VMs from the start.
So if I wanted something that Linux provides that Windows does not why wouldn't I just instantiate another Linux VM? All my LAMP, Glassfish, Wikis, mail servers, etc etc are VMs hosted on Ubuntu LTS.
(These days I never put a publicly routable IP address on a hypervisor environment.)
I just don't get why what Microsoft is doing would be useful, other than it sounds awesome to people who don't know what they are doing.
The movie Hidden Figures had many excellent and authentic moments but one of them was when one of the women got unintended access to "The IBM" (as they called it) and picked up a book on FORTRAN and taught herself how to program. With access and basic grasp of logic she built herself a career.
That's kind of how it happened for me and my peers, although we didn't have to steal our books from the whites-only section of the library. There were already good courses and professors in Computer Science at the university but their real value was mostly in giving the nascent programmer access to equipment on which to learn.
In that day you could easily have a thousand people using one computer such as a CDC 6600. A hundred people for a PDP-11 in timesharing was not uncommon. Today I have easily more than 100 Intel cores for my personal use and access to many more. My Macbook Pro alone has eight cores and more storage, compute, network power than an $20M supercomputer complex had back in 1970.
So for me access was the key. Not everyone could get access to computing capability that could do anything meaningful. Back then programmers looked more like a mysterious priesthood what with their exclusive access to special locked rooms and intimidating looking equipment and the ability to command "thinking machines". Being a member of the club I suppose had an attraction.
All the same I think I am having more fun today than I did then. There are so many more interesting things to play with.
I think we will make progress on these issues when we collectively stop pretending that "operator inattention" is the intended result of using of automated cars, not an unwanted by-product.
So -- someone is going to declare that hundreds of millions of people world wide woke up this morning and are suddenly prosecute-able criminals and have been ever since that content was added to the blockchain? That should interesting to see how they work that out.
Anyone Jaywalking is 100% not responsible for this.
An autonomous car is supposed to see and avoid ALL repeat ALL obstacles expected or otherwise. Just like a human driver.
An autonomous vehicle is supposed to be better at it the same way we expect a $2 microchip to be better at working arithmetic than any human ever born.
I would attach more blame to Facebook for allowing people to pull a stunt like this
If you are referring to the elevation of Donald Trump we should attach all blame where it belongs: on the idiots that voted for him.
Whatever stunts were pulled with social media by these guys and the Russians, the essential facts about Donald Trump and what an incredible dishonest, morally cretinous fraud he is were out there for anyone with the slightest inclination to do so could find. They elected this scumbag all pumped up with inane slogans. To this day too many of them defend him regardless of the constant stream of scandals and lies any one of which would have had them calling for the blood of any Democratic president.
On this scale of things Facebook is an innocent bystander.
The report from CNBC has caused Tesla's stock to tumble today.
Remember all the Tesla fires? The stock tumbled then and I managed to get in at the bottom of that particular drop.
I'll never understand how or why the markets are absolutely eager for anything remotely bad about Tesla Motors so they can let their fear-ridden backbrains take over and sell in a panic. Fine I will just buy then.
As to the issue: new factories pushing the edge on new kinds of parts will inevitably have issues of this kind. I would be more concerned if they reported a zero or tiny defect rate. That would indicate that the QA dept is not doing its job and somebody is hiding something.
Bottom line: Tesla revenues are supply limited. Specifically supply of batteries. They have a huge backlog of sales. Yes a 40% defect rate of something is a problem and has to be fixed. I have seen defect rates like that and worse on stable product that hasn't changed in 5 years. That is why there is a career in supply chain management. That is why there is a career in Quality Assurance.
But if you have a backlog and you have funding (Tesla has both) these problems will be fixed. The stock price drop has to do with the market obsession with making this quarter's shipments and revenue numbers and nothing else.
Had this not made the news I would have been surprised if this had even reached Elon's desk.
Do you think that magically prevents the search?
I don't get how you could conclude that I would think something like that.
The point is that a search -- legal or illegal, consensual or not -- won't find anything if I don't keep anything on there that the law considers contraband or evidence of illegality.
My other point is there is absolutely no reason to have anything like that on your portable device except stupidity.
I have to travel with my laptop but if I had anything to hide it sure as hell wouldn't be there. Anyone caught at the border with something illegal is an idiot an is destined to be caught.
Why the hell woudn't they encrypt it, stash it on a server, and downloaded when they get home? Alternatively send it to a home server before you even get on the plane? Then, of course, deep-delete everything.
The article doesn't call out what versions are affected. My router has 6.40.3 and an upgrade command says that's the latest.
But the bigger problem I have is: (from the TFA)
Routers download and run various DLL files in the normal course of business.
WTF? No they don't. My router doesn't download and run anything during normal operation and it doesn't need to and shouldn't need to. During an upgrade sure.
Anyone who installs a router that downloads stuff and runs it without their express command to do so is simply asking for it.
On top of that I don't understand why they call out DLLs. Mikrotiks run RouterOS based on Linux, most of which don't use DLLs for anything.
Wasn't Broadcom already eated by Avago?
They went with Hardy Hardon.. I mean Heron for "H"
If you really want to see fireworks on /. just wait until they get to Sexy systemd.
Exactly no one with any brains is surprised. This is government working the way it always does, badly.
Right. The Interstate highway system was such a complete disaster. And who could ever forget the mistake called Hoover dam. The power grid and water system never did do what it was supposed to. Private enterprise and the free market were the only reason we had no air carrier fatalities for 10 years and don't get me started on the U.S. Army. A high-school football team could probably push them over.
Too bad we didn't just leave it all up to AC. What were we thinking.
$78B? OMG. That is like almost 8% of the cost of the Iraq war.
No way we could ever fund something that big.
As the author of the post you are responding to I reserve the right to reply: good answer.
I would leave it at : "governments can't be trusted"
We trust the government with nukes. Many other governments are trusted with this as well.
We trust the government with the data the IRS collects.
We trust the government with regulating the food supply, the water supply, and pharmaceuticals.
We trust the government to keep air travel safe. Pretty damn good job over the last 10 years even though Trump thinks he deserves credit for it.
I could go on, but at this point I would wonder what you mean.
When you switch to more energy efficient products, this is a natural side effect. EVs will change that obviously.
But with a corresponding drop in demand for fossil fuels at the point of consumption.
Of course fossil fuels will still be used a lot for generation of electricity for EVs, but if renewables are actually dropping in price then that has to trend downward.
Which, of course, will cause the price of gasoline to crash because of the resulting glut.
The thing to watch for is if gasoline prices drop because of that then ICE cars become more cost-competitive against EVs than they were before. If that is true then EV cars need to become more cost-efficient than they currently are. And for that, Li-ION batteries have to both improve and drop in price.
Maybe Elon is on to something.
I'm so old I remember back in the 70s the taxicab companies in New York discovered that putting a brake light in the rear window of their cars cut rear-ending accidents by 60%. The light was at eye level (for a driver) rather than bumper level.
You would have thought they had re-invented fire, the wheel, and all the rest of science and how marvelous everyone thought that was.
Now a car that brakes automatically before it hits something. My my.
Now, as then, my reaction is the only astounding thing is how absolutely anyone could be surprised at the result.
Just because someone has done something illegal, doesn't give you the right to do something illegal yourself in response.
And thus ... license servers have once again been reinvented.
I don't disagree but I do have sympathy for those whose software has been pirated.
This whole Russian hacking story is bogus.
Because bogus stories always result in 4 federal court guilty pleas and 14 indictments rising to the standards of federal prosecutors.
Interesting how this article accumulated over 50 posts and nobody (unless I just totally missed it) has pointed out that we are in the fix of a) being under concentrated cyber-attack from Russia and b) we have a president 100% committed to the idea that there is no threat.
Hopefully the career military, spooks, and bureaucrats are on the job because it is pretty much up to them to defend us.
KVM also doesn't work with Intel's Atom CPUs unless extensions are available.
It doesn't? In my last company we used an Atom C2000 and we used KVM/Libvirt to run VMs on it using Ubuntu 14.04. In fact we had one design win that depended on it.
You may be thinking of the feature (I forget the code name) that lets you virtual-ize PCI devices. It couldn't do that so you had to rely on the linux kernel bridge or OpenVSwitch.
Sounds to me like a lot of people get angry when challenged.