I know this because a judge determined that their status had not been determined by a competent tribunal.
Hamdan has not been determined by a competent tribunal to be an offender triable under the law of war, 10 U.S.C. 821, and because in any event the procedures established for the Military Commission by the President's order are "contrary to or inconsistent" with those applicable to courts-martial, 10 U.S.C. 836, Hamdan's petition will be granted in part.
Judge James Robertson of the United States District Court in Washington D.C.
And a pretty good argument can be made that the terrorists we have down there are outside of the Geneva convention as they aren't members of any regular army backed by a real country.
And that is exactly the point: "An argument can be made". This implies that there is some doubt as to their status, as obviously the opposite argument can be made. Which, according to the Geneva convention, means that:
"Should any doubt arise as to whether persons, having committed a belligerent act and having fallen into the hands of the enemy, belong to any of the categories enumerated in Article 4, such persons shall enjoy the protection of the present Convention until such time as their status has been determined by a competent tribunal."
Their status has not been determined by a competent tribunal, and therefore they are being held in violation of the Geneva convention.
Another trick, which I don't think I have ever seen mentioned (it's from my personal reserve) is, when using NTFS, to set permissions for Deny Execute for Everyone. Then you happily reboot and just delete the suckers.
Works best on things that do the service and run at startup tricks.
I dare say this will be lost in the arms race eventually, but a useful weapon nevertheless.
Land Rover over-rated? I don't think so. A Land Rover is almost indestructible. That is why you find them all over the planet. First car to go from Alaska to Cape Horn. Look at any film you may see with relief effort in Africa and examine what they are driving - why, they're Land Rovers.
They are relatively cheap (especially considering their lifespan), simple (less to go wrong), easy to repair, and easy to jury rig to limp home.
Sort of reminds me of the (apocryphal) story about the NASA $1 million pen and the Russian 5c pencil.
And it is tyres.
When I say things like the "community does this" and "we do that" people are swift to leap on the supposed fallacy of "you suppose slashdot posters all share the same opinion". Yet add the magic ingredient of "opposition to Microsoft" and shazam - it's OK. I did mention double standards earlier, didn't I? Well, what you just wrote was a great example.
It's not like you had to look far to see a post highly critical of MS hidden APIs - the immediately previous post in response to mine does so.
Trolling - nope. But it seems that not only is anything slightly critical of Apple seen as a troll in these here parts, but even a pointing out of the double standards that apply when judging Apple is seen as a troll.
This is slashdot - a fervent member of the open/free software world. If anybody suggested that any other vendor* should be able to keep APIs private and for their own use only the outrage would be immense. We're not even talking about truly internal APIs, but APIs that are used in the vendor's applications.
If the offender was Microsoft then it would be nerd apocalypse.
* The exception is, of course, google - they also get a free pass when indulging in questionable behaviour. It seems that there is a lot of "the enemy of my enemy is my friend" going on, with MS being the enemy. I'm old enough to remember when MS was in google's position, and IBM was the leviathan, crushing all before it. And I'm astute enough to realise that there will be a new enemy along in a minute, and the next generation of geeks will be vilifying google (or whoever - google are my bet), praising a new upstart through rose-tinted glasses, and slightly bemused that MS was once seen as an 800lb gorilla.
I could be wrong - google could become a benevolent mega-corp. But I'm not holding my breath.
Ah - right. So when a company has undocumented APIs then it is because they are not documenting them for altruistic reasons.
Unless the company is Microsoft - then it becomes evil.
The slight problem with this slightly simplistic argument is that the APIs are not undocumented. They are documented, otherwise the Apple developers would not be able to use them (and, after all, the article is about disassembling an Apple application to find out how they worked).
The APIs are just not documented publicly - Secret APIs in other words.
Of course this is no doubt still a case of Apple's Secret APIs: Good vs Microsoft's Secret APIs: Evil, but it's late, and I'm not up to the mental gymnastics that will be required to make the leap. No doubt an Appleista will be along in due course to make clear the path to enlightenment.
I don't really find this to be a troll
Then, with respect, you would not know a troll if it ripped out your eyeballs and licked your brain.
What? The "...forced to use..." was not enough of a hint?
I really don't know why the editors bother.
Oh, wait. They don't.
From the article:
Actually he didn't - we just made that quote up.
Sheesh.
Almost - it depends on the context:
"The Board is the highest decision-making body in the company."
and
"The Board are split on the issue."
See Economist Style Guide for the details.
Republican policy
Republican Senate
Republican meeting
even Republican Party.
None of these assume membership of a political party. Adjectives are funny like that. Or would you argue that all Republican voters are members of the Republican party?
Do you have similar problems with "Royal Butler"? Do you think that it only means that the butler is royalty, rather than that the butler, while not being royalty himself, serves royalty?
He is a shill of the Republicans, as opposed to he is a Republican who is a shill.
The cheapest sky package is £13.50 - see Sky Packages. Although you may be on a half-price introductory offer for the £19 package, it is a little disingenuous to claim that it is £9 a month - a bit like saying the supermarket is giving away free pizzas when actually it is a BOGOF (Buy one get one free) offer.
That is true now, but Apple tried to charge royalties and stymied the adoption of Firewire. See this article, among many others. Confusion in naming has its genesis in this totally stupid attempted royalty grab.
Good post.
There is one thing missing from your security model. Most exploits come from people who are allowed access to information who misuse it. So the fact that you have (in your parlance) a 5/5/5 system is neither here nor there - the components in the system performed in the correct and secure manner, but the user is the rogue component.
The missing thing, of course, is auditing - not only failures (sort of goes without saying) but successes. You should be able to take, say, a file, and produce a history of who accessed it when, who modified it when. This obviously only becomes useful when you are sure who is who (so good authentication is required) but can be invaluable.
The other thing I'll mention (mainly because this will be my only post to this article) is the difference between perception and reality when it comes to an audit system. The way I think of it is that a system has a status (how you think it is behaving) and a state (how it is actually behaving). The goal of a good audit system is to make sure that the status corresponds to the state as often as possible, and that it fails safe as seldom as possible. And it never fails dangerously.
To expand - a system can be compromised or uncompromised. You can also think it is compromised or uncompromised. But you must set things up so that you never (or very rarely - how rare is part of your risk management strategy) have the situation where you think it is uncompromised but it is actually compromised.
This obviously requires a lot of work, and a lot of tuning for a specific system, but for the more paranoid end of the market this is a good avenue to consider.
Incidentally I nicked... erm, was inspired by disease control methods and the effectiveness of medical tests for diagnosis of disease when implementing this - the book "Reckoning with Risk" was a very enlightening read, especially about how counter-intuitive lots of these things are. Definitely worth a read if you are in any circumstance where you must rely on the results of things that do not produce definite information.
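The status-versus-state argument above maps directly onto the diagnostic-test arithmetic the post alludes to. This is an added example, not the poster's code: it works the figures through as counts over a population of hosts, where "fails dangerously" is P(compromised | audit says clean) and "fails safe" is P(clean | audit says compromised), and solves for the sensitivity an audit needs to keep the dangerous case below a chosen rate. All the rates used are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditOutcome:
    """Counts over a population of hosts, in the post's terms:
    state = whether a host really is compromised, status = what the audit says."""
    true_alerts: float   # compromised, audit says compromised  (status == state)
    missed: float        # compromised, audit says clean        (fails dangerously)
    false_alerts: float  # clean, audit says compromised        (fails safe)
    true_clean: float    # clean, audit says clean              (status == state)

    @property
    def p_fail_dangerous(self) -> float:
        """P(compromised | audit says clean): the case the post says must never happen."""
        says_clean = self.missed + self.true_clean
        return self.missed / says_clean if says_clean else 0.0

    @property
    def p_fail_safe(self) -> float:
        """P(clean | audit says compromised): wasted response effort, tolerable."""
        says_compromised = self.true_alerts + self.false_alerts
        return self.false_alerts / says_compromised if says_compromised else 0.0

    @property
    def p_status_matches_state(self) -> float:
        """How often the audit's status agrees with the real state."""
        total = self.true_alerts + self.missed + self.false_alerts + self.true_clean
        return (self.true_alerts + self.true_clean) / total


def audit_outcome(base_rate: float, sensitivity: float, specificity: float,
                  hosts: int = 1_000_000) -> AuditOutcome:
    """Work the figures through as counts rather than conditional probabilities.

    base_rate   = fraction of hosts actually compromised (the prior)
    sensitivity = P(audit says compromised | compromised)
    specificity = P(audit says clean | clean)
    """
    compromised = hosts * base_rate
    clean = hosts - compromised
    return AuditOutcome(
        true_alerts=compromised * sensitivity,
        missed=compromised * (1.0 - sensitivity),
        false_alerts=clean * (1.0 - specificity),
        true_clean=clean * specificity,
    )


def required_sensitivity(base_rate: float, specificity: float,
                         max_fail_dangerous: float) -> float:
    """Smallest sensitivity s with P(compromised | audit says clean) <= max_fail_dangerous.

    With p = base_rate, q = specificity, t = max_fail_dangerous:
        p(1-s) / (p(1-s) + (1-p)q) <= t   =>   s >= 1 - t(1-p)q / (p(1-t))
    This is the "how rare" knob in the post's risk-management strategy.
    """
    if base_rate <= 0.0 or max_fail_dangerous >= 1.0:
        return 0.0  # nothing to miss, or any miss rate is acceptable
    s = 1.0 - (max_fail_dangerous * (1.0 - base_rate) * specificity) \
        / (base_rate * (1.0 - max_fail_dangerous))
    return min(1.0, max(0.0, s))


if __name__ == "__main__":
    # Constructed figures: 1% of hosts compromised, the audit catches 99% of
    # them, and raises a false alert on 5% of clean hosts.
    o = audit_outcome(base_rate=0.01, sensitivity=0.99, specificity=0.95)
    print(f"status == state                      : {o.p_status_matches_state:.4f}")
    print(f"fails safe, P(clean | alert)         : {o.p_fail_safe:.4f}")
    print(f"fails dangerous, P(compromised|clean): {o.p_fail_dangerous:.6f}")
    print(f"sensitivity for <= 1e-4 dangerous    : "
          f"{required_sensitivity(0.01, 0.95, 1e-4):.6f}")
```

The counter-intuitive part is that with these figures most alerts are false even though the audit is "99% accurate", which is the fail-safe side; the dangerous side stays small only because the base rate is low.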
There is a lawsuit going on between the movie studios and various video distributors. The gist of it is that the distributors are editing films for content (sex, violence etc) and renting people the edited version. There are various facets of the lawsuit but it boils down to how much a third party (ClearFlicks) can alter the content of a second party (a movie studio) without breaching copyright.
Complex, and I don't think it has been resolved. For example, if you give a film to a friend to edit for you, is this a breach of copyright? Would it be a breach of copyright for your friend to offer a free service to everybody to edit their films? What if your friend made money out of the service (say, by sticking some advertising into the edited film)?
The way I see it is that google is using other people's content to drive their advertising; making money by, effectively, creating derivative works of other people's pages. To my mind this is wrong. The fact that they bundle a service to the user is not really pertinent - it is not the user being harmed (however slightly) but the creator of the content.
A googol of them.
Or three, excluding dupes.
Randomly musing here, but surely Google is creating a derivative work by modifying the pages before they are seen by the user? This would make them in breach of copyright if true (unless they have the permission of the author of the page, which seems pretty unlikely).
Of course, you could argue that the user is creating the derivative work and just using google as the means to do this, but I think modifying content to this extent falls outside fair use.
Ironic then that they are (allegedly) infringing on Microsoft's patent (a form of intellectual property) while they infringe on other people's copyrights (another form of IP).
I should have explained myself more clearly. A PDC in an NT4 style domain was the single point of failure. Now, in an AD style domain there are five single points of failure, called FSMOs.
Think of it this way - can every DC in a domain independently create objects? No. All DCs except the RID master must contact the RID master to get a pool of RIDs to allow it to create objects. Hence all machines are not peers (despite copious literature saying the opposite).
BDCs in NT4 do not contain a read-only copy of the domain information - last logon time is updated at each BDC independently (makes checking for last logon time annoying).
The role of PDC emulator does support downlevel clients. It is also exceptionally important for domain security - it is always tried if the local DC cannot authenticate you, for example. It also does urgent replication when an account is locked out. Finally it gets notified immediately of password changes: a user can change a password anywhere and log on anywhere else without worrying about the DC having his recently changed password.
Ideally you have nobody in the admins group - passwords in a sealed envelope etcetera. But reality is that things break, and you need people in the admins group to fix them.
There are also various applications - exchange being a notable culprit - that are extremely picky about the way rights work, and there is a whole world of pain awaiting you when you start delegating.
Techy explanation - Windows objects (which is everything in the active directory) have a set of security permissions which controls who can do what. This is called a DACL (for discretionary access control list). Windows orders the DACLs so that any deny permissions come first for performance reasons (what happens is that a request is made to the OS saying "I want to do this action to this object" - say change a password on a user account. The OS starts reading through the permissions until it finds that you have enough rights and stops. Therefore if denies could be at the end of the DACL then for every access every DACL entry must be checked - a major performance hit.) Exchange developers, in their very finite wisdom, decided the first DACL entry should be permit for full exchange admins, followed by a deny for full exchange admins, followed by a properly ordered DACL. If you try and delegate rights to people who also have full exchange rights (and these rights are not full, despite what it says on the tin) odd things happen.
ARGGGHHHHHH!
It makes managing who can do what to mailboxes challenging, to say the least.
I've also had nightmares with delegate rights - blew away the entire permissions on the exchange config container which killed exchange dead. Only time I have ever done an authoritative restore for real.
But it is pretty cool - I just wish someone had given the exchange developers a good slap when they suggested cute tricks with DACL ordering.
Actually there are such things as BDCs in AD - there are now five FSMO roles of various flavours: PDC emulator, domain naming master, schema master, infrastructure master, RID master. Multiple roles can exist on one box, but these "flexible single master operators/operations" boxes are the new PDCs.
If you have more than one domain you need more than one DC for each domain that has a Global Catalog server in it, as GCs should never sit on Infrastructure Masters (not sure if this is still true in 2003).
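The DACL-ordering explanation in the post is easy to see in a small simulation. This is an added example, not the poster's code or Windows itself: it models the first-match walk the post describes (stop when all requested rights are granted, or when a matching deny covers a right still outstanding), builds a DACL shaped like the Exchange one the post complains about, and then shows that canonicalizing the same ACEs, as an ACL editor would on save, changes who gets what. Group names and rights are constructed.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Iterable, List, Set, Tuple


class Right(Flag):
    """A handful of object rights; constructed for the example."""
    READ = auto()
    WRITE = auto()
    RESET_PASSWORD = auto()
    FULL = READ | WRITE | RESET_PASSWORD


@dataclass(frozen=True)
class Ace:
    allow: bool    # True: access-allowed ACE, False: access-denied ACE
    trustee: str   # group the ACE applies to (constructed names)
    mask: Right


def access_check(dacl: List[Ace], token_groups: Set[str],
                 requested: Right) -> Tuple[bool, int]:
    """Walk the DACL in order, as the post describes: stop as soon as every
    requested right has been granted, or as soon as a matching deny ACE covers
    a right that is still outstanding. Returns (granted, ACEs examined)."""
    remaining = requested
    for examined, ace in enumerate(dacl, start=1):
        if ace.trustee not in token_groups:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if not remaining:
                return True, examined
        elif ace.mask & remaining:
            return False, examined
    # Ran off the end with rights still outstanding: nothing granted them.
    return False, len(dacl)


def is_canonical(dacl: Iterable[Ace]) -> bool:
    """Canonical order for explicit ACEs: every deny before any allow."""
    seen_allow = False
    for ace in dacl:
        if ace.allow:
            seen_allow = True
        elif seen_allow:
            return False
    return True


def canonicalize(dacl: List[Ace]) -> List[Ace]:
    """Reorder into canonical form, keeping relative order within each kind.
    This is the kind of rewrite a GUI ACL editor performs when it saves a
    DACL it found out of order."""
    return [a for a in dacl if not a.allow] + [a for a in dacl if a.allow]


# Constructed DACL shaped like the post's description: a permit for the
# Exchange admins, then a deny for the same group, then a properly ordered tail.
EXCHANGE_STYLE = [
    Ace(True,  "ExchAdmins", Right.FULL),
    Ace(False, "ExchAdmins", Right.FULL),
    Ace(False, "HelpDesk",   Right.WRITE),
    Ace(True,  "HelpDesk",   Right.READ | Right.RESET_PASSWORD),
    Ace(True,  "Everyone",   Right.READ),
]

# Someone who was delegated help-desk rights and also holds Exchange admin rights.
DELEGATED_EXCH_ADMIN = {"Everyone", "HelpDesk", "ExchAdmins"}
HELP_DESK_ONLY = {"Everyone", "HelpDesk"}


if __name__ == "__main__":
    canon = canonicalize(EXCHANGE_STYLE)
    for label, dacl in (("as written", EXCHANGE_STYLE), ("canonicalized", canon)):
        granted, n = access_check(dacl, DELEGATED_EXCH_ADMIN, Right.WRITE)
        print(f"{label:13} canonical={str(is_canonical(dacl)):5} "
              f"exch admin WRITE -> {'granted' if granted else 'denied'} "
              f"after {n} ACE(s)")
```

Same five ACEs, opposite answer for the delegated Exchange admin depending only on order, which is the "odd things happen" the post warns about when a tool reorders the list.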
Flat is seldom the answer unless your domain will be very small.
Domains form security boundaries. Unless you want everybody who is in domain admins or who may need domain admins the ability to completely screw up your schema and enterprise configuration then you should have as a minimum a placeholder root.
A placeholder root also allows different security policies for different users. This is the most annoying weakness of AD: user accounts get the security policy of the domain controllers, and not of the user container. So separate domains for separate requirements.
Mergers/de-mergers/acquisitions all benefit substantially from being able to spin domains in and out of a forest. You don't need a forest for this, but it helps.
Internal politics also may mandate separate domains - many companies are loosely allied fiefdoms, and there is no way they will agree to monolithic centralised IT. So give them a bone - here, your very own domain. They will not realise that there is no effective difference if you control the root.
Other reasons are said to include control of replication, but I've never really bought this. AD replication is pretty minor compared to other traffic. I know that in 2000 there is a problem with groups (membership is replicated, not membership deltas - changed in 2003) that might suggest it's a good idea, but if you are doing a 2003 roll out - nah.
Oh yeah - as seems de rigueur in this thread I was also once involved in one of the largest AD roll outs in the entire world - headquarters (one of them) opposite Waterloo station in London.
All true. The kicker was that originally he was using the game.co.uk domain in an area of business that did not overlap with the GAME group's area of business, so there were no trademark problems.
After the toing and froing over the price he then set up game.co.uk so that there was trademark confusion - basically he started selling games from the website. Now there was confusion over the trademark.
He was, in my opinion, dinged reasonably for acting in bad faith. If he had not moved the game.co.uk website into the area of business of GAME I don't think he would have had any problems.
Interesting. My spam volume from the two domains I have has gone up hugely recently. I hadn't really noticed it because I used spam filtering that limited it to a few tens per day that I actually saw. But my computer died and it took just under two weeks to fix it. In that time I had accumulated over 100,000 messages, totaling over 500 megabytes. Of these maybe 20 messages were for me - the rest were spam.
What had happened was that some joker thought it would be a massively successful sales technique to send the same spam dozens of times to dozens of non-existent accounts on one domain. Needless to say he was wrong (but "rule 1 - spammers are stupid" would have told you this anyway).
All this resulted in a call from my e-mail provider saying - "You seem to have a lot of mail in your inbox... can we delete it?" And the provision of some server side spam filtering which is running on "label" until I'm happy, then it will just delete detected spam for this particular domain.