Slashdot Mirror


User: Nintendork

Nintendork's activity in the archive.

Stories: 0
Comments: 650

Comments · 650

  1. Re:How long until... on New Spoofing Vulnerability in IE · · Score: 1

    I agree 100%. A coding mistake allows something to execute without the user's consent under the user's credentials. Even if the user isn't root/admin, there's a lot of nastiness that can happen. Anything you can get to, the executed code can get to.

    If Firefox was the #1 browser, hackers would switch focus. Exploit seekers are going for fame and fortune and they're not going to get it by targeting OSS. Even IIS gets more attention than Apache because anything Microsoft related makes the news. Most people don't know what Apache is. Security through obscurity isn't the entire solution, but it's definitely a good first line of defense. Remove that defense and get the limelight of media and user attention by being #1 and you're setting yourself up to get banged on by every hot shot out there.

    -Lucas

  2. Re:What's he getting at, anyway? on EA Reconsiders Overtime Position · · Score: 1

    How the hell did you manage to turn this into a "Down with republicans" rant? What's next, blaming the republicans for ineffective h3rb4l v|4gr4? Pointed statements and conspiracy theories like this only preach to the converted and turn off those that have other viewpoints. Stereotyping, making blanket statements, and offending the intelligence of the other side doesn't help your case. All it does is make the other side feel that much more resolved to dismiss your opinion as an immature, cynical rant. How do you feel when a religious individual harps on you? That's what I thought.

    -Lucas

  3. Re:To avert the usual avalanche on What is the Tech Jobs Situation in Late 2004? · · Score: 1, Insightful

    Good job gathering numbers, but you might want to work on the people skills. Maybe take an anger management class.

  4. Re:Heck, join the military on What is the Tech Jobs Situation in Late 2004? · · Score: 3, Informative

    Out of curiosity, I checked some stats on the web and the server to admin ratio is typically between 10 and 20 servers per admin.

  5. Re:Heck, join the military on What is the Tech Jobs Situation in Late 2004? · · Score: 2, Insightful
    ...currently admin'ing about 1000 Sun servers.

    How on Earth can you single-handedly admin 1,000 servers properly? Are all the servers just in a maintenance phase with no plans for updates, upgrades, and replacement? Everything is automated? All security, auditing, and alerts are in place?

    -Lucas

  6. Re:Pink slip on Electronic Arts Facing Possible Class Action Lawsuit · · Score: 1
    You have some great points there, but one thing to watch out for is that you shouldn't stop your hunt when you're in the interview process with a company. Until papers are signed and you're working, you still don't have a job. Worst case scenario is that you're in the interview process with Company A and a resume you send out to Company B gets a bite. Well, now you have two companies to choose from.

    -Lucas

  7. Re:Pink slip on Electronic Arts Facing Possible Class Action Lawsuit · · Score: 2, Informative
    Actually, Right to Work refers to having the choice to join a union instead of being forced to when you become employed in a company with a union. What you're referring to is called At Will. Regarding your comment on employers being careful when they fire employees, the laws that protect employees from wrongful termination are easy for the employer to work around. Unless you're a 100% super employee, they can and will find another reason for firing you. Unless you have an email, recording, or some other form of evidence, good fucking luck fighting it in court.

    The best solution is to not get involved with a company like this in the first place. When you're going through the hiring process, talk to current employees and ask them what's good and bad about the company. If you're in the same situation I was in a few years ago, an evil corporation may come in and buy you out from a great employer. In those cases, you have to try your best to keep a positive attitude and make job searching a full time job. Most people that bitch about not being able to find a job, just aren't putting in a real effort. Posting your resume on monster.com and firing off resumes to job openings on dice.com is nothing more than a token effort. You have to act like a door to door life insurance salesman and do everything you can to land a better job. If you need to move to a bigger city, do it! Save up about 2 months of living expense money and move. Put most of your stuff in storage if it will help temporarily. Once you get to the city, spend the first month selling yourself like a pimp with an expensive crack habit. Hell, you could hit up managerial looking people at Starbucks if it will help. If you really can't land a job in that initial month, get any old night job to live off of and make finding another job your day job. If you still can't land anything, maybe you're in the wrong field or have some personality issues that employers are seeing. Applicants that shine through the rest because of their own drive to get their foot in the door already have a lead on the rest. If you're doing this to say, 100 companies at a time, at least one will pay off.

    -Lucas

  8. Re:ea_spouse on EA Games: The Human Story · · Score: 1

    I used to work for a company called Convergys that Microsoft outsources their support to. In two separate locations, employees attempted to form a union. Employees were fired and that put an end to that idea. It sounds like EA is worse than Convergys, in which case I understand why there's no union there.

  9. This is a non-issue on Bit Rot Stalks Your Digital Keepsakes · · Score: 1
    You can still buy record players and any old piece of hardware. Even if 1,000 years passed and we needed to revive information from ancient media, we could at the very least easily manufacture a player to retrieve the data. Hell, in 1,000 years, we'll probably have some type of scanning device that requires no physical contact and can read data from all known formats. This is all assuming a medium is lost for 1,000 years. The truth is that when it's digital, data can be easily transferred from an old medium to a new one and for most people, this is a non-issue. Even if they are allergic to computers, everyone knows someone that can do this for them or can pay for a shop to do it for them.

    -Lucas

  10. Re:Here is what all the hype was about. on Halo 2 Reviews · · Score: 1
    I agree completely. Warcraft 2, Starcraft, Quake, Quake 2, a few Unreal games, Counter Strike, etc. I really like Warcraft 2 and most of the FPS games on the computer, but I've spent way more time playing Halo online via Xbox Connect. Hell, I actually prefer console games over computer games. With a computer, there's so much crap to worry about like frames per second, your audio card, patches, etc. With a console game, you just pop it in and play. No upgrades or anything else required. I can have a few friends sitting on the same couch looking at the same TV or two with minimal amount of effort and setup time. Yes, bleeding edge computer games are going to be prettier, but pretty graphics are only a factor the first time you play through or maybe for a short time in multiplayer. After that, it's all about the gameplay mechanics and level design. It all comes down to the programmers. In that aspect, I haven't really seen much of a difference in quality between computer games and console games, so I choose to be a lazy bastard and use a console. In the end, I have some $ left in the bank to put towards something other than a video card/motherboard/cpu every year or two (Consoles have a 4-5 year life cycle). A Pentium 2 350 with 512MB of RAM, 7200RPM drive with 8MB buffer, and a $70 video card works great as my home computer and the latest console or two of my choice works great as my gaming system(s).

    -Lucas

  11. Re:"You are not authorized..." on Bush Website Blocked Outside N. America · · Score: 1
    I'm so sure that the current president is the one that decided to display that message. He told them exactly what to put down. C'mon people! Do you even think he knows this is happening???

    -Lucas

  12. Re:Ugh on 100 GB Email Account · · Score: 1

    OMFG, I can't believe I did that. lol

  13. Re:Ugh on 100 GB Email Account · · Score: 1
    "Anyone with an archive of, say, video files on around 24 DVDs (or a dozen DL DVDs) and access to a nice fast link could fill 100Gig in an afternoon."

    Afternoon means 12:01 until dusk. Where I live (Tucson, AZ), sunset is at 18:09, so I'd say dusk would be around 17:45. Let's say 18:01, just to get a nice round number and to get a best case scenario.

    8 hours * 60 minutes * 60 seconds = 28,800 seconds
    100GB * 1024 * 8 = 819,200Mb
    819,200 / 28,800 = 28.44Mbps upstream bandwidth required. Oh yeah, don't forget about protocol overhead.

    I think you mean that anyone with 100GB of data and more than say, 28.5Mbps of upstream bandwidth could fill 100GB in an afternoon.

    -Lucas

  14. Re:I remember when CDRs were $10 each.. on Super-Fast Dual-Layer DVD Writing · · Score: 1
    I remember when they cost a few grand and I never even thought they could drop in price so much that they'd be pretty much standard in new computers. The first big drop was when they did start coming out for several hundred dollars instead of a few grand. That's when the excitement began! I think I was 16 years old, working full time, and contemplating saving up for one. Boy am I glad I decided to wait for the prices to drop. I still haven't gotten one and thank god! Now, I can get a dual layer DVD writer for under a hundred dollars instead. I think I'm going to keep waiting and see if the price drops even more. hehe

    -Lucas

  15. Re:It's easy to blame the users... on Curing a Corporate Virus Infection · · Score: 1
    "It's easy to blame the users, but the ultimate responsibility always is the IT department, because it is responsible for security."

    No, it's the IT department's responsibility to produce an Information Security Policy, Acceptable Use Policy, get management buy-in, train the users on the policies and have them sign. Assuming all that is done, it's up to management and HR to enforce the policies with the technical assistance from IT in monitoring for acts of abuse. It is by no means all up to IT. In the end, it is the responsibility of the user that did something they knew they shouldn't be doing.

    If what you're suggesting is using technology to stop the users from doing anything bad, GOOD FUCKING LUCK! Technology can only help save the users from themselves up to an extent and that boundary is easily crossed every day thanks to programmers that intentionally dodge these measures. Virus writers, adware, P2P software, IM software, etc. It is simply too prohibitive in most situations for IT to lock down the machines and the network that far. As an example, do you realize how difficult it is to block Yahoo Messenger from connecting out? I had to use a network sniffer and the messenger software on my workstation to create a list of all the servers (A few dozen) that shit tries to connect to using port 80. If I wanted to lock things down completely, I'd have to block everything by default and create exceptions. That includes limiting what programs can be launched using a hash for each exe, deny all egress access, and create exceptions for every little thing that the employees need access to. I'd also have a staff dedicated to personally looking at every inbound email communication since viruses are now using zip files. It gets past my list of blocked file types and there's a time gap before new AV definitions are available. I can't rely on many employees to be smarter than the social engineering tactics, regardless of the training I give.

    In a nutshell, I'm sorry, but most companies aren't the NSA where information security is number one.

    -Lucas

  16. Here's the Real Story on Windows Upgrade, FAA Error Cause LAX Shutdown · · Score: 1
    There was an issue with the FAA software running on Windows 2000 Server. They produced a procedure to work around the issue instead of fixing it. A technician messed up the procedure and all hell broke loose. Some of the writers got confused and declared that it's Windows' fault.

    I did a search for the 49.7 days in Microsoft's knowledge base and found one possibly related bug, the non-related bug referenced by the article submitter, and some other non-related bugs. The one thing they all have in common is an improperly used GetTickCount function in the code.

    First, there's the five and a half year old patch fixing an issue in Windows 95/98. There's no reason this should have been mentioned anywhere in reference to this incident. Shame on the poster and all the people backing this theory. It's pure reverse FUD because there's nothing indicating that this bug was related and everything shows that this only affects 9x. Personally, I'm positive that this problem isn't in 2000 because I supported 2000 for Microsoft when it was released and never heard of this happening. Also, Microsoft is good about testing all of its products to see which are affected. If this type of screw-up were common, the articles would be common on Slashdot since the typical reader lusts after examples of MS screw-ups. There's also the fact that there's a LOT of Windows 2000 boxes with uptimes way past a month and a half.

    But then there's the CPU utilization rpcss.exe bug. If this is what was happening, then it's partially Microsoft's fault for not having enough QC testing targeted towards idiot programming mistakes. Nobody tested enough to see what happens under different scenarios when GetTickCount is improperly used. Also, the hotfix from Microsoft is only a few months old, probably not enough time to test and deploy. On the other hand, GetTickCount is designed to only work for 49.7 days and shouldn't have been used for this application. I'd assume that they didn't know what was going on when shit hit the fan after a month and a half of running relatively smoothly and only after the MS patch was released did they review their code and see that they were improperly using the function. Still though, any company that has an internally written or contracted program with this serious of a bug should have invested the resources required to find the problem and fix it. They should have known that the problem was related to software installed on the server, most likely their proprietary FAA program because if every Windows 2000 computer running on a Dell had this problem, Microsoft would have released a patch long ago. Heck, they should have found that they were using the function improperly. If the programmers knew how long it ran for before dying (49.7 days), they should have realized that it's related to the GetTickCount function and could have narrowed in their efforts to wherever the function was used.

    If the problem was not related to the rpcss.exe bug, then I don't see how MS is to blame. The blame lies solely with the programmers of the FAA software for improperly using the GetTickCount function.

    In conclusion, with either of these scenarios, I'd be replacing some of my programmers if I were the manager in charge of the project that wrote the FAA software.

    -Lucas
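
Added example, not part of the comment above and not code from the FAA system or from Microsoft: a 32-bit millisecond tick counter of the kind GetTickCount returns wraps to zero after 2^32 ms (about 49.7 days), and the sketch below shows a deadline comparison that breaks at the wrap next to one that does not. The counter is simulated with constructed values so it runs on any platform; `tick_t`, `expired_naive` and `expired_safe` are hypothetical names, and the "naive" pattern is an assumed illustration of misuse, not the actual bug.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a 32-bit millisecond uptime counter such as the
 * DWORD returned by GetTickCount: it wraps to 0 after 2^32 ms. */
typedef uint32_t tick_t;

/* Fragile pattern (hypothetical): build an absolute deadline and compare.
 * If start + timeout overflows, the deadline lands near 0 and the timer
 * fires at once; if "now" wraps first, the timer stays unexpired until the
 * counter climbs all the way back up to the deadline. */
static int expired_naive(tick_t start, tick_t now, tick_t timeout_ms)
{
    tick_t deadline = start + timeout_ms;   /* may wrap past UINT32_MAX */
    return now >= deadline;
}

/* Wrap-safe pattern: unsigned subtraction is modulo 2^32, so now - start is
 * the true elapsed time provided fewer than 2^32 ms passed between samples. */
static int expired_safe(tick_t start, tick_t now, tick_t timeout_ms)
{
    return (tick_t)(now - start) >= timeout_ms;
}

/* Days until a 32-bit millisecond counter wraps. */
static double wrap_days(void)
{
    return 4294967296.0 / 1000.0 / 86400.0;
}

int main(void)
{
    const tick_t timeout = 10000u;              /* 10 s timeout */

    /* Case A (constructed): armed 5 s before the wrap, sampled 1 s later.
     * The deadline overflows, so the naive check fires 9 s early. */
    tick_t a_start = UINT32_MAX - 5000u + 1u;   /* 0xFFFFEC78 */
    tick_t a_now   = a_start + 1000u;

    /* Case B (constructed): armed 20 s before the wrap, sampled 25 s later.
     * "now" has wrapped to 5000, so the naive check misses the expiry. */
    tick_t b_start = UINT32_MAX - 20000u + 1u;
    tick_t b_now   = b_start + 25000u;

    printf("counter wraps after %.1f days\n", wrap_days());
    printf("A: 1 s elapsed   naive=%d safe=%d (correct: 0)\n",
           expired_naive(a_start, a_now, timeout),
           expired_safe(a_start, a_now, timeout));
    printf("B: 25 s elapsed  naive=%d safe=%d (correct: 1)\n",
           expired_naive(b_start, b_now, timeout),
           expired_safe(b_start, b_now, timeout));
    return 0;
}
```

For uptime monitoring, a check that flags hosts approaching the 49.7-day mark lets the wrap be tested deliberately instead of discovered in production.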

  17. Re:Incorrect. on Windows Upgrade, FAA Error Cause LAX Shutdown · · Score: 1
    The patch in question was released almost 5 and a half years ago and does not affect the NT family of operating systems. There is no excuse for not testing and rolling it out on an operating system (95/98/ME) that shouldn't be used for critical operations to begin with.

    -Lucas

  18. Project Home Page on Robot Eats Flies to Generate Power · · Score: 2, Informative
    The Intelligent Autonomous Systems Laboratory at University of the West of England is where this robot is being developed. Here's a link to their homepage. They have a projects section that has more information.

    -Lucas

  19. Reverse FUD on Last Words On Service Pack 2 · · Score: 4, Informative
    Not to mention that the author completely overlooked the default configuration of the open ports. A lot of them are only open to the local subnet, which for 99.9% of the people is a home or small business LAN. Anything coming in from beyond the router is dropped. Smart move. A LOT of people would have been pissed off if their home file sharing stopped working after installing SP2 and they would have just disabled the firewall. In a corporate environment, administrators can lock down all the clients from a central point using group policy. The default configuration combined with powerful administration tools is probably the most secure way they could have done it.

    -Lucas

  20. Re:well... on Busted For Using Library Wi-Fi Outside The Library · · Score: 1
    A ruling on what? The non-existent law? In order for it to actually go to a judge, they have to charge him with something and claim that the law can be interpreted as saying that using public hotspots is illegal. From my understanding, there isn't any law that could be interpreted this way.

    If he stood up to the officer by saying there is no state or federal law prohibiting him from using the access point and were arrested, he would have been released very quickly with apologies once the police tried to look up the law they thought existed. If it were federal, the FBI would have laughed and called them idiots over the phone.

    -Lucas

  21. Re:M$ should make the Admin account annoying to use on XP2 Spotted In The Wild · · Score: 1
    If you try browsing the web from Windows Server 2003, it does this. 2003 is so locked down, it's a PITA to use as a client. I download patches from my workstation and copy them over to the server so I don't have to browse from the server to get patches.

    -Lucas

  22. Re:Close it anyway MSFT or stop the default Admins on XP2 Spotted In The Wild · · Score: 1
    As an NT sysadmin, I agree 100%. There's a lot of software written by programmers that don't understand how to properly code for NT. They're used to 9x and assume that the computer their product is being installed on is only used by one person, logged on with local admin privileges. All the shortcuts end up going to the user profile instead of the All Users' profile and users that are only a member of the local Power Users group can't install the program at all. The Power Users group exists to allow users to install programs without giving them admin rights.

    Note to Sun: The Java Runtime does this!!!! All icons go to the current user's profile. The automatic update screws up if it downloads while one person is logged in and another user tries to tell it to go ahead and install. I haven't even bothered to see if it can be installed by someone in the Power Users group.

    -Lucas

  23. Re:Scary stuff. on XP2 Spotted In The Wild · · Score: 1
    This vulnerability was just announced 7 days ago. Microsoft usually releases patches on the second Tuesday of each month. I wonder if that applies to critical vulnerabilities that are released to the public. After all, people are reporting that assholes are already exploiting this one to pwn systems. As a sysadmin for a MS network, I'll be watching to see how MS handles this.

    -Lucas

  24. Re:Sad on End Of The Line For Alpha · · Score: 1

    I remember that IBM and Motorola were working together. I've been out of the Apple community for a while now. Did things change?

    -Lucas

  25. Re:Ignorant and Misleading on How Secure is Windows Firewall? · · Score: 1
    If you're using PPP, then there really is no "Local subnet" because the PPP connection will have a mask of /32. If you're using a bridged connection or cable modem, that's a different story. I'm wondering if the defaults might be different from Home to Pro and Workgroup vs Domain.

    Instead of seeing what that other software says, actually go into your Windows Firewall config and take a look. It would make sense that your other firewall would report the ports as open if they're open to the local subnet. That other software wouldn't know that the ports are only open to the local subnet.

    -Lucas