I represent the market that would buy a unified product, and I believe that my perspective will become more ubiquitous as time and technology advances, so eventually we will see all of our computing technology being built (modularly) into our TVs.
You're on the right path: convergence. But I think you've arrived at the wrong destination. Computing technology won't merge with TVs... its the other way around.
Convergence has been an occasionally surfacing buzzword for years now. Its been attempted by shoe-horning a PC in an entertainment center. Its been tried with internet appliances / set-top boxes. Meanwhile the technically elite have been changing the face of entertainment media and attempting to shoehorn better hardware in to their desktops to match. In every case, the interface ultimately fails. And its obvious why - all tasks do not work well with all interfaces.
This is why I believe you've arrived at the wrong conclusion. A "TV" does not make a good computing interface.
The folks at Moxi have taken a step in the right direction with their Moxi Media Center product. It basically becomes a central hub for entertainment media / data. Everything else (TV, speakers, etc) become satalite devices feeding off a wireless link. It even becomes a central hub for your data connection. So how does this solve the "computing from the couch" interface problem?
Moxi has made the first step. TVs will stop being TVs and become remote monitors. Strip out everything else. Slap it on a flat screen - a big flat screen. And then also create smaller versions of the device - webpads. The more personal size for handling email, taking notes, web surfing, etc. A slightly larger (something simular to the new iMac perhapse?) version provides an interface that's comfortable for desktop computing / work. Keyboards, pointers (mice, trackballs, etc), game controllers, and other such peripherals could talk to all such devices to create the right interface for any environment from balancing a spreadsheet to console gaming.
In short, computing (a centralized media server) absorbs all other devices (desktop, console game, TV, stereo, etc). Convergence moves away from the TV. And your experience is defined by what modular components you use to communicate with that central media server.
Thank gawd the author, Frank Pellegrini, is there to assure us that there's nothing to worry about. Its not a problem until the tool being created becomes mandated. And, of course, anybody with privacy concerns are "the same type who squawked in 1908 when the FBI was born."
Frankly, computer PIMs suck, it was always easier to get the data on my handheld. Of course, I'm not a business user, so I don't have tons of shared schedules in Outlook that I need to carry with me.
When I first got my PalmPro, and was forced to use an Exchange client, syncing with Outlook was a great feature (even if I had to pay extra for it). For example, I would get an email announcing a meeting (dunno why it was never an invitation). I could drag that email to my calender and generate an appointment. The note had the text of the email. A quick sync and I had it on my palm. Having that text available proved usefull a number of times (when if I had done it by hand, I certainly wouldn't have included full text).
Having said that, these days I mostly sync to the desktop simply to back up my device. I can see why a backup cartridge would be popular (considerably more portable than even the lightest laptop).
It can do a combo, but it's a PDA. It has limited space, and if it wants to compete in the PDA market it had better have the same bells and whistles as your average Palm or Handspring with a proprietary OS on it. So, it can't have a 50/50 balance.
It has to pick one, Linux or Windows?
You're right - its a PDA. Not a desktop. It has very little to do with Linux or Windows software. It has a LOT more to do with the ability to sync data and use various data types. A PDA is an extension. It allows you to access data away from the desktop.
To access this data, it must be able to sync (wireless access, etc. are nice bonus features). Windows users need a good desktop application. They'll need conduits for, as an example, Outlook (which seems to be provided). Linux folk might appreciate "Hey guys - here's some desktop software and some conduits for KPilot ang GnomePilot." But they'll much more appreciate "Hey guys - here's how our PDA talks and these are the internal application's data structures."
Not enough space to cram all that in? Hardly. A single CDROM is plenty large for all this. And then there's the net.
The PDA itself may need the bells and whistles. But then its all about the PDA itself and what its going to do with the data once its managed to get a hold of it. And at that point, where the data came from (Windows, Linux, MacOS, biological entity, etc) is a moot point.
I can understand (not condone) writing viruses/worms/trojans for getting access to a computer for other ends, but why create a virus for Flash? Infecting other Flash files seems pretty silly to me.
I would guess that the initial reports were simply proof of concept. It shows that something beyond what would be expected is possible. It proves that it is also possible to create something with a viral nature. From that point, it is simply a matter of devising a more... selective... payload. The advantage to infecting Flash files is that the format hadn't previously been considered a potential infection vector. It is (was) now a new way to attack your target - be that target a specific entity (individual, corporation, government, etc) or the world at large (glory seeking).
On the subject of proof-of-concept virus and trojans - I would argue that most virus / trojans in the wild are simular proof of concepts. They are attempts to shock the internet-using public and make them aware of their insecure environment. They do this by infecting hosts and then touching, but rarely damaging, data. Its a digital couting coup - "look at what I could have done if I had wanted to."
Of course, it also proves that you don't have to destroy data to gain noteriety. If you did, I wouldn't be suprised to see more damaging payloads.
USENET didn't use to be much of an on-line community compared to some of the others, but it was a community. Once it became archival, anonymous, and searchable, that went away. Who, after all, wants their every word recorded and replayed into perpetuity?
Can I prevent my message from becoming a permanent part of Google Groups?
Granted - this assumes they honor the header. I would expect Google does.
Re:Unix Worms - what have they done lately?
on
Linux Virus Alert
·
· Score: 2
You failed to point out the more widespread BIND worm.
Perhapse that was the li0n worm? It took advantage of a BIND vulnerability.
In any case, what I provided was not a definitive list. But I think it made a fairly good representation of recent Unix worms and their impact. Feel free to show references to something I might have missed.
And exactly how does infecting a Solaris host "deface IIS sites"? IIS is a Microsoft product.
Ahhh. You didn't follow the link, did you? Sadmind propogated on Solaris hosts. It also attacked and defaced IIS (Windows) hosts... but did not propogate through them. Fairly unique.
And on a slight tangent, after seeing Harry Potter and reading the book, I was impressed by how much the movie followed the book.
I agree that the Harry Potter movie followed the first book well. However, the first Harry Potter book was fairly simple. Not bad. But not complex. I wonder how well the following Harry Potter movies will track their book tittles as those books get increasingly more complex.
The comparison between the first Harry Potter and LOTR movies is difficult. I find that the LOTR works were much more complex than the first Harry Potter book. Thus I don't think it suprising to find more compromises made with the LOTR movie than Harry Potter.
Also, another friend told me that the character of Galdalf in the movie is much different than the character in the book (in the movie he was a kindly, friendly sort of fellow; according to my friend, he's a manipulative SOB in the book).
Different people make their own interpretations. I felt that Gandalf was very well portrayed in the movie. True to my interpretation, at least... if not a tad kinder, and a tad less serious, than I would have thought. In any case, Gandalf does carry considerable power and considerable responsibility. I thought that the movie showed Gandalf as caring for these odd little hobits but burdoned with the understanding of what they must do for the greater good... and the hell that they will undergo to do it.
To which I have to ask; if the movie is "off" in these two instances, what is the real attraction to the movie?
As "off" as it might have been... it was also "on" often enough to warrent accolades. No interpretation will please everybody - especially when the fan base is as eclectic, and the work is as unique, as LOTR.
Re:Unix Worms - what have they done lately?
on
Linux Virus Alert
·
· Score: 2
It's only after 10 years of an advisory-a-day that Unix finally got somewhere near secure.
Indeed. Unix has taken its lumps. But then, Unix has been in the thick of things as the concepts of information security have evolved. And the infosec landscape is still changing. Unix has evolved too.
The mean-time-to-remote-root of a particular RedHat release is still about a week (and ships with documentation referring to "fascist" system administrators that deny root to their users!)
I'd like to see documentation to back these two statements up. Is there a source that tracks mean time to remote compromise? And a cursory search did not find any RedHat documentation (at least online) that referred to "fascist" denial of root to their users. I'd be suprised if it exists. I've always understood that its a fairly common convention that root access is strictly controlled.
Feel free to talk up something that doesn't inherently suck security-wise.
Sure. Unix didn't start with security - it had security features shoe-horned in to the system. Microsoft's offerings make nice claims in its marketing material, but as pointed out, it really still lags behind the industry. VMS does a much better job at including security concepts from its inception - but it very rarely gets mentioned.
Infosec is evolving. Unix and Windows are also evolving (to name two). And while the Morris Worm makes a nice footnote in history, it has few lessons to offer today. If you want to track the current state of infosec for Unix (or any other OS) - look at current history. Even when vulnerabilities do hit the wild, Unix has fared pretty well in recent history.
Unix Worms - what have they done lately?
on
Linux Virus Alert
·
· Score: 3, Insightful
A reminder is perhaps due here that the first internet worm program to cause significant damage (the Morris worm) was released in the 1988 and infected UNIX systems through a well known vulnerability (yep, good ole gets(3)) in the fingerd daemon.
And waddaya know,UNIX application programmers are _still_ using the occasional gets(3) call in setuid root programs, more than a decade later...
The Morris worm and other aspects of infosec history reflect the security landscape. Information security has been horrid in the past. It has been bad in more recent times. But there are improvements. Or, at least, improvements in some circles. Within the nebulous Unix (and Unix-like for the purists) environment, security has made vast improvements. While this does not mean these environments are bullet-proof, they are far removed from other environments that are ripe for malicious code.
The Morris worm is a nice spectre to pull out of the Unix closet and remind everyone that Unix is not infallable. Just look at all the damage done in the early internet days! Spooky.
However, this is history - ancient by Interent standards. Since then, there have been other Unix-based worms to hit the net at large. I can name three more recent examples off-hand. Sadmind spread amoung Solaris hosts to deface IIS sites. The ramen worm attacked Linux (specifically RedHat) hosts. And there were reports of ramen code being modified and sent on its way. And then there was another Linux worm called li0n.
In each case the worm hit the wild, was discovered and reported, had a brief life as appropriate counter measures were taken, then faded out. Missing was the media frenzy one would expect with something as damaging as the Morris worm. That came later on a different platform with a different worm: Code Red.
Once again - Unix is not infalliable. But various generations have been in the trenches dealing with infosec issues for years. Recent incidents have began to show off its experience, versitility, and resiliance. It is small wonder the Unix crowd tends to look at virus issues with almost a disinterest compared to their Windows counterparts who are burned either more often or more severely by such a threat.
People piss on "corporatists" on this board all the time. But that corporate system, with a few exceptions, is what allows immigrants to come to this country with nothing but what they could fit in a pair of suitcases and become the CEOs of their own corporations.
Criticism of the corporate system is usually based on the ethics of that system. Ethics based on the idea that almost any action is justifiable by its value to the bottom line. In short, "its just business."
Its true that the corporate business environment provides a lot of oportunity. But it also exacts an increasing cost as leaders within that system take less and less personal, and generally ethical, responsibility for their actions as part of that system.
The bennifits do not invalidate the criticisms.
Re:has the targeted demographic really changed?
on
Attack of the Clones
·
· Score: 5, Insightful
...those of us who grew up loving star wars saw them originally as children.
This gets bandied about every time Star Wars is mentioned. Especially after George Lucas used it to dismiss his fans' critisims from EP1. Star Wars is a kids movie. Anybody who claims otherwise are blinded by nostalgia.
I don't buy it.
Sure. I'm a sucker for nostalgia. There's lots of things I enjoy simply because I had enjoyed them in the past. But I can tell when I'm simply being nostalgic.
There are plenty of examples within movies (and television). I still enjoy the first 3 Star Wars movies. I was disappointed in the 4th (EP1). Even now, comparing all four on VHS I get the same reactions.
Distorted views through nostalgia lenses? Hardly. I used to enjoy some B-grade scifi, Buck Rogers, and The A Team. Now when I see these same works, I also see the small bits of why I thought they were so cool. But its also glaringly obvious why my father would roll his eyes and leave the room.
Good, if not great, works remain so even if they were origionally seized by a younger generation. And uninspired works remain... uninspired.
Star Wars was a suprise hit in an area that The Industry had, rightfully, disreguarded. It did something different and suceeded. Alas, that something is now lost to Lucas. He's sunk in to mediocraty. And his defense is our childhood.
Really, this is similar to saying, "why pay for a newspaper every morning when I can swipe one from the guy on the subway?"
This is actually a really interesting concept to consider.
One doesn't HAVE to buy a daily paper. There's lots of places to get much of the same information. One could steal a paper from the neighbor. One could pitch in a few cents with a bunch of people, slip in the quarter (or two, or four) and everyone take a paper out of the machine (stealing X copies from the origional in a manner). One could grab a used paper laying around the neighborhood coffee shop or bus station. One could read the paper at the local library. Add nausium.
However, papers still get sold. Through stands, machines, subscriptions, etc. Content, convenience, and price (to name a few issues) outweigh all the other ways to get the same news, and even the same product legitimately or not.
The PressPlayster spoof says it all: "Making it easier to steal music than to buy music..." The music industry has loss considerable stranglehold over music distribution. These recent attempts to regain that control will fail. The Industry should be finding a way to leverage their considerable content (and legal issues around it) to offer a convenient and competatively priced product. Then they may succeed.
Can someone please explain to me the moral or ethical mandate that supports/justifies this sort of vigilante thinking?
Information security tends to take a far back seat within the corporate world. Doesn't matter if it is management, administration, or development - infosec is a secondary thought if its even considered.
Part of this is the specialized knowledge required to handle infosec issues (not that it couldn't be widely aquired). It takes a concious effort to implement a secure system. This is often considered additional effort. And additional cost.
Another part of the puzzle is a general disbelief anyone could discover a vulnerability and would bother to take advantage of it. This discounts the number of technically minded individuals your infrastructure is exposed to on the net (compounded by automating attacks). It also ignores that even trivial applications can cause considerable damage (I have some friends working infosec for large corporations who went in to high gear with this announcement - AIM exists in many environments).
Finally, infosec is rarely a consumer requirement. Functionality is what sells widgets. Unless the widget is touted as being secure (even IF its supposed to be secure), security won't sell as many widgets if the widgets don't blink and beep nicely. Thus infosec isues are not pushed during initial development.
All of these actions could have theoretically been done in the name of improving security but in the short-term all they do is recklessly endanger it.
So now it gets bloody. Damage gets done. Consumers begin to see how these strange little issues cause them pain. They begin to demand better, more secure products. Product goals begin to include infosec. Better products get produced.
And those who would take advantage of vulnerabilities... quietly and to personal gain (or even loudly and publically) have fewer and fewer targets.
There is at least one long-term upside to w00w00's actions, though. Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.
And its possible more attention will be paid to those who build faulty, and ultimately dangerous, data infrastructures. Maybe even legal liability.
It's for this very reason that I doubt that Brian Valentine would be stupid enough to warn whoever was going to leak this email to NOT forward it.
This assumes the memo is some kind of trap to ferret out leaks. It could also be legitimate communication and he's telling his people to stop forwarding it around. If people take heed, it throws more suspicion on any forwarded messages. And if asked why they forwarded a message, the user will have a harder time pleading ignorance.
Maybe it's just me, but I always react with skepticism whenever an "anonymous source" leaks a "classified document" to the public. For all we know, this e-mail was written up by Mark Jabroni from Nowhere, TX.
Well... that's the nature of the beast, isn't it?
I've been on the inside of stories hitting various web news outlets before. It lead to some discussion amoung my co-workers, but nobody commented in public... even when such forums were available. What I knew could have shed some interesting light on the story... but it could also have cost my job. You never know how management and/or the legal department (not to mention PR) will react.
Because of this, its pretty obvious that verifying a source will be difficult. At best, the reporter breaking the story might have some idea of their source. But in this day of less-than-thorough reporting you can hardly expect this. And even if the reporter could be trusted to do some background checking, their job is likely to be difficult. We've seen plenty of legal action recently that should cause any legitimate insider / whistle-blower to hide their true identity.
Having said all that - I do agree with the overall post. Skepticism is good. We should look at any anonymous source carefully. I remember an April Fools joke from several years ago that took much of this community for a ride simply because the community believed anything put in front of them. But at the same time, we can't immediately dismiss anonymous information simply because of its anonymous nature.
What especially rings my "hoax/troll bell" is the last couple of lines about the message being "Microsoft Confidential" and how he can track any and all forwards. Give me a break.
Eh. I don't find this as particularly odd. First, I've seen the "CompanyName Confidential" moniker included in emails from other companies. And the bit about tracking forwards actually rings true. All this "confidential" and "tracking" speak sounds just like the Secret Squirrel games I've seen non-infosec people play. And it works.
The horrid truth is that even within the most technically advanced organizations... there are still a cadre of very technically limited users. And they tend to be found most often within Sales & Marketing roles (I know, I know... that's a broad brush I'm using. Not every individual in sales fits this. But my experince shows the generality tends to hold true).
It does not suprise me such wordings would be found in a legitimate internal memo. It would not suprise me if it was fairly effective. And it certainly wouldn't suprise me if there was an individual with the minimal technical understanding to circumvent these precautions / threats.
Most people feel more comfortable being able to touch products they're going to spend their hard earned cash on, and can then take home that day. Clicking a button and then waiting like a puppy by your mailbox is not a fun way to shop.
Tell that to the mail-order industry. Heck - even the Home Shopping Network might enjoy a good giggle over it.
How much longer has Windows (NT) had a journaling filesystem than Linux?
My understanding is that NTFS' journaling was rudimentary at best. It hasn't been until its recent incarnation (introduced with Win2k) that its managed anything close to a true journaling file system.
Kleenex is simular to Xerox - they became commonly used names, but they didn't START within the common language. They are (or at least were) unique trademarks.
Now, the word apple is a better example. Of course, the merrits of this particular example have already been well discussed.
...so suddenly I get all these images of people flying along all happy and then find themselves flying in to a swarm of locasts. Or earth worms. And other such bugs, worms, glowing clouds of plague, and such creapy-crawlies.
Or, at least, occasionally having to land back on solid ground to pick the bugs from between their teeth. Maybe applying one of those teeth-whitening patches.
Am I the only one...who hasn't gotten a single one of these worms?
...
Are the people I converse with in email just cooler/smarter than everyone else, or is this whole email virus thing more hype than reality?
My personal mail accounts tend not to see any of this traffic. Although some of this may have to do with the systems on which my accounts live. And I'm sure its also got something to do with my usual lists of correspondents.
Still - these things certainly exist and they're a pain for some. I do infosec consulting and see it all the time with my clients and in conversations with friends and peers in the industry.
As a side note - it never ceases to amaze me how some businesses manage to continue functioning with all the crap dumped on to, and floating around, their insecure networks. Especially smaller businesses who's resources are usually a lot tighter than their larger counterparts.
I'm just glad I can escape it all to the (relative) safety of my own little home network once in awhile.:)
I can see what you're saying - the foldaway keyboard is a slick feature. However, for my interest its not all that necessary.
I am involved in developing a data collection system for a medical practice. This is actually the 3rd implementation of the same idea from the (more or less) same group. Where the system had previously stumbled was the user (read: Doctor's) interface.
Previous systems used a web-based application accessed via terminals (well - in the test case, they were cheap white-box PCs) located in each examining room. The problem was that Doctors tended to feel uncomfortable juggling a keyboard / mouse and the patient at the same time. The software itself received high marks.
The software involves a lot of checking boxes as it burrows down a path of diagnotic observations. Actual text entry is at a very minimum.
The webpad / tablet form factor seems ideal. Some testing was done with PDAs and they were found to be a little restrictive on available screen realestate to be comfortable. The Aquapad seems to offer ample space for even a fairly complex form without loosing the user. Doctors are often already comfortable with interacting with a patient and ticking off notes on a pad. Putting the data in front of them in that pad will enable them to (we hope) easily note their observations and collect accurate data while still maintaining patient interaction.
A friend of mine, with the help of some third-party hardware, managed to get a 10M HD running on his C=64. He also had a gen-u-ine Hayes 2400 baud MODEM going on it. Made a spiff BBS. I was so jelous.:)
We were going through a surplus catalog that was trying to unload some 100M drive units. We would go on about how to cool those things in his room and just what kind of kick-butt BBS we could have with THAT much space. Assuming it was even possible to get the C=64 to talk to the HD unit.
Now, now... doing what you wanted to do anyway isn't exactly a form of martyrdom.
Convergence has been an occasionally surfacing buzzword for years now. Its been attempted by shoe-horning a PC in an entertainment center. Its been tried with internet appliances / set-top boxes. Meanwhile the technically elite have been changing the face of entertainment media and attempting to shoehorn better hardware in to their desktops to match. In every case, the interface ultimately fails. And its obvious why - all tasks do not work well with all interfaces.
This is why I believe you've arrived at the wrong conclusion. A "TV" does not make a good computing interface.
The folks at Moxi have taken a step in the right direction with their Moxi Media Center product. It basically becomes a central hub for entertainment media / data. Everything else (TV, speakers, etc) become satalite devices feeding off a wireless link. It even becomes a central hub for your data connection. So how does this solve the "computing from the couch" interface problem?
Moxi has made the first step. TVs will stop being TVs and become remote monitors. Strip out everything else. Slap it on a flat screen - a big flat screen. And then also create smaller versions of the device - webpads. The more personal size for handling email, taking notes, web surfing, etc. A slightly larger (something simular to the new iMac perhapse?) version provides an interface that's comfortable for desktop computing / work. Keyboards, pointers (mice, trackballs, etc), game controllers, and other such peripherals could talk to all such devices to create the right interface for any environment from balancing a spreadsheet to console gaming.
In short, computing (a centralized media server) absorbs all other devices (desktop, console game, TV, stereo, etc). Convergence moves away from the TV. And your experience is defined by what modular components you use to communicate with that central media server.
Whew. I can go back to sleep now.
When I first got my PalmPro, and was forced to use an Exchange client, syncing with Outlook was a great feature (even if I had to pay extra for it). For example, I would get an email announcing a meeting (dunno why it was never an invitation). I could drag that email to my calender and generate an appointment. The note had the text of the email. A quick sync and I had it on my palm. Having that text available proved usefull a number of times (when if I had done it by hand, I certainly wouldn't have included full text).
Having said that, these days I mostly sync to the desktop simply to back up my device. I can see why a backup cartridge would be popular (considerably more portable than even the lightest laptop).
To access this data, it must be able to sync (wireless access, etc. are nice bonus features). Windows users need a good desktop application. They'll need conduits for, as an example, Outlook (which seems to be provided). Linux folk might appreciate "Hey guys - here's some desktop software and some conduits for KPilot ang GnomePilot." But they'll much more appreciate "Hey guys - here's how our PDA talks and these are the internal application's data structures."
Not enough space to cram all that in? Hardly. A single CDROM is plenty large for all this. And then there's the net.
The PDA itself may need the bells and whistles. But then its all about the PDA itself and what its going to do with the data once its managed to get a hold of it. And at that point, where the data came from (Windows, Linux, MacOS, biological entity, etc) is a moot point.
I would guess that the initial reports were simply proof of concept. It shows that something beyond what would be expected is possible. It proves that it is also possible to create something with a viral nature. From that point, it is simply a matter of devising a more... selective... payload. The advantage to infecting Flash files is that the format hadn't previously been considered a potential infection vector. It is (was) now a new way to attack your target - be that target a specific entity (individual, corporation, government, etc) or the world at large (glory seeking).
On the subject of proof-of-concept virus and trojans - I would argue that most virus / trojans in the wild are simular proof of concepts. They are attempts to shock the internet-using public and make them aware of their insecure environment. They do this by infecting hosts and then touching, but rarely damaging, data. Its a digital couting coup - "look at what I could have done if I had wanted to."
Of course, it also proves that you don't have to destroy data to gain noteriety. If you did, I wouldn't be suprised to see more damaging payloads.
Can I prevent my message from becoming a permanent part of Google Groups?
Granted - this assumes they honor the header. I would expect Google does.
Perhapse that was the li0n worm? It took advantage of a BIND vulnerability.
In any case, what I provided was not a definitive list. But I think it made a fairly good representation of recent Unix worms and their impact. Feel free to show references to something I might have missed.
Ahhh. You didn't follow the link, did you? Sadmind propogated on Solaris hosts. It also attacked and defaced IIS (Windows) hosts... but did not propogate through them. Fairly unique.
The comparison between the first Harry Potter and LOTR movies is difficult. I find that the LOTR works were much more complex than the first Harry Potter book. Thus I don't think it suprising to find more compromises made with the LOTR movie than Harry Potter.
Different people make their own interpretations. I felt that Gandalf was very well portrayed in the movie. True to my interpretation, at least... if not a tad kinder, and a tad less serious, than I would have thought. In any case, Gandalf does carry considerable power and considerable responsibility. I thought that the movie showed Gandalf as caring for these odd little hobits but burdoned with the understanding of what they must do for the greater good... and the hell that they will undergo to do it. As "off" as it might have been... it was also "on" often enough to warrent accolades. No interpretation will please everybody - especially when the fan base is as eclectic, and the work is as unique, as LOTR.Indeed. Unix has taken its lumps. But then, Unix has been in the thick of things as the concepts of information security have evolved. And the infosec landscape is still changing. Unix has evolved too.
I'd like to see documentation to back these two statements up. Is there a source that tracks mean time to remote compromise? And a cursory search did not find any RedHat documentation (at least online) that referred to "fascist" denial of root to their users. I'd be suprised if it exists. I've always understood that its a fairly common convention that root access is strictly controlled.
Sure. Unix didn't start with security - it had security features shoe-horned in to the system. Microsoft's offerings make nice claims in its marketing material, but as pointed out, it really still lags behind the industry. VMS does a much better job at including security concepts from its inception - but it very rarely gets mentioned.
Infosec is evolving. Unix and Windows are also evolving (to name two). And while the Morris Worm makes a nice footnote in history, it has few lessons to offer today. If you want to track the current state of infosec for Unix (or any other OS) - look at current history. Even when vulnerabilities do hit the wild, Unix has fared pretty well in recent history.
The Morris worm is a nice spectre to pull out of the Unix closet and remind everyone that Unix is not infallable. Just look at all the damage done in the early internet days! Spooky.
However, this is history - ancient by Interent standards. Since then, there have been other Unix-based worms to hit the net at large. I can name three more recent examples off-hand. Sadmind spread amoung Solaris hosts to deface IIS sites. The ramen worm attacked Linux (specifically RedHat) hosts. And there were reports of ramen code being modified and sent on its way. And then there was another Linux worm called li0n.
In each case the worm hit the wild, was discovered and reported, had a brief life as appropriate counter measures were taken, then faded out. Missing was the media frenzy one would expect with something as damaging as the Morris worm. That came later on a different platform with a different worm: Code Red.
Once again - Unix is not infalliable. But various generations have been in the trenches dealing with infosec issues for years. Recent incidents have began to show off its experience, versitility, and resiliance. It is small wonder the Unix crowd tends to look at virus issues with almost a disinterest compared to their Windows counterparts who are burned either more often or more severely by such a threat.
Criticism of the corporate system is usually based on the ethics of that system. Ethics based on the idea that almost any action is justifiable by its value to the bottom line. In short, "its just business."
Its true that the corporate business environment provides a lot of oportunity. But it also exacts an increasing cost as leaders within that system take less and less personal, and generally ethical, responsibility for their actions as part of that system.
The bennifits do not invalidate the criticisms.
This gets bandied about every time Star Wars is mentioned. Especially after George Lucas used it to dismiss his fans' critisims from EP1. Star Wars is a kids movie. Anybody who claims otherwise are blinded by nostalgia.
I don't buy it.
Sure. I'm a sucker for nostalgia. There's lots of things I enjoy simply because I had enjoyed them in the past. But I can tell when I'm simply being nostalgic.
There are plenty of examples within movies (and television). I still enjoy the first 3 Star Wars movies. I was disappointed in the 4th (EP1). Even now, comparing all four on VHS I get the same reactions.
Distorted views through nostalgia lenses? Hardly. I used to enjoy some B-grade scifi, Buck Rogers, and The A Team. Now when I see these same works, I also see the small bits of why I thought they were so cool. But its also glaringly obvious why my father would roll his eyes and leave the room.
Good, if not great, works remain so even if they were origionally seized by a younger generation. And uninspired works remain... uninspired.
Star Wars was a suprise hit in an area that The Industry had, rightfully, disreguarded. It did something different and suceeded. Alas, that something is now lost to Lucas. He's sunk in to mediocraty. And his defense is our childhood.
This is actually a really interesting concept to consider.
One doesn't HAVE to buy a daily paper. There's lots of places to get much of the same information. One could steal a paper from the neighbor. One could pitch in a few cents with a bunch of people, slip in the quarter (or two, or four) and everyone take a paper out of the machine (stealing X copies from the origional in a manner). One could grab a used paper laying around the neighborhood coffee shop or bus station. One could read the paper at the local library. Add nausium.
However, papers still get sold. Through stands, machines, subscriptions, etc. Content, convenience, and price (to name a few issues) outweigh all the other ways to get the same news, and even the same product legitimately or not.
The PressPlayster spoof says it all: "Making it easier to steal music than to buy music..." The music industry has loss considerable stranglehold over music distribution. These recent attempts to regain that control will fail. The Industry should be finding a way to leverage their considerable content (and legal issues around it) to offer a convenient and competatively priced product. Then they may succeed.
Information security tends to take a far back seat within the corporate world. Doesn't matter if it is management, administration, or development - infosec is a secondary thought if its even considered.
Part of this is the specialized knowledge required to handle infosec issues (not that it couldn't be widely aquired). It takes a concious effort to implement a secure system. This is often considered additional effort. And additional cost.
Another part of the puzzle is a general disbelief anyone could discover a vulnerability and would bother to take advantage of it. This discounts the number of technically minded individuals your infrastructure is exposed to on the net (compounded by automating attacks). It also ignores that even trivial applications can cause considerable damage (I have some friends working infosec for large corporations who went in to high gear with this announcement - AIM exists in many environments).
Finally, infosec is rarely a consumer requirement. Functionality is what sells widgets. Unless the widget is touted as being secure (even IF its supposed to be secure), security won't sell as many widgets if the widgets don't blink and beep nicely. Thus infosec isues are not pushed during initial development.
So now it gets bloody. Damage gets done. Consumers begin to see how these strange little issues cause them pain. They begin to demand better, more secure products. Product goals begin to include infosec. Better products get produced.
And those who would take advantage of vulnerabilities... quietly and to personal gain (or even loudly and publically) have fewer and fewer targets.
And its possible more attention will be paid to those who build faulty, and ultimately dangerous, data infrastructures. Maybe even legal liability.
This assumes the memo is some kind of trap to ferret out leaks. It could also be legitimate communication and he's telling his people to stop forwarding it around. If people take heed, it throws more suspicion on any forwarded messages. And if asked why they forwarded a message, the user will have a harder time pleading ignorance.
(shrug)
Well... that's the nature of the beast, isn't it?
I've been on the inside of stories hitting various web news outlets before. It lead to some discussion amoung my co-workers, but nobody commented in public... even when such forums were available. What I knew could have shed some interesting light on the story... but it could also have cost my job. You never know how management and/or the legal department (not to mention PR) will react.
Because of this, its pretty obvious that verifying a source will be difficult. At best, the reporter breaking the story might have some idea of their source. But in this day of less-than-thorough reporting you can hardly expect this. And even if the reporter could be trusted to do some background checking, their job is likely to be difficult. We've seen plenty of legal action recently that should cause any legitimate insider / whistle-blower to hide their true identity.
Having said all that - I do agree with the overall post. Skepticism is good. We should look at any anonymous source carefully. I remember an April Fools joke from several years ago that took much of this community for a ride simply because the community believed anything put in front of them. But at the same time, we can't immediately dismiss anonymous information simply because of its anonymous nature.
Eh. I don't find this as particularly odd. First, I've seen the "CompanyName Confidential" moniker included in emails from other companies. And the bit about tracking forwards actually rings true. All this "confidential" and "tracking" speak sounds just like the Secret Squirrel games I've seen non-infosec people play. And it works.
The horrid truth is that even within the most technically advanced organizations... there are still a cadre of very technically limited users. And they tend to be found most often within Sales & Marketing roles (I know, I know... that's a broad brush I'm using. Not every individual in sales fits this. But my experince shows the generality tends to hold true).
It does not suprise me such wordings would be found in a legitimate internal memo. It would not suprise me if it was fairly effective. And it certainly wouldn't suprise me if there was an individual with the minimal technical understanding to circumvent these precautions / threats.
Tell that to the mail-order industry. Heck - even the Home Shopping Network might enjoy a good giggle over it.
My understanding is that NTFS' journaling was rudimentary at best. It hasn't been until its recent incarnation (introduced with Win2k) that its managed anything close to a true journaling file system.
Kleenex is simular to Xerox - they became commonly used names, but they didn't START within the common language. They are (or at least were) unique trademarks.
Now, the word apple is a better example. Of course, the merrits of this particular example have already been well discussed.
Or, at least, occasionally having to land back on solid ground to pick the bugs from between their teeth. Maybe applying one of those teeth-whitening patches.
Still - these things certainly exist and they're a pain for some. I do infosec consulting and see it all the time with my clients and in conversations with friends and peers in the industry.
As a side note - it never ceases to amaze me how some businesses manage to continue functioning with all the crap dumped on to, and floating around, their insecure networks. Especially smaller businesses who's resources are usually a lot tighter than their larger counterparts.
I'm just glad I can escape it all to the (relative) safety of my own little home network once in awhile. :)
I am involved in developing a data collection system for a medical practice. This is actually the 3rd implementation of the same idea from the (more or less) same group. Where the system had previously stumbled was the user (read: Doctor's) interface.
Previous systems used a web-based application accessed via terminals (well - in the test case, they were cheap white-box PCs) located in each examining room. The problem was that Doctors tended to feel uncomfortable juggling a keyboard / mouse and the patient at the same time. The software itself received high marks.
The software involves a lot of checking boxes as it burrows down a path of diagnotic observations. Actual text entry is at a very minimum.
The webpad / tablet form factor seems ideal. Some testing was done with PDAs and they were found to be a little restrictive on available screen realestate to be comfortable. The Aquapad seems to offer ample space for even a fairly complex form without loosing the user. Doctors are often already comfortable with interacting with a patient and ticking off notes on a pad. Putting the data in front of them in that pad will enable them to (we hope) easily note their observations and collect accurate data while still maintaining patient interaction.
We were going through a surplus catalog that was trying to unload some 100M drive units. We would go on about how to cool those things in his room and just what kind of kick-butt BBS we could have with THAT much space. Assuming it was even possible to get the C=64 to talk to the HD unit.