Slashdot Mirror


User: RelliK

RelliK's activity in the archive.

Stories
0
Comments
1,140

Comments · 1,140

  1. Re:Sigh.... on US Starts Attacking Afghanistan · · Score: 2

    Spoken like a true terrorist. Congrats!

    Osama bin Laden and his organization declared war on US. If civilians get hurt in the process, so be it.
    US declared war on Osama bin Laden and his organization. If civilians get hurt in the process, so be it.

    Emotion clouds your thinking. I understand it's difficult to come to terms with reality, but US is by no means an innocent victim. US is a playground bully who got kicked in the balls.

    I do think that right now US has no choice but to go after the perpetrators. The problem is, of course, doing it effectively. If you start dropping bombs all over the place, you risk killing too many civilians and thus creating even more "terrorists" (remember, these people are survivors of US aggression and they can't wait to return the favour).

    Long term though, a change in US foreign policy would go a long way towards ensuring these attacks do not continue.

  2. Sigh.... on US Starts Attacking Afghanistan · · Score: 2

    Those who support retaliation fail to realize that the Sept. 11 attack was itself a retaliation. The "terrorists" are in effect "punching back". Or do you buy into the propaganda that this was solely an "attack on your freedom"?

  3. Re:tell me about it... on Intel Tualatin Processors and Motherboard Support? · · Score: 2
    Actually most computers at the time came with 32MB of RAM. That's only one upgrade away from max.

    Besides, Intel was making Pentium Pro systems for the higher end workstation customers (insert conspiracy theory if you'd like).

    That's exactly why Intel crippled the TX chipset. The (earlier) HX chipset does not suffer from this problem.

  4. tell me about it... on Intel Tualatin Processors and Motherboard Support? · · Score: 2

    I am the "happy" owner of the Asus TX97e board with Intel's TX chipset. Intel intentionally crippled the chipset so that it caches only 64MB of RAM. If you have more than that, the performance goes down the toilet. After I upgraded my machine to 256MB RAM, Norton System Information benchmark went from 110 to 70 (AMD K6-2/300). It's not a scientific benchmark but still quite telling. Thank you Intel!

    And don't even get me started on what they tried (and are still trying) to pull off with Rambust...

  5. I have a question too on Does Linux Need Another Commercial Compiler? · · Score: 5, Funny

    I am developing an extremely authentic and highly innovative gaming technology for the information superhighway called SuperDuperGameAccelerator. It's really cool. It will accelerate games and cook your dinner too. I was wondering if it's worth porting it to Linux. In fact I'm already porting it to Linux, I just wanted to announce it to the world by posting on slashdot. You know, after the .com crash we can't get any more funding, so we could use all the free advertising we could find. And I figured slashdot editors are too stupid to recognize the thinly disguised commercial...

  6. isn't it bad for your eyes? on A Computer Display in Ordinary Sunglasses? · · Score: 4, Interesting

    Is there an optometrist on /. who can answer this question? (yeah right!) Staring at an object so close to your eyeballs can't be good. Wouldn't it strain your eyes a lot more than a conventional monitor?

  7. Re:Is It Manufactured In Hungary? on IBM DeskStar 75GXP Hard Drive Failures? · · Score: 3, Funny

    Yeah, their engineers got confused using Hungarian Notation...

  8. Re:Some facts on Microsoft Attempts to Secure IIS · · Score: 2
    In NT you are guaranteed that no process other than those that hold the "TCB" (act as part of the operating system) privilege are able to impersonate a user from a username/password pair. LocalSystem is the only account with this privilege

    Hold on, I'm confused now:
    - Only LocalSystem can impersonate another user.
    - LocalSystem process needs to know the password of the user to impersonate
    - But: LocalSystem can also set the password!
    So what's the point of having a password in the first place?

  9. Re:Some facts on Microsoft Attempts to Secure IIS · · Score: 2
    Well, packets go through the kernel as well. The "use" of this is a packet router is far easier to make verifiably secure than a full web server.

    Well, I would trust a packet router more if it had no web server code together with the routing code :-) But yeah, I see your point. Judging from the amount of damage Code Red & friends have done, I guess not too many people actually use it...

    Nope. LocalSystem has the privilege to SET a user's password

    But in that case the password is irrelevant, so in effect it's just doing su. It's also setting a random password which another process can use to "impersonate" this user. The chance of guessing the right password is probably less than that of winning a lottery, but still it's a potential security hole. In Unix you are guaranteed that no process (except root) will be able to su to that user.

    On NT there are a whole swag of privileges that you can specifically enable or disable.

    like what?

    The privileges required to logon as a different user (ie call seteuid()) aren't held by any account other than LocalSystem.

    In this case, Unix is actually more flexible than NT. You can allow a certain (non-root) user to switch to another user. Ever heard of sudo? For instance, running scripts as a different user can be accomplished even if apache is not running as root.

  10. stupid question on Black Death's Genome Cracked · · Score: 1

    I thought that there is already a cure for plague? I know it was a big problem back in middle ages, but does anyone still get sick with it?
    Sorry for stupid question. Please enlighten me.

  11. Re:Some facts on Microsoft Attempts to Secure IIS · · Score: 2
    Depending on how you configure it, it can have a secondary process spawned as a separate 'nobody' user that handles the requests.

    But packets still go through the "primary" process which runs as LocalSystem, right? So what's the use of that?

    There is no such thing as an account on NT being allowed to switch user to another account unless it knows the password (ie 'su'/setuid() without passwords is impossible, even as LocalSystem)

    Password is something you can ask a person to verify their identity. Asking a process for a password is absolutely idiotic. That means the password must be hard-coded somewhere. If it's hard-coded (even as a constant) in applications, it means that it's never (or very rarely) changed. And it's stored as clear text in the code. I've dealt with WebLogic which suffers from moronic "authentication".

    And before you post another dumb response, here's a clue: on NT accounts have much finer grained permissions than on (standard) Unix - you would do well to look at them. ;-P

    I'm assuming that by that you mean ACL. Most (all?) proprietary Unixes have had ACLs for quite a while - you would do well to look at them. AFAIK, it is a planned feature for Linux 2.5. I do agree that it's useful when used right and *in conjunction* with standard UGO permissions.

  12. Re:Bingo! on Microsoft Attempts to Secure IIS · · Score: 2
    Secondly, each website under IIS6 can run as a different user. So if you host 10 websites, each one can run as a separate user account, each with different security permissions.

    I wonder what this is supposed to mean. Does IIS start 10 processes, each as a different user? Or does it actually mean that it will still run as LocalSystem and use "impersonation" to run *scripts* as different users, the way it already does? I suspect the latter is the case, and it's totally worthless -- it will save you from bugs in scripts but not from bugs in IIS which still runs as LocalSystem.

  13. Uhhm, no on Microsoft Attempts to Secure IIS · · Score: 2
    By default, IIS runs as a special account IUSR_machinename on the internet. For intranets it will often run with the end user's credentials.

    So which user does it run as again? How does a running process magically switch the user it runs as? Oh right it doesn't! IIS runs as LocalSystem. As AC pointed out, it uses "impersonation" to run *scripts* as another user (this is equivalent to sudo). Repeat: it runs *scripts* as whatever user; IIS itself runs as LocalSystem.

    In fact, one of microsoft's Security recommendations is to make a special folder in system32 (pseudo-equivalent of /bin), move files like the command and scripting shells into it, and allowing only Administrators and System to access it (similar to moving that junk to /sbin)

    This is the dumbest thing I have ever heard. It's like making bash and perl executable by root only. This prevents you from running scripts as non-root (or non-Administrator), and does exactly zero to improve security: if you got in through an IIS hole, you already are Administrator so you can do whatever you damn want.

    Of course you can create any service account to run IIS if you're worried about a dictionary attack on the IUSR_machinename account.

    Wait, all these special (service-only) accounts have passwords? So you can log in as say LocalSystem or IUSR_watever if you guess it? Then NT security is an even bigger joke than I thought! (and that's saying much). (And before you post another dumb response, here is a clue: on Unix special accounts like bin, httpd, nobody, etc. have no passwords so you cannot log in with that user name no matter what password you type, but processes can still run as bin, httpd, or nobody).

  14. Re:Easy updates are the key on Microsoft Attempts to Secure IIS · · Score: 2
    Another problem is that Microsoft likes to play games with their updates. Some patches open the security holes closed by other patches. Some patches totally break the system (e.g. Service Pack 2 was known as Service Pack of Death). Some break only third party software (e.g. Service Pack 6 broke Lotus). Whether this is intentional or not we will never know, but Microsoft has no credibility left, so you can pretty much assume the worst.

    I don't have much experience with other platforms--there may be better systems than Debian's

    Doubt it. Only FreeBSD is even comparable with its cvsup (though it needs to compile stuff from source). No other systems I've seen even come close.

  15. Re:IIS 6.0 on Microsoft Attempts to Secure IIS · · Score: 2

    That's odd. I thought it's already running partially in the kernel

  16. Bingo! on Microsoft Attempts to Secure IIS · · Score: 5, Interesting

    I wanted to post this but you were ahead of me. And it's not just a problem with IIS -- most (all?) NT "services" run as LocalSystem, which actually has even more privileges than Administrator.

    Bugs and security holes are inevitable in any software, but their impact is different. Any buffer overflow in IIS is disastrous, whereas a buffer overflow in Apache will have a very limited damage. To 0wn a Unix box running Apache you need two security holes: first a hole in Apache to get unprivileged access, then another hole elsewhere that lets you get root. This is considerably harder and a lot more unlikely than a simple buffer overflow in the web server.

    On top of that there is a huge problem with file system permissions. Both Unix and NT have the ability to restrict access to files. The difference is that a default installation of NT has all file permissions set to Everyone:Full Control(*). (That's like making every file and directory 777)! You have to manually lock it down! If the file system permissions are not used, running IIS as an unprivileged user won't help.

    Contrast this with Unix. Even if a hole in Apache is exploited, you won't even be able to overwrite the web pages (unless another hole is used to gain root access, see above).

    (*) I understand the default file permissions have been improved somewhat in windows 2000. Could somebody in the know give more details? Oh, and what's the deal with IIS running partially in the kernel? is it true or has it been debunked?

    In all fairness, Unix has had its problems with root-running daemons. BIND was the latest exploit. Since then BIND guys have learned their lesson -- version 9 no longer runs as root. Will Microsoft learn? After so many years of being plagued with security holes, not bloody likely.

  17. Re:i just got a GeForce 3 64mb DDR Asus v8200 WHY? on GeForce3 Titanium Reviews · · Score: 2
    why do they do this?

    Just so that idiots like you keep buying the latest and greatest.

  18. even better on Consumer Hydrogen Fuel Cells · · Score: 2

    I did a little research project on alternative energy a while back and here is what I discovered. (Bear with me I don't remember the details any more).

    The NaH (or some other group 1 element) is used to store hydrogen. This compound is unstable under normal conditions and needs to be stored under pressure (only 2 atmospheres, less than a car tire) and low temperature (-20C or so). All you need to do to get hydrogen is.. reduce the pressure!

  19. Correction on Consumer Hydrogen Fuel Cells · · Score: 2
    In order to manufacture hydrogen in any meaningful quantity, "toxic" (environmentalist definition) by-products are inevitable. To wit: 1. Electrolytic conversion from water requires electricity. The vast amount of electricity generated comes from icky dirty coal.

    Just want to dispel this myth.
    Suppose we are using a dirty, toxic coal power plant to generate electricity that we then use to split water. The hydrogen is then pumped into cars.

    This would be exactly the same, in terms of damage to the environment, as having cars burn gasoline instead, right? Wrong! For several reasons:

    1. Efficiency. This cannot be emphasized enough. A car engine has many constraints. It must be powerful, light, small, etc. Efficiency and greenhouse gas emissions come last in the list. A power plant has only two constraints: it must be efficient and environmentally friendly. Moreover, the power plant owner has a monetary incentive to make his/her power plant as efficient and environmentally friendly as possible. Who cares how big or heavy it is? you don't need to drive it. Because of this a dirty coal power plant is a lot cleaner than N cars generating the same amount of energy. That alone makes fuel cells very attractive.

    2. Location. Not much to say here. Cars have to be in the city. Power plant can be in the middle of nowhere.

    3. Centralization. Suppose that someone invented a new gizmo that reduces the emission of greenhouse gases. It's a lot easier to install it on a 1000 power plants than on 100 million cars, especially since you don't need to worry about size/weight constraints (see above).
    Furthermore, it's a lot easier to check for violations of environmental laws if you have to deal with 1000 power plants instead of 100 million cars.
    Also, it's a lot easier to switch from a coal plant to a wind/solar power plant than replace every engine in N cars that generate equal amount of energy.

    And this just scratches the surface. Other people have pointed out other benefits too...

  20. Re:What's a hacker to do? on Hackers: Uncle Sam Wants You! · · Score: 3, Informative
    The gist of it was that the bases that we used in Saudi Arabia during the Gulf War had been built after the Soviet Union invaded Afghanistan

    Hah! That's true only insofar as the bases in Saudi Arabia were built for the purpose of attacking Iraq in the Gulf War, which chronologically was after Soviet Union had moved into Afghanistan. It was also after Soviet Union had moved out :-) By no means was it a result of the war in Afghanistan.

    This is exactly what pissed off Osama bin Laden, BTW -- the presence of US troops in the holy land and their continued attacks on Iraq.

  21. Re:What's a hacker to do? on Hackers: Uncle Sam Wants You! · · Score: 3, Informative

    Just want to correct the false statement. Soviet Union did not "invade" Afghanistan. They went there to stop the civil war and restore the communist government. And where did you get the information that Soviet Union wanted to invade Saudi Arabia?

  22. Re:Stop bitching about copy protection on Still More 'Copy Protected' CDs · · Score: 3, Interesting
    It is the record companies' right to protect their investment in finding, recording and promoting artists.

    The record companies are doing a lot more than protecting their investment. They are intentionally crippling their product in a way that infringes on your fair use rights. They have no right to do that. They are trying to control how you use their product. They have no right to do that. Heh.. not yet anyway, but watch them buy a few more laws.

    The media cartel only exists because people keep fueling it and voting with their dollars

    The media cartels exist because people have no other choice. Independent artists have even more difficult time getting to the top than alternative operating systems...

  23. More like Plan9 on Microsoft's Vision For Future Operating Systems · · Score: 2

    You're right there is a great deal of similarity. When I read their goals I immediately thought of Plan9. Many of the things they mention exist in Unix today. Plan9 takes them to another level. (But I guess it's true what they say: it's not invented until Microsoft invents it).

    We haven't had any news about Plan9 in quite a while. Could someone in the know shed some light as to what's happening with it now?

  24. Pure FUD on Moglen On Enforcing The GPL · · Score: 2

    I really hate it when people do that. The above post irritates me not because it criticises GPL, but because it contains NO INFORMATION. Read it carefully. Everything in the post is pure conjecture with a couple of clever phrases thrown in just to make it look important. Mr ChaoticCoyote, if you want to criticise anything, I challenge you to provide FACTS and argue your position with logic, not thinly disguised rhetoric designed to entice a knee-jerk reaction. For instance, how does your slogan relate to GPL? How do you justify your last statement? Sigh... Sadly, rhetoric still works better than logic in motivating the crowd...

  25. mod up ^^ on Moglen On Enforcing The GPL · · Score: 2

    Yeah, lots of free software comes with this warranty notice prominently displayed. (You even got the wording right). When I see these words I immediately think of Debian -- they put it in motd by default and that's one of the first things I change after I install a new Debian system. Kinda annoying, but necessary.