Mod my [easier] solution into the ground mods!
Open a terminal and type:
(if it returns your password, you're vulnerable)
(wait)
(if it doesn't return your password, you're no longer vulnerable)
The 'mypasswd' string grepped for above will immediately precede your primary user password.
On a side note - this is pretty bad - sure a lot of people are going to say this is local privilege escalation only, but combined with any other exploit, this allows an attacker root access.
This is the reason I use Debian for anything serious....
Except that in Apple's case the cabinet is made of chicken wire - you can convert the songs to Redbook audio with a minimum of effort and the cost of a blank CD.
Again, I agree. Apple's drm (along with both Sony's & Microsoft's) can be easily defeated. It still doesn't really change the intention - to restrict me.
The fact that I'd have to:
a) Find a blank CD (why would I have one around for when I buy my music online anyway?)
b) Encode using a highly compressed source
to listen to music I've legally purchased on ITMS on a different player in the event that my ipod dies really irks me.
Maybe Apple's DRM is the 'best' out there, but no DRM can really be good.
To be fair, the DRM on iTunes songs isn't even in the same league as the DRM on the Sony CD in question, let alone the same ballpark - at least it only affects the affected song, and doesn't open the entire PC up to compromise.
I completely agree with you - but itunes was not the only music service mentioned. From the EFF's site: CONNECT Music, f.y.e., iTunes, or Wal-Mart.
Whilst you might be prepared to trust Apple's DRM (and to be fair, I don't see much wrong with its terms either), read this thread before trusting Wal-mart's. (I don't think I'd have to work hard to convince most people here that putting faith in Sony's DRM is a bad idea as well.)
The ultimate trouble with drm - any drm, is that it restricts your right to do what you want to do with your music. It's like giving a company the keys to your CD cabinet & trusting them to unlock it when you ask them.
is a DRM-free version of the original CD, $7.50, and album downloads from iTunes, Sony Connect, and others.
Should read:
is a DRM-free version of the original CD, $7.50, and DRM-laden album downloads from iTunes, Sony Connect, and others.
I'd also like to know if anyone is going to try for a real settlement - like a company having to audit their network after finding one PC rooted.
Actually, the iPod was an enormous improvement over the mp3 players which came before, because it combined three features which had not yet come together: form factor, storage capacity and ease of use.
I am somewhat surprised that you say the ipod's 'enormous improvement' is to combine existing mp3 player features - yet that was not an incremental improvement?
I think the comment above points out one of Slashdot's enduring biases and explains one of the reasons Slashdot as a whole has such a terrible track record in predicting success or failure of things like the iPod.
Aaah, the real reason for your comment - a random slashdot bash.
Newsflash - slashdot is not a technology prediction service, and no one was trying to predict the success or failure of the ipod.
Hmmmn, I agree with you that this is a non-story, but:
Why in the world are they trying to compare a full blown PVR/Media Center (Windows Media Center) to a computer with a remote (Mac Mini)?
should read:
Why in the world are they trying to compare a software suite (Windows Media Center) to a computer with a remote (Mac Mini)?
The article makes its bias clear with:
Unlike our experiences with most Windows PCs, you won't have to turn up the volume to mask the sound of the small jet plane taking off inside.
They're not comparing, they're reviewing the mac-mini and writing about memories of media centre PCs.
I think to most people (including MS) it's pretty clear that Apple is going to create a better media experience. However, the three way battle for the lounge room is not being fought on a single front. The real competitors for the Mac Mini are the Xbox 360 & PS3, not Media Centre.
If Samsung wants to beat Apple at their own game, they're going to have to do better than hang on their coattails.
Oh come on. The ipod (like this device) was an incremental improvement over other mp3 players from the time, not revolutionary.
This device (whilst it will almost certainly be no ipod killer in the ipod's major markets) looks & sounds pretty nice. Frankly I hope that Apple copies this feature back to the ipod:
The name of the current song appears at the bottom of every screen
That's one thing that's really irritated me about the ipod...
What he's talking about is a feature of Vista, called SuperFetch.
The idea is that the OS predicts what pages of what files you're going to need based on its analysis of your usage of your computer, and caches those on any faster-than-disk-but-not-RAM storage you may have, like a flash drive.
Yes, I figured out he was talking about SuperFetch, but it's still drivel. SuperFetch is unproven and overhyped.
Wow! Thanks Jim, 500MB of extra memory by plugging in a usb stick.
In addition, it's not likely to be any good for games. I can imagine loading system libraries, etc onto flash at boot... but games? It doesn't really work. Flash write time is still waaay too slow, and games manufacturers are still going to want everything loaded off CD to attempt to prevent copying.
Do not waste time reading the article - it is stream-of-consciousness drivel. You will not get that 5 minutes of your life back.
Typical quote:
One of the technologies they showcased was the use of flash memory to increase system performance. By using flash, they can cut application load times dramatically; this has a huge impact on games (which load much more quickly from memory than from drives.) For us gamers, the game will load more quickly, we will be able to move between zones more quickly, and scenes pop more quickly.
This could keep you alive longer and overcome the problem of teams breaking apart before all team members can get to the same zone. The biggest improvement would be with laptop computers; for those of us who play games on our laptops, this is a good thing.
What? What are you talking about? Are you suggesting manufacturers will ship games on flash chips? And what the hell do laptops have to do with anything?
Nothing I've heard about intel's plans to use flash technology would improve any system performance other than boot time.
I don't think the grandparent was referring to windows at all.
But now you mention it, from the Asus update rules for safe bios update:
1. For safety reasons, always use the most updated BIOS utility!
2. Do not overclock the system/CPU during BIOS update!
3. Load "Setup Default" in BIOS menu before BIOS Update.
4. Make sure you have "Administrator" privilege on your Windows system (WinNT4/2000/XP).
5. Close all application programs under Windows.
6. Disable any existing Anti-Virus applications in the system.
7. Reboot the PC after the BIOS update is complete.
8. Switch on the PC and load "Setup Default" in BIOS again.
Point 5 & 6 are actually quite hard to achieve under windows - there is a lot of crap running that you can't really control (and it's not like you can turn the GUI off temporarily).
You hear about the wreckage of bios flashing from within windows all the time on usenet. I for one would never trust it.
This isn't Windows 98. I've seen desktop XP systems get months and months of uptime without any problems.
Whilst I agree that XP is far more stable than '98, it still has a long way to go. Oh, and presumably these XP systems you've seen are run by someone who doesn't give a hoot about security & doesn't bother applying the XP patches.
I once thought I could get away without 3.5 floppies anymore. I was wrong. Something always drags you back in the end. Flashing BIOS for instance.
You can flash your bios using a bootable cdrom without a problem.
I've been living quite happily without a floppy for 2+ years.
No - it's a terrible idea - Apple's gained a good reputation from its user base doing all the advertising for them for free....
Appointing a 'Security Czar' would move all these low key (outside of the /. and mac fanboy community) security rumblings onto the front page of real media. Joe public, who's never heard security and apple in the same sentence before, will suddenly get the idea that Apple is no more secure than windows (after all they both need CSOs).
It's a terrible idea, Apple should continue to let their user base advertise their security for them.
Consider this quote of his:
ZUCK: Sure. ACT is an IT industry trade association based in Washington, D.C. It represents mostly small- and medium-sized information technology companies and their interests in Washington. So, we lobby on their behalf to prevent over-regulation of the industry; we fight both here and abroad for intellectual property protection;
Errr right, fight against over-regulation.... with ip regulation?
He also shows no understanding of the issues
Uh huh - thanks Jonathon, you do understand that anyone can (and plenty do) implement PDF royalty free, don't you?
Conclusion - don't feel dirty, Zuck is the misinformed zealot, Stallman looks positively calm & reasonable in comparison.
I would say that Slammer / Blaster / Code Red / etc infected far more people in a far shorter period of time than any via-user link.
But each of those would have been avoided if the user either kept their machines patched or (at least) kept them behind a firewall.
What you say is correct - but failing to keep your machine patched & behind a firewall is not generally what's meant by a vulnerability requiring user intervention.
When the grandparent talked about the user being the weak link in the chain, he meant the user actively doing something - like opening a zip emailed to them, renaming the file inside to an executable and running it.
What you're talking about is the user passively doing nothing & getting infected.
Understand the difference?
I'm a big fan of the Fox, but is this really a feature that should be built-in to our svelte (but extensible) browser?
TFA:
While Firefox 2 will get a phishing shield, no decision has been made on how it will be incorporated in Firefox, Shaver said
Seems like something that could be its own extension, or if Google is really so involved, integrated into the Google Toolbar for Firefox.
TFA:
"Google, like others who contribute to the project, has contributed code and expertise for us to experiment with," he said. "We haven't committed to a given approach, a given technology or a given partner."
The biggest problem is still the weakest link in the system: Its user.
Vulnerabilities aside, the user is what is responsible for over 90 percent of the infections monitored.
So which one is it? "The linkest weak is the user" or "vulnerabilities aside, the weakest link is the user"?
I would suggest that it's option B - "vulnerabilities aside, the weakest link is the user".
I would say that Slammer / Blaster / Code Red / etc infected far more people in a far shorter period of time than any via-user link.
In fact, I'll just modify your statement to read "In a non-windows system, the weakest link is the user"
Now, let the man in peace to do his job.
He's not doing his job - he's posting rumours on /.
Whilst I take your point about classified information, the g-g-g-parent should not post a comment they were not able to substantiate if they did not want to get called for it.
This, RIGHT HERE, is the problem. An industry powerhouse like Michael Dell tells the Linux community what he wants, and how does the Linux community respond? By insisting that he's wrong and telling him what he actually wants.
Nope. I'm afraid the problem here is Dell not supporting linux - and making stupid excuses as to why.
It's called listening, folks. Maybe if the Linux community started listening to what users are SAYING they want, instead of dictating it to them, Linux would see wider adoption.
Hmmmmn, so you believe that:
1) It's OK for Michael Dell to tell all the linux distros (except the one lucky one) to pack up shop & go home (Pick commercial or community distro now folks, you won't be able to choose in goldspider's brave new world)
but
2) The Linux community can't point out when Michael Dell makes a stupid comment about linux 'being hard to support because there's too much choice'
Funny, that's what most haven't-quite-switched-yet Linux users want too...
No they don't - they want hardware that works out of the box on the distro they chose.
I'd be happy if Dell supported one distro (or hell, even netBSD). It would mean that other distros could look at the drivers used & have an easy time supporting Dell.
It's not rocket science Michael, don't try to make it harder than it really is. Support one distro (my suggestion is Debian, as you get a nice slow moving target, or Ubuntu, for predictable release cycles) but it doesn't really matter which one you support.
I never said that I was in the Marines. I am a civilian contractor.
My apologies - reading too many threads at the same time.
General Casey is in charge of theater-wide operations, therefore, all theater communications are under his control.
OK - I don't dispute that, but I still don't see why Afghanistan has to be routed through Baghdad - does he inspect the packets personally or something?
control
I'm sorry - you're going to have to give more than a single word answer to convince me.
Why does the pentagon have more control routing through Baghdad than through Washington? It's satellite for god's sake.
I'm afraid that I don't believe you're in Baghdad or the marines at all, but in some PR agency in Washington.
....but we serve all of Afghanistan and Iraq through satellite here in Baghdad.
I might be missing something here... but you serve... Afghanistan from Baghdad?
Looking at this map I find that a little hard to believe. There is the small matter of Iran in between those two countries.
And if via satellite - why bother routing through Baghdad at all?
For the curious, you can read the article as it originally appeared here
Whilst I agree with you that the original article was a typical zdnet troll attempting to stir the angry mac masses into page views, your statement:
left people with the impression that a Mac OS X machine could be owned in 30 minutes just by being connected to the internet, without the user "doing" anything
is not really true if you read the whole article.
For instance, the original article contained the line:
Mac acting as a server -- with various remote services running and local access to users... [emphasis mine]
You also say:
How might a Linux or BSD distribution, other commercial UNIXes, or Windows stand up to a similar challenge, where anyone who wishes is given local account access?
I don't know about Windows / Commercial Unix, but under linux you have the option of using grsecurity to harden against unknown vulnerabilities. Nothing like this exists for the Mac that I'm aware of.
I understand the point of your test - that a mac can sit on a hostile network & not get hacked. But you seem to completely miss the conclusion I drew from the outcome of the original test - do not underestimate the seriousness of local privilege escalation.
For instance (as I've written before), an unpatched local privilege escalation, used in conjunction with the vulnerability discussed in this article could result in a rooted machine - simply from visiting a hostile website (or even a website you visit regularly, that runs IIS and has been hacked itself).
This story was a comment a few days ago
I don't think Dave understood the point of the original challenge however - local privilege escalation - or maybe he was just taking issue with the way it was reported on zdnet.
Whoops! You are of course completely right...
Just goes to show that you can't be half-assed about password security