Slashdot Mirror


User: knorthern+knight

knorthern+knight's activity in the archive.

Stories: 0
Comments: 1,268

Comments · 1,268

  1. Corporate intranet != Wild Wild Web on Pop-Up Ads Begin To Face Serious Opposition · · Score: 1

    > The site I am currently working on is aimed at users within large corporations.
    > They have asked for (and got) some pretty wizzy features, many of which are
    > simply not possible to implement without JS (or some other kind of scripting).
    > Given that all of them (and I mean ALL) are using either NS or IE, and will
    > almost certainly have JS enabled, am I supposed to turn around and say
    > "sorry, we can't make the site JS only, it goes against my geek principles"? I think not.

    At work...
    1) It's my employer's computers, paid for out of my employer's pocket, and therefore my employer's rules
    2) We can reasonably trust apps written by our own corporate IT programmers

    On the Wild Wild Web
    1) It's my computer, paid for out of my pocket, and therefore my rules
    2) Yes, they *ARE* out to get you

    On the WWW, "wizzy" features mean
    - at best to throw pop-up/pop-under garbage at me.
    - many people complain about sites (not just porn sites anymore) that throw open so many windows that the resource usage crashes the browser, if not the OS.
    - at worst, malicious scripts can compromise your machine. One vector for NIMDA's spread was for script-enabled IE browsers to view infected web-pages. How soon people forget.

    The thing about mobile code (Java/Javascript/ActiveX/Fuckwave-Slash) is that *YOUR MACHINE IS DOWNLOADING AND EXECUTING FOREIGN CODE*. I happen to be 50, and I remember the days of BBS's, when it was pounded into people that you do *NOT* download and execute every last single program you run across. Why have we forgotten this lesson?

    It may be safe for a cute secretary to walk down the hall from your office in a mini-skirt at 2:30 PM. It's a totally different matter at 2:30 AM in the bad section of town. Running with Javascript enabled may be safe on a corporate intranet, but not on the web.

  2. Re:I wonder what effect this would have, really... on All We Want Is Whatever's On Your Machine · · Score: 1

    > Why would grandmother using AOL on an emachine be running IIS? :-)

    1) because her nephew or whoever installed Win9X on it selected "everything"
    2) When she installed FrontPage to do her personal webpage, IIS got installed as part of the process

  3. Re:Bugs in Outlook? You ignorant twit on All We Want Is Whatever's On Your Machine · · Score: 1

    > Because then you'd bitch because Microsoft took away your choice. I can see it now:
    > "If I want to run a program, I damn well better be able to run any binary I want!"

    If I want to run a program, I can run it in linux. However, what's insidious about Windows is that it runs programs *WHEN YOU MERELY OPEN AN EMAIL*. Remember when "Good Times Virus" was merely a sick joke on AOL cl00bies? Well, now KLEZ makes it for real in Windows. In linux/unix
    - assuming that I wanted singing/dancing email and set midiplay to run audio/x-midi attachments
    - assuming that I ran a GUI mailer like Netscape and clicked on a malicious ELF (linux executable attachment) deliberately mis-labelled as audio/x-midi

    The worst that happens is that midiplay tries to play it and core dumps. More likely, it'll say "WTF is this so-called midi file?" and exit gracefully. In Windows, the mis-labelled "midi" file will be *EXECUTED WITHOUT ASKING ME*, and it'll run as an EXE.

    Put it this way. If windows is soooo fragile that you can't *OPEN* an email attachment without risking a total takeover, there is something badly broken with it.

  4. Re:Asking for trouble... on All We Want Is Whatever's On Your Machine · · Score: 1

    > And then there's the problem of someone retaliating against a dynamic IP address.
    > It may have been the right person at the very moment of an intrusion, but by the time
    > the admin gets around to checking their logs, it's whoever else happened to dial into
    > that POP. Then someone totally innocent gets nailed instead, just because they
    > happened to get assigned the same IP address as yesterday's miscreant.

    Not to mention KLEZ virus/worm, which forges the "From:" address, and even Envelope-sender. There are a lot of cl00bies out there, including so-called "sys-admins", who will blindly believe the "From:", and ignore the "Received:" headers.

    On nanae (news.admin.net.abuse.email) newsgroup, there's some yelling and screaming going on about RAV antivirus. It bounces KLEZ emails without the virus to the (forged) "From:" address. Then it sends back a copy *WITH THE VIRUS*. So RAV actually helps spread KLEZ around the internet. And each bounce includes an ad for RAV antivirus. So they...
    1) DOS you with 2 emails for each forged one they encounter
    2) Send a copy of the virus with every second email
    3) spam for their product while they're at it

    Under the proposed law, would you have the right to cripple the bozos who bounce KLEZ forgeries to you, as well as the bozos at RAV who make all this possible?

    > There also is also the possibility of hacking back at the wrong computer,
    > said C.H. "Chuck" Chassot of the Department of Defense's Command, Control,
    > Communications & Intelligence office.

    > "It is the DoD's policy not to take active measures against anybody
    > because of the lack of certainty of getting the right person," Chassot said.

    Guys like this can give "military intelligence" a good reputation. Sheesh.

  5. Re:Borders on Do You Know Where You Live? · · Score: 1

    > as I understand the Americans started it

    Not really. The Royal Navy went about boarding American ships on the high seas and dragging off alleged British deserters kicking and screaming. I don't blame the US for considering it an act of war. BTW, I live in Toronto, Ontario, Canada.

  6. GM foods == DRM !!! on Starving Nation Turns Down Bioengineered Corn · · Score: 1

    Genetically modified seeds that won't germinate sound very similar in concept to bastardized CDs that can be copied. I wonder if Monsanto ever fears that their "protection" might be "cracked" one day by an "agricultural hacker".

  7. Best/worst case scenario on Feds to Require Digital Receivers In All New TVs? · · Score: 1

    > Analog television turn-off is mandated by the FCC in the US for December 31, 2006.

    - Worst for industry
      - analog TV shuts down
      - people stay away from digital TV in droves
      - major networks go tits-up

    - Best for people
      - analog TV shuts down
      - people stay away from digital TV in droves
      - major networks go tits-up

    Now about all those rose-coloured-glasses predictions about how much telecoms companies are going to shell out for 3G licences... yeah sure.

  8. Re:JavaScript... on JavaScript : The Definitive Guide, 4th Edition · · Score: 1

    > ...is a full blown programming language ...and that means that *YOU* want *ME* to download and execute *YOUR FOREIGN CODE* on my machine. No fucking way. You may not be 50 like me, and remember the days of BBS's, when the prime directive was *FER-CRYIN-OUTLOUD-DON'T-DOWNLOAD-AND-EXECUTE-EVERY-PROGRAM-YOU-SEE*.

    It was a good principle in the days of BBS's, and it's still a good idea today. A lot of people were infected with NIMDA because their Internet Exploder had scripting turned on. I run linux and Mozilla; however, I don't bury my head in the sand with an "it can't happen here" attitude.

    I got sick and tired of the security-advisory-loop
    1) javascript is your friend. All of you people with javascript turned off are a bunch of paranoid pinko-commie-fags.

    2) security alert. The sky is falling, security hole discovered in Javascript, turn off scripting immediately

    3) security patch/update released; apply and GOTO 1)

    Javascript started with so little functionality in the Livescript/Mocha days that everyone figured it didn't need a sandbox. Now feature-creep has set in and it's obvious that Javascript gives too much power over your machine to the website. Outside of trusted code in the intranet at work, forget it.

  9. Re:Verified? on A Medireview Approach To Stopping E-Mail Attacks · · Score: 1

    Send this in the middle of a *PLAIN TEXT* email to any poor soul who uses Outhouse Excuse or Lookout, and watch them scream about viruses. Note that the left side must be flush to the left margin.

    begin 666 loveletter.txt.vbs
    Microsoft's stupid braindead Outhouse Excuse thinks this is a
    Malicious attachment if you haven't updated OE.

    end

  10. Re:If the Internet has taught us anything... on Pop-up Ads Coming to A TV Near You · · Score: 1

    > Something made me realize the same thing recently. Here in Montreal, the Molson Centre
    > (Where the Canadians play), will change its name to the Bell Centre (Or something like that).

    It could've been worse. Apple could've bought naming rights, and the place would be called "Mac Arena"

  11. Re:Just a few thoughts... on New Chips Keep Tight Rein on Consumers · · Score: 1

    > Read up about it... MS ISNT THE FINAL WORD ON WHAT RUNS ON YOUR BOX.

    Not today it isn't...
    [/home/waltdnes]cat /proc/version
    Linux version 2.4.18-3 (bhcompile@daffy.perf.redhat.com) (gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-110)) #1 Thu Apr 18 07:37:53 EDT 2002

    > Get it? Get it people? Its an OPEN architecture, allowing users/administrators
    > to determine which sources are trusted to sign and verify code.

    And guess who holds the patent on the DRM hard+software concept. That's right, Microsoft. They can licence it to whomever they want under whatever conditions they want. They might even expressly forbid its use with GPL software. If you think this is Slashdot-tinfoil-brigade material, I suggest you mosey on down to Microsoft's own website, specifically...

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/Finalcifs_LicenseAgrmnt_032802.asp and check out item 3.3. This supposedly "open" CIFS spec is *NOT* to be used in any GPL'd software. I'm not inventing this; check it out for yourself.

  12. Re:Just a few thoughts... on New Chips Keep Tight Rein on Consumers · · Score: 1

    An end-user OS doesn't need additional hardware to protect the end-user. The corporations who pay off Fritz Hollings want hardware to protect them, and the hell with the end-user.

    > Software is never enough for really secure systems.

    > And second, Outlook does have protections (now), which is why the number
    > of Outlook-borne viruses is low now compared to two or three years ago.

    I don't need to argue strongly to blow your argument apart... you're doing a pretty good job of it yourself. The basic idea is that end-user clients should *NEVER* execute outside code. If I want to execute something, I'll download it to my directory first.

    In unix, email can only invoke whatever programs are associated with a file-type in mailcap. This is unlike Windows where clicking on an executable in an email is identical to clicking it on the desktop. Even if you click on an executable in a linux gui mail reader, it won't run. Well, I suppose you *COULD* enable backtick expansion and have the unix equivalent of Windows Scripting Host... but why?

  13. Re:No Worries on New Chips Keep Tight Rein on Consumers · · Score: 1

    > It's not going to happen ... stop worrying. Microsoft would have to take
    > control of every motherboard, chip, and card manufacturer to do that.

    Wrong. They merely have to buy a bunch of legislators to pass laws banning "uncertified" software and hardware. Consider for instance Fritz Hollings and his SSSCA or CBDTPA, or whatever alphabet-soup-du-jour he's calling it today. 40 billion will easily get you the best senators and representatives that money can buy.

  14. Re:Changelog on New Red Hat Beta: LIMBO · · Score: 1

    Are you aware that you can...
    - install GNOME+KDE
    - run FVWM2 alone as your "desktop"
    - run any KDE/GNOME apps such as AbiWord, Gnumeric, Kmail, etc

    And if you don't like FVWM2's menu system, you can always execute "panel", which brings up the GNOME panel.

    I get the best of both worlds...
    - all the apps/applets/games in GNOME+KDE
    - no resource-hogging pointy-clicky, draggy-droppy, touchy-feely, ooey-gui desktop to slow a 3-year-old machine to a crawl.

    My attitude is that I don't run desktops, I run applications. That's my priority, and that's where my machine's limited resources should have their priority.

  15. Re:Groan.... on Microsoft Media Player "Security Patch" Changes EULA Big Time · · Score: 1

    > its not because they have enough money that they can survive, *cough* enron *cough*

    Unlike Enron, whose "net assets" existed only on the spreadsheets of Arthur Andersen's accountants, Microsoft has 40 or 50 billion dollars of *REAL MONEY* in the bank.

  16. Re:WANL and that is the problem ... on Microsoft Media Player "Security Patch" Changes EULA Big Time · · Score: 1

    > Why're you holding MS to a higher standard than any other software provider?

    We're not. Microsoft's flagship email system will *NOT* read email as plain text. It *WILL* interpret/execute html, plus Microsoft's extensions thereto. It *WILL* display filenames like loveletter.txt.vbs as loveletter.txt by default. It *WILL* display loveletter.txt.lnk as loveletter.txt *EVEN IF YOU TELL IT TO DISPLAY ALL EXTENSIONS* (unless you do some down-n-dirty hacking with regedit). It *WILL* *EXECUTE* audio/x-midi file attachments *WITHOUT ASKING YOU FIRST*... even if the file-attachments are actually mis-labelled .EXE's (that's how KLEZ spreads).
    All Microsoft has to do is tear out the parts of the OS that do all this crap without asking your permission. Then you'd be in control, which Bill Gates doesn't seem to like. One thing about linux, you have to think a little, because you actually get to issue the orders.
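A mail-gateway check for the two tricks described in comments 9 and 16 above: an inline uuencode "begin ... end" block planted in a plain-text body, and a file name such as loveletter.txt.vbs whose real (last) extension is executable but hides behind a harmless-looking one. This is an added example, not code from the original posts; the extension lists and the sample body are constructed for illustration.

```python
"""Gateway-side check for the tricks in the posts above: an inline uuencode
'begin ... end' block in a plain-text body, and a file name whose real (last)
extension is executable but hides behind a harmless one. Added example, not
code from the posts; the extension lists are constructed."""
import binascii
import re
from dataclasses import dataclass

# Extensions Windows treats as executable or script content (constructed list)
EXEC_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "lnk", "wsh", "hta"}
# Harmless-looking extensions typically placed in front of the real one
DECOY_EXTS = {"txt", "jpg", "gif", "doc", "mid", "pdf", "htm", "html"}
BEGIN_RE = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S.*)$")   # uuencode header line

@dataclass
class Finding:
    name: str          # file name declared on the 'begin' line
    exec_ext: bool     # last extension is executable (e.g. loveletter.txt.vbs)
    hidden_exec: bool  # ...and a decoy extension sits in front of it
    is_pe: bool        # decoded bytes start with the 'MZ' DOS/PE magic
    size: int          # bytes actually decoded
    bad_lines: int     # lines between begin/end that were not valid uuencode

def split_extensions(name):
    """Return (decoy_ext, real_ext); a viewer that hides known extensions
    would display only the part before real_ext."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3:
        return parts[1], parts[2]
    return (None, parts[1]) if len(parts) == 2 else (None, None)

def scan_uuencoded(body):
    """Find every inline uuencode block in a text body and classify it."""
    findings, lines, i = [], body.splitlines(), 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        i += 1
        if not m:
            continue
        name, data, bad = m.group(1).strip(), bytearray(), 0
        while i < len(lines) and lines[i].strip() != "end":
            line = lines[i]
            i += 1
            if not line.strip():
                continue
            try:
                data += binascii.a2b_uu(line)   # raises on non-uuencode text
            except binascii.Error:
                bad += 1
        i += 1                                  # skip the 'end' line
        decoy, real = split_extensions(name)
        findings.append(Finding(name, real in EXEC_EXTS,
                                real in EXEC_EXTS and decoy in DECOY_EXTS,
                                bytes(data[:2]) == b"MZ", len(data), bad))
    return findings

def sample_body():
    """Constructed sample: the bogus block from the post (prose, no real data)
    plus a genuine uuencoded blob that merely starts with the PE magic."""
    pe_like = b"MZ\x90\x00" + b"\x00" * 12        # constructed bytes, not a program
    uu = binascii.b2a_uu(pe_like).decode("ascii")  # one uuencode line ending in '\n'
    return ("Just a plain text mail.\n"
            "begin 666 loveletter.txt.vbs\n"
            "Microsoft's stupid braindead Outhouse Excuse thinks this is a\n"
            "Malicious attachment if you haven't updated OE.\n\nend\n"
            "begin 644 photo.jpg.exe\n" + uu + "`\nend\n")

if __name__ == "__main__":
    print(scan_uuencoded(sample_body()))
```

The first finding shows why the bogus block in comment 9 trips a naive scanner: the name alone is flagged even though not a single byte decodes; the second shows a real blob whose decoded content carries the executable magic.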

  17. Re:MS/Borg on Microsoft Media Player "Security Patch" Changes EULA Big Time · · Score: 1

    > it also installs a mess of stuff from DoubleClick, which though not named
    > specifically in the EULA, is also covered by your "consent" at installation.

    And be sure to clean out your /etc/mailcap file after installing Real. One of the reasons I fled Windows was to get away from frigging email that launches apps all over the place.

  18. Re:coin sized? on Philips Blue Laser Itty Bitty Disc Drive · · Score: 1

    > Some of us ache for something smaller.

    And I'm sure that Steve Case loves it too. Now he can *REALLY* distribute AOL free samplers in every box of Cracker Jacks.

  19. What about mobile code ? on Unix Shell-Scripting Malware · · Score: 1

    Javascript, Java, and Shockwave are present on most PCs, Windows and linux. I think that Brown Orifice (Java) allowed others to spy on your linux hard drive. Javascript is a common scripting language. I'm sure that there'll be linux exploits there eventually. Javascript was one of the modes of NIMDA's propagation. Flash now has a scripting language. For an idea of the cute stunts it can pull, check this article on Slashdot.

    And watch your mailcap files. This is mandatory on a Redhat install before using email the first time. And if you install RealPlayer, be prepared for a shock in your mailcap. I would advise logging on as root, de-fanging all mailcap, Mailcap, .mailcap, and .Mailcap files, and then hit them with "chattr +i".
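The mailcap de-fanging that comments 17 and 19 above call for, as an added example (not the poster's own tooling): it parses the RFC 1524 mailcap format, including backslash-continued lines, and comments out every entry whose type is not on a small allowlist of render-only types. The allowlist, the search locations and the sample file are assumptions made for illustration.

```python
"""Audit and de-fang mailcap files, the step the posts above recommend before
first use of a mail client (and again after installing RealPlayer). Added
example, not the poster's own tooling; the allowlist is an assumption."""
import os

# MIME types allowed to keep a handler; everything else is commented out.
# Constructed allowlist: only types whose viewers merely render data.
ALLOW = {"text/plain", "image/png", "image/jpeg", "image/gif"}

# File names the post lists; searched in /etc and in the home directory (assumption)
MAILCAP_NAMES = ("mailcap", "Mailcap", ".mailcap", ".Mailcap")

def mailcap_paths(home=os.path.expanduser("~"), etc="/etc"):
    """Return the mailcap files that actually exist on this system."""
    cands = [os.path.join(d, n) for d in (etc, home) for n in MAILCAP_NAMES]
    return [p for p in cands if os.path.isfile(p)]

def read_entries(text):
    """Return [(logical_line, parsed)]; parsed is (type, command, flags) or
    None for blank/comment lines. Joins backslash-continued lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        logical.append(buf + raw)
        buf = ""
    if buf:
        logical.append(buf)
    entries = []
    for line in logical:
        s = line.strip()
        if not s or s.startswith("#"):
            entries.append((line, None))
            continue
        fields = [f.strip() for f in s.split(";")]
        parsed = (fields[0].lower(), fields[1], fields[2:]) if len(fields) > 1 else None
        entries.append((line, parsed))
    return entries

def risky_entries(text):
    """Entries that would launch a program for a type outside ALLOW."""
    return [p for _, p in read_entries(text) if p and p[0] not in ALLOW]

def defang(text):
    """Return (new_text, disabled_types): every non-allowlisted entry is
    turned into a comment so the mailer has nothing to launch for it."""
    out, disabled = [], []
    for line, parsed in read_entries(text):
        if parsed and parsed[0] not in ALLOW:
            out.append("# disabled by mailcap audit: " + line)
            disabled.append(parsed[0])
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled

SAMPLE_MAILCAP = """\
# constructed sample in the spirit of a stock mailcap, not a real file
text/plain; less %s; needsterminal
audio/x-midi; midiplay %s
application/x-shockwave-flash; realplay %s; \\
  description="Flash movie"
image/png; xv %s
*/*; run-anything %s
"""

if __name__ == "__main__":
    new_text, gone = defang(SAMPLE_MAILCAP)
    print(new_text)
    print("disabled:", gone)   # then chattr +i the rewritten file, as the post says
```

Run it as root over each path from mailcap_paths(), write the returned text back, and only then apply "chattr +i" so a later package install cannot quietly re-add handlers.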

  20. Re:So they're finally going to cave in ... on 'Unbreakable Linux' · · Score: 1

    > and STOP shipping with WU-FTPD :-).

    And while we're at it... KDE has the *OPTION* of using SGI_FAM (File Alteration Monitor). The idiots at RedHat built it so that KDE *REQUIRES* the presence of SGI_FAM. Oh, did I mention that SGI_FAM isn't a "well-known-service"? So it has to register with portmap, which assigns it a semi-random port number. When KDE starts up, it queries portmap to find which port SGI_FAM is listening on. So, just to run a stinkin *DESKTOP*, RedHat configures linux to come up with Sunrpc portmap on port 111 (Hello Lion/Ramen) and SGI_FAM (on some semi-random port) listening to the internet by default.

    If you set rc.d to not start SGI_FAM, KDE still works, but the SGI_FAM libs must be present, even if inactive. You can uninstall portmap, using rpm -e with the --nodeps option. Maybe it's time the head honcho at RedHat sent a memo to his employees telling them to put security ahead of features<g>.

  21. Re:DIE FUCKWAVE SLASH, DIE ! on Freaky Flash 6 Fishy Features · · Score: 1

    > So when did this turn into a discussion on Windows?

    You pounded away at how these features *DEFAULT TO OFF*. My counterargument was that in Windows, "NO" doesn't necessarily mean "NO", and various stuff has ended up being executed without the end-user being asked.

    > I totally understand the flaws inherent to Windows, and
    > therefore do not run it in any sort of server configuration.

    That's where I disagree with you. There is a difference between rendering data and executing code, and Macromedia has crossed the line. I remember the days of BBS's when it was *POUNDED* into people not to download and execute every program you came across. Yet today, webpages *DEMAND* that you download their code and *EXECUTE* it.

    The difference between *RENDERING DATA* (text, pictures, streaming audio/video) and *EXECUTING MOBILE CODE* is clear in my mind. If I ran a telnet server, and you typed in a shell script and executed it, I assume you understand the security risk. That is *EXACTLY* what happens when I run a browser and a webpage sends javascript or SWF commands to it. Just like telnet, there is *SUPPOSED* to be a sandbox to prevent malicious stuff. Too often, it doesn't work. That's true in unix, and it's true in Windows. You *ARE* running a server if your browser executes java, javascript, activeX, or shockwave. Macromedia *BRAGS* to developers about their improved scripting language. Hello... one of the first things I did back in my Windows days was to remove Windows Scripting Host, now someone else wants to execute their scripts on my machine. Screw them.

    > Your argument is flawed because it works off an almost Luddite fear of an unknown.

    In linux one of the basic principles of security is not to run unnecessary public services. SWF is one that any web page can access; I don't want to run it any more than I want to run ftpd or httpd. What's "Luddite" about that?

    > I will not deny that this feature poses some sort of a security risk,
    > but what feature doesn't in some way. This offers a benefit to the user

    That last part is absolute bull. On a small number of sites, a 3D-VRML plugin is nice. At sites like http://www.joecartoon.com shockwave is actually useful. At 95% of webpages, it's not really necessary. Not being able to get into the Bell Canada website without Flash is an obscenity. I notice that they do offer a by-pass for registered shareholders who want to vote online. Web designers take this too personally, and don't allow bypass options often enough.

  22. Re:DIE FUCKWAVE SLASH, DIE ! on Freaky Flash 6 Fishy Features · · Score: 1

    > What part of it defaults to off don't you understand?

    I do understand that a lot of people use Microsoft Windows, where "defaults to off" doesn't mean anything.
    - What about the supposedly safe javascript that allowed NIMDA to download itself and infect IE users who browsed infected webpages ?
    - What about the viruses that auto execute on Outhouse Excuse when you *MERELY OPEN THE EMAIL*? Remember when "Good Times Virus" was merely a sick joke aimed at clueless AOL-ers?
    - What about this Register article showing how IE and Outlook can be forced to execute any random program with the appropriate HTML (webpage or HTML-email). And this works *EVEN WITH ACTIVE-X, JAVASCRIPT, AND JAVA TURNED OFF* !!!

    > This means that you have to consciously go in and turn it on.

    It only means that some skript-kiddie has to exploit a security hole in Windows. "Trustworthy Computing"... Trust me... Windows *WILL* get hosed on this eventually.

  23. DIE FUCKWAVE SLASH, DIE ! on Freaky Flash 6 Fishy Features · · Score: 1

    > A camera and a Microphone are two very useful items for online communication.
    > If you don't want to be seen or heard, don't freaking buy them.

    People want to be seen and heard *ON THEIR TERMS*, not when some spyware decides to do it.

    > Flash has to evolve like anything else to stay alive.

    In that case DIE FUCKWAVE SLASH, DIE ! And take PDF with you. HTML is good enough, thank you.

  24. Re:Linux reinstall Philosophy on An interview with Ad-Aware's Nicholas Stark · · Score: 1

    > With linux, it turns out to be simple to arrange things so that even with a lot of
    > complicated, customized software installed on a machine, you can reformat your root partition,
    > reinstall linux, and have your non-standard software installed and configured in under an
    > hour. This makes it feasible to do every few weeks for your home computer.

    > The main reason is that most of the software configuration consists of ascii text files in
    > /etc and a few other locations which in any event are well known, or easy to figure out.

    Right on. Microsoft ranted and raved at length about how long and obtuse CONFIG.SYS was in DOS and OS/2. But have you ever done any spelunking through "the registry"? Give me CONFIG.SYS any time. /etc/whatever is even nicer in that each program has its own relatively small file, separate from other programs. Another thing is that I can copy/restore a program without hooking into a monolithic central registry.

  25. Howsabout a virus or worm... on An interview with Ad-Aware's Nicholas Stark · · Score: 1

    that masquerades as an XXX screensaver with a EULA? Buried deep in the EULA is full disclosure that it's actually a harmful virus/worm? If the luser clicks "Yes", does it absolve the virus-writer of all guilt? No, I am *NOT* advocating this... it's merely a reductio-ad-absurdum to demonstrate the stupidity of many EULAs.