What pop-up are you talking about? IE6 SP2 only shows a small notification below the link bar of your current open window, which auto-hides after a few seconds.
Stop running your daily desktop account as Administrator. Most, if not all, of the spyware will fail when it attempts to infect your system. It's just general good practice anyway. No one runs KDE/Gnome as root, or log into their OSX machine as root. Neither should we.
Microsoft has billions of dollars *in cash* at any given time. And a staff of 50k that grows by the day. This is a massive company, but it's built to branch out to new arenas quickly.
we get stock when signing with the company, and have a very generous employee stock purchase program. it's good to be the king.
Re:open-source vs. suitability to task
on
Learning PHP 5
·
· Score: 1
You have many insightful points on your post, but I figured I'd field this one:
How on Earth could a closed vendor compete with that? The answer: they can't.
oh, I don't know, possibly by providing a product that actually works, and increases productivity, versus an inferior copy-of-features, slightly usable program.
That is not to say OpenS software is inferior (plenty are amazing--linux,mozilla,openoffice,etc..), just commenting on your seeming blind adoption of it just because it's OpenS.
After developing in asp.net in visual studio, and jsp in eclipse, I couldn't imagine going back to the textpad days. What is available in terms of debuggers for php sites? Are we still depending on echo's?
Do you think they'll be busted? Given the linux communitie's tech saavy, probably not too many systems were affected, so there won't be a big impetus from law enforcement from getting involved. Still, given that the slashdot crowd is on the case, the person will probably be found and at the very least fined in some way.
You are right. And I hope I'm not the only one here to have pointed out that 99% (if not all) of the current viruses/malware/spyware in Windows are due to this same issue. Windows users have been trained to run as root (Administrator) at all times -- so if I write a batch file that starts at C:\ and deletes recursively -- bingo! I have a working malware. We're starting to see a bigger push to move away from this from MS and from the outside, lets hope it gets widely adopted.
Yes, there have been a handful of legitimate exploit viruses. Thankfully if you keep Auto-Update on, these will automatically be patched within days of discovery of the exploit (or even the same day). And no one is immune to this.
Some months ago OSX had a privilidge elevation exploit in their OS, which they patched quickly, thankfully. Funny thing is, if you read the patch description, it says 'improving the user interface'.
The good news is that now people are required to know Writing Secure Code, and (more recently) Threat Modelling by heart. I can tell you first hand those approaches have been adopted company wide. While Threat Modelling can be time consuming, I've personally found possible issues in code that we wouldn't have noticed without it. Plus we got other people outside our department looking at our code. All in all this is the best approach we could be taking. Microsoft is not sitting on it's ass about this issue.
Your first instinct would be wrong, at least when it comes to it being built by a separate team. The fact is, as hard to believe at it is, for the past year Microsoft has put in place for every product systematic development techniques that directly target the security of an application (Threat Modeling, Secure coding techniques). Furthermore, this kind of test is standard within Microsoft (feed random inputs to all possible input locations). And once all the coding is done, the source still has to pass inspection through a security group within Microsoft! You can read about this stuff at the secure windows initiative.
And this shift is working. The trend per-product is a significant reduction in security vulnerabilities. That is not to say there aren't any, that would be impossible, but if you look at the vulnerability graph for, say, Win2k Server since it's release, and win2k3 Server since it's release, there is a significant drop in the amount of vulnerabilities that are coming in since the release of the product. Furthermore, a large part of the vulnerabilities are found from within the company. The same thing can be said for most products, including IE, IIS, Office, etc... We're getting there....
Now, go off and run as LUA, and nip this stupid spyware problem in the bud.
It's very simple, really. Set up your users as a limited user account, instead of an Administrator on the machine. Problem solved. No need for Ad-aware, spybot, or any of those machines. The user will not be able to write to the registry (HKLM), or write to system directories. All of the most common spyware breaks when the user is running as a limited user.
All you need to do is create a policy for software installation. Probably only allow tech people to install, so their accounts would be administrator across the domain.
Yes she did. As I understand it from other sources, the problem is when you install google desktop, you are administrator. As such, you index the whole hard drive, since the administrator has permissions to it. Later, this index is available to all users, and the cache allows for unprotected vieweing of the contents of the files.
Well, if you are running as root, well, the answer to your question is EVERY OS. Run your desktop as root, and it'd take me 5 minutes to write an executable that will hose your whole system.
The fact is, Windows has a solid, well implemented, priviledge system. The second fact is that they gave this up in favor of app compatiblity (crappy programs that expect to write to the windows directory just to run, versus to user directories) and ease of use. This is biting them in the ass, and they are working on getting people away from running as Administrators. Just not as heavy a push as I'd like.
I'm dissapointed that MS hasn't done a big enough push to get people accustomed to running as a limited user, versus running as Administrator all the time. This is the main reason why linux/OSX are more 'secure' -- programs like these would execute as user, not as root, given the OS's both discourage people from runnin their every day tasks as root.
If the users who get this funny.exe were not running as Administrator, their system wouldn't get infected. The app may be able to propagate itself, but a quick log off/log on would kill the virus.
I personally find the video photo output of my still digicam useful. When I visit family, I plug in the camera to their TV, and off goes the slide show. Depending on the implementation, it would be pretty sweet. While carrying around a camera all day isn't too common, carrying around an iPod is. So it will open up for good sharing experiences.
How to write an anti-MS manifesto
a) critique features long since fixed/patched (blue screens, constant reboots, security vulnerabilities)
b) attribute your inability to set up windows correctly to a fundamental flaw in Windows (i.e. - You can't bother to remove your user account from the Administrator group, but still whine when you get spyware)
There are great reasons to use Linux over Windows. The anti-M$ crowd really needs to lay off the innacuracies or misrepresentations.
What don't you understand? Read the replies to this story. Plenty of them smirk at the fact that Microsoft products are in use, and imply that it's why the system is vulnerable.
If the system were running linux, and the voting interface ran as root, as did the admin socket listener app, and any other process on the machine, would people call the developer stupid, or call linux insecure?
... for Diebold's absolutely retarded system design and configuration. Come on people, if you are building a 'secure application', you do not place the interface and the voting data at the same user protection level. Hell, you probably don't want to place the voting data in the same physical location as the interface.
But really, this is somehow Microsoft's fault. I know it!!:)
bah, been doing it for years
on
Mechanical Pong
·
· Score: 1, Funny
I've been playing the physical version of pong for years. It's called ping pong. Or table tennis for all your pros out there.
Slashdot Mirror
You are right, it's annoying that neither windows, nor linux, unix, solaris or osx implemented a desktop search into their OS.
What pop-up are you talking about? IE6 SP2 only shows a small notification below the link bar of your current open window, which auto-hides after a few seconds.
Scanning through previous posts it looks like mine is a bit reduntant, although the links above are useful. I'm glad to see this is catching on.
Yeah! Firefox couldn't possibly have bugs it it. It's M$ fault!!11!1!eleven
Microsoft has billions of dollars *in cash* at any given time. And a staff of 50k that grows by the day. This is a massive company, but it's built to branch out to new arenas quickly.
we get stock when signing with the company, and have a very generous employee stock purchase program. it's good to be the king.
You have many insightful points on your post, but I figured I'd field this one:
How on Earth could a closed vendor compete with that? The answer: they can't.
oh, I don't know, possibly by providing a product that actually works, and increases productivity, versus an inferior copy-of-features, slightly usable program.
That is not to say OpenS software is inferior (plenty are amazing--linux,mozilla,openoffice,etc..), just commenting on your seeming blind adoption of it just because it's OpenS.
After developing in asp.net in visual studio, and jsp in eclipse, I couldn't imagine going back to the textpad days. What is available in terms of debuggers for php sites? Are we still depending on echo's?
Do you think they'll be busted? Given the linux communitie's tech saavy, probably not too many systems were affected, so there won't be a big impetus from law enforcement from getting involved. Still, given that the slashdot crowd is on the case, the person will probably be found and at the very least fined in some way.
You are right. And I hope I'm not the only one here to have pointed out that 99% (if not all) of the current viruses/malware/spyware in Windows are due to this same issue. Windows users have been trained to run as root (Administrator) at all times -- so if I write a batch file that starts at C:\ and deletes recursively -- bingo! I have a working malware. We're starting to see a bigger push to move away from this from MS and from the outside, lets hope it gets widely adopted.
Yes, there have been a handful of legitimate exploit viruses. Thankfully if you keep Auto-Update on, these will automatically be patched within days of discovery of the exploit (or even the same day). And no one is immune to this.
Some months ago OSX had a privilidge elevation exploit in their OS, which they patched quickly, thankfully. Funny thing is, if you read the patch description, it says 'improving the user interface'.
I wasn't aware you had to pay for Windows Update/Automatic Updates.
That's certainly a good point (pre 2000).
The good news is that now people are required to know Writing Secure Code, and (more recently) Threat Modelling by heart. I can tell you first hand those approaches have been adopted company wide. While Threat Modelling can be time consuming, I've personally found possible issues in code that we wouldn't have noticed without it. Plus we got other people outside our department looking at our code. All in all this is the best approach we could be taking. Microsoft is not sitting on it's ass about this issue.
Your first instinct would be wrong, at least when it comes to it being built by a separate team. The fact is, as hard to believe at it is, for the past year Microsoft has put in place for every product systematic development techniques that directly target the security of an application (Threat Modeling, Secure coding techniques). Furthermore, this kind of test is standard within Microsoft (feed random inputs to all possible input locations). And once all the coding is done, the source still has to pass inspection through a security group within Microsoft! You can read about this stuff at the secure windows initiative.
And this shift is working. The trend per-product is a significant reduction in security vulnerabilities. That is not to say there aren't any, that would be impossible, but if you look at the vulnerability graph for, say, Win2k Server since it's release, and win2k3 Server since it's release, there is a significant drop in the amount of vulnerabilities that are coming in since the release of the product. Furthermore, a large part of the vulnerabilities are found from within the company. The same thing can be said for most products, including IE, IIS, Office, etc... We're getting there....
Now, go off and run as LUA, and nip this stupid spyware problem in the bud.
It's very simple, really. Set up your users as a limited user account, instead of an Administrator on the machine. Problem solved. No need for Ad-aware, spybot, or any of those machines. The user will not be able to write to the registry (HKLM), or write to system directories. All of the most common spyware breaks when the user is running as a limited user.
All you need to do is create a policy for software installation. Probably only allow tech people to install, so their accounts would be administrator across the domain.
Yes she did. As I understand it from other sources, the problem is when you install google desktop, you are administrator. As such, you index the whole hard drive, since the administrator has permissions to it. Later, this index is available to all users, and the cache allows for unprotected vieweing of the contents of the files.
It would be just as easy to write a funny.exe that used the jabber interface to propagate itself.
Well, if you are running as root, well, the answer to your question is EVERY OS. Run your desktop as root, and it'd take me 5 minutes to write an executable that will hose your whole system.
The fact is, Windows has a solid, well implemented, priviledge system. The second fact is that they gave this up in favor of app compatiblity (crappy programs that expect to write to the windows directory just to run, versus to user directories) and ease of use. This is biting them in the ass, and they are working on getting people away from running as Administrators. Just not as heavy a push as I'd like.
I'm dissapointed that MS hasn't done a big enough push to get people accustomed to running as a limited user, versus running as Administrator all the time. This is the main reason why linux/OSX are more 'secure' -- programs like these would execute as user, not as root, given the OS's both discourage people from runnin their every day tasks as root. If the users who get this funny.exe were not running as Administrator, their system wouldn't get infected. The app may be able to propagate itself, but a quick log off/log on would kill the virus.
I personally find the video photo output of my still digicam useful. When I visit family, I plug in the camera to their TV, and off goes the slide show. Depending on the implementation, it would be pretty sweet. While carrying around a camera all day isn't too common, carrying around an iPod is. So it will open up for good sharing experiences.
New clustering search engine makes Slashdot front page, falls into obscurity shortly thereafter.
How to write an anti-MS manifesto a) critique features long since fixed/patched (blue screens, constant reboots, security vulnerabilities) b) attribute your inability to set up windows correctly to a fundamental flaw in Windows (i.e. - You can't bother to remove your user account from the Administrator group, but still whine when you get spyware) There are great reasons to use Linux over Windows. The anti-M$ crowd really needs to lay off the innacuracies or misrepresentations.
What don't you understand? Read the replies to this story. Plenty of them smirk at the fact that Microsoft products are in use, and imply that it's why the system is vulnerable.
If the system were running linux, and the voting interface ran as root, as did the admin socket listener app, and any other process on the machine, would people call the developer stupid, or call linux insecure?
... for Diebold's absolutely retarded system design and configuration. Come on people, if you are building a 'secure application', you do not place the interface and the voting data at the same user protection level. Hell, you probably don't want to place the voting data in the same physical location as the interface.
:)
But really, this is somehow Microsoft's fault. I know it!!
I've been playing the physical version of pong for years. It's called ping pong. Or table tennis for all your pros out there.