1. You assume (thinly) that the best (in any field) will work for microsoft.
Pretty hard to quantify the "best" person in cryptography, but you could probably get a list of the fifty or so best-known players. I suspect that most of them would be more than happy to work with Microsoft. My own experiences say that even folks that generally dislike MS practices aren't willing to throw away a good contract to work with them. It's only the most extreme fanatics -- RMS might be willing to do so, for instance, but he's definitely the exception to the rule, and a radical.
2. You assume that "Microsoft" listens to the "best" and does whatever they recommend, regardless of the consequences.
*Snort*. This is true of any company. Plenty of good engineering advice gets ignored. Same thing happens on open-source projects, for political or NIH or what-have-you reasons.
3. You assume that MS will take suggestions from edus when the edu finds something of note in the MS source.
Depends on how significant it is. If it's "we can break the VPN you're billing as secure badly and trivially," then yes, MS will act. May take some PR exposure, but they'll do it.
Two of the mentioned OSS projects so far have not taken action, it's also interesting to note.
Make your home visit and install remote management software. It'll be a significant savings in the long run, regardless of whether it's relevant this time or not.
Parent post is a bit trollish, but it isn't too bad, so what the hell.
You do realize that there's a good reason well-known-cryptographers don't fuck around implementing what they write? It's because their analysis work is far more valuable (and more highly paid) than implementing said code is.
Gutmann did a lot of useful work for several OSS projects in his post. He's vaguely pissed because nobody responded to any of his analyses. Bashing him for making the same effective use of his time that an employer would is ridiculous.
This is open source, figure out where to submit your patches or else you are nothing but an armchair security expert.
Absolutely absurd. I can't believe you wrote this. People who are good at writing code donate code to free software projects. People who are good artists donate art to free software projects. Yet, somehow, when a noted cryptographer does a (somewhat acerbic) security analysis of *three* open source packages and lists fixes, somehow you feel that he hasn't contributed anything.
Incidentally, I'm curious if you're aware exactly how much it would cost in consulting fees to get someone like him to sit down and review a given product. This guy contributed a lot more in terms of intellectual value to those three projects than the forty-five people that sat down and wrote five-line patches to remove gcc warnings (not that their work isn't appreciated, but still).
I'm curious if anyone knows of good Gamespot alternatives -- preferably a site with a chronologically-orderable list of past reviews. I've been wanting to move away from Gamespot ever since their ads started getting out of hand, but haven't found a decent alternative yet.
I'm starting to get tired of having to buy all new hardware every few months.
So don't.
The good games that were produced a couple of years ago haven't lost any of their goodness. If you want to sit on the bleeding edge and deal with expensive hardware, issues with new systems coming out, and constantly upgrade, and "beta test" all new games coming out. The only reason to sit right on the edge is because marketing is forcing you ("August 28th, the world will fear...Warcraft IV!") to do so. Just ignore it.
It's better to view the PC market as a system where the current set of games is a beta test for what you *will* be playing in a year or so, at the earliest. That way, all the bugs (savegame corruption, random crashes, getting stuck) are ironed out, frequently expansions get bundled with the main game for free, there are good strategy resources out, the hardware is cheaper, and you don't spend all your time on the bleeding edge. It's called "bleeding" for a reason.
Taking this to a probably more extreme extent than most would be willing, I just played Star Control 2 (via Ur-Quan Masters) and Majesty on Linux for the first time in the last month. Both tons of fun, and for both my PIII is a ridiculous powerhouse.
You can play Half Life (great fun) and the expansions very smoothly on systems that people are throwing in the trash.
It's just a difference between the PC and the console market. The console approach has everyone buy hardware, and then sit there for a couple years while the hardware stagnates. The PC approach is to make games with scalable effects, let people buy hardware when they want -- but make the games available overly early. Only the most fanatical of must-have-it-before-everyone-else gamers should purchase games at release date. Everyone else should just walk the path that they blaze.
The Mac world is now many, many times larger than the Windows market was when it was already flooded with new viruses. It still hasn't seen the inrush that people have claimed would happen as it got larger.
Unix machines host many more servers than Windows machines, but there hasn't been a Code Red or Nimda for Unix. There are worms that exist -- but they are far more limited in scope.
It's not the OS itself -- that's true. It's also care being taken WRT application software. While the userbase plays some role as well, all three elements -- OS, apps, and users -- tend to be more aware of security in the Unix world.
Because most of the people pushing for legal changes to reduce "cybercrime" have little or no interest in actually reducing cybercrime. They have their own aims, and fear of cybercrime makes a nice vehicle to put their own issues through.
Regardless of whether Schwartz said so or not, the point is that Symantec has lots of people who aren't idiots. It's unlikely that the company will follow the path that Schwartz has been claimed to have been pushing.
tools that could help virus writers? like, what? c++? visual basic? or, more realistically, nessus?
Pretty much what I thought. There isn't a lot that you can really ban that would stop a virus writer without negatively affecting regular ol' developers, much less people who work in the security field.
Frankly, I find all this silly. Most people that are handing around information on how to produce viruses will also hand around copyrighted software as well. That's illegal, but it really doesn't seem to stop them.
The right solution is to harden hosts against viruses and worms. Outlook is a huge vector, because it has traditionally made embedding active content and executing attachments very easy. Outlook should go away. The macro system in Word is inappropriate for a format frequently used for general document distribution. Permissions should be tightened up -- there's a reason the UNIX world doesn't run into viruses.
I can't see why you'd care whether a vendor is "cheating" or not. Let's say that you're a Tribes 2 fan. You run out and look at Tribes 2 benchmarks in reviews. The reviewer says something about image quality, and includes bits of screenshots (I vaguely remember this happening with the Riva128 and G200 the last time I purchased a 3d card for gaming). End of story.
Now, there are a couple of possibilities. First, both you and the reviewer can't see the image quality degradation that's taking place, and you do notice the speed increase. That's not cheating! The card vendor has just figured out a way to provide you with more resources that you care about at the cost of something that you don't even notice. We do this all the time with lossy compression in JPEG and MP3 -- you don't care about 90% of the data, but you do care about the size savings. People didn't care when lossy texture compression became the standard on video cards because the only thing that lossless compression gives them is a psychological "this is a flawless image".
Another possibility is that the reviewer or you notice image quality degradation. If this is the case, the card gets a lower image quality score. Big deal!
Finally, you may be worried about game-specific tweaking in that the game won't provide a representative sample of how the card will do on other games. This is *always* the case! Cards could perform quite differently on any set of games just due to the fact that designs differ, and different things form a bottleneck on different cards in different games.
Just let some reviewer sit down and try the stupid card out, and if they're enjoying the card...hey, who cares what hacks are included in the driver?
Obviously, you have your own ideas about what's best for your kids, and there also obviously is no One Right Answer That Everyone Must Subscribe To. However, I really don't think that having kids exposed to guns or nudity or whatnot makes them killers or rapists.
Kids have played with tin soldiers, played cowboys and Indians, cops and robbers, and games in the same vein forever. The fact that the current game involving shooting happens to be a video game simply doesn't justify it. The kid playing the robber in cops and robbers didn't run out and blast a couple of police officers with a real revolver.
The problem here isn't that people are exposed to violence. It's that they aren't making a good, informed decision about real life. I'd rather that they have already thought about the fact that guns kill people, and it's a pretty bad idea to run around shooting vehicles. Frankly, I think that shielding people from something is a poor way to help them deal with it. People *are* going to run into violence at some point in life, and I'd rather sit down, talk about it, explain my feelings, and encourage a kid to do what I think is best than to try to hide what I disagree with from him.
Remember Freud? He had some really good insights about the hyper-repressive Victorian society of his time. Sexual repression can cause a bunch of personality problems. I'm not a fan of "hiding" things or "covering them up". If people are getting shot, talk about it.
The most common argument I've heard against a sensible conversation is that "Junior isn't old enough." That's ridiculous. Pure age has very little impact on the way you think -- maybe some hormonal changes, but that's about it. The difference between a ten year old and a twenty year old is experience. The only way to get experience is to come into contact with things, and I'd strongly prefer that Junior hear from me what I consider reasonable early on.
That doesn't mean you should *try* to shove things down someone's throat. It just means not actively trying to hide them. If Junior wants to jerk off to nudie magazines, fine. If he sees people getting killed on TV, fine. Just be sure that you also provide some guidance.
The Second Most Impressive Slashdot Troll Ever (on "Slashdot Google Bombers?") · Score: 5, Insightful
All right, we should all clap and move on. This may be the single most impressive Slashdot Troll Story I've ever seen (the first, of course, being the hilarious take on the goat.cx link).
You successfully managed to get a story posted that:
* has nothing to do with nerds
* Is a meta-joke (the fact that you have a story up at all means that there is no question)
* contains obvious and highly visible links to a crappy personal webpage of pictures
* contains a direct plea to Slashdot to assist in spamming.
* was posted from an account that wasn't built up at all with legitimate postings, but had been used for just trolling.
So, I say we should clap momentarily and move on. I suspect that many trolls have tried over the years, but pulling the wool so completely over editors' eyes cannot possibly be easy.
I used Mavis, and I have to say that it's an okay way to learn. There are, however, many non-Wintel alternatives.
To the original poster -- I also code, and I have to say that it took a good long stint with Mavis and then forcing myself to touch type while programming through a coding class or two (it takes a while to learn to type "again", since the keys you hit when coding in most languages are rarely pressed when typing ordinary English). If you can simply force yourself to touch type, and damn the short term cost in time and how frustrating it seems at first, you will get phenomenal payoffs. There isn't really a shortcut there. You have to make yourself do things the hard way for a bit -- it's the same thing as dieting, but once you can touch type, you're done forever.
The Unix chroot kludge doesn't really translate to NT, but there are NT kludges for making sandboxes, usually involving ACLs.
I've never seen or heard of a NT sandbox.
Fortunately not. setuid is the door to so many Unix exploits it isn't even funny. For NT, you would use services to do this.
Setuid improperly used, sure. To say that suid is flawed is ridiculous, though. It's an interface for giving privilege escalation with an application-defined interface. You cannot say that something that basic is flawed. You *can* run something under NT as a service. It's a small, limited subset of exactly what can be done with suid/sgid. It gives zero security benefits over suid/sgid, and doesn't work for apps that can't run as a service.
The fact is, you can make windows as secure as any other OS out there, as long as you know what you're doing.
Can you?
Can an NT administrator, using user level tools, perform the equivalent of a chroot jail? Can he make specific apps suid or sgid?
While Windows technically does not imply use of other Microsoft products, it does tend to be correlated with it. Outlook has had numerous poor security decisions that a mail admin simply cannot fix. IIS has also had poor architectural decisions. Remember MS swearing that they'd rewrite the thing from the ground up for the next release? The design of IE -- permeating the entire OS, providing many services to applications, and with no internal security model in place -- makes for all kinds of nasty problems. It's a great way for spyware to slip past personal firewalls, it's used in places like Outlook where a full-blown HTML renderer with the huge variety of features it has is a pretty bad idea from a security standpoint, and it provides a high degree of control to remote websites over the local computer -- much higher than Mozilla.
The MS Blaster issue wasn't actually all that egregious, AFAIK. It's not like UNIX systems haven't had RPC flaws in the past, either. The real problem was the number of unmaintained machines that were vulnerable. I'd call something like Melissa, that relies on phenomenally stupid security decisions from Microsoft ("let's have automatic execution environments in our documents, which are intended for wide interchange!") much worse.
I use sawfish, and consider it the best (for my uses) of the window managers out there.
Metacity was designed for an entirely different set of reasons. Sun's usability testing discovered that Joe Blow users don't like being given tons of options to worry about. Metacity is dead simple. Fortunately, GNOME isn't tied to any one window manager, and you can use whatever you like.
He deserves our thanks, not scorn.
It's not a run-on sentence. It's grammatically correct, though it is quite long. Take a look at Webster's Run-on Reference.
So...what exactly is wrong with this?
Aside from that, folks occasionally actually use apps other than web browsers.
I don't think it matters too much;
Well...I'd want the default subnet mask to be correct, so barring other concerns, I'd choose the IP range that has the subnet mask correct.
You could try cutting away part of the case and using a larger computer case-style fan -- slower revolutions, quieter sound.
There's supposed to be an accent on the "e", you uncultured cur.
An OS programmer compared to a low-level IT worker? You must be joking.
This is a really, really interesting thought.
It *is* a better deal for Germany to do this.
Uh, huh. You wouldn't happen to be reading this on a power-guzzling P4 with the A/C running, would you?