This argument is, at best, semantics -- the latest-and-greatest versions of software do not show up in OpenBSD.
A not insignificant degree of OBSD's security comes from the fact that it simply doesn't enable a ton of services out of box. RH used to run *tons* of daemons out of box in the 5.x and earlier days, so it was "less secure". By that metric, classic Mac OS (which *never* had a remote root exploit out-of-box) beats OBSD in terms of security.:-)
*You* have a cap of six months of unauthorized computer access. *We* get it potentially classified as a terrorist act, capped only at life imprisonment. Lovely justice system we have over here.
Where is your arguement? All you did is detail how Windows users save files. There is no argument there, since everyone already knew that.
Did you read the whole paragraph, or just the first line and decide that you didn't like it? "So we have many steps, including familiar steps that will tend to clue even a novice Windows user, rather than a single "OK"."
idiotically? MS? I think that should read "conveniently enough, this is enabled by default by most browsers."
Some other browsers do do this as well. Right now, though, I'm talking about Explorer. I'll cover them when I get to that. The ability to throw up dialogs is a significant part of what gets users used to simply clicking "OK" in any dialog that comes up in their web browser.
Please give me a couple URLs where I can see all these pop-up boxes that I have been missing.
Yesterday I was watching someone at a lecture at some site "Hacker666" or something along those lines...doesn't seem to be off of go.to or come.to...just tried to find it..., it was through one of the ".to" redirectors. Anyway, it used the right-mouse-button-pops-up-a-dialog script as well as popping up a new dialog each time the user went to a new frame. The user gets used to whacking enter each frame, you toss up an ActiveX control, he whacks enter and starts executing it.
JavaScript can't do that except in unpatched browsers. MS did not "set it up" that way. Lying like that is irresponsible in the extreme of you.
Sorry -- you're right about that. I was still thinking of Javascripts because of what I was talking about earlier. I should have written "web page".
No, they should blame Microsoft. Like that article posted earlier about Slammer, the idea of blaming the victim for the crime is a little skewed. Microsoft needs to engineer better products.
Very true -- the whole "user is the guilty one" approach is a pretty disgusting spin from PR people. However, I'd point out that MS is not the only company that tries to pull this.
If you are selling shoddy software, you may not be legally liable (if your EULA disclaims responsibility for damages, say), but you are *not* an innocent babe when it comes to bad things happening. Customers should avoid companies that try to pawn blame off on their customers for their product's flaws.
Even if they copy everything off of your hard drive and send it to their own servers, according to most Slashdotters, that is only copyright infringement (not theft), provided they don't delete anything.
Then those Slashdotters would be wrong. Federal law prohibits unauthorized access to a computer.
Granted, you could argue that running IE and not installing the tons of patches MS has slapped over many of its plethora of holes is "granting authorization" to the remote site, but I don't think a judge's sense of irony would go that far.:-)
It's not much different than if someone downloads a file to the desktop and decides to double-click on it.
I'd argue that it is. First they have to see a (familiar) file-dialog box pop up. They aren't just hitting "OK" in a box -- they know that they are saving a file somewhere. Even novice users are generally pretty familiar with the file open/save dialog boxes. Second, they have to navigate to their desktop. to save the file. Then they have to click "save", switch to Explorer, and then double-click the icon. Again, double-clicking is a fairly familiar action, and people are aware that yes, they are openin something. So we have many steps, including familiar steps that will tend to clue even a novice Windows user, rather than a single "OK".
Ultimately, the user should read any warning message that pops up, whether it's from IE, your anti-virus software, or from your OS.
Windows users are *innundated* by dialog boxes. Every time they delete a file. A whole slew of them when they install software. Four hours ago, my roommate was using a TV-viewing program that brough up a message box telling him that he'd "enabled option foo" each time he clicked a checkbox in the prefs dialog.
In addition, Javascript can bring up message boxes (idiotically enough, this is enabled by default by MS). So most users (*especially* Internet Explorer users) run into a ton of message boxes while browsing. Yes, perhaps they should go through each dialog box and examine it, but that's very time-consuming. If you read through Apple's Human Interface Guidelines, you'll notice that the *vast* majority of rules for menus and modal dialogs are designed around one single goal -- letting the user *not* have to examine each dialog box once they're familiar with it or boxes in similar software. The point is that Windows users are sick and tired of dialog boxes, and *do not read them* in detail. And they shouldn't *have* to be screwed over if they skim or misread a box when simply web browsing. A Javascript should not be able to take malicious, destructive action just because someone clicked "OK" in one of a series of dialogs that a Javascript popped up. To set up IE to operate this was was irresponsible in the extreme by Microsoft.
Even aside from that, why the hell does IE do installations directly from a web page? That's beyond idiotic.
Let's see, we have the technically illiterate on one hand. These people fall prey *far* more to malicious remote-install links than they are benefitted by deliberately remote-installing software. Not benefit to IE's behavior there.
Then we have the technically ept, who are quite able to download, save, and run an installer if they really want to run it. No benefit to IE's behavior there.
Frankly, IE's behavior takes a position of extreme trust of the remote end, which is just plain *stupid* in today's world.
At the least, they might want to provide a bare bones web browser only version of IE that renders pages and does standard javascript.
For helpfile browsing, embedded html (emails, within programs, etc.) Sounds like a good idea from a technical standpoint, but it would break the "monolithic IE" model that served them so well during the antitrust trials -- I doubt it would be done.
It's pretty easy to use Moz or Opera, which never started going down the security-hostile path of automated installation from *web pages*. And bookmarking. And so forth.
If you're using IE, you're running a piece of software *on your machine* which is advertising and providing the ability for a web page to basically screw your system up. If precisely this happens...well, you should have tried another browser.:-)
(If you don't like the Moz suite approach, try Phoenix)
Oh, come on. Why not try to get a job doing IT work at the largest data haven in the world?:-) It doesn't fall under Brit law, though of course you couldn't live on the mainland if you wanted to stay outside of it...
No other nation in the Western Hemisphere has "America" in its name.
But, of course, there are other countries on said continent. And "European" doesn't refer to, say, a citizen of a member nation of the EU -- it refers to any resident of Europe. "African" doesn't refer to a resident of South Africa.
Frankly, I've always felt that using the phrase "US citizen" instead of "American" would be more accurate. The only problem is that it's too long -- "USian" solves that, however. I think I'll start using "USian".
Don't be so bothered about gcc3.2. It frickin BITES. If you are using XFS you are f*cked - it is incapable of compiling any kernel with XFS support. No doubt there are other things wrong with it beyond this one.
Or, rather, XFS bites because it fails to pass the stricter checking of gcc 3.2.
As a company, you have to be pretty frigging dumb to sell something that can cause serious injury on contact with human skin, and have it be meant for immediate ingestion.
Simple reason -- many, if not *most* of the people that get coffee at McDonald's at the drive-through (as she did) purchase a coffee that they will drink at work when they get in.
You can always ask for it to have some cool water added.
I mean, it comes down to the fact that anyone should be expected to deal with hot beverages. I make hot cocoa that's too hot to drink frequently, and let it cool for a bit first. Soup -- same thing. Letting things that are too hot for you cool is simply something that anyone older than a very young child should be able to handle.
Please realize, people making outraged responses to SF, that he *is* one of Slashdot's more prolific trolls. Don't respond. Just give him a "foe" marking and move along.
Sure, perhaps he went overboard, but I don't think that he would be out of line in leaving negative feedback, either. Not really harsh feedback, but let's look at it from the user's point of view. You set up an auction and had to cancel it. All they care about is whether they have to deal with cancelled auctions, not the reasons -- and so, from a user's point of view, the seller should ensure that they really have the quantity that they're selling.
That's just the way it is. Yes, perhaps buyers need to realize that sellers are "just people, not businesses", but in return, people looking at feedback need to realize that the people leaving it are also "just people". You cannot expect an absolutely perfect record if you sell a ton of items on eBay -- someone *will* feel like they got a bad bargain. Happens with retail stores too, and people don't expect to see an absolutely perfect record from people they buy from.
I bloody hope no-one is specifically blocking this port. That's not how firewalls are supposed to be used. First you block everything then only open the specific ports you need. In most cases, these are 80 and 22 and maybe 25.
Don't take it personally, but I sure am glad you aren't my IT admin. I'd get pissed in no time.
A $10,000,000 machine dedicated to breaking into a single encrypted communication for a full year will be able to break it! This makes encryption completely worthless!
That should read "...for a full year *might* be able to break it", assuming he's right. Hasn't actually been done yet.
The output is quite *large*. I saw a full dependency graph of the (smaller) set of RH packages once, and that isn't as many packages by a long shot. Ick.
There was some program (forget the name, and isn't free) that lets you examine large graphs, hundreds of thousands of nodes, and get useful information from them...you can view all nodes/edges N hopes away from a given node, and things like that.
You're certainly right that it's hard to change, but I don't even think we need to go that far. It's hard to *make* a system like this. Nature used brute force, a massive computer, and bazillions of years to do it, and didn't get to specify much about what came out the other end.
This guy obviously knows nothing about biology. A single base change in DNA can result in mutations that cause death or spontaneous abortion. As little as a change in a single 'character' can be lethal. That's a pretty "small change" that results in a pretty big "crash."
I think most of the data in DNA requires multiple base pair changes to have a major impact -- I'm not a biologist, though. Otherwise, radiation from the Sun would mutate the bejeezus out of everyone all the time.
Seriously, has there ever been a need to write a program of 10 million lines?
Exactly. I don't care how many lines of code there are in the kernel or glibc or glib or gtk or Xlib or SDL -- I happily use them without worrying about them. If you sum all of them up, you can probably get some insane LOC count...but it's modularized.
I meant that it was not "only copyright infringement". Which is why I commented about "unauthorized access".
Too bad the Open Source community has no equivalent...
not secure by limiting or removing functionality
:-)
This argument is, at best, semantics -- the latest-and-greatest versions of software do not show up in OpenBSD.
A not insignificant degree of OBSD's security comes from the fact that it simply doesn't enable a ton of services out of box. RH used to run *tons* of daemons out of box in the 5.x and earlier days, so it was "less secure". By that metric, classic Mac OS (which *never* had a remote root exploit out-of-box) beats OBSD in terms of security.
*You* have a cap of six months of unauthorized computer access. *We* get it potentially classified as a terrorist act, capped only at life imprisonment. Lovely justice system we have over here.
Where is your arguement? All you did is detail how Windows users save files. There is no argument there, since everyone already knew that.
Did you read the whole paragraph, or just the first line and decide that you didn't like it? "So we have many steps, including familiar steps that will tend to clue even a novice Windows user, rather than a single "OK"."
idiotically? MS? I think that should read "conveniently enough, this is enabled by default by most browsers."
Some other browsers do do this as well. Right now, though, I'm talking about Explorer. I'll cover them when I get to that. The ability to throw up dialogs is a significant part of what gets users used to simply clicking "OK" in any dialog that comes up in their web browser.
Please give me a couple URLs where I can see all these pop-up boxes that I have been missing.
Yesterday I was watching someone at a lecture at some site "Hacker666" or something along those lines...doesn't seem to be off of go.to or come.to...just tried to find it..., it was through one of the ".to" redirectors. Anyway, it used the right-mouse-button-pops-up-a-dialog script as well as popping up a new dialog each time the user went to a new frame. The user gets used to whacking enter each frame, you toss up an ActiveX control, he whacks enter and starts executing it.
JavaScript can't do that except in unpatched browsers. MS did not "set it up" that way. Lying like that is irresponsible in the extreme of you.
Sorry -- you're right about that. I was still thinking of Javascripts because of what I was talking about earlier. I should have written "web page".
No, they should blame Microsoft. Like that article posted earlier about Slammer, the idea of blaming the victim for the crime is a little skewed. Microsoft needs to engineer better products.
Very true -- the whole "user is the guilty one" approach is a pretty disgusting spin from PR people. However, I'd point out that MS is not the only company that tries to pull this.
If you are selling shoddy software, you may not be legally liable (if your EULA disclaims responsibility for damages, say), but you are *not* an innocent babe when it comes to bad things happening. Customers should avoid companies that try to pawn blame off on their customers for their product's flaws.
Even if they copy everything off of your hard drive and send it to their own servers, according to most Slashdotters, that is only copyright infringement (not theft), provided they don't delete anything.
:-)
Then those Slashdotters would be wrong. Federal law prohibits unauthorized access to a computer.
Granted, you could argue that running IE and not installing the tons of patches MS has slapped over many of its plethora of holes is "granting authorization" to the remote site, but I don't think a judge's sense of irony would go that far.
It's not much different than if someone downloads a file to the desktop and decides to double-click on it.
I'd argue that it is. First they have to see a (familiar) file-dialog box pop up. They aren't just hitting "OK" in a box -- they know that they are saving a file somewhere. Even novice users are generally pretty familiar with the file open/save dialog boxes. Second, they have to navigate to their desktop. to save the file. Then they have to click "save", switch to Explorer, and then double-click the icon. Again, double-clicking is a fairly familiar action, and people are aware that yes, they are openin something. So we have many steps, including familiar steps that will tend to clue even a novice Windows user, rather than a single "OK".
Ultimately, the user should read any warning message that pops up, whether it's from IE, your anti-virus software, or from your OS.
Windows users are *innundated* by dialog boxes. Every time they delete a file. A whole slew of them when they install software. Four hours ago, my roommate was using a TV-viewing program that brough up a message box telling him that he'd "enabled option foo" each time he clicked a checkbox in the prefs dialog.
In addition, Javascript can bring up message boxes (idiotically enough, this is enabled by default by MS). So most users (*especially* Internet Explorer users) run into a ton of message boxes while browsing. Yes, perhaps they should go through each dialog box and examine it, but that's very time-consuming. If you read through Apple's Human Interface Guidelines, you'll notice that the *vast* majority of rules for menus and modal dialogs are designed around one single goal -- letting the user *not* have to examine each dialog box once they're familiar with it or boxes in similar software. The point is that Windows users are sick and tired of dialog boxes, and *do not read them* in detail. And they shouldn't *have* to be screwed over if they skim or misread a box when simply web browsing. A Javascript should not be able to take malicious, destructive action just because someone clicked "OK" in one of a series of dialogs that a Javascript popped up. To set up IE to operate this was was irresponsible in the extreme by Microsoft.
You certainly are quick to know about the "uninstallation" directions. You got nailed by it, didn't you?
Even aside from that, why the hell does IE do installations directly from a web page? That's beyond idiotic.
Let's see, we have the technically illiterate on one hand. These people fall prey *far* more to malicious remote-install links than they are benefitted by deliberately remote-installing software. Not benefit to IE's behavior there.
Then we have the technically ept, who are quite able to download, save, and run an installer if they really want to run it. No benefit to IE's behavior there.
Frankly, IE's behavior takes a position of extreme trust of the remote end, which is just plain *stupid* in today's world.
At the least, they might want to provide a bare bones web browser only version of IE that renders pages and does standard javascript.
For helpfile browsing, embedded html (emails, within programs, etc.) Sounds like a good idea from a technical standpoint, but it would break the "monolithic IE" model that served them so well during the antitrust trials -- I doubt it would be done.
It's pretty easy to use Moz or Opera, which never started going down the security-hostile path of automated installation from *web pages*. And bookmarking. And so forth.
:-)
If you're using IE, you're running a piece of software *on your machine* which is advertising and providing the ability for a web page to basically screw your system up. If precisely this happens...well, you should have tried another browser.
(If you don't like the Moz suite approach, try Phoenix)
I guess it's time to look at NZ.
:-) It doesn't fall under Brit law, though of course you couldn't live on the mainland if you wanted to stay outside of it...
Oh, come on. Why not try to get a job doing IT work at the largest data haven in the world?
No other nation in the Western Hemisphere has "America" in its name.
But, of course, there are other countries on said continent. And "European" doesn't refer to, say, a citizen of a member nation of the EU -- it refers to any resident of Europe. "African" doesn't refer to a resident of South Africa.
Frankly, I've always felt that using the phrase "US citizen" instead of "American" would be more accurate. The only problem is that it's too long -- "USian" solves that, however. I think I'll start using "USian".
Don't be so bothered about gcc3.2. It frickin BITES. If you are using XFS you are f*cked - it is incapable of compiling any kernel with XFS support. No doubt there are other things wrong with it beyond this one.
Or, rather, XFS bites because it fails to pass the stricter checking of gcc 3.2.
All a matter of perspective.
As a company, you have to be pretty frigging dumb to sell something that can cause serious injury on contact with human skin, and have it be meant for immediate ingestion.
Simple reason -- many, if not *most* of the people that get coffee at McDonald's at the drive-through (as she did) purchase a coffee that they will drink at work when they get in.
You can always ask for it to have some cool water added.
I mean, it comes down to the fact that anyone should be expected to deal with hot beverages. I make hot cocoa that's too hot to drink frequently, and let it cool for a bit first. Soup -- same thing. Letting things that are too hot for you cool is simply something that anyone older than a very young child should be able to handle.
Please realize, people making outraged responses to SF, that he *is* one of Slashdot's more prolific trolls. Don't respond. Just give him a "foe" marking and move along.
Sure, perhaps he went overboard, but I don't think that he would be out of line in leaving negative feedback, either. Not really harsh feedback, but let's look at it from the user's point of view. You set up an auction and had to cancel it. All they care about is whether they have to deal with cancelled auctions, not the reasons -- and so, from a user's point of view, the seller should ensure that they really have the quantity that they're selling.
That's just the way it is. Yes, perhaps buyers need to realize that sellers are "just people, not businesses", but in return, people looking at feedback need to realize that the people leaving it are also "just people". You cannot expect an absolutely perfect record if you sell a ton of items on eBay -- someone *will* feel like they got a bad bargain. Happens with retail stores too, and people don't expect to see an absolutely perfect record from people they buy from.
I bloody hope no-one is specifically blocking this port. That's not how firewalls are supposed to be used. First you block everything then only open the specific ports you need. In most cases, these are 80 and 22 and maybe 25.
Don't take it personally, but I sure am glad you aren't my IT admin. I'd get pissed in no time.
And what more useful place to post this than Slashdot, already full of libertarian types that aren't interested in a war for oil *anyway*?
How about printing out pamphlets, handing them out, and actually having some impact?
A $10,000,000 machine dedicated to breaking into a single encrypted communication for a full year will be able to break it! This makes encryption completely worthless!
That should read "...for a full year *might* be able to break it", assuming he's right. Hasn't actually been done yet.
In Soviet Russia, encryption breaks *people*.
the output is quite fascinating.
The output is quite *large*. I saw a full dependency graph of the (smaller) set of RH packages once, and that isn't as many packages by a long shot. Ick.
There was some program (forget the name, and isn't free) that lets you examine large graphs, hundreds of thousands of nodes, and get useful information from them...you can view all nodes/edges N hopes away from a given node, and things like that.
I don't think there's a free equivalent, though.
You're certainly right that it's hard to change, but I don't even think we need to go that far. It's hard to *make* a system like this. Nature used brute force, a massive computer, and bazillions of years to do it, and didn't get to specify much about what came out the other end.
This guy obviously knows nothing about biology. A single base change in DNA can result in mutations that cause death or spontaneous abortion. As little as a change in a single 'character' can be lethal. That's a pretty "small change" that results in a pretty big "crash."
I think most of the data in DNA requires multiple base pair changes to have a major impact -- I'm not a biologist, though. Otherwise, radiation from the Sun would mutate the bejeezus out of everyone all the time.
Seriously, has there ever been a need to write a program of 10 million lines?
Exactly. I don't care how many lines of code there are in the kernel or glibc or glib or gtk or Xlib or SDL -- I happily use them without worrying about them. If you sum all of them up, you can probably get some insane LOC count...but it's modularized.