Slashdot Mirror


User: Captain+McCrank

Captain+McCrank's activity in the archive.

Stories: 0
Comments: 62

Comments · 62

  1. Re:Length==1 on WMF Vulnerability is an Intentional Backdoor? · · Score: 1
    Steve Gibson has a record of being confused! Here's the obligatory http://grcsucks.com/ link! Shields up everybody!

    If I remember correctly, Steve was briefly famous for claiming the sky was falling based on some changes to how Windows XP was being architected to handle sockets. The hacker community came back around and roasted this guy. He's an 'interesting' fellow. Thanks for the security community flashback, Slashdot! It's been a long time since I thought about happyhacker, antionline, grc and the like. :)

  2. Disingenuous Discussion on The Annual US-CERT FUD Festival · · Score: 1
    This is absurd.

    If you don't tend to your garden, your vegetables may perish.

    If you don't take care of your herd, your cattle might fall ill.

    If you don't properly manage your systems, regardless of OS, your boxes might get compromised.

  3. Anticipating a dupe on Sober Attack on 87th Anniversary of the Nazi Party · · Score: -1, Offtopic

    I'm not sure what will happen as a consequence, but when this story gets re-posted, it's sure to have the same sentence in the description, like, 4 times.

  4. Re:The code wasn't changed on Hyperthreading Hurts Server Performance? · · Score: 1
    So MS had to make a choise:

    Knock it off you knuckle head! *bops curly on head*

  5. Re:suggestion! on Internet Power Struggle Reaching Climax · · Score: 1
    I doubt any of my fellow Americans can be inspired to choose an addressing scheme that requires us to enter in 1080:0:0:0:8:800:200C:417A instead of 10.0.0.1. When forced to contemplate the marathon keystroking necessary to apply IPv6 on our home networks, I'm certain that 100% of slashdotters pull long and hard drags from their inhalers. This Pavlovian response would pale in comparison to the mind-numbing volume of addresses to be changed on corporate networks, datacenters and the Internet.

    Any addressing scheme that requires two hands to configure will ensure global productivity takes a hit. America, reject IPv6! Think of the children! It's the devil's plot to give babies carpal tunnel!

    And :p on those moaning about DNS. :p

  6. Re:Huh? on Microsoft Testing Rival to Google's Start Page · · Score: 1
    Alrighty- Clarification:)

    Four months ago when I last tried Start.com/2, the opml import wasn't working. But I'm not busting anyone's chops over an incubation project. *grin*

  7. Re:oooops on Microsoft Testing Rival to Google's Start Page · · Score: 1

    It's called OPML. Look into it. I thought it was busted on start.com, but it looks like you found something where it works :)

  8. Re:Research on Microsoft Testing Rival to Google's Start Page · · Score: 1
    Try start.com/1

    or /2 or /3 for that matter.

  9. Re:Huh? on Microsoft Testing Rival to Google's Start Page · · Score: 1

    Time is a limited resource. The nature of the problem isn't difficulty, it's availability. My understanding is the start.com site is actually a bit of a hobby project developed primarily by only 2 devs. It is supposed to be somewhat of an RSS reader... It'd be great if it properly imported OPML files, but the guys working on it are maxed out I think...

  10. Re:It's missing Active Directory Integration... :^ on Migrating IE Web Apps to Mozilla · · Score: 1
    No, please re-read my original post. You are talking about authentication at the server side. I'm talking about client side authentication that doesn't require additional code. Relax a little and go re-read. I'm telling you, what I've described is currently not possible without using I.E- and not only that, it's a compelling reason to use I.E. only solutions for large, medium and even small (10-100 employees) sized businesses.

    You can hack out some php code to integrate Active Directory, but if the company has more than one custom application, you're wasting their money re-writing authentication & authorization code that also may be insecure. Oh, and by the way, this code-based AD integration is not what I am talking about in the parent post when I'm referencing windows authentication. What you're referring to falls under forms authentication.

    Your world:

    1) Write code that queries against Active Directory

    2) Write cleaning code that looks at form fields for malicious input

    3) Write AD Authorization handling code

    4) Compile and Implement

    5) User must type in a username and password in a form

    6) Server deals with overhead for passing data back and forth against AD (note this is more expensive than my solution- you'll see why in a second)

    My world:

    1) Write web application that uses one line of code to reference Windows Authentication

    2) Set acls on the web application directory giving users permissions to the app through the OS

    3) Compile and Implement (note! No complicated code here for dealing with malicious data- no authorization code either!)

    4) User visits website and begins using it immediately. HE DOES NOT HAVE TO ENTER USERNAME OR PASSWORD (assuming they have perms to the directory). I.E. Internet Explorer Passes Active Directory Data from the O.S. to the server only for authentication (A Kerberos ticket! NO EXPENSIVE AD QUERYING!)

    Does that help? Do you understand the distinction here?

  11. It's missing Active Directory Integration... :^/ on Migrating IE Web Apps to Mozilla · · Score: 2, Interesting
    This article provides great information on presentation and rendering issues, but it leaves out any reference to the strongest reason to create Internet Explorer only Intranet Webapps: Windows Authentication.

    For those that don't know- you can develop web ASP.net applications that leverage 3 types of authentication- Forms, Windows and Passport. Forms and Passport will work for all browsers. Passport authentication costs a lotta $$$ so you only see it on MS sites and large commerce sites like Expedia. Forms is the simple authentication that every browser will render- it requires you to write custom code to handle authentication. This means your code needs to do work like checking a password file, looking into a database, etc. You'll also need to write code that meets your company's security policies. It adds a lot of time and expense to application development. Windows authentication uses your Active Directory session- none of the custom code in forms authentication is necessary. You just set the acls on the directory of the app, and as long as the user is logged into the domain and their group has access permissions, the domain handles authentication and authorization issues. No worrying about password complexity algorithms, password aging or user account management. You save cash and you ensure that security requirements are applied consistently.

    Single sign-on (in this instance, windows authentication asp.net apps) solves a significant number of organizational security problems. Reducing inconsistency in password complexity, password aging, access management, etc, should be a primary goal in business web applications. This is an instance where IE only solutions are better than Netscape, Mozilla & Firefox apps. This article is missing the only reference that is really necessary- how can I offload my security concerns into a single clearinghouse with Firefox/Netscape/Mozilla. If someone does a samba like project to figure out how to kludge in Windows Authentication into the other browsers, then this article will be complete.

    I'm sticking with I.E. only solutions for Intranet business applications because it contributes to centralized security.

  12. Re:Bruce Schneier. The anti solution. on MS to Trade Passwords for 2-Factor Authentication · · Score: 1

    If you want the best business, hire the realist, not the obstructionist.

  13. Nonsense on IE7 Announced for Longhorn and WinXP · · Score: 1
    Let's try this again!!!

    Xbox live is a .Net application: http://channel9.msdn.com/ShowPost.aspx?PostID=17020

  14. Nonsense on IE7 Announced for Longhorn and WinXP · · Score: 1

    Xbox Live is a .net application. http://channel9.msdn.com/ShowPost.aspx?PostID=17020#17020

  15. logical on Oregon's Governor Backs Open Source Development · · Score: 2, Interesting
    The unemployment rate among IT'ers in portland is so high that clearly, the only development that goes on is unpaid.

    Way to go out on a limb there, Oregon. This should jumpstart your economy

  16. Shocking that no one on slashdot has heard of XAML on Are Extensible Programming Languages Coming? · · Score: 1
    Microsoft does interesting work occasionally. I've been curious about XAML for about a year now.

    http://winfx.msdn.microsoft.com/?//winfx.msdn.microsoft.com/winfx/core/overviews/about%20xaml.aspx/

  17. So you're wondering who they think would buy it? on Cisco Source Code Up For Sale: Only $24,000 · · Score: 1
    They're hoping for a certain Russian Tony Soprano to pony up. I speculate that they imagine it would benefit certain organizations attempting to gain some leverage with online casino sites come Superbowl Sunday.

    duh!

  18. No one understands security, sadly. on The Web's 20 Worst Security Flaws · · Score: 1
    A vulnerability is a security weakness. This article goes on to list technologies that are often implemented insecurely. The difference is not so subtle that this article is excusable. It is indicative of a much larger problem.

    The first 'vulnerability' listed is "Web Servers/ Web Services." While these can be implemented insecurely, they are not implicitly security weaknesses. A more useful list would have stated implicit examples of the most common mistakes implementing the most commonly used technologies- things like open SMTP relays, DNS servers that accept false dns responses, etc.

    This article is some proof showing that the security 'industry' is infected by a lot of frauds who don't even understand its terminology.

  19. Re:If you go this route... on Home Defense, Geek Style? · · Score: 1
    Off topic, yes-

    I would avoid a rescue dog if you're looking for a working animal. Rescue dogs are extremely variable. They may have been abused, might have undetermined breeding and are potentially unpredictable. These are not problems that are always easily identifiable. It can take weeks before it will become apparent.

    Don't get me wrong. I love my rescued coonhound/shepherd mix, but we've discovered some areas where he has 'issues' that don't really mesh well with our active lifestyle. He tends to spook at really odd things (The wind, for example) and is variably aggressive to other dogs. We've done about a hundred hours of training with him and had little luck adjusting his behavior. Many trainers have recommended we give up on certain training with him.

    The next dog we get will be from a breeder if we're looking for a working animal.

  20. Why not just checksum the "timestamp" program? on Internet Chess Club Security Defeated · · Score: 1
    So, if timestamp is a separate binary, why doesn't the app just do a checksum of the timestamp binary and verify against a central server? Is there something I'm missing?

    The recommendations in the whitepaper seem overly complicated. Anyone care to explain why a checksum would be inadequate?

  21. Re:Taking Sony - Not going to happen. Yet on Ballmer - Xbox 'Can Take Sony' In Next Generation · · Score: 1
    It also means (and this is what I think) that you will not be able to play XBox games on the XBox 2, they will have to re-write DirectX, build a RISC OS for it and then there is Live I would say there will have to re-write most of that as well. MS has never written software for RISC in the past and I think that the time frame they have set themselves is very unrealistic.

    Are there separate Internets for Apple and Windows computers? Do you think that hardware architecture changes imply that networking changes have to take place?

    Good gravy! Live is unaffected by a hardware upgrade.

  22. *Ring Ring* on 3-D Gaming on Your Cellphone · · Score: 1

    "Hi. This is the year 2003! How are you?
    I just called to let you know that while I was on the scene, the Motorola MPX-200 smartphone came out. It supports 3-D games. Check out Interstellar flames at XenGames."

    "Yeah, I don't know what the hell is wrong with the article. Sorry about that."

  23. Microsoft has some really good stuff. on Interesting Tech-Related Online Talk Radio? · · Score: 1
    I love these sites. They feel like all of the cool lectures from college that made getting out of bed on time worthwhile.

    Channel9

    And here's everything coming up for the month of July at MSDN Events:

    MSDN EVENTS

    COME AND GET ME, YOU MICROSOFT LUDDITE SLASHDOT MOTHER FUGGERS!

  24. Minnesota Soccer on When Lightning Strikes · · Score: 1
    When I was a teenager, I refereed D2 and D3 soccer games for the u-17 crowd. I ended up in a rather heated debate with one of the parents after I cancelled a late August afternoon game.

    It was overcast, the temperature was in the low 90's with high humidity and no wind. We were about 35 minutes into the first half when suddenly everyone's hair, both on and off the field began to stick straight up- almost as if they'd been vigorously rubbing balloons across their heads.

    I pretty quickly made up my mind that the last place I wanted to be was on this field with nothing high except for the 8 60 foot tall light poles surrounding the field. My departure was delayed, however, by the home team coach. He was insisting that because there was no smell of Ozone, that we were perfectly safe.

    I didn't see any reason to try and argue with the guy, so I got in my car and left.

  25. This is what Sarbanes Oxley's all about. on A Need for Greater Cybersecurity · · Score: 3, Funny

    If worms, viruses and other attacks can alter or remove financial accounting data, then the execs currently are accountable thanks to Sarbanes Oxley 404. This legislation creates work like Y2k did. If you haven't been impacted by it at your job yet, start reading up now.