Slashdot Mirror


User: LO0G

LO0G's activity in the archive.

Stories: 0
Comments: 521

Comments · 521

  1. Re:Difference in ages on Comparison of Java and .NET security · · Score: 1

    Ummm... I think the study was funded by DARPA, not Microsoft (for a change)...

    Also, since the vulnerability occurs BEFORE the .Net runtime is loaded, they're calling it a platform vulnerability, NOT a .NET vulnerability.

    I'm not sure I agree with them, but that's what they're claiming.

  2. Re:Another one? on Honeymonkeys Discover Undisclosed Vulnerability · · Score: 2, Insightful

    Ummm...

    So let's say that Microsoft tests Windows Vista in this way.

    What information do they learn? Remember - the bad guys don't have access to Windows Vista, so they can't know about exploits in the new code in Windows Vista.

    It's a chicken and egg problem - the bad guys can't know about 0day Windows Vista exploits because they don't have access to Windows Vista to exploit it.

    If they find exploits in Windows Vista, it's because they're also in XP. If they're in XP, they can simply test with XP.

    A honeymonkey does absolutely no good BEFORE the OS is released.

  3. Re:I lived it... and we said it. on The 'DOS Ain't Done 'til Lotus Won't Run' Myth · · Score: 1

    Reference please? You'd think that Lotus 1-2-3 being broken by MS-DOS 3.0 and all subsequent releases would be all over the net.

  4. Re:No Services on Boot? on Running Windows With No Services · · Score: 1

    I'm gonna catch high heck for this, but...

    This is actually a GOOD thing. The reason that the system's asking you to reboot is that you have an unpatched vulnerability on your machine, and you'll continue to have an unpatched vulnerability until you reboot.

    That means that until you reboot, you're vulnerable to the hacker who drops a worm that exploits the bug.

    Rebooting (and being obnoxious about rebooting) is important to ensuring that the patch gets applied.

    If you don't like it, turn off the auto-update feature, it's not that hard to do (Start/My Computer/Properties/Automatic Updates, select "Download updates for me, but let me choose when to install them" or "Notify me, but don't automatically download or install them").

    It means that your exposure to a vulnerability is higher, but you get to control when the update happens.

  5. Re:CSS2 a flawed standard? on MS Urging Developers To Prep For IE 7 · · Score: 1

    Actually Netscape introduced the need for a UA string. That's why the UA string starts with Mozilla... Because web sites depended on that to feed their proprietary Netscape-only extensions.

    IE's just following the crowd here.

  6. Re:Who drives them? on Ballmer on Innovation · · Score: 1

    But a large part of what spreads viruses are users. Users download unsafe code from the internet (or receive it in their email application) and they launch it.

    And don't say that privilege separation is somehow a magic bullet that solves the problem, it's very clearly not. For example, one of the recent derivatives of Beagle spread itself via a password encoded .zip file. To be infected, the user had to type in the password to the zip file.

    When a user receives an attachment that says "Click here to see the dancing bears", they're going to follow whatever instructions come with the attachment.

    Why? Because they want to see the dancing bears.

    You can put hurdles in front of the user, but you're not going to stop them from doing whatever is necessary to see the bears.

  7. Re:Terrorists aren't the bad guys, eh? on Six Bomb Blasts Around Central London · · Score: 1

    Actually, from what I understand the reason that the election was changed was as much a reaction to the terrorists as it was a backlash against a government that decided that the cause of the bombings was ETA, even after overwhelming evidence pointed to Al Qaida.

  8. Re:Headlines running together in my head on Longhorn Preview · · Score: 2, Informative

    This is /., so I'm going to get pedantic.

    A virus does not rely on any vulnerability in the platform to propagate. Instead, a virus attaches itself to an executable and spreads itself when the executable is launched. So, by definition, Longhorn will be as vulnerable as XP to a virus. And Linux 2. will be just as vulnerable as Linux 2.. And OSX 10.4 will be as vulnerable as OSX 10.3. As long as you can run binary content, your platform is vulnerable to viruses.

    Now worms are another story, since they're self propagating. It would make sense to ensure that Longhorn can't be infected by any XP worms.

    And trojans are a third category of malware - the thing about trojans is that they're spread by user interaction - the user wants to see the dancing penguins so they click on an attachment. And along with the dancing penguins comes a rootkit.

    What's interesting about the 3rd category is that it applies to all platforms. For example, Beagle spread itself by using a password protected Zip file - in order to be infected, the user had to type in the password to the Zip file. If the user will type in a password to see the dancing penguins, then they'll save the file to disk, and chmod +e the file so that they can execute it.

  9. Old, old news... on Anatomy of a Hack · · Score: 2, Informative

    This was posted in Microsoft Technet magazine way back in January.

    http://www.microsoft.com/technet/technetmag/issues/2005/01/AnatomyofaHack/default.aspx

  10. Re:PNG??? on MS Patch Train Leaves the Station · · Score: 3, Insightful

    The same way that a remote execution overflow was in libXPM.

    Google integer overflow vulnerability for more information.

  11. Re:Time to fight back on USPTO Issues Email Address Patent to Microsoft · · Score: 4, Informative

    I know this is /., but RTFP.

    The patent's actually not about treating email addresses as objects.

    The patent's about tagging the origin of an email address and altering the display of that email address based on the origin of the email address - if the email address came from the address book it looks one way; if it comes from the internet, it looks different.

    And whatever else they added to the patent.

    It's NOT about patenting .sig files.

    I'm not aware of prior art in this one - do you know of an email client that visually differentiated between internet based email addresses and ones from the address book?

  12. Re:PC sales and DOS licenses on 25 Years After DOS - Lessons for Linux? · · Score: 5, Insightful

    MS-DOS was one of three different operating systems offered on IBM PCs when they first came out.

    And it wasn't even the cheapest one (I believe that was the UCSD P-System).

    But it WAS the only one that ran Lotus 1-2-3.

    It's the apps, silly.

  13. Re:Ouch! on Malicious Web Pages Can Install Dashboard Widgets · · Score: 1

    First, FF is now signed. Check it.

    Second, that was my mistake. I meant to say unsigned ActiveX controls can't be downloaded. Unsigned binaries can still be downloaded (but all downloaded executables are tagged so that the shell warns you whenever you launch them).

    My bad.

  14. Re:Ouch! on Malicious Web Pages Can Install Dashboard Widgets · · Score: 5, Insightful

    So does IE. ActiveX controls have ALWAYS prompted.

    And with XP SP2 (released in AUGUST) unsigned binaries simply can't be installed, and the default is "NO" for signed binaries...

    Somebody thought they had a cool feature and didn't think about the consequences.

  15. Re:Ouch! on Malicious Web Pages Can Install Dashboard Widgets · · Score: 1

    s/apple/Microsoft/g

    Now read the same comment again.

    And then please explain to me why MacOS is immune to spyware?

  16. What are we going to do? on Sober.P Worm Accounts for 5% of all Email Traffic · · Score: 3, Insightful

    "What are we going to have to do to convince 'ordinary users' to visit WindowsUpdate once in a while?"

    I dunno. Maybe we should stop running all those stories about how evil WindowsUpdate is, and how Microsoft is spying on your computer?

    And proclaiming to the heavens that <insert my linux distro> doesn't need updates because it's secure?

  17. Re:Automatic Cup Holder on IE Developer Responds to Mozilla Accusations · · Score: 1

    And humorously enough, ActiveX and BHOs have absolutely NOTHING to do with IE's integration with the OS.

    Firefox can (and does) have equivalent mechanisms, and it's not a part of the operating system.

  18. Re:Offer Void on pre-2000 MS operating systems. on MS Employee Calls for No More Passwords · · Score: 1

    That gets you onto the box, but it doesn't get you onto the network.

    And for Win9x machines, passwords are all about access to the network - there isn't anything on the Win9x box to protect, since there isn't any security on the Win9x box.

  19. Re:Offer Void on pre-2000 MS operating systems. on MS Employee Calls for No More Passwords · · Score: 1

    Nah, Windows NT has always supported 256 character passwords. Win9x and below only supported 14 character passwords.

    If you're not planning on using a Win9x machine, then 200ish characters should be enough.

  20. Re:How can the optimized version be WORSE... on Browser Speed Comparisons · · Score: 1

    Maybe, maybe not - it depends on where the time's being spent.

    There's only so much that the compiler can do.

    No amount of optimization can change the performance of a bubble sort to O(n ln n) - Bubble sort will always be O(n^2).

    So optimization can't help algorithmic inefficiencies, the only thing that can help that is changing the source code.

  21. Re:How can the optimized version be WORSE... on Browser Speed Comparisons · · Score: 1

    Being optimized only means it runs faster on a CPU bound task.

    Browsing the web is NOT cpu bound (normally). Instead it's typically bandwidth bound.

    And all the optimizations in the world won't make your net go faster.

  22. Re:Bill Gates on The History of Computing Auctioned at Christie's · · Score: 1

    Don't forget Bob Metcalfe, Larry Ellison, and Scott McNealy. Oh, and Nathan Myhrvold.

    The bidding on some of these pieces is going to be insane.

  23. Cause and Effect on Can-Spam Increased Spam · · Score: 2, Insightful

    I'm not sure that there's necessarily any correlation between can-spam and spam levels.

    Certainly the spam I'm receiving isn't conforming to can-spam, which would be expected if there was a correlation.

    Most of what I see is either fake Viagra, hosting services, free Rolexes, or Nigerians that just want me to take their money. None of which complies with can-spam.

    Just because spam has increased in the period since can-spam was passed doesn't mean that can-spam's responsible for it.

  24. Re:plus, there's a chicken-and-egg impediment on Defeating XP SP2 Heap Protection · · Score: 4, Interesting

    Exactly: In order to exploit this, you need to find a program with:

    1) An exploitable memory overwrite error in a system component.
    2) A heap allocation pattern that exactly matches the pattern demonstrated here.

    If you don't have BOTH of these criteria met, then it won't matter.

    Software DEP was never intended as anything more than a really big speedbump.

    As a PoC, it's interesting, but as "the end of XP SP2?" I don't think so....

  25. Re:Well, the attempts aren't as good as CD's on EFF Creates Endangered Gizmos List · · Score: 1

    It's REALLY clear that consumers don't give a rip about DRM - DVDs come with DRM and consumers don't seem to be avoiding them like the plague, do they? All consumers want to be able to do is to put the shiny silver disk in their player and play it. As long as DRM doesn't get in the way, it doesn't matter.

    YOU care about DRM. Most of the /. crowd cares about DRM. But the vast majority of consumers out there don't.

    They'll buy something if it has clear benefits over the existing technology. CDs had clear benefits over LPs and tape. DVDs had clear benefit over videotapes. So people flocked to those technologies.

    SACD or DVD-Audio simply don't provide enough of a benefit over CDs to justify the expense of buying a new player. Multi-channel audio? Users don't care about it - they only have 2 channels anyway. Longer play time? Maybe, but that's not how SACDs and DVD-Audio are being marketed - the reality is that 85ish minutes really IS about the sweet-spot for content length.

    So CDs are "good enough". And that's why they aren't dislodged. It's not the DRM.