I must say that somewhat saddens me. I'm a very big fan of the Win32 subsystem: very consistent and concise <ducks past flying flame ball>. I wish it would always stay around as an alternative API.
'Microsoft builds leak regularly, Microsoft knows this, and Microsoft knows that the wider the distribution of the software, the faster it's going to spread all over the internet...
It's blatantly ignorant of the principles of cryptography which state that knowing the algorithm and implementation, or even part of the clear text should not compromise your security.
There is brute force as a means to an end, and then there is brute force as the end.
Let me illustrate: DNA based computers (of which btw I haven't heard in a long time - Slashdot?), or even quantum computers for that matter, will generate every possible solution after which a mechanism will select the only good one.
That is brute force as an implementation, a means to an end. Because ultimately what we are trying to reach with these computers is to implement some higher level language.
I personally agree with the grand-parent post, in that science used to be about brilliant minds who would find very qualitative results by pure thought. My personal favorite was Richard Feynmann's proof of all of Kepler's gravitational laws by using simple euclidean trigonometry.
Ultimately when I was reading the article, I was left wondering: if this guy is such a hot shot, why didn't he try to prove something mathematically, or short of that make a conjecture to be proven maybe 2 centuries from now (like Fermat's last conjecture). What's the value of running billions of cycles on an FSM? It completely short circuits the thought process.
more than that. Saying Client/Server architecture is dying is like saying electromagnetics is dying. Does he not realize any OS is a server and all applications are clients to its services?
n-tier architectures are basically n-client/server layers. Can someone say "buzz".
Man, I don't know what world 'you guys' live in... and I'm being perfectly honest and sincere here: I can't recall the last time I've had a BSOD. It's been over a year.
As for your system wide locks, I do know how the NT kernel works for locks, and let me tell you I've never heard of what you talk of, unless you have a link where I could read up, I don't think they exist either.
If the system ever appears to hang, it's because the IRQL has been raised: the IRQL is the *only* way you can mask interruptions in NT. In that respect, it is the only way you can mask pre-emption too, because the scheduler runs at DISPATCH_IRQL (that is PASSIVE_IRQL < APC_IRQL < DISPATCH_IRQL < AnyHardware_IRQL).
The only issue I know of that has always been annoying is the way NT deals with CD-ROM drives - but I don't see how that has anything to do with VS.net"
Enlighten us please. Oh, and please, I'm also curious, what does "more so preemtable" mean?
Given that BSODs are caused not because the system is in its final death bed, but rather because the driver violated some very very abstract conditions such as running at a higher DIRQL mainly, or throwing an exception, I suspect the incidence of BSOD causing events should decrease, not increase, since Linux kernel is not pre-emtible/interruptible as Windows' is, because the kernel is not pageable as Windows' is, and also because throwing an exception in kernel mode linux, AFAIK doesn't panic the kernel.
That being said, I readily say that what I know about linux is already outdated by at least a year, and so I don't know if the current kernel is in fact pre-emtpible or not...
All in all, I will state that my statement is as bullshit as yours. The answer to you is "things aren't that simple".
What's even more annoying is that they're only asking IE to pay up. I mean, it's good to a certain extent, because moft is probably the only company capable of affording such a situation, but since almost all browsers out there infringe on this but they're only targeting moft you can really easily tell they're cow milkers.
And there's nothing I hate more than cow milkers.
My obligatory Monty Python reference goes to:
"Rule number 1, NOOOooo 'pufters'.
[...]
Rule number 6, there is NOOOOOOOOOOOooooooooooooo rule number 6."
This is the first slashdot book review that I've seen in a long time that I'm seriously considering buying.
I'll tell it out loud flatly, the reason is because it's not a "my system is better then your system" kind of book from what it seems. Those are the books that annoy me the most "Well, you see, you could be using ASP, but then your app would be WAAAAAY more insecure."
On top of that, actually seeing equivalents of the same code on both system families will be a nice intro to some, including me, for equivalent APIs that we didn't know existed in other systems.
Btw, the Secure Coding book by microsoft is really good too (very few actual API references, so it's not really microsoft platform targeted).
Mind you, this is not a registry thing because you actually need code to run it. With this, caps lock will go uppercase, and CTRL will release the lock.
Hah ha... I can just imagine getting those horribly crooked fake Halloween teeth, a pair of very very thick glasses, and casually walking in with my fake ID. I mean, how fucking rude would it be if they made fun of the way I look?!
Set the filter to highlight ACCESS_DENIED (in Filemon) and ACCDND (? I think) (in Regmon). Run any program you want, and see what it does wrong.
Some programs are irreperably stupid. Others like trillian are relatively isolated.
The way I run trillian is that I set the "users/" directory ACL to Users rw-. And you will be able to run it as non admin.
I run SecureCRT and VShell too, I don't know for earlier version, but for later versions they run perfectly fine too. If you have issues, do the above method, and find out what they are trying to access.
Btw, if you get access denied's in the registry, you can change the ACL for a key as well using regedt32.exe in Win NT/2k, and regedit.exe in WinXP.
All part of sensible configuration. Granted, normal users wouldn't be able to figure this out, but normal users wouldn't use SecureCRT either.
You are correct that it is very difficult to run Windows NT, 2k, or XP without administrator privileges. It is a pain in the butt (I do it, and 99% of apps assume they have admin priveledges). Microsoft knows consumers don't want to be sysadmins.
I don't know what apps people run these days, but here's my list of apps I run perfectly fine *without* admin priviledges:
SQL Server (I actually run the service as a user that I created just for it, it isn't part of any group, so hijacking my SQL server doesn't grant access to any part of my system anyways).
MSDev studio (I can even attach debuggers to running programs by manually granting SE_DEBUG_PRIVILEDGE to my user group)
Photoshop
Macromedia (Flash and Dreamweaver)
Trillian, YM or MSN
winamp
Maya
Office (obviously)
WinDVD 5
Soulseek
winrar and the whole toolkit of utilities
SSH
VMWare (and fuck do I respect them for letting me run an entire virtual machine without being an administrator - ALL HAIL THE VMWAre)
Now... what isn't there that you just absolutely need to run that you can't otherwise? Cause I'll tell you this, I'm a developer and I tax my system to the very edge of what it can do. Most people just run windows XP with office on it to type emails and the occasional fax cover.
Macintosh, Java VM, and many Linux distros have solved this problem in a way that is user friendly.
Tell me this: run "rm -rf/*" without being su in linux. Tell me what you see... is it "ugh, could you please give me your su password?" or is it "access denied".
Besides windows allows you to "run as" a different user (read Admin) by simply shift-right clicking.
You are right when you say The correct solution is the find the cause of the problem, and fix it. But you are wrong when you say the fix is anywhere else then in RTFM.
Your post was just endless FUD.
You may disagree with the post, and with this one as well. But none of this is FUD. Can we stop applying that term to anyone we disagree with?
FUD is when someone cites bullshit data, like how 95% of all Russians are actually gay. Now, you may not agree with my opinion when I say, "well, since 95% of them are gay, we should nuke the country" (cause that's my opinion), but you certainly have a right to call bullshit on my facts.
I, and your parent post called bullshit about the claims made about Administrator priviledge necessities in windows.
that some software you talk about unfortunately sucks, and should be pressured (by voting with dollars, or by complaining) to be fixed. Blaming OS is not the solution. Said software would run improperly on any system that has a security subsystem.
PS. as much as it is a PITA for me to run as non admin too, I do get by. Here's two pieces of advice:
Shift right clicking on an executable will allow you to "Run As...". You can't complain about that because it's basically the equivalent of typing su in *nix and then typing your password. And with WindowsXP they've even made it intelligent enough that the interactive user's environment is loaded.
Also, the only time you really do need to run as power user or admin is if you want to attach debuggers to other process. Now, I think it's not well known by most people, but in WinXP, you still have the plain vanilla user managment MMC. By default now, users are in the Users group (where as in NT/2k they were in Power Users). You can always add users to the power user group in XP. You can also grant SE_DEBUG_PRIVILEDGE manually to a user group via the security policy manager.
Last point is loading device drivers. Again only Power Users and up can do that... and you can make yourself a power user, but you should realize you are basically allowing any code to tamper with your kernel by having this priviledge - use at your own discretion. Again, normal programs shouldn't have to load device drivers. The only real annoying thing I've seen is software that requires dongles... But even then, they generally run a seperate service with a different user credential that is in charge of loading the DevDriv.
All in all, really, there is absolutly no excuse for running as admin.
This reply is kind of off-topic... it's kind of a random conversation with you. What I want to say is that IMHO you shouldn't view change as being bad. Change is inevitable, and as some wise folk said, change is the only constant in the world.
Thinking about change always reminds me of Bruce Lee's famous quote, (and I'm only paraphrasing) I'm as strong yet as soft as water. I find it helps me a lot knowing that nothing is static in day to day life. It gives me a different perspective and lets me let go of things more easily.
You on the other hand have been socially engineered by Linux zealots to think that people who don't want to spend 38 consecutive hours to get their system up and working are idiots.
Besides, what's your point. In windows (NT/XP/2k), you can't run an installer without being an admin or power user. Which is the bottom line: a properly secured system doesn't care if the GUI consists of one big button in the middle of the screen that says "INSTALL A VIRUS".
In fact, how is anything you just said (remotely getting files, updating the system) different from apt-get? Look past the pretty pictures of a GUI. Does apt-get go over SSH? no. How do you know then that it's not being hijacked? Don't say MD5, you might have one fat mother sitting between you and your package distributions.
a trojan horse is code you run on your computer that doesn't do what you thought it did. In my opinion, these are mostly user stupidity.
a virus is code being injected into a program you run normally. How it gets there is not really part of 'viral activity'. Technically, we have very few virii left these days, most fall into the trojan horse category. Virii were especially popular back in the days of DOS, when modifying a file was rather easier than trying to hide it somewhere (just cause back then you had 3 files on a 5.25" floppy and a fourth file name "DOSKill.com" would arouse suspicion. (now, people just go ahead and hide a file deep inside the windows directory.
Worms on the other hand are completely external attacks. They propagate themselves without needing user help. Rootkits are 'manual worms'. Worms only work because of security flaws.
That's the main difference: virii can infect *any* system, so long as the user acts stupid enough. Worms can *only* infect systems which have flaws.
As far as I'm concerned virii are user responsability. I've never been infected with a virus or trojan horse (mainly because I never run as admin), and really a system is not really at fault if it gets a virus infection. It certainly can't be considered at fault for "making a virus writers job easier" by having easier APIs. After all, one of the ten security commandments are: If your enemy gets you to run code on your computer, it's not your computer anymore.
Slashdot Mirror
Here's an interesting, albeit incomplete change log.
I must say that somewhat saddens me. I'm a very big fan of the Win32 subsystem: very consistent and concise <ducks past flying flame ball>. I wish it would always stay around as an alternative API.
Uhh... see any paralels?
Just shut up already. You remind of CNN for technology. Unbiased "News". feh.
It's blatantly ignorant of the principles of cryptography which state that knowing the algorithm and implementation, or even part of the clear text should not compromise your security.
I hardly doubt Kepler sat down, took his 2000 observed (x,y) planet coordinates, and started crunching on a list of rules:
x = ln y false
x = ln y^2 false
x = ln y^3 false
ax^2 = by^2 + k true
"EUREKA, I've found rule number 5!"
Let me illustrate: DNA based computers (of which btw I haven't heard in a long time - Slashdot?), or even quantum computers for that matter, will generate every possible solution after which a mechanism will select the only good one.
That is brute force as an implementation, a means to an end. Because ultimately what we are trying to reach with these computers is to implement some higher level language.
I personally agree with the grand-parent post, in that science used to be about brilliant minds who would find very qualitative results by pure thought. My personal favorite was Richard Feynmann's proof of all of Kepler's gravitational laws by using simple euclidean trigonometry.
Ultimately when I was reading the article, I was left wondering: if this guy is such a hot shot, why didn't he try to prove something mathematically, or short of that make a conjecture to be proven maybe 2 centuries from now (like Fermat's last conjecture). What's the value of running billions of cycles on an FSM? It completely short circuits the thought process.
hah, it just said "fuck you"
-pVoid
HAh. I think you were right about the sig. Oh well.
My memory is hazy, but last I remember a patch breaking something was about 4 years ago for me. I think it was with the MDAC patch.
Who else has had problems on patches lately?
n-tier architectures are basically n-client/server layers. Can someone say "buzz".
As for your system wide locks, I do know how the NT kernel works for locks, and let me tell you I've never heard of what you talk of, unless you have a link where I could read up, I don't think they exist either.
If the system ever appears to hang, it's because the IRQL has been raised: the IRQL is the *only* way you can mask interruptions in NT. In that respect, it is the only way you can mask pre-emption too, because the scheduler runs at DISPATCH_IRQL (that is PASSIVE_IRQL < APC_IRQL < DISPATCH_IRQL < AnyHardware_IRQL).
The only issue I know of that has always been annoying is the way NT deals with CD-ROM drives - but I don't see how that has anything to do with VS.net"
Enlighten us please. Oh, and please, I'm also curious, what does "more so preemtable" mean?
That being said, I readily say that what I know about linux is already outdated by at least a year, and so I don't know if the current kernel is in fact pre-emtpible or not...
All in all, I will state that my statement is as bullshit as yours. The answer to you is "things aren't that simple".
Sure, except, that's not the basic rule when you're a monopoly.
And there's nothing I hate more than cow milkers.
My obligatory Monty Python reference goes to:
"Rule number 1, NOOOooo 'pufters'.
[...]
Rule number 6, there is NOOOOOOOOOOOooooooooooooo rule number 6."
I'll tell it out loud flatly, the reason is because it's not a "my system is better then your system" kind of book from what it seems. Those are the books that annoy me the most "Well, you see, you could be using ASP, but then your app would be WAAAAAY more insecure."
On top of that, actually seeing equivalents of the same code on both system families will be a nice intro to some, including me, for equivalent APIs that we didn't know existed in other systems.
Btw, the Secure Coding book by microsoft is really good too (very few actual API references, so it's not really microsoft platform targeted).
Mind you, this is not a registry thing because you actually need code to run it. With this, caps lock will go uppercase, and CTRL will release the lock.
Get Filemon and Regmon from sysinternals.
Set the filter to highlight ACCESS_DENIED (in Filemon) and ACCDND (? I think) (in Regmon). Run any program you want, and see what it does wrong.
Some programs are irreperably stupid. Others like trillian are relatively isolated.
The way I run trillian is that I set the "users/" directory ACL to Users rw-. And you will be able to run it as non admin.
I run SecureCRT and VShell too, I don't know for earlier version, but for later versions they run perfectly fine too. If you have issues, do the above method, and find out what they are trying to access.
Btw, if you get access denied's in the registry, you can change the ACL for a key as well using regedt32.exe in Win NT/2k, and regedit.exe in WinXP.
All part of sensible configuration. Granted, normal users wouldn't be able to figure this out, but normal users wouldn't use SecureCRT either.
I don't know what apps people run these days, but here's my list of apps I run perfectly fine *without* admin priviledges:
SQL Server (I actually run the service as a user that I created just for it, it isn't part of any group, so hijacking my SQL server doesn't grant access to any part of my system anyways).
MSDev studio (I can even attach debuggers to running programs by manually granting SE_DEBUG_PRIVILEDGE to my user group)
Photoshop
Macromedia (Flash and Dreamweaver)
Trillian, YM or MSN
winamp
Maya
Office (obviously)
WinDVD 5
Soulseek
winrar and the whole toolkit of utilities
SSH
VMWare (and fuck do I respect them for letting me run an entire virtual machine without being an administrator - ALL HAIL THE VMWAre)
Now... what isn't there that you just absolutely need to run that you can't otherwise? Cause I'll tell you this, I'm a developer and I tax my system to the very edge of what it can do. Most people just run windows XP with office on it to type emails and the occasional fax cover.
Macintosh, Java VM, and many Linux distros have solved this problem in a way that is user friendly.
Tell me this: run "rm -rf /*" without being su in linux. Tell me what you see... is it "ugh, could you please give me your su password?" or is it "access denied".
Besides windows allows you to "run as" a different user (read Admin) by simply shift-right clicking.
You are right when you say The correct solution is the find the cause of the problem, and fix it. But you are wrong when you say the fix is anywhere else then in RTFM.
Your post was just endless FUD.
You may disagree with the post, and with this one as well. But none of this is FUD. Can we stop applying that term to anyone we disagree with?
FUD is when someone cites bullshit data, like how 95% of all Russians are actually gay. Now, you may not agree with my opinion when I say, "well, since 95% of them are gay, we should nuke the country" (cause that's my opinion), but you certainly have a right to call bullshit on my facts.
I, and your parent post called bullshit about the claims made about Administrator priviledge necessities in windows.
software installation isn't a daily chore.
that some software you talk about unfortunately sucks, and should be pressured (by voting with dollars, or by complaining) to be fixed. Blaming OS is not the solution. Said software would run improperly on any system that has a security subsystem.
PS. as much as it is a PITA for me to run as non admin too, I do get by. Here's two pieces of advice:
Shift right clicking on an executable will allow you to "Run As...". You can't complain about that because it's basically the equivalent of typing su in *nix and then typing your password. And with WindowsXP they've even made it intelligent enough that the interactive user's environment is loaded.
Also, the only time you really do need to run as power user or admin is if you want to attach debuggers to other process. Now, I think it's not well known by most people, but in WinXP, you still have the plain vanilla user managment MMC. By default now, users are in the Users group (where as in NT/2k they were in Power Users). You can always add users to the power user group in XP. You can also grant SE_DEBUG_PRIVILEDGE manually to a user group via the security policy manager.
Last point is loading device drivers. Again only Power Users and up can do that... and you can make yourself a power user, but you should realize you are basically allowing any code to tamper with your kernel by having this priviledge - use at your own discretion. Again, normal programs shouldn't have to load device drivers. The only real annoying thing I've seen is software that requires dongles... But even then, they generally run a seperate service with a different user credential that is in charge of loading the DevDriv.
All in all, really, there is absolutly no excuse for running as admin.
Thinking about change always reminds me of Bruce Lee's famous quote, (and I'm only paraphrasing) I'm as strong yet as soft as water. I find it helps me a lot knowing that nothing is static in day to day life. It gives me a different perspective and lets me let go of things more easily.
Just a thought I thought I'd share...
Besides, what's your point. In windows (NT/XP/2k), you can't run an installer without being an admin or power user. Which is the bottom line: a properly secured system doesn't care if the GUI consists of one big button in the middle of the screen that says "INSTALL A VIRUS".
In fact, how is anything you just said (remotely getting files, updating the system) different from apt-get? Look past the pretty pictures of a GUI. Does apt-get go over SSH? no. How do you know then that it's not being hijacked? Don't say MD5, you might have one fat mother sitting between you and your package distributions.
Let me break it down to you:
a trojan horse is code you run on your computer that doesn't do what you thought it did. In my opinion, these are mostly user stupidity.
a virus is code being injected into a program you run normally. How it gets there is not really part of 'viral activity'. Technically, we have very few virii left these days, most fall into the trojan horse category. Virii were especially popular back in the days of DOS, when modifying a file was rather easier than trying to hide it somewhere (just cause back then you had 3 files on a 5.25" floppy and a fourth file name "DOSKill.com" would arouse suspicion. (now, people just go ahead and hide a file deep inside the windows directory.
Worms on the other hand are completely external attacks. They propagate themselves without needing user help. Rootkits are 'manual worms'. Worms only work because of security flaws.
That's the main difference: virii can infect *any* system, so long as the user acts stupid enough. Worms can *only* infect systems which have flaws.
As far as I'm concerned virii are user responsability. I've never been infected with a virus or trojan horse (mainly because I never run as admin), and really a system is not really at fault if it gets a virus infection. It certainly can't be considered at fault for "making a virus writers job easier" by having easier APIs. After all, one of the ten security commandments are: If your enemy gets you to run code on your computer, it's not your computer anymore.