I second that... my professors at IT undergrad (in physical school) were way behind the times too. Or at the very least, they weren't all round knowledgeable. Some of them I'm sure had some deep theoretical studies under their belts, but when it came to normal stuff, they were kind of baffling.
One professor once told me CDs were burnt from the outside in... I mean all it takes to realize that's not true is to flip a CD-R over and look.
Another professor was completely clueless when I asked him how a garbage collection worked. He had no notion of reference counts etc. Whadya gonna do?
To parent poster though, I must say: a good prof is a good prof. Regardless of whether you are in calculus or lit. A good calculus teacher will give you transcendental understanding of life in general that a book could never aspire to do - just like a good literature prof, when you think of it.
Re:Judge to do code review! - offtopic
on
SCO SCO SCO!
·
· Score: 1
Hardgrok is good stuff mang.
My salutes to you, Fnkmaster, as our paths cross like two shepard's in the country side.
While I agree with you about Samsung... I find your comment about North versus South quite an ignant one. (yes, I know how to spell ignorant)
If there is today such a division, we should thank the US and USSR. They are the perfect example of what happens when two god like powers smash their toy trucks at each other in a sandbox.
The whole point as they pointed out was the price of the HD. By soldering the thing right on the mobo, they've reduced on actual components (such as screws etc). That's why it's so cheap. That's why it's so good.
I personally can't wait to get a wristwatch sized mp3 player. MMMmmmmmm...
Re:12v Power Over CAT5?
on
PeltierBeer
·
· Score: 1
No apology necessary, I come on the slasdot playing ground with full hockey padding =)
I've heard about the theoretical systems you talk about. And while I like them, this approach being taken is not nearly anything as complete and fundamental as that. It looks like a band-aid of some sort, and it is only controling the MSHTML component (and not the entire system - via some sort of structural modifications to the kernel).
Now, I have a question for you... to me, my earlier posts seem rather clear. Do you think they still look ambiguous now that you understand what I meant? Or have I really done a bad job at explaining myself?
I used the word priviledge in two senses. The first one being the actual "Windows Priviledge" (as in Priviledge escalation attacks etc). These things include being able to load drivers, login users, debug/kill/spy other processes. But I was also using the word in a more general sense: being granted access to critical system files, or having write access to critical registry parts (both of which are necessary to install software in general).
The bottom line though is: IE inherits all of those things from the launching process. IE doesn't have backdoor access to any priviledge or access rights... nor can it set what priviledges it has.
What does this mean? IE has no more priviledges or access rights than the user running it. In fact, an application as an entity doesn't have 'priviledges' or access rights... a User has such properties (or rather its associated AccessToken for the nitpicky). An application can be run as a guest user, and have next to no priviledges, or be run as an admin user and have pretty much all priviledges and access rights. The information about what priviledges a running process has is not, and should not be stored as application meta-data. It is user meta-data.
What they have done, in response to incessant complaints about HTML exploits, is installed a priviledge limiting mechanism at the application level (into the APIs). They have fucked up a design that is sound.
If you think about it: running ActiveX components is 100% configurable. Launch dcomcnfg and you can set default behaviours and access rights. If for some reason, somebody is complaining that the HTML renderer shouldn't be able to launch COM objects, then disallow them in dcomcnfg (for all the users you don't want this to happen to). If you aren't going to dissallow the creation of COM objects for a given user, then disabling the HTML renderer from accessing these objects via this artificial policy scheme is just putting a brick on top of a weed... all a malicious user needs to do is find another way to instantiate the object (and there are many).
If OTOH you are concerned for example that trusted scripts can be compromised and turned into trojans on some sort of public stand alone machine... deny write access to those scripts (via ACLs) by the public users.
This reminds me of a 'bug' that was in NT a long time ago. You could rename cmd.exe to hh.exe (the help file application). Then all you had to do was hit F1 and wabang, you'd get a shell. Now, is this a bug? Hardly... it's a configuration problem: cmd.exe, along with most files (all if you ask me) in the Winnt directory should not have write access allowed for normal users (only administrators should be allowed to do that). Even further, trusted applications shouldn't even have read access allowed, only execute access. But this is all configuration, nobody in their right mind would want Microsoft to go and modify the file IO routines to check for malicious access to critical system files.
I hope this makes my point clearer. If not, oh well. Just know that my intentions were good, and that I am not a troll, nor do I bear a grudge on you (arevos) =)
So what would you have people do? Not point out the multitude of security flaws just to make sure the Microsoft Execs don't do something moronic?
No.
Moft definitely makes bad decisions [...]But that doesn't change the fact that the community bitches about the wrong things[...] IE has security flaws[... but] IE having too many priviledges is neither a flaw in IE, nor a flaw in the inherent user system (of the NT system). It's not a design flaw.
I'm complaining about the travesty. Not the fact that I can't work around it.
You realize the issue is simply this: some files need to be protected from accidental/malicious modification. Administrators should be allowed to do whatever they please with the computer. WFP simply is a new tier introduced on top of what is an established design (with ACLs and user priviledges). It is complete fluff. It shouldn't exist if ACLs and users were properly used.
You say it's poor form to work around WFP, I say it's poor form to run as root (and potentially crunch important system files).
Let me make an analogy of what I'm saying:
problem: smoking causes lung cancer.
solution 1: let's get this really funky new material that you can inhale that coats the inside of your lungs so that the carcinogenic materials that tobacco has don't get into your blood system. (WFP)
solution 2: let's not smoke. (proper user management)
No, shame on you for not wanting to have to do any work at all in order to have secure code.
I will say it one last time, to all the knee jerk reactions to my post saying it's a troll: IE having too many priviledges is neither a flaw in IE, nor a flaw in the NT (not consumer windows - granted) system.
This situation is completely analogous to having a new type introduced into the C language to express the number 42. If I want to avoid Priviledged use of my code, I take off the priviledges from the user. NOT THE API!
On a side note: is loaded into memory before a user logs on. That means that that part of the browser requires system level priveleges.
You don't know your NT system well, the fact that MSHTML (the dll) gets loaded into memory before anyone means nothing. Why? because NT can share memory regions between process (in a protected fashion). Do you think a new page of memory is commited each and every single time kernel32.dll is loaded? No. Once MSHTML is loaded into memory, it is used (with a Copy-on-write page protection) by all processes who need it. So no, it doesn't have system priviledges.
And one last thing for the other trollers out there: Windows 9x isn't an issue here. It has been phased out. So this new design will never actually be used on a Win 9x system (with effectively no users), it will only be used on NT based systems where lowering user priviledges is *easy*.
Moft definitely makes bad decisions... I never said anywhere for example that Win98 was a good system. I've never used consumer windows, I started with NT 3.51 and moved on up the NT chain.
But that doesn't change the fact that the community bitches about the wrong things. The example here is: IE has security flaws, sure. But IE's having too many priviledges is neither a flaw in IE, nor a flaw in the inherent user system (of the NT system). It's not a design flaw. Priviledges are things associated with users, if IE appears to have too many priviledges, it just means the user running it has too many priviledges.
The fact that people complained incessantly about it, made them change something that design wise wasn't flawed.
No it's definitely not a troll... I'm dead serious.
I don't know why you would think Microsoft would introduce a new security measure if it didn't think people wanted it. It would much rather invest money in making cool gimmicks.
Microsoft quite consistently responds to what people bitch about - whether these are legitimate things or not. You really have to distinguish between the crazy people at Moft (ie lawyers, execs etc) who only want to make money (by making stuff like webservives), and the actually skilled technicians who are asked to come up with a way to shut the crowds up.
Why on earth would anyone stop and think, let's add a new security policy to the HTML renderer if it wasn't a PR problem? it's not flashy, it's not useful, nobody cares about it... no exec would grant the time and money spent on it.
An important change of the IE Enhanced Security Configuration is that any HTML content hosted using Internet Explorer runs with lower privileges for example the MMC uses Internet Explorer to render HTML and therefore your HTML may run with lower privileges... privileges... by default Lower privileges means that by default script and activex among other things will be blocked. However, as an application developer you can add the URL of the content you need to work to the ESC Trusted sites list either through the API, the preferred way, or directly to the registry, in both scenarios though its VERY important to make sure you write to the ESC Trusted sites, not vanilla Trusted Sites [...]
I've always said it, and I always will, the community's incessant bitching about how insecure microsoft is has led to attrocities in design.
Example: Windows file protection - to avoid DLL Hell. DLL Hell was pure and simple bad user habits (running in Administrator mode etc etc). So they made a system that completely bypasses security, and disallows everyone on your system from changing files... even administrators. It's a travesty, that's what it is.
Well, here we see another travesty: because of simple HTML script exploits, which under normal circumstances (ie, if you weren't running as admin) would have very little consequences, Moft has come up with another travesty, has introduced 'state' into what should be stateless... And as a result, I just can feel the hours and hours of headache that is now set upon us programmers, for the rest of time.
I can clearly recall posts on slashdot, (but to be fair:/. isn't the only guilty body, every bitchy tech writer of the times is), saying how IE had too many priviledges.
All I have to say is BULLSHIT... IE has as many priviledges as the user running it - and as such, just as many, not any more than Mozilla running at the same user level.
Now, because of that bitching, we have a 'lowered priviledge set'... something which isn't based on users... it's a whole policy scheme... It's introducing complexity where there is no need for any... Yadi yada... *Sigh*...
Not to be a troll, but I find this to be clearly gimmicky.
This thing is neither multi user, nor multi tasking, nor protected memory addressing, nor io bound really... Why on earth would you want linux to be adapted to it, let alone even any sort of OS (aside from basic firmware).
To a certain extent, everytime I see about these very 'cool' little pieces of electronics said to be running on linux, I cringe and shake my head in disbelief... Sure linux is nice and all, but recognize what it's good for.
This being said, maybe I completely didn't realize you were trying to be funny (partially because you were modded informative). In which case... you are funny.
10-15 lines is 10-15 lines. End of story. It's a copy paste and that's what counts. One memory leak in there, and the OS can become unstable. So if it's a well written 15 lines, it's worth money.
Slashdot Mirror
One professor once told me CDs were burnt from the outside in... I mean all it takes to realize that's not true is to flip a CD-R over and look.
Another professor was completely clueless when I asked him how a garbage collection worked. He had no notion of reference counts etc. Whadya gonna do?
To parent poster though, I must say: a good prof is a good prof. Regardless of whether you are in calculus or lit. A good calculus teacher will give you transcendental understanding of life in general that a book could never aspire to do - just like a good literature prof, when you think of it.
My salutes to you, Fnkmaster, as our paths cross like two shepard's in the country side.
Head! Paper! Now!
Move that melon of yours and get the paper if you can!
Haulin' that gargantuan cranium about!
I'm not kidding, that boy's head's like Sputnik!
Spherical, but quick pointy in parts.
Well, that was off sides, wasn't it?
He'll be crying himself to sleep tonight on his *huge* pillow!
I bet he cries himself to sleep on his HUUUuuuge pillow at night.
(for the salivating Troll/Bameflait modders, do some research, it's called an inside joke).
I use it all the time, and recommend everyone else to use it too.
Read: a review of the code by *anyone* "means absolutely, positively nothing".
"We train young men to drop fire on people, but their commanders won't allow them to write 'Fuck' on their airplane... Because: it's obscene".
- Apocalypse Now
If there is today such a division, we should thank the US and USSR. They are the perfect example of what happens when two god like powers smash their toy trucks at each other in a sandbox.
I personally can't wait to get a wristwatch sized mp3 player. MMMmmmmmm...
Or this.
(Gee, I hope that server doesn't go down in flames because I linked to it)
It's just media. Whoever makes it has the power to put in valuable info, or just useless Hollywood shit.
<takes off helmet of bullet proof flame-retardant commando gear>
I think I was being kind of defensive with all the other posts =).
I've heard about the theoretical systems you talk about. And while I like them, this approach being taken is not nearly anything as complete and fundamental as that. It looks like a band-aid of some sort, and it is only controling the MSHTML component (and not the entire system - via some sort of structural modifications to the kernel).
Now, I have a question for you... to me, my earlier posts seem rather clear. Do you think they still look ambiguous now that you understand what I meant? Or have I really done a bad job at explaining myself?
Cheers.
I used the word priviledge in two senses. The first one being the actual "Windows Priviledge" (as in Priviledge escalation attacks etc). These things include being able to load drivers, login users, debug/kill/spy other processes. But I was also using the word in a more general sense: being granted access to critical system files, or having write access to critical registry parts (both of which are necessary to install software in general).
The bottom line though is: IE inherits all of those things from the launching process. IE doesn't have backdoor access to any priviledge or access rights... nor can it set what priviledges it has.
What does this mean? IE has no more priviledges or access rights than the user running it. In fact, an application as an entity doesn't have 'priviledges' or access rights... a User has such properties (or rather its associated AccessToken for the nitpicky). An application can be run as a guest user, and have next to no priviledges, or be run as an admin user and have pretty much all priviledges and access rights. The information about what priviledges a running process has is not, and should not be stored as application meta-data. It is user meta-data.
What they have done, in response to incessant complaints about HTML exploits, is installed a priviledge limiting mechanism at the application level (into the APIs). They have fucked up a design that is sound.
If you think about it: running ActiveX components is 100% configurable. Launch dcomcnfg and you can set default behaviours and access rights. If for some reason, somebody is complaining that the HTML renderer shouldn't be able to launch COM objects, then disallow them in dcomcnfg (for all the users you don't want this to happen to). If you aren't going to dissallow the creation of COM objects for a given user, then disabling the HTML renderer from accessing these objects via this artificial policy scheme is just putting a brick on top of a weed... all a malicious user needs to do is find another way to instantiate the object (and there are many).
If OTOH you are concerned for example that trusted scripts can be compromised and turned into trojans on some sort of public stand alone machine... deny write access to those scripts (via ACLs) by the public users.
This reminds me of a 'bug' that was in NT a long time ago. You could rename cmd.exe to hh.exe (the help file application). Then all you had to do was hit F1 and wabang, you'd get a shell. Now, is this a bug? Hardly... it's a configuration problem: cmd.exe, along with most files (all if you ask me) in the Winnt directory should not have write access allowed for normal users (only administrators should be allowed to do that). Even further, trusted applications shouldn't even have read access allowed, only execute access. But this is all configuration, nobody in their right mind would want Microsoft to go and modify the file IO routines to check for malicious access to critical system files.
I hope this makes my point clearer. If not, oh well. Just know that my intentions were good, and that I am not a troll, nor do I bear a grudge on you (arevos) =)
Cheers,
No.
Moft definitely makes bad decisions [...]But that doesn't change the fact that the community bitches about the wrong things[...] IE has security flaws[... but] IE having too many priviledges is neither a flaw in IE, nor a flaw in the inherent user system (of the NT system). It's not a design flaw.
Does that answer your question?
You realize the issue is simply this: some files need to be protected from accidental/malicious modification. Administrators should be allowed to do whatever they please with the computer. WFP simply is a new tier introduced on top of what is an established design (with ACLs and user priviledges). It is complete fluff. It shouldn't exist if ACLs and users were properly used.
You say it's poor form to work around WFP, I say it's poor form to run as root (and potentially crunch important system files).
Let me make an analogy of what I'm saying:
problem: smoking causes lung cancer.
solution 1: let's get this really funky new material that you can inhale that coats the inside of your lungs so that the carcinogenic materials that tobacco has don't get into your blood system. (WFP)
solution 2: let's not smoke. (proper user management)
I will say it one last time, to all the knee jerk reactions to my post saying it's a troll: IE having too many priviledges is neither a flaw in IE, nor a flaw in the NT (not consumer windows - granted) system.
This situation is completely analogous to having a new type introduced into the C language to express the number 42. If I want to avoid Priviledged use of my code, I take off the priviledges from the user. NOT THE API!
On a side note: is loaded into memory before a user logs on. That means that that part of the browser requires system level priveleges.
You don't know your NT system well, the fact that MSHTML (the dll) gets loaded into memory before anyone means nothing. Why? because NT can share memory regions between process (in a protected fashion). Do you think a new page of memory is commited each and every single time kernel32.dll is loaded? No. Once MSHTML is loaded into memory, it is used (with a Copy-on-write page protection) by all processes who need it. So no, it doesn't have system priviledges.
And one last thing for the other trollers out there: Windows 9x isn't an issue here. It has been phased out. So this new design will never actually be used on a Win 9x system (with effectively no users), it will only be used on NT based systems where lowering user priviledges is *easy*.
But that doesn't change the fact that the community bitches about the wrong things. The example here is: IE has security flaws, sure. But IE's having too many priviledges is neither a flaw in IE, nor a flaw in the inherent user system (of the NT system). It's not a design flaw. Priviledges are things associated with users, if IE appears to have too many priviledges, it just means the user running it has too many priviledges.
The fact that people complained incessantly about it, made them change something that design wise wasn't flawed.
I don't know why you would think Microsoft would introduce a new security measure if it didn't think people wanted it. It would much rather invest money in making cool gimmicks.
Microsoft quite consistently responds to what people bitch about - whether these are legitimate things or not. You really have to distinguish between the crazy people at Moft (ie lawyers, execs etc) who only want to make money (by making stuff like webservives), and the actually skilled technicians who are asked to come up with a way to shut the crowds up.
Why on earth would anyone stop and think, let's add a new security policy to the HTML renderer if it wasn't a PR problem? it's not flashy, it's not useful, nobody cares about it... no exec would grant the time and money spent on it.
I've always said it, and I always will, the community's incessant bitching about how insecure microsoft is has led to attrocities in design.
Example: Windows file protection - to avoid DLL Hell. DLL Hell was pure and simple bad user habits (running in Administrator mode etc etc). So they made a system that completely bypasses security, and disallows everyone on your system from changing files... even administrators. It's a travesty, that's what it is.
Well, here we see another travesty: because of simple HTML script exploits, which under normal circumstances (ie, if you weren't running as admin) would have very little consequences, Moft has come up with another travesty, has introduced 'state' into what should be stateless... And as a result, I just can feel the hours and hours of headache that is now set upon us programmers, for the rest of time.
I can clearly recall posts on slashdot, (but to be fair: /. isn't the only guilty body, every bitchy tech writer of the times is), saying how IE had too many priviledges.
All I have to say is BULLSHIT... IE has as many priviledges as the user running it - and as such, just as many, not any more than Mozilla running at the same user level.
Now, because of that bitching, we have a 'lowered priviledge set'... something which isn't based on users... it's a whole policy scheme... It's introducing complexity where there is no need for any... Yadi yada... *Sigh*...
Boo on everyone.
This thing is neither multi user, nor multi tasking, nor protected memory addressing, nor io bound really... Why on earth would you want linux to be adapted to it, let alone even any sort of OS (aside from basic firmware).
To a certain extent, everytime I see about these very 'cool' little pieces of electronics said to be running on linux, I cringe and shake my head in disbelief... Sure linux is nice and all, but recognize what it's good for.
This being said, maybe I completely didn't realize you were trying to be funny (partially because you were modded informative). In which case... you are funny.
10-15 lines is 10-15 lines. End of story. It's a copy paste and that's what counts. One memory leak in there, and the OS can become unstable. So if it's a well written 15 lines, it's worth money.
I can just see in the far far future, when there will be sentient computer programs, they will refer to China as "the anti-matter land"...
"Mother sentient program: In the anti-matter land, there is someone with the exact same IP address as yours son...
Child sentient program: Woooww..."
When you think about it though, the precisions we're talking about must be just incredible.