I don't see how providing a link that an individual must click on could ever be considered a DOS attack. That would make slashdot a DOS attack host already. But that is clearly not the case. And the fact that slashdot can easily handle traffic far greater than what is getting redirected to the sites it links to, could be used as evidence that the attack was not malicious.
The script on secunia is just a proof of concept. There are several things that can be improved. Masking the address bar would be one of the very first improvements a hacker needs to make. Another may be fixing the code so that there is no need to refresh the original page before reclicking the link.
Maybe it's just me, but I would love to see what IE's source code must look like at this point with all the patching it has gone through over the years.
Even more amazing perhaps are the facts that:
90% of the planet still uses it
It is still the only way to get critical updates for about 50% of windows users out there
Other than (duh!) security bugs, it pretty much still works without a hitch
Most certainly the best built house of cards on the planet!
All technical considerations aside (3 day retry periods, no central spam DB etc.) let's just read up on Exchange 2003 marketing literature (not that we should normally trust Microsoft marketing literature, but it suffices that they cannot outright lie about it). They claim to have all sorts of *new* spam block features. Perhaps the author may have considered the hypothesis that his IT dept made the switch with these features in mind. At the very least it would be nice if he did a little due diligence (or if he did do some, that he would note that fact) to rule out simpler explanations? Why on earth would spammers care about keeping lists clean anyway? It's not like they all of a sudden grew a conscience?
Didn't that Occam guy have something to say about crazy theories like this author's rant?
To call the tab browsing issue with the alert boxes a security vulnerability sounds like a bit of a stretch. A hell of a confusing UI issue, truth be told, but hardly seems like a security problem.
1) In my case, I have always had Firefox load tabs in the background. So when the dumb little dialog pops up I am still on the Secunia site.
2) I would probably be very suspicious of a non-standard JS popup coming up and asking me for any sort of sensitive information.
3) The user must consciously be using tab browsing (with tabs loading in the foreground) to have any chance of being duped by this. Just clicking on the link to load the page in the same window cancels the setTimeout() call, and opening the link in a new window causes the secunia.com window to come to the foreground along with the popup. Since there is no html anchor target for a new tab, anyone wanting to explore this vulnerability would have to be counting on catching users that have tabs that load in the foreground, and are unsavvy enough to fall for a Javascript dialog like that. My suspicion is that most users that would even know how to use tab browsing would have a mild clue.
Law enforcement is still required to get a court order to tap into your communications.
They are also supposed to have arrest warrants and follow due process to hold people. Especially if they are arrested inside the country. I think a few Muslims in our generation, and Japanese in our grandparents' generation, may have something to say about that.
IANAL but it seems to me that any programmer writing C code in this day and age who leaves a buffer unchecked in their code should be guilty of criminal negligence if that buffer can be used to execute malicious code. The dangers of unchecked buffers have been documented well enough to the point that it seems reasonable to argue it is a gross deviation of accepted professional standards of software development to allow such sloppy coding to pass through.
Completely Forgettable?
I beg to differ. Any guy that watched that movie has got to remember Ashley Judd picking up men at bars for a little fun. How can I forget that?
Anyone ever try to search for the "best search engine" on the Web? I find that Google and MSN have something interesting to say about that.
Not even Google presumes to put themselves as the first search result (a.k.a. the "I'm Feeling Lucky" link). The winner is a somewhat informative article that breaks down each engine's strength depending on what you are looking for.
Not so at MSN. Google Google Google. That is their chant for the best engine. Now is that a bug or a feature?
Judging by how reliably my laptop drops its connection every time I approach it with my 2.4GHz cordless phone, it sounds like a pretty easy approach would be to install some fairly high powered interference generators spreading noise on that frequency in and around the FleetCenter. OH wait, that is probably against some FCC rule. Never mind. We're doomed.
I filed a patent for a desktop operating system that can facilitate the process of marshalling computer resources across the internet to conduct distributed attacks on corporate websites. It got denied due to the existence of prior art created in Redmond, WA.
If you look at the NT 4 resource kit from Microsoft itself, you will notice a little app called TopDesk (copyrights held by MS and Sanford Staab) and originally created for Windows NT 3.1 (I thought NT started at 3.5 but I have not kept up with my Ancient History).
It seems like it does all that is described by this new patent. Funny it took them 15 years to get around to filing for the patent.
GUI users raised and born and bred on a GUI shouldn't be mucking about in a terminal
That statement would ensure the death of the command line wouldn't it? I don't see many schools these days offering anything but Windows and Macs for students to learn on.
Unfortunately though, the same cannot be said about the Powerbooks or the iBooks. How much would it take to offer a damn power user version with a three button trackpad? I understand your position when it comes to desktop users, but if you bought a powerbook, you are severely hindered by what I would call "a design flaw on an otherwise perfect machine".
Sure you can attach a mouse, but that severely limits where you can use your "LAP"top doesn't it?
The two most talented software developers I have ever worked with are both CMU graduates, as is one of the persons I most respect when it comes to networking. That said, I have also met many CMU types that could not tell male from female (and I am not speaking of biology).
The really important thing to keep in mind about college, and this is probably a lesson you will only learn later in life, is that in college, you will learn how to learn. It really does not matter what specifically you learn in college. By the time you have been out of college five years the technologies out there are going to be so different that the only way to keep up will be to use those learning skills you acquired in school.
That said, some schools will be much better than others at fostering an environment that promotes that kind of learning. CMU is probably one of them, as are MIT, Stanford, Berkeley, Harvard and many other schools. Then there are schools that actually take attendance in class. (I would highly recommend you stay away from those.)
My best advice: pick a few schools suggested by the posters and visit the ones you can. Talk to students, go to a class, see if the kind of stuff they are working on interests you and if undergrads can get in on those projects. At Harvard for example, many departments in science have tutorials for undergrads where they can join a graduate research group.
If your company uses Visual SourceSafe for source control and you use a Mac for development, then Wine would be mighty useful! A $100 PC does not cut out the tedium of having to switch to a whole new machine to check out a file. One could use the emacs SS integration but that does not seem to work well, and it is useless if you want to use an IDE.
The only type of program I ever had a problem with in Windows 2000 are games. And they had the same problem in Windows XP, except that XP lets you run the program in compatibility mode.
In my view of the world, compatibility mode does not mean the OS is more compatible. It is a hack, and having the user fumble through trial and error ("humm...is this Windows 98 SE or Windows ME compatible?") is not an elegant solution. It simply means Microsoft realized how many customers they were pissing off if people could no longer play Pac Man.
That is the beauty of investing though. A risk not worth taking on one side, becomes a risk worth taking on the other. If they get mired in litigation and lose, investors shorting SCO win.
Hey maybe that is their strategy. They come up with more and more ludicrous claims, fool all the ignorant investors into buying up their stock, and meanwhile they are in the backoffice shorting their own stuff.
I give it a month after the first public beta is released for someone to hack up a way to run OS X/Intel on a regular PC.
>> I work as an examiner
Hopefully the USPTO is too cheap to buy windows licenses and has you guys using desktop linux instead. Hence prior art should be right before your eyes then.
Case closed. Patent denied.
HINT: tcl it a little bit, and you will reach nirvana!
5. Remember to hit insert every damn time you need to type!
6. Realize you forgot to learn how to quit VI.
7. CTRL-Z to stop the process
8. kill the process
ERRR....You may want to ask Bill if he agrees with number 4. Just a hunch: he'll beg to differ.
and they still can't wring out enough power to avoid being slashdotted...
But you still need to write custom code to plug Majix and Word (though I assume someone has that around) into BIE.
It would still be a lot easier if Word generated XML in the first place.