A recent Technet (http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx) article claims that using the customErrors tag to set all error types to return the same error page will fix this security hole. But according to the research paper (linked in another comment), the POET tool can simply check the HTTP return code. I don't know enough about ASP.NET and IIS, but is the MS Technet blog article totally off here?
In one aspect, we can all thank Microsoft for this one with their MCSE mills which turned out a bunch of talentless mouse jockeys. Mind you, not ALL are talentless... but a lot I knew from the boom were. This had the unfortunate effect of tainting a bunch of people who really didn't care about much more than dollar signs.
Though I haven't been in the IT industry long, and am not a high-paid tech (yet), this makes perfect sense to me. The dot-com era was a gold mine for a few years there, and many people with little or no real interest in technology jumped on the bandwagon in hopes of making a living. However, what about young people such as myself who are genuinely interested in technology and are working towards certs/BSCS in today's less than perfect IT industry? Do up-and-comers with real desire have a chance to prove our worth?
One of my favorite repositories of internet "crap" is textfiles.com. In addition to the abundance of text files from old BBSs, Jason Scott has several DEF CON conferences in mp3 format among other interesting technical audio files.
Not completely true. In addition to being owned by Microsoft, Rob Enderle also makes little sense.
"Because the key ring was so large it was easy to find and exploit. This is not to say the approach of having a single, master key was more secure, only that the fix actually didn't mitigate the problem at all, in fact it actually made the keys easier to find."
What is he talking about? This analogy was pulled straight from the man's ass, obviously. He's comparing the virtual size of bits to the physical size of a keyring. Sure, sizes of files are noteworthy to crackers, but any decent sysadmin memorizes his 'keys' anyway. What a stretch this one was.
"For example, if a virus targeted Microsoft Office and an enterprise deployed Apple systems running Office, for compatibility reasons, that enterprise would probably be damaged by the attacks."
This is simply not true. I can point to the example of Internet Explorer exploits that only worked on Apple versions of the software (www.w00w00.org, I believe). I'm sure folks here can come up with a hundred examples of why this is not true. Summed up, the same applications work differently across different architectures. It's half of the reason why non-monoculture works well to secure networks. (The other half is having different OSes.)
"But he penetrated the site in under a day by attacking another company which had trusted links into the IBM-secured site."
I'll lay a bet this other company was running Windows servers.
"One of the biggest problems caused by diversity is that it become very difficult for the IT staff to maintain equal competence on all platforms."
Here is the only good point this guy makes, and he makes it at many different points throughout this article, but in different wording each time (I'm assuming he was having a hard time finding something constructive to say). There is an easy solution to this: use Linux on the entire network. There's a secure AND cheap solution for small, medium, and big businesses! In addition, having servers run Linux, and Windows on the client side (assuming your clients aren't smart enough to learn Linux), isn't an entirely infeasible solution.
Seriously though, Rob is making non-monoculture sound more difficult than it may be. As far as cost goes, since no one has done enough research to balance cost against security in multiplatform networks, he can't assume that the costs will outweigh the benefits any more than the anti-Microsoft security experts can do the opposite. The basis of his article relies on speculation at best.
Quote from article: "You have to ask yourself this: is there an advantage to having a proprietary standard in your country?" he added. To adopt unique regional technologies would mean "not participating in the rest of the world because you have a proprietary standard, and not being able to inter-operate with the rest of the world. I fail to see the benefit".
Proprietary standard? There is something here I don't understand. What exactly are these Asian governments doing? It is not possible to turn Linux proprietary; its use is copylefted under the GPL! What the hell does 'proprietary' have to do with anything? Are the Asian governments making a 'Linux-like' OS? Perhaps they should call it LnLinux (LnLinux is not Linux).
d
If you are serious about selling Linux, you have to advertise. Not only that, but you have to advertise more than just in Linux magazines and on the internet.
You really want to sell Linux to the average Joe? You want the masses to understand what Open Source software is really about? Start a TV commercial marketing campaign with groovy catch phrases and a touch of humor. Of course there is always the issue of how this is going to get paid for... who's got the big bucks around here?
Now, you won't be able to explain what Open Source is in a 15 second commercial, or even a 30 second commercial. But you will have the curiosity of the masses, and the word 'Linux' in the vocabulary of the average American Joe, which is all you really need.
Some of the other replies make some good points. I would just like to add that it seems to me that one of the vids linked from that article advertises actions that are less "controlled" and more "sporadic", such as the effect of a biped model being knocked down to the ground or blown up. The site seems to suggest adding these unpredictable actions to your already strictly defined animation. So, you as the animator show your model how to wave "Hello", and then let the GA take over when you blow him up with TNT.
Dan
I doubt that "your favorite car" could be built by a genetic algorithm. The whole idea is that you get something that you wouldn't expect. Now, you might be able to get some "interesting cars" out of them.
For those of you interested in a small open source project that deals with genetic algorithms, using Artificial Neural Networks, check out this sourceforge project:
http://sourceforge.net/projects/annevolve/
For a couple of months I played Dark Age of Camelot and joined a large guild that had several female players. A lot of these folks knew each other IRL as well. In fact, the two leaders of the guild were both females IRL, and damn fine RvR players.
d
p.s. This one's for you, Valkrye of Keepers of Vallhala.
Some people also work 40 hours a week. The stigma anti-gamers have with us "addicts" is that we are spending that 40 hours doing something "unproductive." To you I say it's called a "hobby." Mind your own damn business! Whether I choose to golf in my free time, masturbate, or play Evercrack, it is none of your beez.
I love Linux as much as the next guy, but come on...
There are still idiots like Anonymous Coward who use MS, and there always will be. That's not so bad though; if everyone wasn't too lazy to think, I might not have gotten my next programming job. Yay for me!
Hm, maybe my shrink can stop my computer from suddenly going Blue Screen Of Death - MINUS TEXT - on a nightly basis. After all, it's only my own screwed up brain!
Of course now I have to blame Microsoft for my high shrink bills, so I still have a reason to hate MS!
Dan
P.S. This happens about a month after I reinstall ME, so I installed Redhat 8.0.
Is it any surprise that you have similar complaints about small MUDs and MUSHes? I mean, sure they aren't the same class of complaints, but they are certainly related. 'Lack of staff support' is a huge problem on MUSHes these days.
Maybe online roleplaying gaming itself is doomed to failure. Diablo 2 suffers from much of the same problems as EverCrack.
Perhaps there will one day come a company that realizes that customer support and good game design will attract far more new customers and keep way more old customers loyal to the game.
In the meantime, I'll be playing Counter-Strike.
Yes, script kiddies (or at least semi-intelligent crackers) run Linux more so than Windows. They use it to break into the Windows systems.
As for how free == better, well, that's why Eric Raymond and others have written books on the subject of Open Source. Read 'The Cathedral and the Bazaar' if you have not explored the argument for Open Source.
"Please! Now you are just getting grandiose. The primary beneficiaries of the Gnome foundation's work are companies that sell products that incorporate Gnome and rich kids who like to play with it. Most computers in third-world countries are hard-pressed to run Windows 3.1, much less a GUI like Gnome."
I assume you visit many third world countries or you wouldn't be making this statement? If so, I cannot argue because I haven't been. Well, maybe Gnome is premature as a charity. Once third world countries have computers that can run it, I'll donate to Gnome.
Where are the modern civic scientists? How come they are not important government officials any more?
I am skeptical of anything with "Nigeria" and "Email" in it. Sorry, Dan
Ack, I've been Trolled!
Make love, not war,
Dan