You're mixing concepts. Darwin is the open-sourced BSD-based core of OS X. That can be (note I'm not saying it is, but it can be) emulated pretty easily in Linux. The problem is when you try to do it with any of the libraries above Darwin, i.e. quartz. If you try to clone those libraries, Apple will hit you with a lawsuit so fast you'll wish you were being sodomized by Bill and Steve. The short answer is, no. No OSX apps for you.
Company dies, investors seek an exit... Next on slashdot: Pants put on, one leg at a time.
Take a look at the owner of the services on your box. SYSTEM isn't just an internal thing, it's an actual account. Think root^2
But, that's not to say I lack ethics, am a cracker, or am out to get my client.
How many times have we all heard, duhh.... I forgot my admin password, but I can't reinstall, I need the data.
So yes, I backdoor, and I document it internally (hardcopy stored in a safe). It's just an extra insurance policy for when some moron that I worked for 6 years ago does something stupid.
That said, coding backdoors for the sake of getting access to a web farm so you can host your own services is certainly a bad thing(tm). But hell, what are you gonna do? Everyone backdoors. Don't believe me? Watch someone 'in the know' log in to a random Windows box using the System account and come talk to me.
All of a sudden, those old ten dollar cd-roms become THE pirating tool. Everyone should stock up, the value will skyrocket!!!
Incidentally, I have about 60 in my basement. Will sell for the low-low price of $500 each!
RANT
The current state of video on Linux sucks ass. Especially on RH7.2. You don't want to have to patch your kernel or change distros? Ok, I can see that. Don't want to install Gnome2? Hey, it's your decision.
/RANT
All that said, if you don't like it the way it is, break out your Emacs, and write something better, otherwise, quit bitching!
Enough of these stupid reviews, you have all the code of these shitty projects. Rewrite the GUI for one. What? You don't feel like it? Then stop bitching.
Developers code this stuff to work how they want, they're sharing it out of the goodness of their hearts (politics and BS aside, they really don't have to, and no one can make them). Be grateful it's out there at all, and quit bitching.
Responses that are sure to follow:
I don't think they really care... And I don't think the RIAA will really try hard to challenge them. Why?
We all know this RIAA shit won't hold up in any court where any technical knowledge at all is available. We also know that only the likes of Apple and M$ have the cash and resources to provide a true legal test to MPAA/RIAA.
So, while I'm personally against piracy, even if I wasn't, a single p2p network is still a good thing. I'd love to have some popcorn and watch an Apple/RIAA match. They'd cease to be an issue.
Yeah, you're right. Heaven forbid they take away our right to do something illegal.
What if this network has DRM? Or forces you to prove you own the CD? Or reads your mind to see if you own it? Or whatever the hell else Apple comes up with?
And what if it is a target for RIAA? Once the software is out, it's out. Corporations know this as well as we do. They'll ship it, go to bat with RIAA (lose), but the p2p plugin will already be out and floating on every newsgroup across the globe. So great, Apple stops shipping it (and presumably keeps competition down like it did here), the plugin is still out, and it's still that single, united network, the one that would be so nice.
I'm sure redhat desktops are important to you, but get your head out of your ass, stop being a typical troll, and think a few steps ahead.
The next release of iTunes is slated to include P2P technology over Rendezvous(sp).
As much as I hate to see projects killed, in this case, it's not necessarily a Bad Thing(tm). In Windows-land, I've got a plethora of networks to hound for one file, depending on who has it. With my Mac, I'll only have one, and if the file is out there, it's on that network.
Like I said, killed OSS projects are bad, mmmkay? But, a single, united, SUPPORTED p2p network is (maybe) worth it.
But the CC info bothers me. Presumably, this is a corporate drive that got resold (Unless you know of 170 ppl with 25 credit cards a piece, in which case it's time to re-evaluate the financial system in this country).
Personally, I have a standing policy in my department to take apart every HDD, take a magnet to each platter, and send the platters to Iron Mountain for destruction. Then again, we deal with large financial institutions, so we have to be extreme and obsessive-compulsive, which brings me to my actual point:
This stuff should be regulated. If you store personal info on an HDD for business purposes, you should have a legal responsibility (i.e. one that comes with repercussions if not met) to ensure that even after a drive is retired, the data is safe.
Just my $.02
Was this post written by wetware or hardware?
In all seriousness, the Turing test is really old hat. We've had Eliza the shrink for years, hell, I remember in a CS class a story about an app that emulated a paranoid schizophrenic that talked with Eliza.
We've passed the test. It doesn't really mean much as far as AI goes, what's the point? Emulation is NOT simulation. A parrot can emulate a human, that doesn't mean he thinks like one.
The Open Web Application Security Project (OWASP) is dedicated to helping organizations understand and improve the security of their web applications and web services. This list was created to focus government and industry on the most serious of these vulnerabilities. Web application security vulnerabilities are highly exploitable and the consequence of an attack can be devastating. These vulnerabilities represent an equivalent magnitude of risk as network security problems, and should be given the same degree of attention.
Using this list, organizations can send a message to web site developers that "we want you to make sure that you won't make these mistakes." The security issues raised here are not new. In fact, some have been well understood for decades. Yet for some reason, major software development projects are still making these mistakes and jeopardizing not only their customers' security, but also the security of the entire Internet. You can download the entire report in PDF format here.
Top Vulnerabilities in Web Applications
A1 Unvalidated Parameters
Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
A2 Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
A3 Broken Account and Session Management
Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
A4 Cross-Site Scripting (XSS) Flaws
The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
A5 Buffer Overflows
Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
A6 Command Injection Flaws
Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
A7 Error Handling Problems
Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
A8 Insecure Use of Cryptography
Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
A9 Remote Administration Flaws
Many web applications allow administrators to access the site using a web interface. If these administrative functions are not very carefully protected, an attacker can gain full access to all aspects of a site.
A10 Web and Application Server Misconfiguration
Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
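As an added example (not part of the OWASP report or this page), the following Python shows A1 and A6 together: a request parameter spliced into a shell command string beside the hardened form, which validates the value against an allowlist and hands it to the OS as a single argv element with no shell. The hostname grammar and the ping wrapper are assumptions chosen for illustration.

```python
import re
import subprocess
from typing import List

# Allowlist for the "host" request parameter: RFC 1123-style labels joined
# by dots. Shell metacharacters, whitespace and quotes cannot match, so the
# A1 fix (validate before use) also closes the A6 hole for this parameter.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def validate_hostname(raw: str) -> str:
    """Return the parameter unchanged if it fits the allowlist, else raise."""
    if len(raw) > 253 or not _HOSTNAME_RE.match(raw):
        raise ValueError(f"rejected hostname parameter: {raw!r}")
    return raw


def build_ping_unsafe(raw_host: str) -> str:
    """The A1/A6 pattern: the raw parameter is concatenated into a shell
    string, so a shell would interpret whatever the client sent."""
    return "ping -c 1 " + raw_host


def build_ping_argv(raw_host: str) -> List[str]:
    """Hardened form: validate first, then build an argv list. With no shell
    in the path the value can only ever be one argument to ping."""
    return ["ping", "-c", "1", validate_hostname(raw_host)]


def run_ping(raw_host: str) -> subprocess.CompletedProcess:
    # shell=False (the default) plus a list: no command interpretation.
    return subprocess.run(build_ping_argv(raw_host),
                          capture_output=True, text=True, timeout=10)


def parameter_is_safe(raw_host: str) -> bool:
    """Check a request handler can call before touching the OS."""
    try:
        validate_hostname(raw_host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values standing in for the "host" query parameter.
    for sample in ["example.com", "web-01.internal.example", "example.com;extra", "a b"]:
        print(f"{sample!r}: shell string={build_ping_unsafe(sample)!r} "
              f"accepted={parameter_is_safe(sample)}")
```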
Press Release
Washington, D.C. -- A new report detailing the ten most critical web application security problems was unveiled today by the Open Web Application Security Project. OWASP is dedicated to helping organizations understand and improve the security of their web applications and web services. Download the report from the OWASP website at http://www.owasp.org.
"The OWASP Top Ten list shines a spotlight directly on one of the most serious and often overlooked risks facing government and commercial organizations," said Jeffrey Williams, CEO of web application security firm Aspect Security. "A stunning number of organizations spend big bucks securing the network and somehow forget about the applications."
These flaws are surprisingly common and can be exploited by unsophisticated attackers with easily available tools. When an organization deploys a web application, they invite the world to send HTTP requests. Attacks buried in these requests sail past firewalls, filters, platform hardening, SSL, and IDS without notice because they are inside legal HTTP requests. Therefore, web application code is part of the security perimeter and cannot be ignored.
"This list is an important development for consumers and vendors alike," said Stephen Christey, Mitre CVE editor. "It will educate vendors to avoid the same mistakes that have been repeated countless times in other web applications. But it also gives consumers a way of asking vendors to follow a minimum set of expectations for web application security and, just as importantly, to identify which vendors are not living up to those expectations."
"This 'Ten-Most-Wanting' List acutely scratches at the tip of an enormous iceberg," said Peter G. Neumann, moderator of the ACM Risks Forum. "The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense."
The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteer experts from across the world. Project chair Mark Curphey said, "the OWASP Top Ten Project was formed to capture our collective wisdom and present it in a way that would bring the attention web application security deserves."
Questions or comments about the OWASP Top Ten should be sent to: topten@owasp.org