Nobody wants to expose all their internal addresses. Period. Which part of that can you dumb fucks not understand? No organisation is going to want to implement that.
Exposing your internal addresses should be irrelevant to security unless you're doing something else wrong. Those of us that understand that are OK with our internal addresses being exposed and want them to be. A lot of organizations already do implement that even with IPv4. Which part of that do you dumb fucks not understand?
That does nothing to solve the problem. Even if they somehow got a trusted CA to sign a separate routerlogin.net cert for every router they made an attacker could still use any one of them to spoof.
Lawns and streets and certain radio frequencies are not the private property of AT&T and Comcast (FTFY). You are quite naive if you think that they have to have access to this property. If people and local governments do not give them access to this property, they would not exist.
Except a brief run of ha-ha before the mail spools get moved off to their own partition which is mounted no-exec.
Well I hope they aren't laughing too hard. They forgot /tmp, /var/tmp, /var/run/exim4, /var/log/exim4... and anywhere else the exim user can write to. And of course, none of that would actually prevent exploitation anyway since they are already able to execute arbitrary commands as root without creating any executable files with 'exim -C' as the exim user and ${run ...}.
It wasn't specifically reported as a security bug 2 years ago which is probably why the fix wasn't backported to debian. Someone probably went through the bug reports looking for a potential security bug that wasn't recognized as such and developed an exploit.
Droid, autonomous device that empowers the user through its open architecture.
Can you tell me when they're going to follow through and actually deliver this "empowers the user" and "open architecture" stuff people keep talking about? I have a droid 2. It came with some "CityID" nagware that asks me if I want to continue using the trial version every time I hang up a phone call. It also came with Quickoffice (some office suite, I guess) which a couple weeks ago sent me some notification saying the "professional version" or whatever was on sale that day. I'd like to get rid of all these worthless apps but the phone won't let me uninstall them - the option is greyed out. I'm not feeling very empowered.
Re-read. I did not say that Mozilla shouldn't provide an automatic plugin installation method because it would be bypassed. I said it is impossible for Mozilla to _prevent_ automatic installation of plugins.
They cannot add to the list without using the public key to crack the private key,
Or trojaning the program that prompts the user for the passphrase to intercept the passphrase or just install their malware at that time.
Microsoft, Apple, or Google wouldn't want to have headlines about how they are erasing user passwords just to install obnoxious toolbars.
I don't give them quite so much faith. You'd think they wouldn't want headlines about secretly installing obnoxious toolbars at all, yet here we are...
Because they can't make it impossible. If they do that installers will simply start directly modifying whatever file contains that list of explicitly approved plugins to add theirs to it.
Uh... no. You're wrong except for the part about unwanted messages not being delivered in the first place being better than just delivered to a special place. I've been doing that with plain old SMTP for years though.
they have said in the past if steam were ever to go offline permanently they'd patch all the games to remove the steamworks drm.
Where? Someone says this in every single steam discussion on slashdot, but I have yet to see it ever substantiated. Why don't they just say that in the terms of service if it is indeed the case?
At least if my desktop PC becomes infested with malware I can go to best buy and have it removed and possibly get better at not acquiring it in the first place. With Android phones the drive-by browser exploit malware installs have been replaced by uninstallable carrier-installed malware. Instead of popups about fake virus software I get notifications asking me to upgrade QuickOffice for 50% off and a message from City ID, whatever the fuck that is, asking me if I want to continue my trial or have it ask me again later every time I end a phone call.
Run the app to root the phone. You can wreak plenty of havoc.
Like uninstalling this uninstallable piece of crapware on this verizon droid 2 which asks me if I want to buy or continue a trial after every single call when I hang up on?
That's not necessarily true. One could still do something like "type > file" or "copy con file" or whatever and have something on their client machine that automatically sends keystrokes to create the remote file (perhaps using alt-NNN as needed for special characters).
Lockdown is becoming increasingly common in the Android phone world. Soon you may not have much of a choice. Are there any completely open android phones sold today aside from the Nexus One?
Well other people do. I wouldn't mind fewer machines in botnets trying to send me spam or DDoS me off the net.
Sounds like some pretty neat duct tape.
Does any IDS or IPS actually do that?
It might be covert if you support starttls. I agree, best to apply the patches...
Impossible to configure? No, not really, even in v3. It is actually pretty nice to use if you have a complicated configuration.
Are there any android phones that are actually open besides the Nexus One/S?
The tenant is no longer there. Is the house still standing? Yes or no?
Oh I'm sure the shysters in their legal department could come up with some weasel words to throw into the license blab to make it "consensual".
In the hypothetical situation the last poster came up with where some list of authorized plugins is signed or something...
Encrypted with a key stored where?
Kind of like how end users having direct control over their PCs has resulted in nearly all PCs made over the past 35 or so years being bricked?