Slashdot Mirror


User: SanityInAnarchy

SanityInAnarchy's activity in the archive.

Stories: 0
Comments: 12,413

Comments · 12,413

  1. Re:If it 'snot good enough for the feds... on Single Drive Wipe Protects Data · · Score: 1

    2) if the feds require multi-pass wipes for non-classified data and media destruction for classified data, why should I settle for anything less?

    Because the feds are not entirely functional -- even if they knew a single pass was good enough, they might require multi-pass for CYA reasons, or because it sounds like a good idea.

    I'd like to see multiple independent studies come out and say this before I'm getting rid of my drive sanitizers.

    A wise precaution anyway. Better yet, encrypt everything before it hits the disk in the first place.

  2. Re:This is good for industry, what about end user? on Active Directory Comes To Linux With Samba 4 · · Score: 2, Informative

    Why not just create a front end for samba and distribute it with the server and client software rather than depend on distributors?

    I think SWAT was meant to be that, and it kind of sucked.

  3. Re:Well on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    Please explain to me how billions of dollars would solve this problem more quickly than it's already being solved.

    They should at least be able to match the "many eyes" advantage.

    Keep in mind all the lessons learned from the Mythical Man Month, specifically that projects take longer to complete when you add more staff to them.

    Keep in mind that this also does not apply when the project can be cleanly split up into sub-projects. I would argue Windows is easily big enough to do that.

    I think you know absolutely nothing about software development, if you think billions of dollars could magically fix a problem of this nature.

    I've worked professionally for over a year.

    No, I don't think it could "magically" fix the problem. But I find it disturbing that a budget of essentially zero often produces a better project.

    If you're educated, and you know you're opening yourself up for attack, and you still do it... well you just made my brain explode.

    Mostly because there isn't really a better option, other than "Don't use Windows", or, say, "Don't get appropriate drivers. You didn't need that device anyway."

    I just let the OS take care of it. I haven't had to manually download drivers for anything since installing Vista.

    Anecdote. While most of my own experience here has been with XP, it's not uncommon to see fresh installations of Vista need drivers.

    Having to expressly give permission for a software install to make system-wide changes is a good thing.

    Agreed.

    The problem is that when people first install a new OS, they continue to install all the apps they use... so they see the UAC prompt over and over and over the first few days, and in Vista's case, people made the bad assumption that the OS was always that way.

    Which it is, whenever you (or anything else) is trying to make changes to the system. Contrast to Sudo, which both allows the possibility of running a shell as the root user (thus escalating everything you do for awhile), and by default will only prompt you once within a given time period (I think five minutes without sudoing resets.)

    Also, apparently a lot of Vista haters have a large stable of shitty software that was attempting to write in disallowed parts of the filesystem.

    You've also described a lot of Windows users, overall.

    How would you have solved this problem?

    Give up. Write a new system from the ground up, or pick one that's close enough and has a workable license (a BSD, maybe). Support old, broken apps written for the old system via an emulation layer.

    In other words, what Apple did with OS X and Classic.

    It's not. If anything, it's a "ripoff" of OS X's authentication.

    I can't say which came first, but I do know that OS X uses sudo on the commandline, same as anyone.

    Sudo is 1. CLI-based, and so no normal human being would ever use it

    See: gksudo, kdesu, etc. And so plenty of normal human beings -- any who own an Ubuntu machine, for instance -- use it very easily.

    2. doesn't automatically run itself when needed.)

    I consider that to be a feature, not a bug -- a poorly-written app will thus fail repeatedly, not spam sudo prompts repeatedly.

    However, from the user's perspective, this is not true -- any task which requires root access will be making a sudo call somewhere. Since most apps are written to run as a user, this is exactly as rare as it should be.

    What makes it "pitiful" in comparison? I'm curious.

    Mostly the sheer number of times it occurs.

    There are a number of things Sudo does by default that UAC does not -- among them the five minute trick mentioned earlier, the p

  4. Re:Well on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    No-one in their sane mind reads their email from the server,

    Pine and mutt fans might, but I suppose that disqualifies them as "sane".

    But I think that proves the point. There's no particular reason that reading email needs to be a security hazard, other than that the server is maintained by real admins, whereas the desktop is maintained by end-users who don't want to know the first thing about security.

    Key point: Maintained. Worst I can do with Pine or Mutt is screw up my own account, which is probably backed up by the admin.

    On the servers, you only really need to be afraid of automated exploits,

    I'd argue you need to be equally afraid of manual exploits on both. That is, if the desktop in question, or the server in question, is really worth attacking, or if it's really trivial to stumble on and attack, then yes, you do need to worry about them.

    If there's nothing worthwhile on the machine, and you've taken reasonable precautions not to draw anyone's curiosity, then you probably only have to worry about automatic attacks. Probably.

    I think a server is more likely to have something valuable, and to be worth the effort to manually poke at it and see what breaks. If anything, it's more likely to have a human-detectable flaw (like a SQL injection) than a desktop, and the attacker is likely to have more opportunity to poke at it without being detected.

  5. Re:Obviously... on Chu's Final Breakthrough Before Taking Office · · Score: 1, Offtopic

    My kingdom for a mod point!

  6. Re:Well on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    desktops are far easier to attack, not because of technological reasons, but because of social ones.

    The only social one that I can think of is: Server software, and servers, have a much higher incentive to be secure, and usually much more of a budget dedicated to that. Particularly, servers will have admins to secure them, whereas most desktop "admins" have no clue about security.

    And, of course, if we count e.g. MSSQL exploits, we should also count MySQL/PostgreSQL exploits.

    Fair enough, but count actual automated exploits. As in, when was the last time we had a worm that affected MySQL/PostgreSQL? Last I looked into it, several years ago, there had been two worms to affect Linux, ever, including the Ramen worm.

  7. Re:it will never die... on Dvorak Layout Claimed Not Superior To QWERTY · · Score: 1

    You misunderstand. It's not any kind of smug superiority -- it's not that I think I'm somehow "better" for having that layout, any more than I think I'm "better" because I know my password, and they don't.

    But, it is handy that it's an added hurdle to using my system, which I don't want them using anyway.

  8. Re:Also thwarted by changes in symbol frequencies on Dvorak Layout Claimed Not Superior To QWERTY · · Score: 1

    the dvorak layout is inappropriate for most uses apart from simply typing English - such as computer programming, working with spreadsheets, linux command line usage etc.

    I haven't done any work with spreadsheets in awhile, but I can say that I never really noticed much with the Linux commandline, except perhaps a few commands which were unnecessarily awkward -- ls is where you would find p and semicolon on QWERTY, for example.

    On the other hand, the Linux commandline doesn't matter that much -- keep in mind, it was designed to be usable over a teletype, so at any decent amount of typing speed, plus tab completion, it's fine.

    Programming, it might matter more, but I find that when I type descriptive variable names, comments, etc, it's still quite a lot of English -- while : may be common, e is at least as common, and with Ruby, I find myself typing 'do' and 'end' a bit more than { and }.

  9. Re:it will never die... on Dvorak Layout Claimed Not Superior To QWERTY · · Score: 1

    As long as it's not worse -- and, subjectively, it seems like it's better -- I enjoy watching other people try to type on my computer, and fail completely.

    As long as I can do that, no, it won't die.

  10. Re:Use Emacs or vi, not Dvorak on Dvorak Layout Claimed Not Superior To QWERTY · · Score: 1

    What would make a difference would be to make sure that you can press Control, Shift, Alt and at the same time press another key without dislocating your fingers.

    See, even on QWERTY, that kind of turns me off about Emacs. In vi, you hit one key at a time, no matter what you're doing.

    Being able to move around your cursor and delete and edit things without leaving your home position can easily *double* your editing speed.

    And yet, it's still not irrelevant. You're implying that we still spend at least half our time typing. Do that twice as fast, and it's a significant improvement -- and it doesn't prevent any of the other things you suggested.

  11. Re:Palantype, Velotype, Stenotype on Dvorak Layout Claimed Not Superior To QWERTY · · Score: 4, Informative

    dvorak is fine for coding, especially when you type verbose variable names and comments -- usually in English, because that is the de facto language for code.

    You're absolutely right about thinking keeping up, but this is also like the question of burst vs sustained bandwidth. I probably type very slowly most of the time, spend more time thinking. Occasionally, though, I get a burst of insight, or I find myself doing something repetitive, like unit tests. Then, it's useful to be able to type fast -- and again, English does help.

    I would also argue that substitution outside of unit tests hints at broken design, just as reliance on copy and paste would.

  12. Re:It's interesting. on Dvorak Layout Claimed Not Superior To QWERTY · · Score: 2, Interesting

    It took awhile, but I'm at the point now where the only place I really run into problems is games -- some don't let you change their mappings, and most are not written with alternate keymaps in mind.

    WASD doesn't work very well when you're actually typing something like comma, A, semicolon, or H.

    Solution: Learned it, got very proficient at everything except games, grudgingly change the mappings in games, and re-learned QWERTY at about 30-40 WPM so I'm not completely helpless when I borrow a computer.

  13. Re:i like dvorak but stick with the standard qwert on Dvorak Layout Claimed Not Superior To QWERTY · · Score: 1

    I don't want to veer off the standard layout.

    Why not, I wonder?

  14. Re:Not good enough on Dvorak Layout Claimed Not Superior To QWERTY · · Score: 5, Informative

    What about bouncing between Dvorak and QWERTY? I assume that you've had to type on a keyboard other than your own on more than one occasion.

    Well, at first, I figured out just how easy it is to switch keymaps on most modern OSes. Unfortunately, when I forgot to change it back, I left a wake of "My keyboard is broken!" computers in my wake.

    I've actually gotten to the point where I can use both, and QWERTY is reasonably fast, though still not as comfortable. It takes a bit to get used to, and my error rate goes way up, but the difference is basically kicking me back to 30-40 WPM -- I'm typing this sentence in QWERTY to prove that point.

    But, since I have a laptop, I can pretty much type the way I want most of the time. It also is yet another customization of said laptop that discourages others from using it without supervision.

  15. Re:It's Vista reloaded on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    It will continue to support whatever functionality of your hardware your virtualization application chooses to present to the guest OS (and the guest OS knows what to do with). That's a pretty big difference.

    Not as big as you'd think -- there are purely FOSS virtualization applications, and if it's far enough in the future that it's a problem, there are purely FOSS emulation applications. A tenth the speed, but on hardware ten times as powerful, and portable to anything with a C compiler without the guest OS noticing.

  16. Re:Well on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    They'd never let some general repository keep control of their software.

    You mean like everyone else does, with Valve? Or like at least a few proprietary programs do, with Ubuntu? (Look at the Canonical repositories for one example.)

    It seems to me that the usual reaction is not rage at losing control, but relief that you now don't have to worry about developing a system for updating your stuff. It's outsourcing, and it's smart.

    The user would be trained to say "Yes" to any repository update, the same as they're trained to say "Yes" to any UAC notice now.

    There are a few silver linings, even in that nightmare scenario -- which I don't think is very likely anyway, but let's pretend:

    You still have all updates automatic and signed. Entirely too many apps, particularly freeware apps, do neither of these -- you are meant to go to the website and download a new EXE, with no way of verifying it. Your only alternative is to stay unpatched, and thus vulnerable that way.

    You also open up the possibility of third-party verification. Suppose I wanted to release a tool which had signatures for popular installers -- it would be absurd. I'd have to either sign hopelessly out of date versions, or re-download and re-sign each version, which would be a huge burden if I actually bothered to contact each company to compare fingerprints or something.

    However, with the repository, there's very likely one entity that I have to sign -- the set of currently valid keys for that repository. Once I've got those, it's possible to release new keys signed with the old keys, and it'd be very easy to verify those -- but there would be less work overall.

    So, it's entirely possible that a third party, or even Microsoft itself (Windows Logo Repositories, maybe), would provide a single point of trust for the user. Install that, and all those other repositories are as secure as it is, and you've still got some protection against the "CILK YES" repository.

  17. Re:Well on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    You make it sound as if this is something Microsoft isn't already hard at work on, but, maybe, JUST MAYBE, the decades of old code take more than 10 seconds to inspect and fix?

    Considering that Microsoft has billions of dollars to throw at the problem, and still manages to do worse than Apple or Linux, I think it's reasonable to assume that they're either not working as hard as they could be, or they're simply incompetent.

    And get nailed by more anti-trust actions?

    Don't you think this would help with antitrust? They already have a package manager -- it's called Microsoft Update. It's currently tied to Microsoft products, and cannot easily be used for anything else -- kind of anticompetitive. Opening it up means that competitors (Firefox, Openoffice) can distribute updates via the same mechanism.

    Suggesting there'd be antitrust problems with this is like suggesting that porting IE to Linux and OS X (again) would be an antitrust problem.

    The only suggestion on your list which is both possible and not already in-progress.

    It does, however, rely on the other ones. No matter how educated I am, every time I download an unsigned binary over vanilla http, I open myself up for attack.

    You mean like Vista already does?

    Question: Has Vista finally disabled autorun by default?

    And out of curiosity: On Vista, what is the recommended way of obtaining the basic stuff I need, including drivers (which will run in Ring 0), which the OS encourages? Is it at all secure?

    And no, bugging your users to the point where they have to disable the UAC service is not "encouragement", it's "badgering". I realize it's a ripoff of sudo, but it's a pitiful implementation compared to the way sudo actually works on other OSes.

  18. Re:Authenticode for free software repositories? on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    Does your proposal include requiring every developer to pay a CA $200 per year for an Authenticode certificate?

    Of course not -- although I would think that a single certificate would be valid across multiple apps, and that $200/year starts looking less difficult as you do more...

    But no, all I'm proposing is that PKI is used, along with some kind of chain of trust.

    Keep in mind: On most Linux distros, every package is compiled from source, and then signed. Clearly, there are people willing to do this. If Microsoft ends up forcing $200/year, I'm sure competitors will emerge.

    The important point is to make the package manager able to use other repositories and other sets of keys/certs. Right now, both Windows/Microsoft Update and Apple's Software Update are each tied to a single source -- contrast this with something like Debian, where apt can plug into any repository I choose.

  19. Re:Well on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    Servers on any OS are harder to attack, because most viruses (in fact, all viruses, if you go by the strict definition of a computer virus, as opposed to a worm) require human interaction at some point to aid them.

    However, servers of any OS are much easier to attack with, say, a worm. With a desktop, you can just put the entire thing behind a firewall, and not accept any incoming connections, meaning you have to trick the user into coming to you, and clicking "yes" a few times.

    With a server, it has to sit there, and it has to keep a few ports open.

    With a desktop, chances are the crappy, custom-written software can do its job without connecting to the Internet at all. Even if it does, it still very likely requires a sophisticated man-in-the-middle attack to exploit.

    With a server, your crappy, custom-written software must be listening for connections, meaning people can find SQL injections (or outright stupid design) at their convenience.

    With a desktop, you still need to run a server somewhere to infect it, and each successful exploit is likely an already malware-laden machine, not particularly high-end, with whatever connection the user can afford, and only when it's on and connected.

    With a server, the payoff is likely a very fast machine with access to a lot of bandwidth and storage -- in some cases, as much as you can use, with the only downside being that it will cost them more when they find out.

    So, servers are in many ways easier to crack, and certainly provide a juicier target, than clients. And we see that, in fact, there have been a number of successful worms which attack Windows servers. The attacks on Linux servers seem to be fewer and far less successful. Last I checked, the relative marketshare made this even more impressive -- because this was true before Microsoft had anything close to a competitive server marketshare.

    With desktop, all that's really needed is tricking the user into opening an infected file one way or another.

    On Linux, you also need to trick the user into either opening an archive (and then an executable file inside it), or into saving a file, then making it executable, then opening it.

    There's a lot less of a chance for someone to accidentally run a foreign program. There's also a lot more chance that savvy users will use the package manager, if deliberately installing software, rather than download a random file from the web -- so typosquatting things like mozilla.com or openoffice.org will buy you nothing, unless you also get the Ubuntu package signing key.

    On Windows, you don't really have an alternative for savvy users. If you want to install software, you're extremely unlikely to get a signature for it from a source you trust -- your choices are to either buy it in a box, or download it, with little assurance either way that it's clean.

    you also need to trick the user to click the confirmation prompt to access files.

    On Ubuntu, you'd also have to trick them into entering their Sudo password.

  20. Re:Well on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    Lies, damned lies, and statistics.

    First, look at the outliers. There are some crazy ones -- known vulnerabilities which go unpatched for years.

    And, how accurate are those "time to resolution" figures? If Microsoft doesn't announce a vulnerability until they're about to fix it, how does that address "time to resolution"?

    Finally, what's actually measured? Quite a lot of these studies will compare an entire distribution with just Windows.

    I'm not saying that it's impossible, but it seems unlikely, and it's actually really hard to get unbiased numbers, either way.

  21. Re:Well on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    Why is Linux absurdly exploitable then?

    I don't think anyone said that, except you.

    My Linux webserver has been exploited a couple of times, even though it was kept up to date with the latest security patches.

    Mine hasn't, ever. It's been running for about the past seven years.

    And while I have worked with Linux shops which have had security issues, there was never an actual breach while I was admin.

    I think your story says more about you than it does about the relative security of Linux.

    Every OS is exploitable, even the most hardened security system can be exploited.

    Firstly, that's complete tripe, and you know it. It's trivial to write an OS which can't be exploited. Just don't write any network drivers, problem solved.

    Also: I'm betting you haven't seen particularly hardened security systems. It's true, they aren't necessarily Linux.

    Don't kid yourself that Linux or OS X won't have the same amount of viruses Windows has now if it had a 90% market share on the desktop, because they would.

    Well, I'm not the one whose machine has been pwned, so I could appeal to authority here...

    To get a virus to run on Linux, I have to: Download it, or save the attachment. Then, find the file and give it execute permission. Then, click on it.

    Or, I have to download it, then unpack it, then click one of the files.

    On Windows/IE, I have to: Click a download link, click "open" at the prompt, and game over. In Outlook, I have to double-click on the attachment.

    Things have changed since then. Windows has added a few "are you sure?" boxes, but the fundamental result is the same: You have to actually know what you're doing to execute a "linux virus", unless it finds a vulnerability in some software.

    Would more focus make a difference? Absolutely. But even if any OS can be exploited, it's not equally easy to do so.

    Consider one more thing, then I'm done: On Windows, if I put a CD in, or mount a network filesystem, or plug in a USB stick, and it has AUTORUN.INI on it, game over. There's an obscure registry setting to disable autorun -- if I recall, it also disables some of the nicer things that happen, such as automatically launching a media player (or offering to) when a music CD is inserted.

    On Linux, I still get prompted for various actions with a CD -- such as play the music CD, rip it, watch the DVD, etc. But no executable code is actually loaded from the disk -- it's usually mounted "noexec", instead, meaning no executables can run on the disk, even if I click on them. The one exception is a distro upgrade disk, but these are cryptographically signed.

    Remember how I mentioned my Linux server got hacked? Well, it invoked a javascript code that redirected to a PDF file on all my sites, and when I visited my blog, Acrobat automatically opened it without even prompting (bad Acrobat! Bad!) which contained an exploit with Acrobat itself that infected my PC. Had to format.

    Which has what to do with Linux?

    Ditched Reader and installed FoxIt instead.

    ...which has what to do with Linux?

    Some more food for thought -- while there is a version of Adobe Reader available for Linux, PDF is now a standard, and most of them will work with other, lighter, more secure readers.

    Now, keep something else in mind: Your webserver has to accept connections. An end-user machine doesn't. There is no reason it should be possible to plug a machine in to the Internet and have it infected -- in seconds, not minutes -- clearly before it has time to fetch any patches.

  22. Re:Well on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    Instead, computers are going to have to be more secure by default,

    True, and yet, there is a limit to how secure you can make it, and still have it be usable. There's a point where I'll gladly trade a bit of security for a bit of convenience.

    There needs to be a base amount of security for education to matter -- if the only effective measures are "Don't use the Internet, don't put any disks in the computer, ever..." then the battle is lost; users won't care enough.

    But, there needs to be a base amount of education for the security to measure, unless they are using Fisher-Price's My First Computer. I really hope it doesn't come to that -- I kind of like my computer to be useful.

  23. Re:Well on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    Have you disabled (in the registry) autorun/autoplay for all drives?

    Yes.

    I also very rarely mount anything on Windows in the first place -- I don't use Windows as my primary OS. If I had to, though, that seems like an acceptable solution.

    I used to think along the lines of what you're describing, until my Vista PC got infected by a virus which came from the factory on a USB mp3 player.

    Clearly, you didn't know what you were doing.

    I'll agree, it is broken that autorun is enabled by default. However, it is also broken that most users are trained to click "yes", "ok", "I agree", etc without thinking, just to get through the dialog box.

    And may I ask, what do you think now? What are the odds that, if you've got a virus which came from the factory, that your particular brand of antivirus has seen it already? For everything it blocks, someone must've been hit first. Any "learning" capability brings with it the possibility of false positives. And, all around, most antivirus will have a bigger impact on performance and usability than the actual virus -- the "cure" is worse than the disease.

  24. Re:Nice kneejerk reaction. on Stimulus Bill Contains Net Neutrality Provision · · Score: 1

    As for the pipe, there's no need to run more pipe

    Suppose we're talking about a different kind of pipe. Maybe a water pipe.

    After all, we do pay for our water usage -- why not have many different water pipes, to give power to the consumers?

  25. Re:I read, I downloaded, I installed on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 1

    You're right. How dare Microsoft have the audacity to release beta software with glitches in it. Is it like they expect us to do their testing for them or something?

    This was exactly what was said about Vista, right up until it was released.

    And when released, it was exactly as bad as we said it was, and worse.

    What you have to realize is that Microsoft is on the KDE4 versioning scheme -- Beta is Alpha, release is Beta, and service pack 1 (or minor version 1) is a release candidate.