First, is this whole process secure? For instance, what's to stop something from implementing ctrl-left-click and providing their own menu, where "secure keyboard" does nothing? But more importantly:
Now if only this option could be automatically activated for the time of a sudo/su/ssh/whatever password prompt (and be available on other virtual terminals than xterm) it would be very useful.
And what happens when they're already doing a MITM on your xterm? I know that sudo/su/ssh/whatever generally automatically force to read from a terminal, but that's not enough -- you can run them from inside screen, which proves another app can provide a "terminal" device between them and you, and once you have the password, you should be able to find some way, somehow, to grant yourself root through some command that doesn't force xterm exclusivity.
That brings up another point -- it's not just X-level keyloggers we have to worry about. Screen is proof of how easy it would be to implement a PTY-level keylogger.
You are correct that it would be possible to accidentally approve something, but you would have to hit the left arrow key (to move the focus to the allow button) followed by 'Enter'. By default, the "Cancel" button is selected on the UAC prompt, so just hitting enter would deny access to whatever program is trying to access restricted resources.
So it's not a security flaw, just a UI flaw. I don't want to hit "cancel" by default either. In fact, I don't want to hit anything by default. I want to have to acknowledge that I'm going to actually pay attention to UAC now.
As for dialogues popping up being rude and annoying, I belive that's the point. Programs that are written properly, should not write to areas that the user doesn't have access to during normal operation.
Let's try this: automatic updates automatically prompts me that it's time to download something. It interrupts what I'm doing, but I go ahead and click ok anyway. Then automatic updates finishes a download, and it's time to start installing. Automatic updates prompts me again for my password.
OS X updates already do this, but rather than pop over what I'm doing, they pop a dialog under what I'm doing, and bounce the dock icon. Unless you're extremely sloppy/lazy and have some 30 or 40 dock icons, all set to autohide, at least 5 of them bouncing at any given time, bouncing the dock icon is a good way to alert the user that something needs to happen. On Windows, the rough equivalent is flashing the pager button (where things minimize to). Making a new taskbar icon (by the clock, as Windows Update does now) is not a good way, because most people don't know what those are, and there's nothing to suggest that this particular one is demanding your attention.
And popping something up in front of the user is bad enough, but blocking out all other action is just obnoxious, because if you've used Ubuntu or OS X for long, you know that there are plenty of things that can and should require a UAC-like password prompt. If I was developing a Windows app, this would make me put an "are you sure" box in front of every time my program might trip a UAC prompt, so users know they're about to lose control of their computer -- and that's just a retarded design. Come on, an "are you sure" box in front of an "are you sure" box?
Anyway, making the box less annoying doesn't make it less likely that people will start developing their apps properly.
I can't say for certain but I don't think it's possible to produce a fake UAC prompt that behaves in the exact same way that the authetic one does. Authentic looking or not, a fake prompt put up by rougue code could certainly grab the user's password, but what would it do with that password?
Let's see:
Login to localhost with RDP, FTP, Samba, VNC, or some other service
Invoke runas, or some other setuid-like or sudo-like app. Or does absolutely everything have to go through UAC? Does runas actually throw up a GUI UAC prompt?
Email the password to someone who'd have a use for it, such as:
Logging in physically -- your roommate, or maybe it's a public terminal
Trying your password elsewhere, in case you use the same password for your email, your internet bank, whatever
I don't think absolutely every attempt to gain higher local privileges requires the almighty Allow button. If it does, that's pretty annoying -- it prevents ssh from working very well, for one thing.
SSH is a good idea here, but the implementation won't work for what I'm describing.
The problem is that Unix permissions are pretty flat. Root has access to everything, users only have access to their own stuff and their group's stuff. It's impossible to have a user that acts as root to another group of users. The idea would be to have my "sanity" user, but then a "sanity/firefox" user which only has access to ~/incoming, but which my "sanity" user has access to all of -- make an actual hierarchy of users.
Of course, that's if we want to do this in roughly the SSH model. I think someone mentioned another way to sandbox Firefox.
Does Plash also prevent Firefox from moving your mouse and clicking "open" in that dialog? Or simulating an "enter" keypress?
But it doesn't seem like it's on as deep a level as I'd like. It's better, but it still means that once I send a document to Firefox, I have no idea what Firefox will do with it. Still, that is a lot better.
Couple of obvious unintended consequences: It's not just the foot. DRM means the gun is designed not to fire at anything declared a "friendly" target (DRM), making it useless for law enforcement officials should the gun manufacturers themselves turn to crime. Plus, it still doesn't work: People will be able to blow their foot off now, it'll just happen a lot less often, and there's a chance that when shooting at any random object, the gun will jam and decide it's a friendly target (decide you're trying to crack the DRM).
No, it's too much plot for your typical porno. But it also has other things to keep you interested:
There was a man who sat each day looking out through a narrow vertical opening where a single board had been removed from a wooden fence. Each day a wild ass of the desert passed outside the fence and across the narrow opening -- first the nose, then the head, the forelegs, the long brown back, the hindlegs, and lastly the tail. One day the man leaped to his feet with a light of discovery in his eyes and he shouted for all who could hear him: "It is obvious! The nose causes the tail!"
And simply having it be about sex doesn't prevent deeper thoughts. The concept of sexual addiction is an interesting one, even outside of a porno. Plus, pornos don't need to have plots like "sexual witches destroy a whole planet".
It doesn't have to. The question is, can it do everything you need it to? Or close enough that you want to save yourself $50,000? Close enough that you could spend $25,000 to hire a programmer to add the functionality you need?
I realize it may not even be at this point yet, but saying it has to do everything Pro Tools does is like saying MySQL has to do everything Oracle does in order to be useful.
Oh, and note I said "more accessible", not "better". You said it would never be as accessible as the tools you mentioned, I'm suggesting it already is more accessible than one.
Think about it and you'll realize the fallacy of your logic. If you allow the user to route anything as high priority, and limit the high priority bandwidth, you get precisely what we have now.
How is that even remotely like what we have now?
For example, voip has high priority, 911 calls: highest.
And if I wanted to set that for myself, I could, without interfering with anyone else.
Right now the telecoms and ISP are very fragile if there's a "boom" of high bandwidth content, like happens with p2p downloads.
Boo hoo. It's their fault for not preparing for it. They made the same mistake we're making now, assuming that it will be decades before anyone needs 64-bit computing, but we'll be hitting the 4 gig RAM limit soon.
I'd rather have the essential services guaranteed and less emergent ones with lower priority.
I'd rather have the services I want guaranteed. Obviously I want my 911 calls prioritized, but will they support all VOIP, or just Skype? Will they make Gtalk audio fast? What about games? I don't want to lag in my game, but they can't be expected to know about every single one -- what about a game I just wrote? And what's to stop people from simply disguising BitTorrent traffic to look like VOIP traffic?
If you limit the amount of bandwidth which can be high-priority (say 128k on a 5 meg pipe), you can both prevent abuse -- there's no point in making BitTorrent use 128k high priority if it can get a meg or so medium-to-low priority -- and allow people to choose how their high priority bandwidth is spent.
There's a reason it was modded troll. I know exactly what it does without having to try, but this is no better than telling a Win98 user to "press ctrl+alt+del twice to enter full 3D chat mode!" Yeah, it might be hilarious, to you, but to most of us, it's just lame and possibly dangerous to newbies.
But, you had the right idea -- ctrl+alt+backspace is indeed difficult, if not impossible, to intercept with an application. Same with ctrl+alt+f8, except that can be made to do something useful, not just to make you laugh with glee.
Thank you. This is actually exactly what I was describing, if parent had bothered to read -- I did say there would be a limit to how much bandwidth each customer could QOS, but not how they do it.
This doesn't prevent ISPs from actually building new infrastructure and delivering "your bandwidth", the way they should. "Burst bandwidth" is a cop-out, especially when in many cases you will never, ever come even close to that speed, not even for a small "burst".
In the case of Ubuntu, I'm pretty sure that Sudo, in this case, is called by an absolute path. Of course, there's nothing to stop them changing the path in the Synaptic menu entry...
A money clip might be useful. Maybe. It would be a nuscience, but maybe not as much as unfolding the mangled messes that are my money after a few days.
Right now I just stick bills, coins, and cards into one pocket.
It's usually fairly easy to simply pull out the cards as one stack, then flip through them as if they were playing cards. None of these wallets, or the more interesting Flash demos people have linked to, have given me a reason to want something to put these cards in other than my pocket.
And that still gives me the other (front) pocket for a cell phone and a key ring.
There is another solution: Actually start lighting up all the dark fiber, build the infrastructure that our tax dollars are supposedly paying for, and deliver actual, real, reliable bandwidth. This will probably be a result of increasing the flat-rate cost, which will probably be a result of ever more people discovering ways to actually use the bandwidth they're given. I have a housemate who's not very technically inclined, but watches live baseball games on his Powerbook, so we are going to have to face up to the reality: Moore's Law of (CPU|bandwidth|storage|GPU|resolution|wireless) isn't going to let up anytime soon.
My local ISP is making a lot of noise about fiber to the home. Their goal seems to be a gigabit pipe to everyone's house. I doubt they'll be able to come close to filling it, but at least they're thinking ahead.
So why shouldn't I be able to choose how my traffic is allocated, whether by QOS at my own firewall (assuming they actually deliver the bandwidth they promise, which they often don't), or by QOS at the ISP that I can control (or at least disable) through a web interface? If there's fear of abuse, simply limit the amount of bandwidth that you can send at high priority.
I'm all for making my VOIP calls crystal clear, if and only if I get full control over what is considered VOIP on my connection.
And that eliminates any sane argument the telecoms have used so far against net neutrality, leaving only the lie of "Google uses our bandwidth for free!"
I'd much rather play a game as the Kool Aid guy. The ultimate in destructable environments. Just keep busting through walls till I find you and use your blood to add to my pitcher...
On second thought, it'd make a terrible game. It would, however, make a hilarious horror movie.
I absolutely love this advertising. It's different and gets people's attention. When's the last time an advertising campaign lasted for two years and maintained this much interest?
I don't know, how long have the Enzyte ads been running? Or the guy in the dollar bills suit who seems to be a meth-based lifeform? "THE GOVERNMENT IS GIVING AWAY FREE MONEY! MY BOOK TELLS YOU HOW TO GET IT!!!"
Personally, I find the King to be less creepy than Ronald McDonald.
Yes, Ronald is creepy, but I've never seen him wake up in your bed, or staring through your window. Now, the King...
Hilarious in a train wreck kind of way. Kind of like Snakes on a Plane. Hilarious enough to spawn many Slashdot jokes (revenge sequel: A Plane on Snakes!), but it gives you the whole movie in the title -- kind of like Texas Chainsaw Massacre. There's no point in actually watching it.
As for other fast food trying, there's the pathetic nerdy Sonic ads (the only Soquid you eat with a Fpoon), and have you been to an Arby's lately? Every cup, ketchup packet, sandwich wrapper, fry container -- maybe I'm exaggerating, but most everything had something funny, snarky, or at least strange and unique. My favorite was the packet of almonds (I think they were almonds) for my dad's salad. "Ingredients: Roasted almonds. This product contains almonds."
Or am I getting so old that this is considered "mainstream", and to be unique, you have to be retarded?
You're absolutely correct, yet this is not what this thread is about. If you are logged in as an Ubuntu admin, but not root, they don't necessarily have your password (required to sudo to root), and there is no root password.
But an exploit in the Linux kernel that requires root-access is as serious as any other exploit.
No, it's not, and you're an idiot for suggesting it. I really hope you're joking.
Average Joe: OK!
Average Joe will have already hosed his system, and there isn't a damned thing we can do about it other than send Average Joe to a newbie concentration camp. (Before you say anything, I was raised Jewish. I don't really condone newbie genocide. Think of it more like driver's ed.)
Let me put it this way: If Average Joe will type his password to add a precompiled binary to his kernel, he'll certainly type his password to install a custom kernel to his/boot. He also won't have a problem with rebooting -- Windows makes him do that all the time, whether or not the installed program really needs him to. Thus, even if we completely prevent the kernel from being modified at runtime, the kernel can be replaced wholesale.
That's ignoring the numerous other ways to modify a running kernel./proc/kmem is one. But this exploit in particular requires a module to be loaded. If you can convince the user to load a module, you don't NEED this exploit -- there is nothing to stop you from rampaging all over the kernel space anyway.
But even with modules disabled, it's far too easy for root to install a rootkit, or do other evil things to users. Hell, a rootkit could be as simple as writing a glibc wrapper. And if Average Joe will go root so easily, Average Joe is probably not a good target for a rootkit. How often is he going to actually look for files that a rootkit might otherwise hide? Couldn't malware simply hide in dot-files and be perfectly safe from Joe?
There simply isn't a way of giving the user enough power to do what they want, without also giving them the ability to screw it all up. The only solution for morons like Joe is to not give them that power. Reserve enough for admins, and Joe is not an admin.
Your statement is like saying a pistol you can shoot yourself in the foot with is just as dangerous as a pistol that explodes in your face. Look, it's simply not possible to make a useful handgun that you can't shoot yourself in the foot with -- by its very definition, a handgun will shoot wherever you point it, and it will always be physically possible to point it at your foot. You have these options to attempt to secure Average Joe:
Actually teach people about gun safety before you give them a gun. (Teach sane computer use in the store.)
Don't let people have a gun unless they can use it safely. (Test people's computer sanity in the store.)
Offer your services as a bodyguard or hitman instead. (Don't let them have the root password. Admin their computer for them, installing software when they ask, updating when they don't.)
Sell them an armored boot (firewall, online AV). Some will take it off because it's uncomfortable (blocks things they want), or to get a better shot at their foot (willingly let in known malware).
Sell them health insurance (antivirus) and emergency medical care (recovery tools, Geek Squad).
Sell them prosthetic feet, which they can blow off and replace at will. (Sell them a new, faster computer, rather than clean up their old one.)
I can't think of any other alternatives. Sure, you could give them a club instead of a pistol (UAC, Knoppix, restrict them to oblivion), but they'll still be able to beat their foot into a pulp (though it'll be harder), and it's a hell of a lot harder to club birds down than to shoot them down (insane restrictions make it harder to use the computer in the first place). The current approach seems to be to try to grab their hand every time they're about to, and say "Are you sure you want to blow your leg off?" But no one pays attention, because we do that anyway when they are shooting in the right direction (UAC being annoying), and sometimes
It's not just the keyboard that I want to be secure.
For a term, I don't want to have to enter a password, but I do want the xterm to only be visible to me. The nice thing about a SAK is that the password for such privilege escalation suddenly becomes irrelevant for a one-user computer.
But tell me: How can someone circumvent ctrl+alt+fn?
Anyway, I think what's really needed in the future is not privilege escalation, but privilege descalation. I want to be reasonably sure that my account is safe, although I still find root to be a useful distinction, and a necessary one for a multi-user system. I don't want to have to type passwords all the time -- one password, once, to unlock my X session, should be enough. If we are to assume that we want to avoid compromising the normal user account, then we should be prepared to run just about everything at an even lower level. Firefox should only have write access to ~/.mozilla/firefox and ~/incoming (my download folder), and read access to everything -- and it could get even more granular by splitting Firefox up; that is, only what's needed to upload a file or install an extension should have read access to everything. Quake 4 only needs ~/.quake4, opengl, and alsa. Firefox should never be allowed outside its window, except to open a new one. Quake 4 will usually want to take over the whole screen, keyboard, mouse, etc.
It would be a lot trickier to program for, but much easier to manage. For instance, if I can trust my X server and my terminal window, I can allow my own user to su without a password, or have an SSH and GPG key without a passphrase.
Of course, that wouldn't be any kind of solution against spyware, but I don't think there is any truly secure solution against spyware other than to remove user stupidity. Users can have their "are you sure" boxes, I'll stick to rm -rf -- I wouldn't have typed it if I wasn't sure. I would simply like the option of trusting my X server and terminal -- I wouldn't require it of Average Joe.
Let me apologize ahead of time for not actually trying this out first. I have a working XP, not really enough room to run both XP and Vista, my Linux would be difficult to resize, and I don't want to replace my working XP with a Vista RC that will start asking for money around when it actually becomes stable.
the little "Allow" button on the UAC prompt can only be touched by objects that alleady have "root-level" access to the system.
ctrl+alt+del can't be hit when you're intending to hit something else. The UAC "allow" button probably can. Specifically, if they allow a keystroke to do it (which they should -- makes it much faster), this keystroke may be hit accidently. The number of mis-sent IMs should be an indication here -- UAC box pops up while I'm IM-ing, keyboard focus switches, I accidently hit "allow" instead of "send IM".
Another problem: How does VNC/RDP work?
Yet another: Are apps allowed to trap the mouse? If so, couldn't an app move the cursor? Force it to stay on the "accept" button until the user clicks?
You cannot do ANYTHING else but answer the UAC prompt when it comes up,
From the screenshots I've seen, you can see the rest of the screen. But never mind.
This would also allow a damned annoying DOS attack, one which may be completely unintentional. Not many apps understand this, but popping a dialog over what the user is doing, especially if you're taking keyboard focus, is extremely rude and annoying. Adium, on OS X, has this nicely worked out -- the IM window always appears under whatever I'm doing, but it sends me a Growl notification and flashes the Dock icon. This means I'll definitely notice that something needs my attention, but I don't have to address it right away.
With UAC, this is even scarier. What if I want to Google for this particular message?
But more importantly, UAC is not the only thing that can do that. What's to stop an app from popping up a fake UAC prompt (always on top, you can't do anything else, looks identical) and intercepting my password? What I described requires a keyboard combination that cannot be intercepted and never means anything else, and furthermore, it would clear the screen and replace it with a completely new screen -- root's (limited) desktop. Thus, I not only guarantee that nothing can "click" the button, I also guarantee that I really am being presented with the prompt I think I am -- even in the case that it does require a password. There's the added benefits of not having to answer the prompt right away, and of having a separate screen full of admin tools that will always work -- I have had the XP Task Manager be unusable in a game due to the game having changed the resolution -- give them a high priority, and they'd also be much more effective against problems like popup spamming (even though Firefox blocks them).
I suddenly have this urge to prove the grandparent wrong by publishing a first draft.
Nah, nah, you're not getting me.
What you say after this is often true, but you're missing the point -- grandparent implied there aren't any (certainly not many) first drafts that are particularly good, and most are shockingly bad compared to the final, published work. I'm not saying that revising wouldn't make it better, but that a first draft may be good enough. Also, I don't think I've ever completely tossed out a first draft and rewritten it. I think the whole concept of "drafts", instead of "revisions", is a holdover from print media, and doesn't make a lot of sense unless you like to print out a draft to proofread.
Also, I have found that when I do revise -- true of programming also, and thank God for CVS and friends -- it's entirely possible for my first couple of revisions to be good, but my tenth revision can make it much worse than the original. It is really possible to screw up my work, and it can be very difficult to make a revision that's actually an improvement. You can see this effect in action by watching the original Star Wars trilogy, then the prequels, than the special edition -- while the revisions may not have been wholly bad, there is a very real danger of revising out what made the original so good. One word: Midichlorians.
Star wars isn't the only example. The Matrix was good, the sequels weren't as good, and the Path of Neo game changes much of it for the worse. Ok, the giant robot Smith was hilarious, but also not as good an ending, even for the video game. Take the bullet-stopping ease with which Neo defeats three agents in a hallway at the end of the first movie: In the game, this is a five-minute-long kung-fu brawl that destroys the whole floor.
I'll concede your bet, though. I don't work on grammar, vocabulary, or sentence structure. Not consciously, anyway. I try to make sure that my grammar, spelling, sentence structure, and punctuation is all decent, so that I don't drive pedants like myself into a fit of rage, and so that my point is clear. I have never bothered to work on vocabulary. I suspect you also have more practice doing what I consider my strong points: humor, imagery, and story. So, even in a fair overall grade, where you cannot win through big words alone, I would probably lose.
Keep the ctrl+alt+del (or similar), maybe switch to another VT (or find something equivalent under the same X server -- workspaces/desktops aren't secure enough), and lose the password. Prompt the user every time. It might even be simpler to launch configuration apps, like synaptic, on the separate "admin VT", so that no confirmation is required, just close it and switch back when you're done.
Now, pressing ctrl+alt+del to login from a cold boot still seems stupid, because if they can screw up your login prompt, they already have root -- hell, what's to stop them from modifying the system itself, so that ctrl+alt+del goes to them?
First, is this whole process secure? For instance, what's to stop something from implementing ctrl-left-click and providing their own menu, where "secure keyboard" does nothing? But more importantly:
And what happens when they're already doing a MITM on your xterm? I know that sudo/su/ssh/whatever generally automatically force to read from a terminal, but that's not enough -- you can run them from inside screen, which proves another app can provide a "terminal" device between them and you, and once you have the password, you should be able to find some way, somehow, to grant yourself root through some command that doesn't force xterm exclusivity.
That brings up another point -- it's not just X-level keyloggers we have to worry about. Screen is proof of how easy it would be to implement a PTY-level keylogger.
So it's not a security flaw, just a UI flaw. I don't want to hit "cancel" by default either. In fact, I don't want to hit anything by default. I want to have to acknowledge that I'm going to actually pay attention to UAC now.
Let's try this: automatic updates automatically prompts me that it's time to download something. It interrupts what I'm doing, but I go ahead and click ok anyway. Then automatic updates finishes a download, and it's time to start installing. Automatic updates prompts me again for my password.
OS X updates already do this, but rather than pop over what I'm doing, they pop a dialog under what I'm doing, and bounce the dock icon. Unless you're extremely sloppy/lazy and have some 30 or 40 dock icons, all set to autohide, at least 5 of them bouncing at any given time, bouncing the dock icon is a good way to alert the user that something needs to happen. On Windows, the rough equivalent is flashing the pager button (where things minimize to). Making a new taskbar icon (by the clock, as Windows Update does now) is not a good way, because most people don't know what those are, and there's nothing to suggest that this particular one is demanding your attention.
And popping something up in front of the user is bad enough, but blocking out all other action is just obnoxious, because if you've used Ubuntu or OS X for long, you know that there are plenty of things that can and should require a UAC-like password prompt. If I was developing a Windows app, this would make me put an "are you sure" box in front of every time my program might trip a UAC prompt, so users know they're about to lose control of their computer -- and that's just a retarded design. Come on, an "are you sure" box in front of an "are you sure" box?
Anyway, making the box less annoying doesn't make it less likely that people will start developing their apps properly.
Let's see:
I don't think absolutely every attempt to gain higher local privileges requires the almighty Allow button. If it does, that's pretty annoying -- it prevents ssh from working very well, for one thing.
SSH is a good idea here, but the implementation won't work for what I'm describing.
The problem is that Unix permissions are pretty flat. Root has access to everything, users only have access to their own stuff and their group's stuff. It's impossible to have a user that acts as root to another group of users. The idea would be to have my "sanity" user, but then a "sanity/firefox" user which only has access to ~/incoming, but which my "sanity" user has access to all of -- make an actual hierarchy of users.
Of course, that's if we want to do this in roughly the SSH model. I think someone mentioned another way to sandbox Firefox.
Does Plash also prevent Firefox from moving your mouse and clicking "open" in that dialog? Or simulating an "enter" keypress?
But it doesn't seem like it's on as deep a level as I'd like. It's better, but it still means that once I send a document to Firefox, I have no idea what Firefox will do with it. Still, that is a lot better.
Couple of obvious unintended consequences: It's not just the foot. DRM means the gun is designed not to fire at anything declared a "friendly" target (DRM), making it useless for law enforcement officials should the gun manufacturers themselves turn to crime. Plus, it still doesn't work: People will be able to blow their foot off now, it'll just happen a lot less often, and there's a chance that when shooting at any random object, the gun will jam and decide it's a friendly target (decide you're trying to crack the DRM).
Die, horse, die! *flog*
No, it's too much plot for your typical porno. But it also has other things to keep you interested:
And simply having it be about sex doesn't prevent deeper thoughts. The concept of sexual addiction is an interesting one, even outside of a porno. Plus, pornos don't need to have plots like "sexual witches destroy a whole planet".
I'm not sure about that, but Wendy's had some good ones, too. The raccoons: It's good to be nocturnal!
It doesn't have to. The question is, can it do everything you need it to? Or close enough that you want to save yourself $50,000? Close enough that you could spend $25,000 to hire a programmer to add the functionality you need?
I realize it may not even be at this point yet, but saying it has to do everything Pro Tools does is like saying MySQL has to do everything Oracle does in order to be useful.
Oh, and note I said "more accessible", not "better". You said it would never be as accessible as the tools you mentioned, I'm suggesting it already is more accessible than one.
How is that even remotely like what we have now?
And if I wanted to set that for myself, I could, without interfering with anyone else.
Boo hoo. It's their fault for not preparing for it. They made the same mistake we're making now, assuming that it will be decades before anyone needs 64-bit computing, but we'll be hitting the 4 gig RAM limit soon.
I'd rather have the services I want guaranteed. Obviously I want my 911 calls prioritized, but will they support all VOIP, or just Skype? Will they make Gtalk audio fast? What about games? I don't want to lag in my game, but they can't be expected to know about every single one -- what about a game I just wrote? And what's to stop people from simply disguising BitTorrent traffic to look like VOIP traffic?
If you limit the amount of bandwidth which can be high-priority (say 128k on a 5 meg pipe), you can both prevent abuse -- there's no point in making BitTorrent use 128k high priority if it can get a meg or so medium-to-low priority -- and allow people to choose how their high priority bandwidth is spent.
There's a reason it was modded troll. I know exactly what it does without having to try, but this is no better than telling a Win98 user to "press ctrl+alt+del twice to enter full 3D chat mode!" Yeah, it might be hilarious, to you, but to most of us, it's just lame and possibly dangerous to newbies.
But, you had the right idea -- ctrl+alt+backspace is indeed difficult, if not impossible, to intercept with an application. Same with ctrl+alt+f8, except that can be made to do something useful, not just to make you laugh with glee.
Thank you. This is actually exactly what I was describing, if parent had bothered to read -- I did say there would be a limit to how much bandwidth each customer could QOS, but not how they do it.
This doesn't prevent ISPs from actually building new infrastructure and delivering "your bandwidth", the way they should. "Burst bandwidth" is a cop-out, especially when in many cases you will never, ever come even close to that speed, not even for a small "burst".
In the case of Ubuntu, I'm pretty sure that Sudo, in this case, is called by an absolute path. Of course, there's nothing to stop them changing the path in the Synaptic menu entry...
A money clip might be useful. Maybe. It would be a nuscience, but maybe not as much as unfolding the mangled messes that are my money after a few days.
Right now I just stick bills, coins, and cards into one pocket.
It's usually fairly easy to simply pull out the cards as one stack, then flip through them as if they were playing cards. None of these wallets, or the more interesting Flash demos people have linked to, have given me a reason to want something to put these cards in other than my pocket.
And that still gives me the other (front) pocket for a cell phone and a key ring.
There is another solution: Actually start lighting up all the dark fiber, build the infrastructure that our tax dollars are supposedly paying for, and deliver actual, real, reliable bandwidth. This will probably be a result of increasing the flat-rate cost, which will probably be a result of ever more people discovering ways to actually use the bandwidth they're given. I have a housemate who's not very technically inclined, but watches live baseball games on his Powerbook, so we are going to have to face up to the reality: Moore's Law of (CPU|bandwidth|storage|GPU|resolution|wireless) isn't going to let up anytime soon.
My local ISP is making a lot of noise about fiber to the home. Their goal seems to be a gigabit pipe to everyone's house. I doubt they'll be able to come close to filling it, but at least they're thinking ahead.
So why shouldn't I be able to choose how my traffic is allocated, whether by QOS at my own firewall (assuming they actually deliver the bandwidth they promise, which they often don't), or by QOS at the ISP that I can control (or at least disable) through a web interface? If there's fear of abuse, simply limit the amount of bandwidth that you can send at high priority.
I'm all for making my VOIP calls crystal clear, if and only if I get full control over what is considered VOIP on my connection.
And that eliminates any sane argument the telecoms have used so far against net neutrality, leaving only the lie of "Google uses our bandwidth for free!"
I'd much rather play a game as the Kool Aid guy. The ultimate in destructable environments. Just keep busting through walls till I find you and use your blood to add to my pitcher...
On second thought, it'd make a terrible game. It would, however, make a hilarious horror movie.
I don't know, how long have the Enzyte ads been running? Or the guy in the dollar bills suit who seems to be a meth-based lifeform? "THE GOVERNMENT IS GIVING AWAY FREE MONEY! MY BOOK TELLS YOU HOW TO GET IT!!!"
Yes, Ronald is creepy, but I've never seen him wake up in your bed, or staring through your window. Now, the King...
Hilarious in a train wreck kind of way. Kind of like Snakes on a Plane. Hilarious enough to spawn many Slashdot jokes (revenge sequel: A Plane on Snakes!), but it gives you the whole movie in the title -- kind of like Texas Chainsaw Massacre. There's no point in actually watching it.
As for other fast food trying, there's the pathetic nerdy Sonic ads (the only Soquid you eat with a Fpoon), and have you been to an Arby's lately? Every cup, ketchup packet, sandwich wrapper, fry container -- maybe I'm exaggerating, but most everything had something funny, snarky, or at least strange and unique. My favorite was the packet of almonds (I think they were almonds) for my dad's salad. "Ingredients: Roasted almonds. This product contains almonds."
Or am I getting so old that this is considered "mainstream", and to be unique, you have to be retarded?
Why is parent modded Interesting? Mod parrent Funny!
You're absolutely correct, yet this is not what this thread is about. If you are logged in as an Ubuntu admin, but not root, they don't necessarily have your password (required to sudo to root), and there is no root password.
No, it's not, and you're an idiot for suggesting it. I really hope you're joking.
Average Joe will have already hosed his system, and there isn't a damned thing we can do about it other than send Average Joe to a newbie concentration camp. (Before you say anything, I was raised Jewish. I don't really condone newbie genocide. Think of it more like driver's ed.)
Let me put it this way: If Average Joe will type his password to add a precompiled binary to his kernel, he'll certainly type his password to install a custom kernel to his /boot. He also won't have a problem with rebooting -- Windows makes him do that all the time, whether or not the installed program really needs him to. Thus, even if we completely prevent the kernel from being modified at runtime, the kernel can be replaced wholesale.
That's ignoring the numerous other ways to modify a running kernel. /proc/kmem is one. But this exploit in particular requires a module to be loaded. If you can convince the user to load a module, you don't NEED this exploit -- there is nothing to stop you from rampaging all over the kernel space anyway.
But even with modules disabled, it's far too easy for root to install a rootkit, or do other evil things to users. Hell, a rootkit could be as simple as writing a glibc wrapper. And if Average Joe will go root so easily, Average Joe is probably not a good target for a rootkit. How often is he going to actually look for files that a rootkit might otherwise hide? Couldn't malware simply hide in dot-files and be perfectly safe from Joe?
There simply isn't a way of giving the user enough power to do what they want, without also giving them the ability to screw it all up. The only solution for morons like Joe is to not give them that power. Reserve enough for admins, and Joe is not an admin.
Your statement is like saying a pistol you can shoot yourself in the foot with is just as dangerous as a pistol that explodes in your face. Look, it's simply not possible to make a useful handgun that you can't shoot yourself in the foot with -- by its very definition, a handgun will shoot wherever you point it, and it will always be physically possible to point it at your foot. You have these options to attempt to secure Average Joe:
I can't think of any other alternatives. Sure, you could give them a club instead of a pistol (UAC, Knoppix, restrict them to oblivion), but they'll still be able to beat their foot into a pulp (though it'll be harder), and it's a hell of a lot harder to club birds down than to shoot them down (insane restrictions make it harder to use the computer in the first place). The current approach seems to be to try to grab their hand every time they're about to, and say "Are you sure you want to blow your leg off?" But no one pays attention, because we do that anyway when they are shooting in the right direction (UAC being annoying), and sometimes
It's not just the keyboard that I want to be secure.
For a term, I don't want to have to enter a password, but I do want the xterm to only be visible to me. The nice thing about a SAK is that the password for such privilege escalation suddenly becomes irrelevant for a one-user computer.
But tell me: How can someone circumvent ctrl+alt+fn?
Anyway, I think what's really needed in the future is not privilege escalation, but privilege descalation. I want to be reasonably sure that my account is safe, although I still find root to be a useful distinction, and a necessary one for a multi-user system. I don't want to have to type passwords all the time -- one password, once, to unlock my X session, should be enough. If we are to assume that we want to avoid compromising the normal user account, then we should be prepared to run just about everything at an even lower level. Firefox should only have write access to ~/.mozilla/firefox and ~/incoming (my download folder), and read access to everything -- and it could get even more granular by splitting Firefox up; that is, only what's needed to upload a file or install an extension should have read access to everything. Quake 4 only needs ~/.quake4, opengl, and alsa. Firefox should never be allowed outside its window, except to open a new one. Quake 4 will usually want to take over the whole screen, keyboard, mouse, etc.
It would be a lot trickier to program for, but much easier to manage. For instance, if I can trust my X server and my terminal window, I can allow my own user to su without a password, or have an SSH and GPG key without a passphrase.
Of course, that wouldn't be any kind of solution against spyware, but I don't think there is any truly secure solution against spyware other than to remove user stupidity. Users can have their "are you sure" boxes, I'll stick to rm -rf -- I wouldn't have typed it if I wasn't sure. I would simply like the option of trusting my X server and terminal -- I wouldn't require it of Average Joe.
Let me apologize ahead of time for not actually trying this out first. I have a working XP, not really enough room to run both XP and Vista, my Linux would be difficult to resize, and I don't want to replace my working XP with a Vista RC that will start asking for money around when it actually becomes stable.
ctrl+alt+del can't be hit when you're intending to hit something else. The UAC "allow" button probably can. Specifically, if they allow a keystroke to do it (which they should -- makes it much faster), this keystroke may be hit accidently. The number of mis-sent IMs should be an indication here -- UAC box pops up while I'm IM-ing, keyboard focus switches, I accidently hit "allow" instead of "send IM".
Another problem: How does VNC/RDP work?
Yet another: Are apps allowed to trap the mouse? If so, couldn't an app move the cursor? Force it to stay on the "accept" button until the user clicks?
From the screenshots I've seen, you can see the rest of the screen. But never mind.
This would also allow a damned annoying DOS attack, one which may be completely unintentional. Not many apps understand this, but popping a dialog over what the user is doing, especially if you're taking keyboard focus, is extremely rude and annoying. Adium, on OS X, has this nicely worked out -- the IM window always appears under whatever I'm doing, but it sends me a Growl notification and flashes the Dock icon. This means I'll definitely notice that something needs my attention, but I don't have to address it right away.
With UAC, this is even scarier. What if I want to Google for this particular message?
But more importantly, UAC is not the only thing that can do that. What's to stop an app from popping up a fake UAC prompt (always on top, you can't do anything else, looks identical) and intercepting my password? What I described requires a keyboard combination that cannot be intercepted and never means anything else, and furthermore, it would clear the screen and replace it with a completely new screen -- root's (limited) desktop. Thus, I not only guarantee that nothing can "click" the button, I also guarantee that I really am being presented with the prompt I think I am -- even in the case that it does require a password. There's the added benefits of not having to answer the prompt right away, and of having a separate screen full of admin tools that will always work -- I have had the XP Task Manager be unusable in a game due to the game having changed the resolution -- give them a high priority, and they'd also be much more effective against problems like popup spamming (even though Firefox blocks them).
I only see two advantages of UAC:
What you say after this is often true, but you're missing the point -- grandparent implied there aren't any (certainly not many) first drafts that are particularly good, and most are shockingly bad compared to the final, published work. I'm not saying that revising wouldn't make it better, but that a first draft may be good enough. Also, I don't think I've ever completely tossed out a first draft and rewritten it. I think the whole concept of "drafts", instead of "revisions", is a holdover from print media, and doesn't make a lot of sense unless you like to print out a draft to proofread.
Also, I have found that when I do revise -- true of programming also, and thank God for CVS and friends -- it's entirely possible for my first couple of revisions to be good, but my tenth revision can make it much worse than the original. It is really possible to screw up my work, and it can be very difficult to make a revision that's actually an improvement. You can see this effect in action by watching the original Star Wars trilogy, then the prequels, than the special edition -- while the revisions may not have been wholly bad, there is a very real danger of revising out what made the original so good. One word: Midichlorians.
Star wars isn't the only example. The Matrix was good, the sequels weren't as good, and the Path of Neo game changes much of it for the worse. Ok, the giant robot Smith was hilarious, but also not as good an ending, even for the video game. Take the bullet-stopping ease with which Neo defeats three agents in a hallway at the end of the first movie: In the game, this is a five-minute-long kung-fu brawl that destroys the whole floor.
I'll concede your bet, though. I don't work on grammar, vocabulary, or sentence structure. Not consciously, anyway. I try to make sure that my grammar, spelling, sentence structure, and punctuation is all decent, so that I don't drive pedants like myself into a fit of rage, and so that my point is clear. I have never bothered to work on vocabulary. I suspect you also have more practice doing what I consider my strong points: humor, imagery, and story. So, even in a fair overall grade, where you cannot win through big words alone, I would probably lose.
Not that it stops me from trying.
Keep the ctrl+alt+del (or similar), maybe switch to another VT (or find something equivalent under the same X server -- workspaces/desktops aren't secure enough), and lose the password. Prompt the user every time. It might even be simpler to launch configuration apps, like synaptic, on the separate "admin VT", so that no confirmation is required, just close it and switch back when you're done.
Now, pressing ctrl+alt+del to login from a cold boot still seems stupid, because if they can screw up your login prompt, they already have root -- hell, what's to stop them from modifying the system itself, so that ctrl+alt+del goes to them?