Now let's try the Windows ones. One is a remote exploit, which can be triggered merely by convincing an Aero user to view a given image.
But that's a local exploit!
All exploits eventually touch the local system, of course. The question is where the exploit is triggered from.
In this case, it's classified as a remote exploit since you can "convince" an Aero user to view a given image by merely directing them to that image in a website. (I think.)
Updating the Windows kernel breaks more software than updating the Linux kernel? Oh right, Linux only has 3 apps.
APK, is that you?
You know what? I'm going to assume it is, since he can't be bothered to register. And he wonders why he's downmodded...
I don't think you trolls who are downmodding me understand that I can bypassthe "10 posts per 24 hour" unjust/unfair limitation upon us AC's,
Yet more evidence of trollish behavior. Accounts are free, you deliberately sign your posts to allow yourself to be tracked, yet you refuse to sign up. Then you deliberately bypass limitations like this -- pretty obviously breaking the rules.
On top of it all, you abuse capslock and bold to draw attention to yourself (even as you cower behind anonymity), and you have tons of grammatical and spelling mistakes, making the overall quality of your posts pretty poor.
And again, you wonder why you're downmodded? There'd have to be truly brilliant technical insights in there for a mod to overlook how childish you are about posting them.
There's also this:
/.'s default is to HIDE AC posts as "hidden posts" when javascript is on
No, the default is to hide posts with low scores (including -1's from logged-in users), and even that is contextual. For instance, this post was not automatically hidden.
And that's the default. Mods are encouraged to browse at lower thresholds to look for AC abuse -- to downmod the Frist Psots and such.
downmod my posts with regular frequency whether I am right or wrong
You're a jackass with regular frequency. You bitch about moderations (which is generally frowned on), you start posts with "open sores", and baselessly accuse people of conspiracy when things don't go your way.
You're downmodded because you have a bad attitude.
That said, you didn't start with "open sores" -- you did that one post in, and completely unprovoked -- but you didn't start with it, and I was wrong to say so.
if I have the sourcecode to an operating system, I have a FAR easier time of finding bugs in it than I would on a closed source OS, & for instance, using "fuzzers" (or worse, disassembly via debuggers) on it during pen testing...
Yes, that's pretty much exactly what I said. I also explained why this is a good thing.
You want to claim that this is somehow equally useful to good and bad people -- I respectfully disagree. See, even if I did try to find bugs in Windows, using all the tools you mention, I still have to go through Microsoft to get them patched, and it's Microsoft who will be doing the patching. And Microsoft has been known to sit on vulnerabilities for months without releasing a patch, or even acknowledging their existence until there's an embarrassing enough exploit.
By contrast, with Linux, I can provide the patch in the same post which discloses the vulnerability.
wouldn't you rather have a vulnerability found and fixed, or even found and marked "unpatched" on Securina, than found and exploited (hidden) elsewhere?
Microsoft has their regular "Patch Tuesday"
And what does that have to do with my question? Answer my question.
Workplace espionage happens man...
Not from a local DoS. Say it with me: Local. DoS.
It's still very not good. It still should be fixed. But it's not even in the same category as, say, remote escalation.
A security vulnerability is a security vulnerability.
Are you seriously implying all vulnerabilities are equally dangerous?
Local or not, you can take advantage of it, especially if a malware (or worse, a malscripted website's javascript does it, and that RUNS LOCALLY ON A USER'S MACHINE IN THEIR WEBBROWSER
Now you're just a moron.
No, JavaScript exploits would most likely be classified by Securina et al as remote exploits. It's local code, but it's sandboxed. Unless there's a vulnerability in the sandbox itself, JavaScript can't exploit local exploits.
Or just go read the exploits. Look, I did almost all the work for you. Most of them are fucking C system calls, which are about the farthest you can get from a sandboxed script.
Want proof? Go read the Windows Aero vulnerability. It was classified as a remote vulnerability, despite being techincally "local escalation", because an image viewed in a webpage could lead to said escalation.
Now, you note "local exploit". Think that doesn't happen in the workplace, on the same local area network?
Um, no, that's not what "local" means. "Local" means "on the same machine", which usually (though clearly not always) means physical access. Yes, it's still an issue, but having your webserver owned by someone who had a shell account is a lot easier to deal with than having it owned by some random bot over the Internet, and it's a lot less likely to happen.
And remember, we're talking about Google, and specifically, what people are running on their workstations. That makes all of these pretty much irrelevant -- from what I can tell, Google employees truly get to own and admin their own workstations, so they don't really have to share.
NOT ALL LINUX DISTROS USE SeLinux or AppArmor either
So what? I thought we were comparing the best and latest.
"Modifying video output could be very bad, but also very hard to exploit in a way to make it worse than rickrolling you. And again, local.
See my last paragraph in reply above - same ideas apply here too.
What? No they don't. You don't once explain how this is not very hard to exploit in a way that's worse than rickrolling you. Hint: That part has nothing to do with it being local.
One of the rules of moderation means you can't post on the same discussion. So of course the mods haven't posted their rationale. But I'll give you a hint:
"Open Sores" (lol)
That's how you started this conversation. Are you surprised you got downmodded? Oh, and people get downmodded for trolling about "M$", also.
It's not about technical justification, it's about playing nice. You're being a dick, so you got downmodded, whether or not you're right. Don't be a dick, it's not hard.
They can spend money to fix security issues as they discover them, rather than having no options, monetary or otherwise, other than waiting it out until Microsoft gets off their collective asses and releases a patch.
That's the important part. Linux always has more vulnerabilities publicly found and fixed due to it being open source, a process which leads to a more secure system -- wouldn't you rather have a vulnerability found and fixed, or even found and marked "unpatched" on Securina, than found and exploited (hidden) elsewhere?
And even more important is what those unpatched vulnerabilities actually are:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
This is in the CIFS code, which presumably can be disabled. Should be fixed, but how many Linux systems actually need to defend themselves against local DoS attacks?
Tony Griffiths has reported a vulnerability in the Linux Kernel, which can be exploited malicious, local users to cause a DoS (Denial of Service).
Another local DoS. And another, and another... Yawn. Let's skip to the good stuff:
An error in the DRM (Direct Rendering Manager) drivers due to insufficient DMA lock checking can be exploited to crash the X server or modify video output.
Modifying video output could be very bad, but also very hard to exploit in a way to make it worse than rickrolling you. And again, local.
A race condition within the handling of "/proc/.../cmdline" may disclose the content of environment variables of spawning processes.
In other words, there's a race condition (hard to exploit) which may disclose sensitive information in your environment variables to other procesess you run. I honestly can't think of a single case where this would reveal anything exploitable. Clearly, it should be fixed, but right now, you're welcome to my environment variables.
A race condition within the memory management can be exploited to disclose the content of random physical memory pages.
That could be very, very bad, but also very difficult to exploit. Again, local.
The vulnerability is caused due to an unspecified error within the ide-cd SG_IO functionality. This allows a user with read-only access to bypass these permissions and perform write and erase operations on media in a drive.
So, in other words, anyone who uses an IDE CD-RW drive is vulnerable. Otherwise, you need a lightning-quick exploit to grab someone's blank media and burn something evil to it. I'm quaking in my boots.
The problem is caused due to signedness errors which can lead to integer overflows in the XDR decode functions in kNFSd. This can be exploited by sending packets with a write request larger than 2^31, causing the system to crash.
In other words, doesn't affect people who don't run NFS, or specifically kernel NFS (there's a userland NFS now). Oh, and you need to be on the local network.
Various functions in the IEEE 1394 driver contain integer overflows within the memory allocation scheme. This can potentially be exploited via specially crafted requests, which may cause a large amount of data to be copied into an insufficiently sized buffer.
That's probably the most serious one I've seen -- possible privilege escalation -- but what privileges do I have to have to access the raw FireWire device anyway? I bet most users can't.
So that brings it down to, what, one actually unpatched vulnerability that I'd be worried about. And it's still only local, and still a bitch to exploit.
Now let's try the Windows ones. One is a remote exploit, which can be triggered merely by convincing an Aero user to view a given image. Another is a remote exploit which may allow people to manipulate SSL-encrypted streams.
Security is not and never has been about numbers -- I only need one serious exploit.
I fail to see how this is fundamentally different that using a Linux/Unix sudo, except for not having to drop to the command line and enter a sudo command.
Modern Linux distros rarely require that -- there are GUI equivalents.
And the main difference is that for a long time, UAC behaved really, really stupidly. You could easily count on four or five UAC prompts per software install, and even one or two per Windows Update, making it a ludicrous number of times when setting up a new machine. And that's assuming everything works, which was far from a given.
Now, Windows 7 improved that a lot, and there's a lot of software which has been updated to work well, but contrast this to Linux, where the only programs which don't work properly (install to/usr or/opt as root, store user-specific stuff in dotfiles in $HOME) are programs which were sloppily ported from Windows -- basically, a few indie games and commercial apps (*cough* Oracle *cough*)
However, "UAC is worthless" just means this person hasn't followed the part where UAC has mostly caught up to where sudo was years ago. When Vista was launched, it really was useless.
Heroku had a web-based, cloud-based Rails IDE at one point. That's the only example I could think of right away, so I google'd "web-based IDE" and found plenty more examples.
Where's the Emacs for Android?
Ah, but now you're asking for a specific, legacy app, not a class of application. Or, depending on your point of view, Emacs is its own OS...
Might be interesting to migrate support staff, but that's not where the heart of Google is.
You're probably right, but I wouldn't assume. Ten years ago, it was ludicrous to think that people would give up desktop email clients like Outlook, but I'd be very surprised to find many of those at Google -- I'll bet they're dogfooding Gmail. I don't see that working well for code, but there's certainly no longer a technical barrier to writing a solid web-based IDE, even a web-based Emacs implementation.
Last I checked, Chromium OS is built on Gentoo, whether or not Canonical is contributing.
And there's really no point in Chrome OS if you're just going to run desktop Linux -- there's Ubuntu for that. The point of Chrome OS is for people who live on the Web.
Many of both would like their religious beliefs to be enacted as law.
Maybe I'm just not looking, but how many Christians would like to see those laws include a death penalty for rejecting your religion?
But you are inferring a general trend from a small set of experiences with a few individuals.
Something I often see reinforced, but maybe I'm not being fair.
There's nothing stopping you from creating your own broadcast network...
The FCC stops me from broadcasting it over the air.
That's true, and it's something I disagree with. It's also something rapidly becoming less relevant.
I'd say it is absolutely based in christianity. There's no scientific evidence...
No scientific evidence doesn't automatically imply Christianity, or any overtly religious motive. In particular:
It's just an idea leftover from christian mythology.
Show me where this exists in actual scripture?
No, I see this as being leftover from the Puritans, who added their own interpretation on top of their religion, and also from the Victorians, who had a large number of weird ideas about politeness and high society which simply aren't reflected in any religion I can think of.
If you watch only Fox news, or don't really watch international news,
I don't watch Fox "news", but you're right, I don't really watch the international news, either.
...Now further imagine someone publishes a blasphemous anti-christian video, say of jesus partaking in a rape or killing of muslim children that implies all christians are a violent threat, just the excuse used to invade Mexico.
Ok, I'm imagining...
So a mob of angry Texans...
Could happen. It's Texas.
Now picture local christian priests showing up to stop the protests and put their lives at risk by confronting an angry mob. Would it happen? I'd like to think so, but I'm by no means certain it would.
Priests? I'd think pastors, but I see your point. Of course, something similar happened in China recently...
Radicals are radicals and your assumption that most muslims want to impose their religion on others is simply that, your assumption.
Based on personal experience, speaking with intelligent Muslims who see that as the end goal. They don't want to impose their religion in that they don't want to violently overthrow anyone, but they do want to (eventually, through a peaceful, political process) institute Sharia law.
I was surprised. It's not as though I had some preconception here -- in fact, I went into the conversation expecting them to tell me that Sharia was not what Islam is about at all, just as Christian apologists will tell me that the Law of Moses isn't meant to be followed anymore. These were thoroughly Western, highly intelligent people. And they tried to justify Sharia's prescription of the death penalty for apostates.
There are quite a few moderate and progressive muslims.
I've seen very few, and those I've gotten into religious discussions with, again, have shown me what "moderate" means, as I said above.
Now, I don't mean to say that there were none at all -- This guy had an appropriate response, I thought.
There are also a lot of radical christians in the US these days.
No disagreement there.
Heck, you can't even publish nudity or sex on regular TV because of their religiously based censorship.
Define "regular" TV -- the Playboy Channel exists, among others. There's nothing stopping you from creating your own broadcast network, particularly one over the Internet, and distributing whatever you wish.
I'd also question whether it's entirely religiously based. Much of it is, but it sees to be more about the "think of the children" mantra, something which has the feel of a religion, but isn't particularly Christian.
It's not like christians have the high ground of tolerance and freedom of expression to pontificate from.
Good thing I'm not Christian, then, as if the "high ground" matters (ad-hominem, appeal to authority...)
Maybe I'm sheltered, and I'm sure they exist, but the most moderate, reasonable Muslims I've talked to have tried (peacefully) to convince me that Sharia is a good thing, and should take over the world.
The issue is that the radical Muslims are just that, radicals. just like the radical Christians, and the radical Jews, etc.
The issue is that moderate Muslims so rarely have anything bad to say about this, and what's more, "moderate" Muslims often do agree with two core principles: Sharia law is actually a good thing, and Islam (and Sharia) should take over the world.
In other words, the difference between a moderate Muslim and a radical Muslim is that the radicals go blow themselves up, and the moderates secretly cheer them on. At best, the moderates would say they disagree with their methods, but agree with their goals.
Saying "Respect us or we'll kill you!" makes you radical. And the "moderate" Muslims so rarely have anything to say about it. Moderate Christians aren't quite as bad.
With that beginning, surely you're going to display your intelligence, right?
So-called freedom of speech, doesn't really exists.
That'd be "doesn't really exist." And I'm the idiot?
Sure, there's more to intelligence than being able to string together a grammatically correct sentence, but it's not terribly hard to do so, and you did kind of set yourself up.
It has both social and legal limitations attached to it,
The legal limitations are very, very small. Essentially, the speech itself must cause a clear and present danger -- for example, shouting "Fire!" in a crowded theater. But it would be fallacious to try to compare that to the wholesale censoring of dissenting opinion, even offensive opinion.
The social limitations, I don't care too much about. You were saying something about how freedom of speech doesn't "exists", but societal pressure is much more easily overcome than laws. Civil disobedience can land you in jail, or, in countries ruled by Sharia Law, beheaded. Rejecting societal norms just means people think you're weird, but guess what? We accept weirdness and diversity as a good thing.
even in western world and especially in USA. And you readily accept and comply with those limitations.
This may surprise you, but partly because of our freedom of speech, we in the Western world are not a single voice. We are many voices, each with our own opinions.
For example, many Christians are trying to turn the USA into a theocracy, and among them are those who would protest things like violent videogames, and even see them banned, if that were possible. I, on the other hand, would much rather child pornography was not outlawed -- the production absolutely should be outlawed, and already is by statutory rape laws. Distribution and possession should not be a crime, certainly when there's no money involved. I would not be surprised to find the majority of the population disagrees with me, at least until they find themselves framed for that crime.
For example, it is also not allowed to practice freedom of speech where state and military secrets are concerned. it is, like you said, illegal to use your freedom of speech to issue death-threats.
Both of these fall under the "clear and present danger" clause I just mentioned.
Heck, you don't even have the freedom of speech to tell jokes about terrorists and bombs at airports anymore.
It's my understanding that airports are private, much like the airlines themselves, but I could be mistaken. Of course, I don't agree with this either, as I can't possibly see it enhancing security, and I'm not sure it would be worth it if it did.
I am sure you will get very far by telling them that any offense or threat they felt was out of their own choice(since you had no actual bomb).
Ah, but they weren't acting on feelings. They were acting on policies and procedures. Psychoanalyzing the individual who grabbed me would accomplish very little -- I'd have to take it up with the TSA, which isn't showing a lot of sanity right now.
Yet, you happily accept those limitations
Again, no I don't. I "accept" them to the extent that I don't joke about bombs in airports. I certainly don't accept them "happily."
But you are eager for the right to intentionally offend and harass someone else, simply out of pure malice,
I stated my intentions explicitly elsewhere on this thread. Even if I hadn't, why would you assume "pure malice"? I suppose it's easier to hate a group than an individual, especially when the individual doesn't fit the stereotypes of the group.
Since you introduced yourself by calling me a moron, I'm likely to respond in kind, but I actually bear you no grudge. I have no malicious in
Am I living under a rock or something? I'm vaguely aware that there's something called "4G", and it's supposed to be faster than "3G". Beyond that, I haven't really heard much.
Nothing like whether Avatar is "worth the hype"...
Though, judging from the things I see described this way on Slashdot, maybe hype itself is overhyped?
Writing a server side script to conditionally (dis)allow content delivery based on HTTP referral data will always be non-trivial.
What? It's trivial now. Maybe not as much as:
Adding one HTML tag to an HTML document is trivial.
Of course, the solution I've seen proposed -- an HTTP header -- is equally trivial, certainly to embed in HTML documents via the meta tag. Then again, if referer-checking is "non-trivial" for you, I suspect you'd find it similarly challenging to add a header to those images.
Changing many documents this way is non trivial
I shudder to think what happens the day you're presented a truly non-trivial programming task. I mean, really? It's hardly more than search-and-replace.
configuring the server to send the additional HTTP header it relatively trivial in this case, and is simpler / less processor intensive than conditionally disallowing content via referrer.
Granted, adding a static header is relatively simpler and less processor intensive than doing a referer-check. It's still trivial. We're well past the point where the disk and the network are the limiting factors, and the sheer speed of a modern CPU relative to that means the referer-check, even a really poorly written one, is still not going to make a blip on anything.
I mean, we're well past the point where on-the-fly gzipping makes sense, because the network is so much slower than the CPU.
If your server sends a new HTTP header that is unrecognized by the browser it will be gracefully ignored. The browser will also ignore any tag it doesn't understand.
Yes. What's your point?
The current HTTP, (X)HTML standards are designed to be extensible, yet a simple extension is hard to achieve.
Yes. The reasons it's hard are entirely sane.
Again: Do you want another blink tag?
The more stuff that gets standardized, the more difficult it is to write a standards-compliant browser, or to target the browser as a platform. Consider JavaScript -- the fact that the browser will ignore scripts it doesn't understand is useless if I build a page that requires JavaScript, and it makes my job more difficult if I have to support both.
On top of all of that is the problem of additional moving parts. Again, consider JavaScript -- pages that don't use it will work the same way they did, and browsers that don't support it will see what's in the noscript tag. So why wouldn't I implement it, both in pages I serve and in browsers I write? What could possibly go wrong?
Now, I'm not anti-Javascript by any means, but that kind of attitude is downright naive. Your idea seems reasonable, but it does make sense to be cautious, and to examine all the implications of any change, not to mention whether the change is needed.
Or you could hack together a solution with the existing standards, and you don't have to worry about any of that.
I agree it's implausible that a system will have no flaws, but once a flaw is found and a simple solution exists, and a new version of the system is released (4.01), and no fix is standardized and adopted...
Well, again, there was this existing hackish solution.
For security and privacy reasons many people disable HTTP-REFERER and/or JavaScript;
Doing so kills clickjacking anyway. As for referer, those "many people" are still not a large enough group that anyone would intentionally hotlink an image from a site that implemented referer-checking. Since it's not a security issue, but only a money issue, I think the fact that a majority leave referer on means referer is plenty good enough for images, as far as that goes.
A site should still (at least mostly) work with these disabled... It's not hard -- I wrote a chat site using only HTML/HTTP; no plugins or JS requ
Stopping the spill? Sure. They're throwing lots of money at the problem, and stuff's still not working. Of course, they have other motivations to do that -- for one, presuming they can eventually stop it, they can also turn it into a viable drilling operation again. Also, every second that leak isn't plugged is more waste -- the same oil that's ruining the local ecosystem is also oil they can't sell, unless it's cleaned up, which costs a lot more than just pumping it up from the ocean.
But what about cleaning up the coastline, now? What about doing proper fucking booming? And what about the sheer fucking carelessness that lead to the accident in the first place?
Second, they're not more expensive and go out of business because they get drowned in the loss.
Also a possibility, so long as you understand that this is an entire option. "Not more expensive" does not automatically imply "drowned in the loss."
There is a fifth possibility you missed: The "secure" version gouges their customers to compensate, and is required by law anyway to assume a fair amount of the risk. So you're paying more, getting marginally more security, at a lot less convenience. That's not a tradeoff most people find attractive.
But what I find most disturbing about this is that you made a baseless assertion that they would be more expensive, and even hypothetically, you pre-emptively refuse to find out whether your assumption is true. This is the pattern of stupidity -- shouting what you think you know, and being unwilling to verify whether it's actually true.
the version of Qt supporting Webkit wasn't released until well after the KDE 4.0 release...
Sure, but Webkit itself was available earlier, right? And I can't imagine it would be terribly difficult to migrate from Webkit compiled for Qt to Qt's internal Webkit.
It says at the bottom of their page that it supports flash memory through the use of card readers, so I don't see why it wouldn't work.
The main reason I'm skeptical is that this kind of stuff is, well, low-level. It can't possibly support all models of all cards, and it says nothing about what kind of flash. Could easily have been CF.
Slashdot Mirror
Now let's try the Windows ones. One is a remote exploit, which can be triggered merely by convincing an Aero user to view a given image.
But that's a local exploit!
All exploits eventually touch the local system, of course. The question is where the exploit is triggered from.
In this case, it's classified as a remote exploit since you can "convince" an Aero user to view a given image by merely directing them to that image in a website. (I think.)
Updating the Windows kernel breaks more software than updating the Linux kernel? Oh right, Linux only has 3 apps.
APK, is that you?
You know what? I'm going to assume it is, since he can't be bothered to register. And he wonders why he's downmodded...
I don't think you trolls who are downmodding me understand that I can bypassthe "10 posts per 24 hour" unjust/unfair limitation upon us AC's,
Yet more evidence of trollish behavior. Accounts are free, you deliberately sign your posts to allow yourself to be tracked, yet you refuse to sign up. Then you deliberately bypass limitations like this -- pretty obviously breaking the rules.
On top of it all, you abuse capslock and bold to draw attention to yourself (even as you cower behind anonymity), and you have tons of grammatical and spelling mistakes, making the overall quality of your posts pretty poor.
And again, you wonder why you're downmodded? There'd have to be truly brilliant technical insights in there for a mod to overlook how childish you are about posting them.
There's also this:
/.'s default is to HIDE AC posts as "hidden posts" when javascript is on
No, the default is to hide posts with low scores (including -1's from logged-in users), and even that is contextual. For instance, this post was not automatically hidden.
And that's the default. Mods are encouraged to browse at lower thresholds to look for AC abuse -- to downmod the Frist Psots and such.
So, on reflection:
downmod my posts with regular frequency whether I am right or wrong
You're a jackass with regular frequency. You bitch about moderations (which is generally frowned on), you start posts with "open sores", and baselessly accuse people of conspiracy when things don't go your way.
You're downmodded because you have a bad attitude.
That said, you didn't start with "open sores" -- you did that one post in, and completely unprovoked -- but you didn't start with it, and I was wrong to say so.
if I have the sourcecode to an operating system, I have a FAR easier time of finding bugs in it than I would on a closed source OS, & for instance, using "fuzzers" (or worse, disassembly via debuggers) on it during pen testing...
Yes, that's pretty much exactly what I said. I also explained why this is a good thing.
You want to claim that this is somehow equally useful to good and bad people -- I respectfully disagree. See, even if I did try to find bugs in Windows, using all the tools you mention, I still have to go through Microsoft to get them patched, and it's Microsoft who will be doing the patching. And Microsoft has been known to sit on vulnerabilities for months without releasing a patch, or even acknowledging their existence until there's an embarrassing enough exploit.
By contrast, with Linux, I can provide the patch in the same post which discloses the vulnerability.
wouldn't you rather have a vulnerability found and fixed, or even found and marked "unpatched" on Securina, than found and exploited (hidden) elsewhere?
Microsoft has their regular "Patch Tuesday"
And what does that have to do with my question? Answer my question.
Workplace espionage happens man...
Not from a local DoS. Say it with me: Local. DoS.
It's still very not good. It still should be fixed. But it's not even in the same category as, say, remote escalation.
A security vulnerability is a security vulnerability.
Are you seriously implying all vulnerabilities are equally dangerous?
Local or not, you can take advantage of it, especially if a malware (or worse, a malscripted website's javascript does it, and that RUNS LOCALLY ON A USER'S MACHINE IN THEIR WEBBROWSER
Now you're just a moron.
No, JavaScript exploits would most likely be classified by Securina et al as remote exploits. It's local code, but it's sandboxed. Unless there's a vulnerability in the sandbox itself, JavaScript can't exploit local exploits.
Or just go read the exploits. Look, I did almost all the work for you. Most of them are fucking C system calls, which are about the farthest you can get from a sandboxed script.
Want proof? Go read the Windows Aero vulnerability. It was classified as a remote vulnerability, despite being techincally "local escalation", because an image viewed in a webpage could lead to said escalation.
Now, you note "local exploit". Think that doesn't happen in the workplace, on the same local area network?
Um, no, that's not what "local" means. "Local" means "on the same machine", which usually (though clearly not always) means physical access. Yes, it's still an issue, but having your webserver owned by someone who had a shell account is a lot easier to deal with than having it owned by some random bot over the Internet, and it's a lot less likely to happen.
And remember, we're talking about Google, and specifically, what people are running on their workstations. That makes all of these pretty much irrelevant -- from what I can tell, Google employees truly get to own and admin their own workstations, so they don't really have to share.
NOT ALL LINUX DISTROS USE SeLinux or AppArmor either
So what? I thought we were comparing the best and latest.
"Modifying video output could be very bad, but also very hard to exploit in a way to make it worse than rickrolling you. And again, local.
See my last paragraph in reply above - same ideas apply here too.
What? No they don't. You don't once explain how this is not very hard to exploit in a way that's worse than rickrolling you. Hint: That part has nothing to do with it being local.
Which are just like what you'd n
One of the rules of moderation means you can't post on the same discussion. So of course the mods haven't posted their rationale. But I'll give you a hint:
"Open Sores" (lol)
That's how you started this conversation. Are you surprised you got downmodded? Oh, and people get downmodded for trolling about "M$", also.
It's not about technical justification, it's about playing nice. You're being a dick, so you got downmodded, whether or not you're right. Don't be a dick, it's not hard.
They can spend money to fix security issues as they discover them, rather than having no options, monetary or otherwise, other than waiting it out until Microsoft gets off their collective asses and releases a patch.
Unpatched 5% (11 of 217 Secunia advisories)
That's the important part. Linux always has more vulnerabilities publicly found and fixed due to it being open source, a process which leads to a more secure system -- wouldn't you rather have a vulnerability found and fixed, or even found and marked "unpatched" on Securina, than found and exploited (hidden) elsewhere?
And even more important is what those unpatched vulnerabilities actually are:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
This is in the CIFS code, which presumably can be disabled. Should be fixed, but how many Linux systems actually need to defend themselves against local DoS attacks?
Tony Griffiths has reported a vulnerability in the Linux Kernel, which can be exploited malicious, local users to cause a DoS (Denial of Service).
Another local DoS. And another, and another... Yawn. Let's skip to the good stuff:
An error in the DRM (Direct Rendering Manager) drivers due to insufficient DMA lock checking can be exploited to crash the X server or modify video output.
Modifying video output could be very bad, but also very hard to exploit in a way to make it worse than rickrolling you. And again, local.
A race condition within the handling of "/proc/.../cmdline" may disclose the content of environment variables of spawning processes.
In other words, there's a race condition (hard to exploit) which may disclose sensitive information in your environment variables to other procesess you run. I honestly can't think of a single case where this would reveal anything exploitable. Clearly, it should be fixed, but right now, you're welcome to my environment variables.
A race condition within the memory management can be exploited to disclose the content of random physical memory pages.
That could be very, very bad, but also very difficult to exploit. Again, local.
The vulnerability is caused due to an unspecified error within the ide-cd SG_IO functionality. This allows a user with read-only access to bypass these permissions and perform write and erase operations on media in a drive.
So, in other words, anyone who uses an IDE CD-RW drive is vulnerable. Otherwise, you need a lightning-quick exploit to grab someone's blank media and burn something evil to it. I'm quaking in my boots.
The problem is caused due to signedness errors which can lead to integer overflows in the XDR decode functions in kNFSd. This can be exploited by sending packets with a write request larger than 2^31, causing the system to crash.
In other words, doesn't affect people who don't run NFS, or specifically kernel NFS (there's a userland NFS now). Oh, and you need to be on the local network.
Various functions in the IEEE 1394 driver contain integer overflows within the memory allocation scheme. This can potentially be exploited via specially crafted requests, which may cause a large amount of data to be copied into an insufficiently sized buffer.
That's probably the most serious one I've seen -- possible privilege escalation -- but what privileges do I have to have to access the raw FireWire device anyway? I bet most users can't.
So that brings it down to, what, one actually unpatched vulnerability that I'd be worried about. And it's still only local, and still a bitch to exploit.
Now let's try the Windows ones. One is a remote exploit, which can be triggered merely by convincing an Aero user to view a given image. Another is a remote exploit which may allow people to manipulate SSL-encrypted streams.
Security is not and never has been about numbers -- I only need one serious exploit.
Also worth
I fail to see how this is fundamentally different that using a Linux/Unix sudo, except for not having to drop to the command line and enter a sudo command.
Modern Linux distros rarely require that -- there are GUI equivalents.
And the main difference is that for a long time, UAC behaved really, really stupidly. You could easily count on four or five UAC prompts per software install, and even one or two per Windows Update, making it a ludicrous number of times when setting up a new machine. And that's assuming everything works, which was far from a given.
Now, Windows 7 improved that a lot, and there's a lot of software which has been updated to work well, but contrast this to Linux, where the only programs which don't work properly (install to /usr or /opt as root, store user-specific stuff in dotfiles in $HOME) are programs which were sloppily ported from Windows -- basically, a few indie games and commercial apps (*cough* Oracle *cough*)
However, "UAC is worthless" just means this person hasn't followed the part where UAC has mostly caught up to where sudo was years ago. When Vista was launched, it really was useless.
what IDE runs on ChromeOS?
Heroku had a web-based, cloud-based Rails IDE at one point. That's the only example I could think of right away, so I google'd "web-based IDE" and found plenty more examples.
Where's the Emacs for Android?
Ah, but now you're asking for a specific, legacy app, not a class of application. Or, depending on your point of view, Emacs is its own OS...
Might be interesting to migrate support staff, but that's not where the heart of Google is.
You're probably right, but I wouldn't assume. Ten years ago, it was ludicrous to think that people would give up desktop email clients like Outlook, but I'd be very surprised to find many of those at Google -- I'll bet they're dogfooding Gmail. I don't see that working well for code, but there's certainly no longer a technical barrier to writing a solid web-based IDE, even a web-based Emacs implementation.
Last I checked, Chromium OS is built on Gentoo, whether or not Canonical is contributing.
And there's really no point in Chrome OS if you're just going to run desktop Linux -- there's Ubuntu for that. The point of Chrome OS is for people who live on the Web.
Many of both would like their religious beliefs to be enacted as law.
Maybe I'm just not looking, but how many Christians would like to see those laws include a death penalty for rejecting your religion?
But you are inferring a general trend from a small set of experiences with a few individuals.
Something I often see reinforced, but maybe I'm not being fair.
There's nothing stopping you from creating your own broadcast network...
The FCC stops me from broadcasting it over the air.
That's true, and it's something I disagree with. It's also something rapidly becoming less relevant.
I'd say it is absolutely based in christianity. There's no scientific evidence...
No scientific evidence doesn't automatically imply Christianity, or any overtly religious motive. In particular:
It's just an idea leftover from christian mythology.
Show me where this exists in actual scripture?
No, I see this as being leftover from the Puritans, who added their own interpretation on top of their religion, and also from the Victorians, who had a large number of weird ideas about politeness and high society which simply aren't reflected in any religion I can think of.
I find it funny that people keep saying this:
If you watch only Fox news, or don't really watch international news,
I don't watch Fox "news", but you're right, I don't really watch the international news, either.
...Now further imagine someone publishes a blasphemous anti-christian video, say of jesus partaking in a rape or killing of muslim children that implies all christians are a violent threat, just the excuse used to invade Mexico.
Ok, I'm imagining...
So a mob of angry Texans...
Could happen. It's Texas.
Now picture local christian priests showing up to stop the protests and put their lives at risk by confronting an angry mob. Would it happen? I'd like to think so, but I'm by no means certain it would.
Priests? I'd think pastors, but I see your point. Of course, something similar happened in China recently...
Radicals are radicals and your assumption that most muslims want to impose their religion on others is simply that, your assumption.
Based on personal experience, speaking with intelligent Muslims who see that as the end goal. They don't want to impose their religion in that they don't want to violently overthrow anyone, but they do want to (eventually, through a peaceful, political process) institute Sharia law.
I was surprised. It's not as though I had some preconception here -- in fact, I went into the conversation expecting them to tell me that Sharia was not what Islam is about at all, just as Christian apologists will tell me that the Law of Moses isn't meant to be followed anymore. These were thoroughly Western, highly intelligent people. And they tried to justify Sharia's prescription of the death penalty for apostates.
There are quite a few moderate and progressive muslims.
I've seen very few, and those I've gotten into religious discussions with, again, have shown me what "moderate" means, as I said above.
Now, I don't mean to say that there were none at all -- This guy had an appropriate response, I thought.
There are also a lot of radical christians in the US these days.
No disagreement there.
Heck, you can't even publish nudity or sex on regular TV because of their religiously based censorship.
Define "regular" TV -- the Playboy Channel exists, among others. There's nothing stopping you from creating your own broadcast network, particularly one over the Internet, and distributing whatever you wish.
I'd also question whether it's entirely religiously based. Much of it is, but it sees to be more about the "think of the children" mantra, something which has the feel of a religion, but isn't particularly Christian.
It's not like christians have the high ground of tolerance and freedom of expression to pontificate from.
Good thing I'm not Christian, then, as if the "high ground" matters (ad-hominem, appeal to authority...)
Maybe I'm sheltered, and I'm sure they exist, but the most moderate, reasonable Muslims I've talked to have tried (peacefully) to convince me that Sharia is a good thing, and should take over the world.
The issue is that the radical Muslims are just that, radicals. just like the radical Christians, and the radical Jews, etc.
The issue is that moderate Muslims so rarely have anything bad to say about this, and what's more, "moderate" Muslims often do agree with two core principles: Sharia law is actually a good thing, and Islam (and Sharia) should take over the world.
In other words, the difference between a moderate Muslim and a radical Muslim is that the radicals go blow themselves up, and the moderates secretly cheer them on. At best, the moderates would say they disagree with their methods, but agree with their goals.
Asking for some respect doesn't make you radical.
Saying "Respect us or we'll kill you!" makes you radical. And the "moderate" Muslims so rarely have anything to say about it. Moderate Christians aren't quite as bad.
Apparently you don't. I'm a bit confused -- maybe they just blocked it for Pakistan?
You sir, are an idiot.
With that beginning, surely you're going to display your intelligence, right?
So-called freedom of speech, doesn't really exists.
That'd be "doesn't really exist." And I'm the idiot?
Sure, there's more to intelligence than being able to string together a grammatically correct sentence, but it's not terribly hard to do so, and you did kind of set yourself up.
It has both social and legal limitations attached to it,
The legal limitations are very, very small. Essentially, the speech itself must cause a clear and present danger -- for example, shouting "Fire!" in a crowded theater. But it would be fallacious to try to compare that to the wholesale censoring of dissenting opinion, even offensive opinion.
The social limitations, I don't care too much about. You were saying something about how freedom of speech doesn't "exists", but societal pressure is much more easily overcome than laws. Civil disobedience can land you in jail, or, in countries ruled by Sharia Law, beheaded. Rejecting societal norms just means people think you're weird, but guess what? We accept weirdness and diversity as a good thing.
even in western world and especially in USA. And you readily accept and comply with those limitations.
This may surprise you, but partly because of our freedom of speech, we in the Western world are not a single voice. We are many voices, each with our own opinions.
For example, many Christians are trying to turn the USA into a theocracy, and among them are those who would protest things like violent videogames, and even see them banned, if that were possible. I, on the other hand, would much rather child pornography was not outlawed -- the production absolutely should be outlawed, and already is by statutory rape laws. Distribution and possession should not be a crime, certainly when there's no money involved. I would not be surprised to find the majority of the population disagrees with me, at least until they find themselves framed for that crime.
For example, it is also not allowed to practice freedom of speech where state and military secrets are concerned. it is, like you said, illegal to use your freedom of speech to issue death-threats.
Both of these fall under the "clear and present danger" clause I just mentioned.
Heck, you don't even have the freedom of speech to tell jokes about terrorists and bombs at airports anymore.
It's my understanding that airports are private, much like the airlines themselves, but I could be mistaken. Of course, I don't agree with this either, as I can't possibly see it enhancing security, and I'm not sure it would be worth it if it did.
I am sure you will get very far by telling them that any offense or threat they felt was out of their own choice(since you had no actual bomb).
Ah, but they weren't acting on feelings. They were acting on policies and procedures. Psychoanalyzing the individual who grabbed me would accomplish very little -- I'd have to take it up with the TSA, which isn't showing a lot of sanity right now.
Yet, you happily accept those limitations
Again, no I don't. I "accept" them to the extent that I don't joke about bombs in airports. I certainly don't accept them "happily."
But you are eager for the right to intentionally offend and harass someone else, simply out of pure malice,
I stated my intentions explicitly elsewhere on this thread. Even if I hadn't, why would you assume "pure malice"? I suppose it's easier to hate a group than an individual, especially when the individual doesn't fit the stereotypes of the group.
Since you introduced yourself by calling me a moron, I'm likely to respond in kind, but I actually bear you no grudge. I have no malicious in
Am I living under a rock or something? I'm vaguely aware that there's something called "4G", and it's supposed to be faster than "3G". Beyond that, I haven't really heard much.
Nothing like whether Avatar is "worth the hype"...
Though, judging from the things I see described this way on Slashdot, maybe hype itself is overhyped?
Writing a server side script to conditionally (dis)allow content delivery based on HTTP referral data will always be non-trivial.
What? It's trivial now. Maybe not as much as:
Adding one HTML tag to an HTML document is trivial.
Of course, the solution I've seen proposed -- an HTTP header -- is equally trivial, certainly to embed in HTML documents via the meta tag. Then again, if referer-checking is "non-trivial" for you, I suspect you'd find it similarly challenging to add a header to those images.
Changing many documents this way is non trivial
I shudder to think what happens the day you're presented a truly non-trivial programming task. I mean, really? It's hardly more than search-and-replace.
configuring the server to send the additional HTTP header it relatively trivial in this case, and is simpler / less processor intensive than conditionally disallowing content via referrer.
Granted, adding a static header is relatively simpler and less processor intensive than doing a referer-check. It's still trivial. We're well past the point where the disk and the network are the limiting factors, and the sheer speed of a modern CPU relative to that means the referer-check, even a really poorly written one, is still not going to make a blip on anything.
I mean, we're well past the point where on-the-fly gzipping makes sense, because the network is so much slower than the CPU.
If your server sends a new HTTP header that is unrecognized by the browser it will be gracefully ignored. The browser will also ignore any tag it doesn't understand.
Yes. What's your point?
The current HTTP, (X)HTML standards are designed to be extensible, yet a simple extension is hard to achieve.
Yes. The reasons it's hard are entirely sane.
Again: Do you want another blink tag?
The more stuff that gets standardized, the more difficult it is to write a standards-compliant browser, or to target the browser as a platform. Consider JavaScript -- the fact that the browser will ignore scripts it doesn't understand is useless if I build a page that requires JavaScript, and it makes my job more difficult if I have to support both.
On top of all of that is the problem of additional moving parts. Again, consider JavaScript -- pages that don't use it will work the same way they did, and browsers that don't support it will see what's in the noscript tag. So why wouldn't I implement it, both in pages I serve and in browsers I write? What could possibly go wrong?
Now, I'm not anti-Javascript by any means, but that kind of attitude is downright naive. Your idea seems reasonable, but it does make sense to be cautious, and to examine all the implications of any change, not to mention whether the change is needed.
Or you could hack together a solution with the existing standards, and you don't have to worry about any of that.
I agree it's implausible that a system will have no flaws, but once a flaw is found and a simple solution exists, and a new version of the system is released (4.01), and no fix is standardized and adopted...
Well, again, there was this existing hackish solution.
For security and privacy reasons many people disable HTTP-REFERER and/or JavaScript;
Doing so kills clickjacking anyway. As for referer, those "many people" are still not a large enough group that anyone would intentionally hotlink an image from a site that implemented referer-checking. Since it's not a security issue, but only a money issue, I think the fact that a majority leave referer on means referer is plenty good enough for images, as far as that goes.
A site should still (at least mostly) work with these disabled... It's not hard -- I wrote a chat site using only HTML/HTTP; no plugins or JS requ
Stopping the spill? Sure. They're throwing lots of money at the problem, and stuff's still not working. Of course, they have other motivations to do that -- for one, presuming they can eventually stop it, they can also turn it into a viable drilling operation again. Also, every second that leak isn't plugged is more waste -- the same oil that's ruining the local ecosystem is also oil they can't sell, unless it's cleaned up, which costs a lot more than just pumping it up from the ocean.
But what about cleaning up the coastline, now? What about doing proper fucking booming? And what about the sheer fucking carelessness that lead to the accident in the first place?
what would you have BP do though - try nothing while they drill relief wells?
As I understand it, "Top Kill" had a significant chance to make things worse. Given that, "do nothing" may have been the right choice.
I don't know, because I don't have nearly enough information to make that call, but it's not automatically a bad choice.
Yeah, that was the WTF moment for me. 10 years in the industry, and she doesn't realize that PDF is an open standard with alternate implementations?
First, they're more expensive to compensate.
Could be, but you don't know this yet.
Second, they're not more expensive and go out of business because they get drowned in the loss.
Also a possibility, so long as you understand that this is an entire option. "Not more expensive" does not automatically imply "drowned in the loss."
There is a fifth possibility you missed: The "secure" version gouges their customers to compensate, and is required by law anyway to assume a fair amount of the risk. So you're paying more, getting marginally more security, at a lot less convenience. That's not a tradeoff most people find attractive.
But what I find most disturbing about this is that you made a baseless assertion that they would be more expensive, and even hypothetically, you pre-emptively refuse to find out whether your assumption is true. This is the pattern of stupidity -- shouting what you think you know, and being unwilling to verify whether it's actually true.
the version of Qt supporting Webkit wasn't released until well after the KDE 4.0 release...
Sure, but Webkit itself was available earlier, right? And I can't imagine it would be terribly difficult to migrate from Webkit compiled for Qt to Qt's internal Webkit.
It says at the bottom of their page that it supports flash memory through the use of card readers, so I don't see why it wouldn't work.
The main reason I'm skeptical is that this kind of stuff is, well, low-level. It can't possibly support all models of all cards, and it says nothing about what kind of flash. Could easily have been CF.