"Microsoft knew about the security hole in XP for 5 weeks"
Where did you find that out? Could you post a URL?
Re:Microsoft Passport vs. Liberty Alliance...
on
WinXP Security Flaw
·
· Score: 1
I have Windows Messenger still installed, and WinXP doesn't bug me about Passport at all. I do, however, have my taskbar set to always hide the Messenger icon, which might make a difference.
"The problem is in XP, the default user has Administrator access."
True--the XP install is bozo enough not to have the one installing to make a separate user account.
"restricted users are effectively useless in XP on home computers."
I've run WinXP as a user (non-Administrator), and I'd say that I can definitely get work done on WinXP. I have noted that some app vendors can be sloppy by assuming that stuff in the Program Files folder can be written to (which can often be solved by installing the app in a folder that a user has access to); however, most apps are content to work with only user privileges.
The problem is that Windows is often set up to hide known file types by default in certain file manager views, so users see "FOO.MP3" not "FOO.MP3.exe".
"You are now the only two people who know that it is easier than expected to perform a criminal act against the theater."
Ahem. You don't really know this. Someone else could have known about the problem with the theater door, not told anybody about it, and used it to his/her advantage.
Also, the bad theater door lock pretty much only affects a few people who can easily be found and told, namely the theater owners. Digital vulnerabilities, however, affect everyone who uses the software with the vunerabilities. Not all these people can be tracked and told of the vulnerability individually, so the best way to tell those affected is to broadcast the info on the vulnerability so that those who are affected can take steps to fix or workaround the problem.
"My question regarding this issue is: how do you feel about this issue? Do you really think that not fully disclosing a vulnerability will prevent exploits to be made? One of the arguments for full disclosure is that sysadmins are able to reproduce the error so that they can test if their system is vulnerable, but with limited disclosure this will only be possible for a small (and probably malicious) public."
How people *feel* about this issue is irrelevant. Full disclosure, for all its faults, has worked better than just telling the vendor or a select few. Generally what has happened when vulnerabilities were kept quiet was that the vendor sat on the problem or took care of it at its leisure, leaving systems open for crackers who could and did silently exploit the vulnerabilities. Full disclosure 1) lights a fire under the vendor so that it actually *does* something, and 2) allows others a chance to find ways of coping with the vulnerability until a fix comes.
This is not theory; it has been shown to work in practice.
Eowyn was interested in Aragorn, but not the other way round. Later she met Faramir, Boromir's brother, when they were both recuperating at Minas Tirith, and they fell in love.
. . . treated as an opportunity do things that would be prohibitively expensive in live action. Keep the interesting interrelationships and characters but also bring in more fantastic storylines. Heck, maybe even have vampires that fly.
"My wife is a school teacher in an inner-city neighborhood in southeast Washington, D.C. Four of the students in her 22 student class have been classified as autistic, and it's complete hooey."
"The common thread amongst those four students is that they essentially don't have any parents and no parenting. They're either being raised by grandparents who already have one foot in the nursing home, parents who are hooked on crack or other drugs, or parents who are working multiple jobs each to make ends meet"
Um, that "common thread" that you described applies to a lot of kids in the inner city, and it probably applies to many of the kids in the class that were not diagnosed with autism. Now if you were talking about kids in the relatively rosier suburbs, that "common thread" might mean something.
I'm familiar with the "Theory of Mind," and as an autistic myself, I'd have to say that it doesn't quite wash as an explanation of what is the core of autism.
For example, when playing hide-and-seek, Temple Grandin (relatively famous autistic, mentioned in the article) would make a decoy by taking off her jacket and stuffing it with leaves, leaving it out to distract the kid who was 'it' (the one looking for the
other kids who were hiding). Only those who understand that others have minds could do that because pulling the jacket-as-decoy trick means knowing that the kid who's 'it' doesn't have the same knowledge as the one pulling the trick, which implies that the kid who is 'it' has a separate mind.
Heck, even I know that others don't have my knowledge or know my thoughts.
And then of course the piece de la Resistance... the most important skill is...
programming itself
Let me get this straight, its CODING ? Not Design, not Engineering, requirements, risk analysis or whatever but banging the code out.
You obviously misunderstood the article. After Conway says that programming itself is the most important skill, he goes on to say,
Of course, to land a particular job it can be a huge advantage to have specific expertise inthe right area.
But without a deep and solid grounding in basic software design and construction, all the.NET or data mining knowledge in the world isn't going to help you keep that job once you've landed it. [emphasis mine]
He obviously includes design and a deep understanding of how software works as part of the discipline of programming. He is not talking about just "banging out code."
"If this bug in IE has really been around for two and a half years, how is it that no one has stumbled on to it until now?"
You are making the classic mistake of assuming that the first one to publicize the vulnerability is the first one to have found it. A malicious cracker could have known about the problem long before it was made public and exploited it silently.
That classic mistake is what is wrong with "security by obscurity." There is no guarantee that what is obscure to the general public is obscure to the bad guys.
> "If they wore T-shirts with their driver's license numbers writ large and visible from all angles, they wouldn't have formed lynch mobs."
"That conveniently ignores the fact that the county sheriff usually knew exactly who the members of the lynch mob were"
There's one thing that you are missing. Even if the sheriff knew who the local KKK members were, with the hoods, the sheriff could either feign total ignorance of the lynchers' identities, or simply say that the hoods kept him from identifying *which* KKK members were doing the lynching.
The show "Mutant X" used "cracker"
on
Hacker U.
·
· Score: 1
"It is about time people give up what they think is right usage and give in to popular usage."
It looks like use of the term "cracker" is *starting* to come into popular speech. I caught that TV show "Mutant X" (sort of a pseudo-X-Men, but not as smart) actually use the term "cracker" for someone that breaks into computers. Not much, but it's a start.
Now if Andromeda would've actually used the term "kluge" correctly . . .
That is a loose meaning of "contrived," especially when discussing quality of writing. "Contrived" here means something more like not hanging or fitting together, a lack of seamlessness.
"That said, I can imagine that for many users, high speed access is a frivolity. Let's face it: you need a high speed connection mainly for gaming, porn, and overwrought sites with lots of graphics."
Don't forget large or medium-size downloads, like StarOffice, or Windows shareware, or JVMs, or Linux free software, or mp3s.
"The worst Microsoft could do at this point is appeal
the new remedy, which would only revert them to the
same state they are in now (guilty, but unpunished)."
Ah, this is the rub. MS can drag its feet, if not indefinitely, then long enough to potentially make any DOJ decision irrelevant. This leaves the DOJ with a choice: do something to MS *now* to partially rein them in--which means the punishment must be palatable enough for MS to be willing to cooperate--or aim for a tougher penalty which would be enacted after MS had done its damage.
"You're missing the point that you're inserting a raftload of indirection in the picture when you use X as it's currently specified. Everything HAS to go through your TCP/IP stack."
Wrong. X does not require TCP/IP at all. If everything is running locally, Unix sockets and shared memory can be used. When running across a network, X can use another networking protocol lkie DECnet (though few would want to, AFAIK). TCP/IP is not necessarily part of the equation.
If Steve Ballmer said that to a German's face, there's a good chance he'd get punched in the nose. Most Germans have no love either for Hitler or today's neo-Nazis.
Slashdot Mirror
Microsoft, AFAIK, does not have the e-mail addresses of every WinXP customer. How could they send e-mail reminders then?
"Microsoft knew about the security hole in XP for 5 weeks"
Where did you find that out? Could you post a URL?
I have Windows Messenger still installed, and WinXP doesn't bug me about Passport at all. I do, however, have my taskbar set to always hide the Messenger icon, which might make a difference.
"The problem is in XP, the default user has Administrator access."
True--the XP install is bozo enough not to have the one installing to make a separate user account.
"restricted users are effectively useless in XP on home computers."
I've run WinXP as a user (non-Administrator), and I'd say that I can definitely get work done on WinXP. I have noted that some app vendors can be sloppy by assuming that stuff in the Program Files folder can be written to (which can often be solved by installing the app in a folder that a user has access to); however, most apps are content to work with only user privileges.
The problem is that Windows is often set up to hide known file types by default in certain file manager views, so users see "FOO.MP3" not "FOO.MP3.exe".
"You are now the only two people who know that it is easier than expected to perform a criminal act against the theater."
Ahem. You don't really know this. Someone else could have known about the problem with the theater door, not told anybody about it, and used it to his/her advantage.
Also, the bad theater door lock pretty much only affects a few people who can easily be found and told, namely the theater owners. Digital vulnerabilities, however, affect everyone who uses the software with the vunerabilities. Not all these people can be tracked and told of the vulnerability individually, so the best way to tell those affected is to broadcast the info on the vulnerability so that those who are affected can take steps to fix or workaround the problem.
"My question regarding this issue is: how do you feel about this issue? Do you really think that not fully disclosing a vulnerability will prevent exploits to be made? One of the arguments for full disclosure is that sysadmins are able to reproduce the error so that they can test if their system is vulnerable, but with limited disclosure this will only be possible for a small (and probably malicious) public."
How people *feel* about this issue is irrelevant. Full disclosure, for all its faults, has worked better than just telling the vendor or a select few. Generally what has happened when vulnerabilities were kept quiet was that the vendor sat on the problem or took care of it at its leisure, leaving systems open for crackers who could and did silently exploit the vulnerabilities. Full disclosure 1) lights a fire under the vendor so that it actually *does* something, and 2) allows others a chance to find ways of coping with the vulnerability until a fix comes.
This is not theory; it has been shown to work in practice.
I think the sword got repaired in The Two Towers. Didn't Aragorn grumble about having to leave it at the door of the hall of the king of Rohan?
Eowyn was interested in Aragorn, but not the other way round. Later she met Faramir, Boromir's brother, when they were both recuperating at Minas Tirith, and they fell in love.
. . . treated as an opportunity do things that would be prohibitively expensive in live action. Keep the interesting interrelationships and characters but also bring in more fantastic storylines. Heck, maybe even have vampires that fly.
"My wife is a school teacher in an inner-city neighborhood in southeast Washington, D.C. Four of the students in her 22 student class have been classified as autistic, and it's complete hooey."
"The common thread amongst those four students is that they essentially don't have any parents and no parenting. They're either being raised by grandparents who already have one foot in the nursing home, parents who are hooked on crack or other drugs, or parents who are working multiple jobs each to make ends meet"
Um, that "common thread" that you described applies to a lot of kids in the inner city, and it probably applies to many of the kids in the class that were not diagnosed with autism. Now if you were talking about kids in the relatively rosier suburbs, that "common thread" might mean something.
I'm familiar with the "Theory of Mind," and as an autistic myself, I'd have to say that it doesn't quite wash as an explanation of what is the core of autism.
For example, when playing hide-and-seek, Temple Grandin (relatively famous autistic, mentioned in the article) would make a decoy by taking off her jacket and stuffing it with leaves, leaving it out to distract the kid who was 'it' (the one looking for the
other kids who were hiding). Only those who understand that others have minds could do that because pulling the jacket-as-decoy trick means knowing that the kid who's 'it' doesn't have the same knowledge as the one pulling the trick, which implies that the kid who is 'it' has a separate mind.
Heck, even I know that others don't have my knowledge or know my thoughts.
"They are consistenly funny and inoffensive."
Funny, yes. Inoffensive is stretching it, although those most offended are probably misinterpreting it in the first place.
You obviously misunderstood the article. After Conway says that programming itself is the most important skill, he goes on to say,
He obviously includes design and a deep understanding of how software works as part of the discipline of programming. He is not talking about just "banging out code.""If this bug in IE has really been around for two and a half years, how is it that no one has stumbled on to it until now?"
You are making the classic mistake of assuming that the first one to publicize the vulnerability is the first one to have found it. A malicious cracker could have known about the problem long before it was made public and exploited it silently.
That classic mistake is what is wrong with "security by obscurity." There is no guarantee that what is obscure to the general public is obscure to the bad guys.
> "The KKK wore hoods."
> "If they wore T-shirts with their driver's license numbers writ large and visible from all angles, they wouldn't have formed lynch mobs."
"That conveniently ignores the fact that the county sheriff usually knew exactly who the members of the lynch mob were"
There's one thing that you are missing. Even if the sheriff knew who the local KKK members were, with the hoods, the sheriff could either feign total ignorance of the lynchers' identities, or simply say that the hoods kept him from identifying *which* KKK members were doing the lynching.
"It is about time people give up what they think is right usage and give in to popular usage."
It looks like use of the term "cracker" is *starting* to come into popular speech. I caught that TV show "Mutant X" (sort of a pseudo-X-Men, but not as smart) actually use the term "cracker" for someone that breaks into computers. Not much, but it's a start.
Now if Andromeda would've actually used the term "kluge" correctly . . .
That is a loose meaning of "contrived," especially when discussing quality of writing. "Contrived" here means something more like not hanging or fitting together, a lack of seamlessness.
"It's Sunnyvale 90210 now."
Umm, it's always been "Sunnydale 90210". That's part of its charm. If it were all about slaying, it would be boring.
"That said, I can imagine that for many users, high speed access is a frivolity. Let's face it: you need a high speed connection mainly for gaming, porn, and overwrought sites with lots of graphics."
Don't forget large or medium-size downloads, like StarOffice, or Windows shareware, or JVMs, or Linux free software, or mp3s.
The longer the trial goes, the more time MS has to abuse its monopoly and render any DOJ decision moot. That's why speed is needed.
"The worst Microsoft could do at this point is appeal
the new remedy, which would only revert them to the
same state they are in now (guilty, but unpunished)."
Ah, this is the rub. MS can drag its feet, if not indefinitely, then long enough to potentially make any DOJ decision irrelevant. This leaves the DOJ with a choice: do something to MS *now* to partially rein them in--which means the punishment must be palatable enough for MS to be willing to cooperate--or aim for a tougher penalty which would be enacted after MS had done its damage.
"You're missing the point that you're inserting a raftload of indirection in the picture when you use X as it's currently specified. Everything HAS to go through your TCP/IP stack."
Wrong. X does not require TCP/IP at all. If everything is running locally, Unix sockets and shared memory can be used. When running across a network, X can use another networking protocol lkie DECnet (though few would want to, AFAIK). TCP/IP is not necessarily part of the equation.
'Ve haff vays of makink you upgrade...'
If Steve Ballmer said that to a German's face, there's a good chance he'd get punched in the nose. Most Germans have no love either for Hitler or today's neo-Nazis.