And when we are up against bad guys capable of jamming the UAV's communication back home to the guy controlling the joystick?
On pre-Vista Windows boxes, most people ran their default account with godlike administrator privileges. It's either that or:
Run a restricted account
Any time you want to install software
DO:
log out of your restricted account
log into the admin account
install the software
then go back to your restricted account.
REPEAT
You forgot the other option.
Any time you want to install software
DO:
right-click
select RUN AS administrator
install the software
Not really much harder than typing 'sudo' before installing things.
Yeah, on the day when a decent size, very advanced botnet was to start changing behavior, it would have been really nice to have someplace to go to find out what the new changes were.
How did the authorities do at blocking the huge number of possible new domains the bad guys were going to try to use to pass out updates to the botnet?
Were updates actually successfully rolling out to the botnet? Is there any word on what the new updates do if so?
There are lots of questions about an interesting story. Instead, we get bullshit The Onion imitations.
CNN actually has some small amount of real relevant news on it. Get your tech news from CNN or somewhere else today.
Slashdot sucks at the 'news for nerds' stuff.
Slashdot is lame every year on April Fools' Day.
This is nothing new. At least we don't have to deal with that moronic 'OMG ponies' theme this year.
Time to tune out for the day and come back tomorrow when there might actually be 'news for nerds' instead of 'omgdz, we are as cool as the onion' idiocy from the so-called editors.
"It's easy to get "Kryptonite causes cancer" published."
That's because it's something that can readily be scientifically determined.
"But getting "Chemical X totally harmless" is a lot harder sell."
And no real scientist will ever tell you that, or try to get it published, because that's not science. Totally harmless includes a LOT of things besides testing if something is mutagenic. What exact series of tests are you going to use to scientifically conclude something is totally harmless? You don't have one because that's a big big question. All you can say is you cannot determine any known side effects.
It's not publishing bias to say only things you can actually prove, and not say stupid things you can't prove.
Whenever people say "The French are rude", what they inevitably really mean is "People in Paris are rude". Once you get out to the countryside, folks seem quite nice.
Certainly, MSSQL and Sybase are sane RDBMSs and will act the same as Oracle and DB2 in that situation. As will Postgresql, Firebird, etc.
I'm not sure if sqlite will, but that's forgivable for a database made to run on PDAs. (not forgivable if people try to use it as a real database on a real computer).
Mysql on the other hand, utter crap.
I use 2008 Server as my desktop OS. It doesn't load a ton of extra eye-candy crapola that makes vista machines so slow. It's a very good desktop OS if you don't mind spending a few minutes after the install tweaking it a tad for desktop use.
VMWare player IS free.
VMWare server IS free.
If you need to install XP fresh each year...
YOU ARE DOING IT WRONG.
If a single guy making a site can figure out how to write a query in his code, he can figure out how to make a stored procedure/prepared statement that does the same thing, and just call on that from his code.
$5 million?
That will be burnt up in a single clinical trial.
"Sanitize all inputs before getting to the database."
NO! How many times do people have to get hammered because their own or someone else's sanitizer didn't really sanitize (e.g. php's mysql_escape_string vs mysql_REAL_escape_string, and other idiotic things) before folks will listen to DBAs and start using well-parametrized stored procedures/prepared statements.
If you use well-parametrized stored procedures/prepared statements you don't have to worry about any idiots trying to do SQL injection, nor about how you or someone else may have botched your sanitizer.
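An added illustration of the point in this post (example code, not from the thread), using Python's standard sqlite3 module and a constructed in-memory users table: the same lookup written with string concatenation and as a bound-parameter prepared statement, so the difference shows on an input that carries a quote.

```python
import sqlite3


def make_db():
    # Constructed sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    # The anti-pattern the post warns against: input spliced into the SQL text.
    # Any sanitizer that runs before this has to be right for every quoting rule
    # of every database and charset, which is exactly what keeps going wrong.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Prepared statement: the value is bound as data, never parsed as SQL syntax,
    # so there is no escaping step to get wrong in the first place.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = make_db()
    honest = "bob"
    # Constructed input: a plain string to the parameterized query, but it
    # rewrites the WHERE clause of the concatenated one.
    hostile = "' OR '1'='1"
    return {
        "concat_honest": lookup_concat(conn, honest),
        "param_honest": lookup_param(conn, honest),
        "concat_hostile": lookup_concat(conn, hostile),
        "param_hostile": lookup_param(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated lookup hands back every row for the hostile input while the parameterized one returns nothing, with no sanitizer involved on either path.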
That was in regard to the 'busted' video, which seemed geared towards folks who were guilty of something and trying to avoid getting busted.
These videos show how you shouldn't talk to them even if you are innocent. It will do you zero good and can only hurt you.
I think the following videos from a lawyer/law-professor and an ex-cop are about 10000% more informative on the subject. Long, but worth it.
Part 1: http://www.youtube.com/watch?v=i8z7NC5sgik
Part 2: http://www.youtube.com/watch?v=08fZQWjDVKE
WSUS has absolutely zero to do with testing, or the problem at hand.
You don't appear to understand the problem at all.
WSUS makes zero difference. Companies used their own patch system before WSUS was available. WSUS changes nothing about the window of vulnerability.
As soon as MS releases a patch, blackhats start reverse engineering it and release an exploit to take advantage of any unpatched machines.
If a company has a testing cycle that takes 14 days, and MS releases 1 patch a day for 12 days straight, the company has to have 12 concurrent testing phases going on (a waste of manpower and equipment according to the bean counters), or has to wait until all 12 patches are out, then start their testing cycle. That means that first exploit will possibly be out for 11 days before the company even begins their testing.
By the time testing is done they have been vulnerable for 25 days. If MS released all the patches to the world at once, their maximum window of vulnerability would have been 14 days.
That is why companies care about releasing of patches in scheduled batches. WSUS just helps them roll out the patches to groups of machines at the end after all the testing is done. It does absolutely nothing about the window of vulnerability.
Ok, the grandparent didn't explain things entirely clearly, but what is crystal clear is you've never used BeOS, Mr. Coward. It multitasked amazingly well.
It's not pointless. It's not an all or nothing. The point is not to get rid of the window of vulnerability totally. That's never going to happen anyhow.
It's a trade off to reduce the window of vulnerability to what they consider an acceptable risk, balanced with a more economically run testing/rollout system.
The big one was a long time ago. MS released service pack 2 for NT and trashed a lot of systems. Mention of that one still makes my skin crawl. It broke many things. They were lambasted for that one and haven't had that many bad patches since, but still take heat for it.
It's a way I don't agree with because I'm an OpenBSD user and put security high on my list. It's not at all a lame way to go about it for the bean counters.
The problem with your method (by their thinking) is that as soon as a patch is released, if it's not a publicly known one (and LOTS aren't), the bad guys start reverse engineering it to find out exactly what MS changed, and what the likely hole was that they can exploit.
Some of the bad guys are really good and can often do this in as little as a day. They then make an exploit that takes advantage of the hole and release it.
Now all those big corporate users are exposed in a major way until their next patch cycle. Much more at risk than they were while the thing was unknown. They don't like that.
So at the expense of the home user and small biz user, they convinced MS to hold up patches for the monthly cycle. Since the big corps are cash cows for MS, and the typical home user's interest is "duh, what's a patch?", MS satisfied the corp customers.
As I said. It's not something I would choose or agree with, but they have very real reasoning for it with their priorities.
They claim it's a feature, because it's a feature their large corporate customers asked for. You aren't likely to get bonus points for going against that one.
Microsoft used to release patches as soon as they were discovered. They worked that way for decades. A hole was found, a fix was built, tested, and released. Patches would come out almost daily sometimes. The big companies didn't like that because besides the plethora of standard 3rd party apps that MS and others tested the patch against, they also all had tons of custom in-house software that each patch had to be tested against. When patches were coming out frequently (sometimes daily as I said), their testing teams would only get a start on one patch, when they'd have to begin the testing process again with another patch. Things stacked up in the queues and they blew a lot of money on large testing teams. They requested less frequent, but scheduled patch releases from MS so that they could set a regular manageable cycle for testing. It's certainly a security risk, but the pointy-hairs and bean counters at the large corps thought it was a good risk for the dollar savings.
By attacking MS's patch cycle, you are attacking the pointy-hairs and bean counters at those companies you are trying to convince open-source is good. Probably not the best approach.
Yeah, because it would have been absolutely freaking brilliant to have all the equipment delivered a decade ago. Having everything in place about 8 years before converter boxes were readily available would have been the smart move. It's not like electronics get cheaper over time or anything. (That's sarcasm in case you missed it)
If you'd like to complain they should have been 12 months ahead of the curve I might have taken your response seriously. This is just stupid.
As far as the hospital analogy goes, exactly. If they delay a few weeks it's no big deal. Idiots shouldn't get their panties in a bunch if a station is a few weeks late switching. There is no reason to bother having the TV out for a week. Is someone going to drop dead if they keep broadcasting on the old analog channel and temporary digital channel another few weeks? No. Delaying the switch a few weeks is fine.
If you'd bother to read, there was a delay getting the equipment from the manufacturers. Not bad planning by the station.
Or maybe those 'lazy' people just aren't ignorant as you appear to be about the program.
As I already replied to other posters, the government sold a public resource, the airwaves, to a handful of private companies. Funds from that sale went to provide the coupons, so it's not a boondoggle of any size. It's a valid way of making up for loss of the use of those public airwaves.
Americans are still "can do". Some are just more ignorant about how things work than others.