Slashdot Mirror


User: Gr8Apes

Gr8Apes's activity in the archive.

Stories
0
Comments
8,126

Comments · 8,126

  1. Re: Linux not vulnerable on Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite (zdnet.com) · Score: 1

    The real problem here is that if Updater requires high level privs on windows, then it's going to be compromisable no matter what MS does. The entire DLL loading process is just one huge security hole. If you have access within your code to load a DLL under an admin privileged token no matter how masked (and possibly even without, I didn't bother going that far) the machine is yours. This is because Windows Security is upside down, and no sensible security system would ever have this design strategy.

  2. Re: Skype for Linux is terrible on Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite (zdnet.com) · Score: 1

    Microsoft simply felt that its UI wasn't modern enough, ... it has to be really bright and contrasty colors, like a Fisher-Price toy.

    So, back to XP?

  3. Re: Deliberate misrepresentation by CNN on New York Times CEO: Print Journalism Has Maybe Another 10 Years (cnbc.com) · Score: 1

    That's a video, still no story? And no, I didn't watch it, I don't do videos, so I'm taking it on faith that your statement and the description on the video are correct.

  4. Re: What did you expect? on Google Autocomplete Still Makes Vile Suggestions (wired.com) · Score: 1

    I'd have a better question - since the response was modded up drawing attention to your post, why are you worried about it? I have posts that were modded negatively, in several cases merely because the moderators didn't like the sentiment. In several cases those negatively moderated posts generated additional postings of which some were thoughtful or good. It's irrelevant if they were moderated highly or negatively; what matters to me is that the discussion is interesting, which is the only reason I still read /. The stories themselves are usually already known; it's the commentary that makes it interesting.

  5. Re: What did you expect? on Google Autocomplete Still Makes Vile Suggestions (wired.com) · Score: 1

    And now you need to tell us how to identify these terms. Is the cult of Scientology a church?

    You're asking the question wrong: is a church a cult?

    Answer: yes, by definition.

  6. Re: What did you expect? on Google Autocomplete Still Makes Vile Suggestions (wired.com) · Score: 1

    You could just not have certain subjective phrases combined with other subjective phrases. Yes, people will find creative ways around whatever filters you put up, but eventually your weighting system will generally represent non-inflammatory searches unless you specifically type them in. Which is likely what should be happening anyways, but for reasons other than to not offend some specific snowflake. It should be easy enough for there to be a child-safe layer for those under 8 and between 9 and 14, for example. If your search shows up in porn or hate-related searches, it likely shouldn't show up for those 2 classes. Why Google hasn't figured out how to do this is truly beyond belief, as it's actually a simple application of weighting applied to the current data they already have in hand.

  7. Re: Implemented incorrectly on Sandboxed Mac Apps Can Record Screen Any Time Without You Knowing (bleepingcomputer.com) · Score: 1

    You have obviously never programmed in MS land. The contract is built upon sand.

    I actually have developed in the MS land (as well as Linux) for the last 20 years. The MS Land you speak of is actually the best for maintaining compatibility, sometimes to the point of pain where to avoid some fringe cases of breaking compatibility they will create a new version of the API instead. So I would say your comment tells me you have obviously never programmed in the MS Land.

    Yeah, right. Take a look at the security token manipulation routines for threads and processes (oh wait, they've all been quietly broken). Backwards compatibility be damned.

  8. Re: Irrelevant on Should GitHub Allow Username Reuse? (donatstudios.com) · Score: 1

    For the very very first initial verification, you use your buildable system and verify the codebase and build it. Compare to what you installed. Now reinstall with an alternate system from a different source, build your target system and compare the 2 builds. If you're really wanting to verify, do a third install (or LiveCD) and repeat. Then, after you're all done verifying and building your now validated source, you install your verified build and you have a trusted initial install. It's a lot of work, but if you want to be sure, it's the only way.

    Or you trust common components built and used by many others for your base system.

    But, IMHO, the original posting was referring to components you include in your own products that you develop. In this case, you should only include things you build yourself. The Maven repo is not a trusted source no matter what a bunch of people think. You should create source copies in your build system for every component you use, and build and test each one. This puts the entire source code you're working with under your control, and you can vouch for it, as is necessary for certain levels of security and accountability. And yes, this is a pain in the ass if you only need 1 function from a library. It forces you to do some reckoning instead of haphazardly including 100 Apache libraries. In some cases, you'll wind up just copying the base functionality that you need into your codebase, reducing your exposure. Which is the idea.

  9. Re: Irrelevant on Should GitHub Allow Username Reuse? (donatstudios.com) · Score: 1

    So TOFU (trust on first use), as I suspected. Use of TOFU raises two follow-up questions:

    I would hope you'd verify the codebase on first use. If not... well, there's some other word for what you are...

  10. Re: Implemented incorrectly on Sandboxed Mac Apps Can Record Screen Any Time Without You Knowing (bleepingcomputer.com) · Score: 1

    Easy to do if you've implemented it like that from the start. Quite a bit harder if this API has been public since 2007 and you don't want to cause incompatibility issues.

    How happy would you be as a developer if you did things according to the documentation at the time and then years later were told you have to change because the API contract is changed? Pray that we don't change it further?

    You have obviously never programmed in MS land. The contract is built upon sand.

  11. Re: Forget that.. on Firefly Canon To Expand With Series of Original Books (ew.com) · Score: 1

    Look at what has happened to Star Wars between the novels in the 70s until TPM came out, then look at how bad it has gotten post-TPM.

    I hate to break it to you, but RotJ was already a major let down for us "real fans". Everything since RotJ, and actually including RotJ, was a major letdown. The cartoons were... bad. Since you're a cartoon fan, I'm guessing you weren't around when there were calls for Lucas to either direct Foster's Splinter of the Mind's Eye, or step aside and allow it to be made, because the whole Ewoks thing was so... stupid. It's been too long, but I'm guessing that Lucas reined in the rights for distributive works when he went on to create that terrible series of cartoons that almost no one but children watched, the same target as the He-Man generation.

    Disney's sequels have shat all over the non-canon 'canon' for the vast majority of old Star Wars fans. The ones who are fans now are mostly children and people who might've been casual fans in decades past. But much like religion and various other bits of popular culture, the new fans never go through old material chronologically and instead start at the newest and work back, invalidating old works rather than choosing a point to schism based on where the newer works started to diverge.

    Disney has actually injected some reasonable life into the SW property. Rogue One was fantastic, and everything that Ep 1-3 wasn't (good, engaging, build up of an intertwined story line). Granted, TFA was a rehash, but then so was RotJ. TFA was far better, IMHO (no stupid Ewoks, yes, I really disliked them to the point that they distracted from the story line almost as much as Jar-Jar) and I thought TLJ was a fitting end to the old guard. Disney effectively brought back the story line and then set it up to move along without any of the original characters. The "world" has been set up, some things were clarified, and now the storyline can move forward unhindered.

    Same thing happened with Star Trek when TNG came out and retconned the Klingons, who had a whole culture built up between pre-TNG TOS era Klingon fiction and RPG source books.

    Actually, TNG was fine, and no one cares about RPG source books - they're a deviation from the main story universe by definition. TNG was set a hundred plus years after TOS; given how things change and the lifespans implied in the movies, there's no chance that the universe changed over that time and that the Klingons made peace with the ever strengthening Federation? Now DS9 and Voyager both lost me - those were in-your-face moralistic with not enough storyline to keep me interested. Much like the rebooted BG seasons 2+, far too much yappity yap oh noes crap, and too little action or driving storyline.

  12. Re: BS considering twitch did the same on YouTube Will Remove Ads, Downgrade Discoverability of Channels Posting Offensive Videos (techcrunch.com) · Score: 0

    It could very easily get to the point where pretty much every conservative voice is blacklisted across almost the entire internet as we know it.

    It's part of the weakness of letting so many large left-coast/urban-elite companies basically have a monopoly on the mainstream internet. Conservatives need to start founding and funding more large-scale startups of their own in areas outside of Silicon Valley and Seattle to offer a counter-point and an alternative place for blacklisted voices and viewpoints. Otherwise, they could come to the harsh realization very soon that there are basically no mainstream internet platforms left for conservative (or even classic liberal) speech.

    Oh no! Let it not be so!!! If it removes numbnuts like O-Reilly, Hannity, and Alex Jones from the mainstream consciousness, I'm all for it. As long as the SJWs are interleaved with them on the way out, I'll be the happiest internet user out there. I'd love me a little more mid-stream common sense balanced rhetoric that doesn't paint everything from the "we're good, they're evil" viewpoint.

    FYI: true "Conservative" voices have been blacklisted for the past 30 years. Instead we got the progressively nuttier "Abortion = Murder" ever more religious hypocritical whack jobs who made even moderately true conservatives look like SJWs. As soon as you find some real conservatives being blacklisted, let me know.

  13. Re: Are we talking about the same Linux?! on Why Windows Vista Ended Up Being a Mess (usejournal.com) · Score: 1

    The thing about open source is that, for all the arguments and chaos, a technically correct solution more often wins out. This is because it's inherently a meritocracy. I have no confidence that this is the case with corporate software development.

    And that is why we have such excellent solutions like systemd, wayland, and gnome 3 that are technically more correct solutions than the alternatives. </sarcasm>

    FWIW, I have seen mostly bad corporate software development from the perspective of the more technically correct solutions. However, it should be mentioned that there's more to corporate software development than merely technically correct solutions, because sometimes you have to work with what is there and make something new out of it. That's almost invariably a messy sloppy sub-optimal result. But, it maintains current business and builds new business without betting the farm. Those are the justifiable cases. I've also seen just flat out bad solutions attempt to be rolled out because of egos. These are generally the projects that fail or cause much turmoil and chaos internally, easily comparable to the arguments and chaos in open source and sometimes much more vicious, as people actually sit across the table from each other... FYI popcorn is never provided.

  14. Re: Mojave vs. Windows 7 on Why Windows Vista Ended Up Being a Mess (usejournal.com) · Score: 1

    Windows 3.1 ran on a wide variety of hardware. System requirements are fairly modest. It will even run on a 286, though you really need a 386 to make the most of it.

    Windows NT was the one with somewhat high requirements back in the day.

    I was discussing Windows NT v3.1, the initial release of Windows NT. Its requirements were not modest, and it was incredibly slow and ponderous. It also looked like Windows 3.1/3.11 graphically.

    ...would even run on 64 MB but wasn't happy about it. That's assuming no anti-virus.

    Of course you run without AV. Why would you need it? What's really funny is that if you run XP with a minimal services configuration and don't install any other MS Software, you're actually safer than any other configuration.

    Some crazy guys determined that it would boot in as little as 20 MB but was basically unusable.

    It was quite usable, just not for running MS Office and the like. Note that the OS booting in 20MB doesn't mean your system had to be limited to 20MB.

    Vista really just started enforcing the security rules that had been in place in Windows NT all along, but didn't really matter because everyone ran as administrator. If the program followed those rules (in other words, it worked fine in XP running as a non-admin account) the software generally worked perfectly fine in Vista too.

    I can attest this is not true, at least not for applications that handled security tokens. Those were completely broken by API changes MS inflicted upon their users back in 2010 IIRC. Even applications that ran fine on Vista/7 prior to those SPs were broken afterwards. Now, you can argue that MS "enforced" its token masking rules, but it allowed per-thread security tokens prior to those updates, which are quite handy for service programs that run on 0 privs, like networked appliances. At least you want the process/thread to run at 0 privs just as best practice. Post SP, your process had to run with the highest privs needed by any thread, and be masked. That's the exact opposite of how you run a secure system. We made it work, but the solution became considerably more complex to maintain the same level of security as in earlier solutions.

  15. Re: Mojave vs. Windows 7 on Why Windows Vista Ended Up Being a Mess (usejournal.com) · Score: 1

    People bitched when Windows 95 was released. What? I need 16 megabytes of ram?

    IIRC, no one bitched, everyone wanted the "awesomeness" of the win95 GUI. It was soo pretty.

    Windows NT needs 32 megabytes of ram? forget it.

    This one was more hilarious: 3.1 required the highest end system of the day when it was released, with very very specific hardware. It wouldn't run on 99% of the systems users owned. Top it off with the fact that almost no software worked on it, and that was enough reason to completely kill it.

    Win 3.5x/4.x required 16/32MB to run, poorly, IIRC, but at least it would work on a larger subset of hardware and could run some Win95 software (mostly MS, but that was ok for business needs).

    Windows XP requires 128mb of ram? NO WAY.

    Win XP will actually run in less than 32MB even with SP6. Yes, you have to do some significant registry editing, but you can get the running services down to about 7 with a commensurate startup time of about 15s from initial HD load. On P4 hardware no less.

    Windows Vista requires 1 gigabyte of ram? FUCK THAT

    It was the same story, endlessly.

    Vista broke large amounts of 3rd party software, and even some MS software, IIRC. I never ran Vista although I have run W7/2003/2008/R2 and can say that while moving to a non-priv default user was necessary, it's still not handled very well. The security model is upside down, internally.

  16. Re: The summary is really contradictory. on Why Windows Vista Ended Up Being a Mess (usejournal.com) · Score: 1

    Maybe they can meet in the middle and we could have WinLux.

    It would still be better than windows.

  17. Re: Are we talking about the same Linux?! on Why Windows Vista Ended Up Being a Mess (usejournal.com) · Score: 1

    Simple legal compliance is a big thing OSS just doesn't really do. It's a rare OSS project that is compliant with the ADA, for instance. They don't have to be because there is nothing to file suit against. Microsoft on the other hand...

    You are free to add ADA compliance. You have the source, after all. No one is stopping you.

  18. To clarify - nextcloud is a service for sharing files etc. A VPS is a service that gives you a presence on the internet that you control, in theory.

  19. Do you mean servers at home or in a datacenter? Not all cities have a home ISP that allows servers, and colocating a dedicated server in a datacenter tends to be far more expensive than leasing a VPS.

    Leasing a VPS is akin to using a host.

  20. > Car repair
    Already partially automated

    > HVAC repair
    Soon to be partially automated

    > Yardwork
    Already automated, adoption will spread as people get tired of doing it themselves or paying the yard guy

    > Finance industry
    IBM already has proven it can be done

    > Medical industry
    IBM already has proven diagnostics can be done more effectively than average PA or DR. Robotic surgery will be fully autonomous soon as well.

    > Presence of authorized force
    We're about 1-2 years out from this. You can already see it happening overseas, and drones doing search and rescue is just the last step before arming them for "regular" protection

    > Rescue someone
    Already happening, see previous comment

    Last one that you missed: Legal contracts review - already automated and better than a horde of jr lawyers at a firm - IBM again.

  21. For Cloud - why aren't you using your own servers or host? It's simple enough if you're looking to save cash.

  22. I have script blockers - so no third party scripts. The real problem is the web turds, those 1x1 pixel trackers that actually give a lot of info away.

  23. I last checked this years ago, I lived in 27 different states with more than 50 addresses (almost all incorrect) and had ages ranging from 13 to 95. Apparently they ignored my 1901 birthdate entries.

  24. Re: Bottom line on Backblaze Hard Drive Stats for 2017 (backblaze.com) · Score: 1

    I'm curious how Seagate screwed things up so badly. They bought Samsung's HDD division some years ago and I found that Samsung produced some incredibly reliable drives.

    Probably because they shut down Samsung? Buying a rival and all.

  25. I picture Ringworld the movie being on the order of 2001 or Contact if done true to the book. I'd have to reread it to see if there's enough story/action to make something else out of it.