Slashdot Mirror

User: cpu_fusion

cpu_fusion's activity in the archive.

Stories: 0
Comments: 358

Comments · 358

  1. Since corporations are "persons" on Sony RootKit Still A Problem? · Score: 1

    Given that corporations get to enjoy many "rights" as if they are a person, perhaps they need to be punished in the same way as well. If you or I "rooted" that many computers, let alone military computers, we'd be headed to federal prison.

    If some Sony executives were sent off to prison, I don't think we'd see many instances of this sort of copy protection again. ;)

  2. It's a national security issue on Taiwanese Parliament votes Against Microsoft · Score: 4, Insightful

    When choosing an operating system for government use, particularly in areas such as law enforcement, taxation, military, or legislative administration, the choice between open and closed source operating systems boils down to national security.

    By choosing an open source system such as Linux, a nation has the power to audit and fix holes in the operating system which leave the government open to espionage. Choose Windows, and you will have to count on an American company to keep your computers secure from such glaring problems as the WMF bug. Choose Windows, and you will have to hope that American intelligence agencies and Microsoft billionaires and their buddies are honest enough to proactively discover problems, inform you of them, and fix them. Choose Windows, and you bank on Microsoft spending its money towards improving its existing products, (through, for example, exhaustive security audits), as opposed to earmarking that money towards ridiculous expansionistic endeavors into other business markets (too many to list here), and polishing up the next versions of their cash cows: Office and Windows.

    Now, interestingly enough, this argument can be expanded to encompass concerns about corporate espionage. Do you trust your corporate secrets to Bill Gates?

    If I were an MP in Taiwan, I'd introduce legislation to BAN government use of proprietary, closed-source operating systems. It's a matter of national security.

  3. What about the 15 years before we knew about this? on Microsoft vs. Computer Security · Score: 2, Interesting

    The press focuses on the delay between when the WMF exploit became common knowledge and when the fix was released. That's an important concern, but it distracts from a far more scary question:

    How much privacy has been violated in the last 15 years using this exploit?

    Before info on the exploit was splashed on news websites, it may very well have been known to intelligence agencies, Microsoft, and organized crime. We will likely never know. However, it is the window of time between when an exploit is privately found and it is made common knowledge that the real mischief occurs. For the WMF exploit, that window may have been 15 years!

    It's not hard to see how this simple exploit could have been used for corporate espionage, perhaps against you or your company, and you would be none the wiser today. Government agencies at every level use Windows. Your doctor probably does. Your bank probably does. Someone with knowledge of this exploit before it was widely known would have been in "god mode" in the monoculture of Windows. They could have made a ton of cash rooting a few stock brokers.

    There are LOTS of nasty things that could have happened, that it is just as reasonable to assume happened as to not. We'll never know, because digital tracks are very easy to cover up. Why isn't the press asking the bigger question: how could Microsoft (or someone else) NOT have known about this, and how do we deal with a world where some people, right now, might know about the next WMF exploit and might currently be using it to make a quick buck?

    So let's not focus totally on the cost to clean up the mess once the problem is known to the script kiddies. The unknown cost of the undetected zero-day exploits is quite possibly much higher.

    (And for those who say "there's nothing we can do about that!", I suggest you compare Windows security to something like SELinux.)

  4. Finally, we'll see it ... on Physicists Close in on 'Superlens' · Score: 1

    Wow, with that resolution, we'll finally be able to take a picture of Microsoft's concern for security.

  5. Re:Over/Under on Trustworthy Computing · Score: 2, Insightful

    I completely agree. Anyone with a basic understanding of computer security would be able to see this was a wide open gaping hole. And according to the news sites I've seen, it's been in Windows for 15 years.

    ANY DECENT AUDIT of such an "important" piece of code should have seen this with big flashing red signs. Registering a callback in a DATA DOCUMENT is patently stupid.

    I agree with you that the real question is: who has known about this and for how long?

    Because of how easy it is to get someone to view one of these files, how silent and universally easy the callback is (doesn't even need a stack or heap overflow!!!), how easily it can evade intrusion detection signatures, how ridiculously easy it would be for an exploiter to erase their tracks after breaking in -- it is downright scandalous.

    Microsoft, organized crime, the NSA, North Korea, the zit-faced kid across the street could have used this bug to: spy on competitors, spy on the government, spy on YOU. And you'd never know. And only now after 15 years is it getting fixed, because HACKERS revealed it.

    This should be the Pearl Harbor for data security. This should be on every tech blog. There should be congressional hearings. People should be talking under oath about this.

  6. What I'd like to know ... on Windows XP Flaw 'Extremely Serious' · Score: 3, Interesting

    What I'd like to know is -- how long has this exploit been "in the wild?"

    If it has been there since WMFs began, that's a long, long time. We're talking Windows '95 or earlier. It all depends when the GDI callbacks feature was added.

    So here's what you need to consider: since this exploitable code first "shipped" with Windows, anyone "in the know", e.g. potentially FOLKS AT MICROSOFT, the NSA, your neighbor, whomever ... they could have EASILY breached your Windows box, done whatever the hell they wanted, erased all their tracks ... and you'd have to convince a judge and jury it wasn't you.

    If I build and sell a car that is advertised as having a security system, but that security system is defeatable by running a magnet over the car lock, and that information is "out in the wild" for years and years, maybe even by folks in my company... what is the legal liability?

    The only three external things that will adjust Microsoft's behavior regarding security are: (1) customers switching to other products, (2) criminal justice investigations, and (3) lawsuits. I don't see #1 happening so long as customers remain locked in, #2 is a joke as we know, but #3 ... ?

  7. Re:Windows Major Foul-Up on Windows XP Flaw 'Extremely Serious' · Score: 1

    This is just standard Microsoft Philosophy.

    When attending a seminar on Microsoft Exchange (or a precursor) back in ~1995/1996 (dates escape me) we had a Microsoft representative tell the audience about a "feature" that would allow Visual Basic to run "forms" that people could send each other in your office.

    I asked the rep if the VB forms had any restrictions on what they could do. NO! he bragged; it was so powerful. Your business could automate so many things. I asked, "what's to stop one person from creating a VB form that looked like a football pool, but actually took over their computer?" The guy looked at me like I was nuts. His words, and I directly quote: "if you have that kind of problem in your organization, then you've got bigger problems than this."

    I was shocked. This Microsoft employee was telling me that it wasn't their problem if their sh*tty security model allowed this kind of (obvious) exploit. I tried to follow up by saying, "well we don't just put our H.R. files in the hallway; it's basic security." But he cut me off, and took another question. I tried to follow up in person after the seminar, while the other folks were eating the ridiculously expensively catered lunch (gotta love monopoly money), but he basically treated me like I was an ass. Fortunately, the other people there from my (Fortune 500 tech) company were similarly surprised, and we all had a good laugh. We thought "how can they do well in the mail server space with that attitude?" Answer: just fine.

    So folks, keep in mind that Microsoft doesn't really need to give a f*ck about these problems, because they don't get sued for them, they don't lose many customers from them, and they've got bigger and better things to do, like force another upgrade on the masses. (And I would bet dollars to donuts Vista will be riddled with holes.)

    It's a cultural thing: absolute power means everything else is other people's problems.

  8. Re:What's the real lesson here? on Windows XP Flaw 'Extremely Serious' · Score: 1

    Nice plug for AppArmor, but it really isn't anywhere near the same as SELinux.

    - AppArmor is not Open Source Software. SELinux is.

    - The version of AppArmor ("Lite") that ships with Suse 10 (not OpenSuse) is restricted to the pre-provided set of application profiles; e.g. no Xine. SELinux ships with Fedora and has no such restrictions.

    - AppArmor costs ~$1,250 per machine (yes, you read that correctly) to have an unrestricted version to create your own profiles (e.g. Xine, mplayer). SELinux is free ($0). Did I mention that AppArmor costs at least $263/year for upgrades?

    - Setting up MAC and doing it right isn't easy no matter which system you use. AppArmor may hide details that SELinux exposes, but simplicity and flexibility are ALWAYS a trade off.

    Anyways, SELinux is the answer unless you want to run Suse 10 and live with the limited profiles available (or shell out $1,250+).

  9. Re:Every time the ObjC/C++ discussion comes up... on Steve Jobs thinks Objective C is Perfect? · Score: 1

    >I don't have to stand in line for nine hours to get half
    >a kilo of bread to be able to judge the value of communism, do I?

    I like your analogy on the surface, and this may be somewhat off topic, but let me supply another analogy:

    Bread-lines are to communism what Diebold is to (representative) democracy.

    A broken implementation is far more representative of the corruption of those in power than of the ideals of the system. It is truly sad that the ideals of communism and socialism are tainted by Soviet corruption in the same way that (representative) democracy will be tainted by the ongoing corruption in the U.S.

    Anyways, good analogy otherwise ;)

    And to put this back on track for Objective C vs. C++, I'd weigh in having used both by saying that I find myself far more productive in VM environments that focus on references and GC. Reliability, security, and stability trump performance.

  10. How about JRuby and Jython? on Departure Of The Java Hyper-Enthusiasts? · Score: 3, Interesting

    Why not run those dynamic languages and newfangled frameworks on the JVM? There's always JRuby and Jython. Not to mention Groovy, if you prefer the Java syntax.

    Granted, some of the frameworks, like Stackless and Rails, may not run on these tools, YET ... but there's really no reason to start totally from scratch and throw out a nice VM and a nice set of libraries...

  11. Strange timing on Analog Hole Legislation Formally Introduced · Score: 2, Insightful

    Nice holiday gift for corporate America. We know who Senator Claus thinks was good this year. Nice coal in the shoes of the working stiffs. We must have been naughty, you know, working to earn the economy the money to pay for those bribes.

    How did they find time to put this into committee and not time to file orders of impeachment for our government spying on its citizens without court supervision?

    This is gonna be one hell of a New Year.

  12. Good Samaritan; hmm... how'd that go? on Bill Gates, Time Magazine "Person of the Year" · Score: 1, Troll

    I must be fuzzy on the "Good Samaritan" parable. Did it involve the Good Samaritan cheating and stealing their way to being the wealthiest person in the world, and then giving that unethically and illegally gained money away, non-anonymously, to pump his ego and buy good will?

    "A man lay robbed and dying on the side of the road. Many men walked by but did nothing. Then along came the Good Samaritan. He was the guy that robbed the dying guy. He mercifully killed the dying man by cutting off his air supply. Then the Good Samaritan went back to his village and built a huge house, and lived like a God on earth, not humbly at all. Later, the Good Samaritan donated a portion of his stolen wealth in front of all the people of his village, so that he would look like a great guy, and they would forget his ego, crimes, and greed. Remember, my children, that is why he is the Good Samaritan -- because he is good at fooling the masses."

  13. "Slashdot fixes summary bug?" on Google Fixes IE Bug · Score: 1

    nt

  14. Re:RTFA and all that on Security Flaws Allow Wiretaps to be Evaded · Score: 1

    I see nothing in that quote that goes on record to state that, even as recently as a month ago, anything less than 100% of wiretaps had these vulnerabilities.

    Do you see that word "today"? (emphasis added)

  15. Re:Slashdot is loosing its edge. on Unpatched IE Flaw Extremely Critical · Score: 1

    It's pretty simple.

    1. I.E. is far and away the most used browser in the world.
    2. Microsoft has consistently had zero-day exploits available for their software.
    3. Many of these exploits, once found & announced, have sat unpatched for a considerable time.
    4. Anyone "in the know" of said zero-day exploits, e.g. government agencies, terrorist organizations, organized crime: they've all had an easy way of taking over the majority of personal computers in the world.
    5. The US Government hasn't bothered to react to this National Security risk by forcing corrective action on Microsoft. You don't see the Senate ordering a proactive security review of the software being used for billions of dollars of transactions this holiday season.
    6. Today, once again, we hear that IE users have been vulnerable for quite some time.
    7. Silence from US DOJ.

    To me, that equals conspiracy. The federal government has the authority to do something here, and it isn't, when clearly action is needed. So if you're sitting in another country, or worse yet, a government of another country, and you're using Microsoft Internet Explorer: the CIA appreciates your loyalty to Microsoft.

    (Before anyone jumps in about how Firefox has had zero day exploits, or bugs that have gone unpatched, or could be infiltrated by spies, etc.... that's all well and good, but Firefox isn't the 70%+ market share browser, requires a download to install on any new PC, has the complete source code available to the world, and above all else: isn't run by a group of convicted criminals who were spared any punitive action by the US DOJ in part because they collectively are the wealthiest people in the world.)

    Enjoy. And remember, computer crime is now more profitable than drug crime, so you can bet your ass the organized crime syndicates of the world aren't going to be any happier about the idea of a security-audited IE than they would be about legal marijuana and cocaine.

  16. Re:Reliant on Unpatched IE Flaw Extremely Critical · Score: 1

    I think it's important to keep in mind that Microsoft would likely try to turn any resulting settlement around on the open source community. In other words, they'd want to establish legal precedent that prevented "the little guys" from distributing software, for fear of being sued due to security holes. Microsoft has their (illegally maintained) Windows/Office monopoly, providing them the war chest to pay off those harmed and yet continue to do harm.

    Also, I'm not a lawyer, but I suspect that the EULA limits damages to the point where there is little to be gained but karma.

    Sure an avalanche of torts that hurt Microsoft financially would be great fodder for the press, but what we really need is an ethical Department of Justice in America.

    Like, say, an attorney general that remembered that Microsoft abused its monopoly to gain the majority share of web browsers. Now, with that huge percentage of users, Microsoft has consistently delivered software with critical security holes. I'd be surprised to find a point of time in the last 5 years where there wasn't at least one zero-day exploit possible on IE.

    Of course, maybe the US government likes IE being full of security holes, as it allows the NSA/CIA/FBI to have a nice back door for their own use.

    Any way you look at it, if you are still using IE: you're Microsoft's chump.

  17. Not meant to be a troll... on Deep Thoughts On The SWG Revamp · Score: 2, Insightful

    Not meant to be a troll, but ...

    Seriously, why is anyone still playing SWG?

    Go out and try a new MMO. Stop running around in the same body, pounding the same keys, fretting because of the same stupid game management that launched the game in a beta state. Free yourself.

    It's not that damn hard to get started again in a new game, and you know what... you'll have more fun being a newbie and seeing a fresh new world as a level 1 than you have as an uber jedi running around the same damn planets collecting more crap to put in a building that few people have ever seen.

  18. Fool me once on Microsoft to Open up Office Formats · Score: 1

    With Microsoft it's:
    "Fool me once, shame on you,
    Fool me 109+E909 times, shame on me."

  19. Insider trading on Dell Finally Goes for AMD · Score: 1

    When information on corporate plans gets leaked like this, who is responsible for its effect on the markets? Anyone who had any advance information on this, up to and including Forbes, its editors, and anyone they emailed to say "check out this story" -- all those people had an unfair jump on the rest of the market in terms of the effect of this news on Dell, AMD, etc. stock prices.

    I know this kind of crap happens all the time, but wtf is the SEC doing to make sure information isn't leaked through the good ol' boy system?

  20. Makes me wonder ... on Cray Supercomputers to be Based on AMD Opterons · Score: 4, Insightful

    The continued big-name backing of AMD (e.g. Sun, Cray) makes me wonder how sweet a deal Apple must have gotten to go with Intel over AMD. :)

  21. Gonzales says its about "terrorism" on Stiffer Penalties for Copyright Violations · Score: 4, Insightful

    The best quote is here and in a few other articles ...

    Gonzales said the new laws are needed because evolving technology is "encouraging large-scale criminal enterprises to get involved in intellectual-property theft." He added that proceeds from copyright piracy is used, "quite frankly, to fund terrorism activities." [Emphasis added]

    There you have it folks. The US Attorney General says that this technology is funding terrorism, presumably with zero-dollar bills. I don't know about you, but I'd say 99% of the intellectual property "theft" (his words, not mine) is going on TOTALLY FOR FREE.

    In fact, if they did succeed in shutting down these new technologies for the common man, you can bet that would be the only time the criminals started making massive money on this. Gonzales's plans will actually encourage criminal profits and, therefore by his logic, encourage terrorism. Gonzales is actually taking steps to put the money into this for terrorism and crime lords, not the other way around!

    So if you ever wanted damning evidence that our AG both doesn't understand the issues, and is in the back pocket of the content corporations (RIAA, etc.), and that he wants to play the "terrorism" card (like they did about Drugs)... there you go.

  22. Even more scary... on Google Searches Used in Murder Trial? · Score: 1

    "Relying on Computer, U.S. Seeks to Prove Iran's Nuclear Aims"

    Yes, that's right. The same government that'd believe the bytes on a hard drive somewhere "prove" somebody searched for something on Google, also would trust the contents of a hard drive containing "intelligence" on Iran.

    Right now, the US is trying to build a case against Iran armed with a "stolen" hard drive. Sure, Mossad could have just cooked up the same data, but hey -- it's on a computer right? It's gotta be true.

    It's just like those TV ads where the graph shows "3 out of 4 dentists blah blah"... hey, it's a graph on a computer; on TV; it's gotta be true?!?

    God help us.

  23. Cops seek shortcuts to justice on Google Searches Used in Murder Trial? · Score: 1

    Slashdotters know that systems are too easily compromised, bytes on a hard drive too easily planted, and tracks too easily erased for this to be used as evidence in a capital crime. A good defense attorney should be able to blast holes in this via "reasonable doubt."

    Unfortunately, unless the Judge knows enough to block this outright, the jury will hear it. And they, nontechnical as they are, will probably lean towards this as being a smoking gun. This is how the DAs use computer forensics like this as a shortcut to "justice." Just as bad, they can sometimes coerce or fool someone into confessing when that person's attorney (or lack of one at the time) doesn't know enough to say, "that's not reasonable evidence; don't respond to it."

    It sure would be nice if the people who pass laws in this country would take some time out of their schedule to pass legislation that addresses this kind of "evidence." It shouldn't be admissible.

  24. My demands on SOE Offers SWG Players Refunds For Obi-Wan · Score: 5, Funny

    1. Refund for the time wasted on the game.
    2. Raph Koster forced to play the original Kings Quest on a PC Jr until he repents from his transgressions. Membrane keyboard NOT negotiable.
    3. John Smedly sent into exile to head the Sony DRM division.

    That is all.

  25. Lawyers, pay attention on State Department Developing Cyber Toolkit · Score: 2, Insightful

    If your client faces "evidence" found on a hard drive somewhere (I'll call it System A), projects like the one described in this article give you a good shot at getting that evidence thrown out.

    Why? Simple:

    It is easy to establish that there have been vectors of attack which would have allowed unrestricted access to System A, either remotely or by anyone with physical access to the machine. Simply look up what alerts have been issued for the operating system in question after the time the accuser claims System A had the "evidence" in question. It should also be possible to establish that there are "unknown" zero-day exploits, but if System A has Windows XP (i.e. in the greatest percentage of cases), this shouldn't be necessary -- exploit after exploit should exist in the alert records, giving multiple vectors of attack at the time the "evidence" was supposed to be created on System A.

    So now there is a clear way to show the material could have been planted on the system, indistinguishable from whether your client caused it to be created.

    Now to establish that the planter of said data could have easily covered their tracks, again -- looking at this article, it is trivial to show this. Root access to the system will allow any data to be written anywhere to the drives on System A. Therefore, any fingerprints left by the attacker who planted the "evidence" could be cleaned up. Just like the system described in this article, although it purports to simply look for data, not plant it.

    Stop letting clients be sent away on "email" evidence or "cookie" evidence or whatever. It's crap! Systems are too easy to penetrate, evidence is too easily planted, and tracks are too easily erased.