Slashdot Mirror


User: Ytsejam-03

Ytsejam-03's activity in the archive.

Stories: 0
Comments: 86

Comments · 86

  1. Price was only a small factor in Novell's decline on Former Windows Chief on Microsoft Vs. Open-Source · · Score: 1
    The same with Windows NT - Novell is jumping on the Linux bandwagon now only because it got its ass kicked by early Windows NT sales, which made Novell look way over-priced. True, early Novell was technologically superior to early Windows NT, but as the market expanded, NT got better and Novell became the bottom-feeder.
    Ugh... Well, I agree with you that Novell's software has always been viewed as "expensive" by the market, but IMHO this had little to do with their loss of marketshare. That said, Novell has no one to blame but themselves for their current position in the market.

    You obviously remember the decline of Wordperfect in the early 90's, so you must have been around for the decline of NetWare in the mid 90's. You probably remember that Novell pretty much owned the server market with NetWare 3.

    Then Novell released NetWare 4. Because it was bundled with NDS (which not everyone wanted), it was late, buggy, unstable, and expensive. I remember much of this firsthand because I was working for a company that developed software which used NDS at the time. The number of defects in the DS APIs in those early days was unbelievable. I literally spent six months or more of my career doing nothing but implementing workarounds for Novell APIs that did not work as advertised.

    When you add to this the fact that NetWare 4 did not have native TCP/IP support, it spelled the end of Novell's dominance. NetWare did not get native TCP/IP support until version 5 shipped, which was late '97 or early '98, IIRC.

    Novell's problem was that they did not listen to their customers, plain and simple. Had they added native TCP/IP support in version 4 and NDS in version 5 (and taken the time to make it stable), things might have been different.
  2. Re:Proud of the students... on Oxford Students Hack University Network · · Score: 1
    I am appalled at the number of people justifying what Oxford University is attempting to do. Have you heard of Whistleblowing, which I consider a fundamental service to any functioning democracy?
    While Oxford may be overreacting a bit, their response is typical. Go check the pen-test list archives at securityfocus.com for lots of examples of this. I'm not a pen-tester, but I have been lurking on that list since it was created. Those guys will be the first ones to tell you how important it is to get a contract signed up front, and many of them even carry insurance for these types of situations. No matter what your intentions are, organizations often take a "kill the messenger" attitude in these types of situations.

    That being said, what the students did was less than ethical, to say the least. If they want to probe the network, fine. There is nothing wrong with that IMO. But once they publish vulnerabilities without first notifying the admin, they are crossing a line. Obviously their real goal was to publish a sensational news story and draw attention to themselves.
  3. Re:How does this equate to sloppy? on 'Stealth' Worm Hinders Sandbox Analysis · · Score: 2, Insightful
    I don't understand... Why are they saying the code is sloppy? It seems to me that what they are doing is intentional.
    This is a very short article, and I don't think that the author thought this behavior was due to sloppy code. Note the first two paragraphs:
    "There's a new mass mailing virus in town, and it's built to make life for AV researchers even more difficult.

    Atak uses a variety of tactics in its attempts to escape antivirus analysis. Its main trick is to check to see if it's being run in a debugging environment. If so, it exits to avoid detection. The ploy prevents casual perusal of the code by researchers and (potentially) rival virus writers."
    The reference to sloppy code is only made in the following quote from the article:
    "I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.
    As another poster suggested, perhaps something got lost in the translation.

    While this may make the virus a little harder to analyze, I don't see how it would slow the anti-virus companies down much. Anti-virus researchers would simply need to change the code, disabling the section that checks to see if a debugger is attached. This is likely a simple matter of disassembling the code and changing the appropriate jump statement.
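The comment above describes the standard way an analyst defeats a "is a debugger attached?" check: find the conditional jump after the check and rewrite it. The following is an added example, not code from the article, the worm, or the commenter. The instruction bytes are constructed for this example (the `E8` call displacements are placeholders) and assume the two common x86 shapes: `test eax,eax; jne <exit>` where the jump is taken when a debugger is found, and `test eax,eax; je <normal>` where the jump is taken when none is found. The function `patch_debugger_checks` and the sample buffer `SAMPLE_CODE` are names chosen here.

```c
/*
 * Added example: byte-level neutralisation of an x86 anti-debugging check.
 * After a call to a check that returns non-zero when a debugger is present:
 *
 *   85 C0   test eax, eax
 *   75 xx   jne  <exit path>     ; taken when a debugger is found
 * or
 *   85 C0   test eax, eax
 *   74 xx   je   <normal path>   ; taken when no debugger is found
 *
 * The first form is turned into two NOPs (the exit is never taken), the
 * second into an unconditional short jump (the normal path is always taken).
 * A blind byte scan like this can hit data that happens to look like code;
 * in practice the patch is applied at the site found by the disassembler.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X86_TEST_EAX_EAX_0 0x85
#define X86_TEST_EAX_EAX_1 0xC0
#define X86_JE_REL8        0x74
#define X86_JNE_REL8       0x75
#define X86_JMP_REL8       0xEB
#define X86_NOP            0x90

/* Rewrite every "test eax,eax; jcc rel8" site in `code` so the no-debugger
 * path is always taken. Returns the number of sites patched. */
size_t patch_debugger_checks(uint8_t *code, size_t len)
{
    size_t patched = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (code[i] != X86_TEST_EAX_EAX_0 || code[i + 1] != X86_TEST_EAX_EAX_1)
            continue;
        uint8_t *jcc = &code[i + 2];
        if (jcc[0] == X86_JNE_REL8) {
            jcc[0] = X86_NOP;          /* jne <exit>: never jump, fall through */
            jcc[1] = X86_NOP;
            patched++;
        } else if (jcc[0] == X86_JE_REL8) {
            jcc[0] = X86_JMP_REL8;     /* je <normal>: always jump, keep rel8 */
            patched++;
        }
    }
    return patched;
}

/* Constructed sample code stream (assumption: not taken from any real sample). */
static const uint8_t SAMPLE_CODE[] = {
    0xE8, 0x00, 0x00, 0x00, 0x00,   /* call <debugger check>  (placeholder) */
    0x85, 0xC0,                     /* test eax, eax                         */
    0x75, 0x10,                     /* jne  +0x10 -> exit path               */
    0x33, 0xC0,                     /* xor  eax, eax  (normal path)          */
    0xE8, 0x00, 0x00, 0x00, 0x00,   /* call <second check>    (placeholder) */
    0x85, 0xC0,                     /* test eax, eax                         */
    0x74, 0x05,                     /* je   +5 -> normal path                */
    0xC3,                           /* ret  (exit path)                      */
};

/* Patch a private copy of the sample and return how many sites changed. */
size_t sample_patch_count(void)
{
    uint8_t buf[sizeof SAMPLE_CODE];
    memcpy(buf, SAMPLE_CODE, sizeof buf);
    return patch_debugger_checks(buf, sizeof buf);
}

/* Patch a private copy of the sample and return the byte at `idx`
 * (0xFF if out of range), so the result can be inspected. */
uint8_t sample_patched_byte(size_t idx)
{
    uint8_t buf[sizeof SAMPLE_CODE];
    memcpy(buf, SAMPLE_CODE, sizeof buf);
    patch_debugger_checks(buf, sizeof buf);
    return idx < sizeof buf ? buf[idx] : 0xFF;
}

int main(void)
{
    uint8_t buf[sizeof SAMPLE_CODE];
    memcpy(buf, SAMPLE_CODE, sizeof buf);
    size_t n = patch_debugger_checks(buf, sizeof buf);
    printf("patched %zu site(s):", n);
    for (size_t i = 0; i < sizeof buf; i++)
        printf(" %02X", buf[i]);
    printf("\n");
    return 0;
}
```

The first site becomes `85 C0 90 90` and the second `85 C0 EB 05`; the displacement byte of the `je` is kept because the target does not move. Keep in mind that this only defeats a check that branches directly on the API result; a sample that reads the result later, or that checks for a debugger several different ways, needs each site handled.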
  4. Is security really a priority at Microsoft? on IE Download.Ject Exploit Fixed · · Score: 1
    Well, take a look here and see the blog of a windows developer. He really does get upset when people say that MS doesn't care about security.
    I have no doubt that there are developers at Microsoft who care about security. For all I know, this might even be the majority. Any developer who takes pride in his work will make security a priority. A few of the best developers that I've worked with in my career have taken jobs with Microsoft because of the pay and career opportunities available there.

    That being said, I question how committed their management is, or how much they even understand the problem. When you have the MS Security Chief making comments like this, it tells me that either he does not understand the problem, or he is more concerned about bad publicity than security. I have yet to hear anyone from Microsoft state exactly how they know how many machines are compromised before a patch is released. There are lots of very bright black-hat types out there, and it seems likely that many of them discover and exploit problems before they are widely known. It seems equally likely that these guys would also know how to cover their tracks.

    Problems of this nature should be discovered through the design review/code review process, assuming that Microsoft even conducts these. And if they don't, then how serious are they about security?
  5. Re:M.S. claims exploits happen AFTER patch is issu on IE Download.Ject Exploit Fixed · · Score: 1
    Recently we had a Microsoft sponsored security seminar where the MS guy said that most exploits occur when hackers reverse engineer Microsoft security patches. This is what he defined as a "0-day exploit". I was pretty disgusted by this twisted propaganda. Any regular subscriber to BugTraq is aware of many vulnerabilities in fully patched Microsoft systems that are not corrected for months.
    Agreed, this type of statement is dishonest to say the very least. How do they know how many boxes were exploited before the vulnerabilities are discovered by white hats and posted to lists like BugTraq? They don't. No one does.

    I find it hard to believe that defects like the RPC vulnerability, which was first introduced into NT4 back in 1996, were not in active use by some of the black hats out there for several years. These guys are not going to create a worm before a defect is made public because that would get the vendor's attention, and therefore likely get the defect fixed.

    A more correct statement would be to say that these vulnerabilities are not openly exploited until after the patch is released. In other words, they don't become a widespread problem until the script kiddies find out.
  6. Re:Surprise Surprise on WinXP SP2 Sacrifices Compatibility for Security · · Score: 1
    I have a funny suspicion the "code monkeys" are not necessarily the ones to blame. Given clear specs and sufficient time I bet they'd love to make good software.
    The "code monkeys" at Microsoft deserve at least some of the blame. Both Blaster and Sasser used buffer overflow exploits. Not understanding the requirements is no excuse for leaving unchecked buffers in your code.

    Now, perhaps management was putting pressure on these guys to meet a tight deadline, in which case management deserves part of the blame. However, IMHO the "code monkeys" should be writing quality code in the first place.
  7. Re:Cry me a river on InfoWorld 2004 Salary Survey Results · · Score: 1
    There were suddenly lots of people with computer skills available because the technology sector took a major dive, not because Jonny and Mary took Comp Sci 101. Obviously then it becomes an employer's market and they are going to pay the minimum possible so lower salaries.
    I think you're oversimplifying things a bit. When I was in college during the mid-late 90's, there were plenty of people who were in the Comp Sci program for the wrong reasons. These guys were there for the money, and most of them really struggled to finish. These guys were not the majority, but there was a significant number of them - probably 15%-25% of the Comp Sci students at the time. As far as I know, none of these guys are still employed. At least, all of these guys who got jobs with local companies ended up getting laid off. Most (but not all) of the guys who were there for the right reasons that I keep in touch with are still employed, but most are making less than they were a few years ago (no surprise here).

    Outsourcing also helped drive salaries down by allowing employers to offer take it or leave it terms. Gotta expect that in a free market given the preceding conditions.
    Outsourcing, at least with my employer, is much more prevalent than it appears on the surface. I've been fortunate enough to work for the same employer for the past five years in this economy, and I have seen this company outsource a lot of jobs during that time. I recently picked up a new project, and every project that I've touched in the past is now developed in India. Just last year they laid off over 15% of the engineers here in the US, and very quietly hired a large number of programmers in India over the following six months. It's only a matter of time before my job gets cut, and then I'll be taking a pay cut just like my college friends did.

    I know several guys who make good money and don't give a crap about coding, they just happen to be quite talented and adopt a professional attitude.
    I love what I do and like to think that I have a professional attitude. My company has laid off enough people in the past few years that most of those who did not love their craft are gone. A professional attitude is important, but in my experience, most of the individuals in this field who do not love their craft simply are not very effective. I suspect that most of them are unemployed now, and they're helping to drive down salaries for the rest of us.
  8. Write a JVM in Java??? on Java Faster Than C++? · · Score: 2, Insightful
    The fact that Java VMs are primarily written in C or C++ indicates that at the time they were initially written, it was believed (I think correctly) that the C or C++ at that time would be a better platform for writing JVMs than the Java of that time, and that since then it has been considered better to extend the existing code than to scrap it and do a complete rewrite in Java.

    That's all that this argument proves. Nothing more.

    What I'm saying, though, should not be interpreted as a belief that today's Java would be a better choice than today's C++ for writing a Java JVM. I don't know what the relative advantages would be today.
    Am I missing something, or did you just suggest writing a JVM in Java? Which language will you use to implement the JVM that will run your Java-implemented JVM?

    My understanding is that JVM performance has improved because they are now doing things like selecting the appropriate instruction set for the processor at runtime. This is opposed to natively compiled languages which are typically compiled to support the lowest common denominator.
  9. Re:think of a cracking dam on Is Finding Security Holes a Good Idea? · · Score: 1
    you can plug all the individual holes you want, it is still a crappy designed dam. if it were designed differently, the number of cracks is smaller... i wish reporters understood that. flame MS for not bringing Longhorn out sooner. XP is not good enough. everyone knows this, nobody in the popular press is saying it in the right way.
    True, a good design is important, but that still does not address implementation flaws. Both Sasser and Blaster exploited buffer overflows, which seem more like implementation flaws to me. It does not matter how good your design is if the guys doing the implementation write poor code.

    Seems like the worst XP security flaws were due to poor code and lack of thorough code reviews.
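Comments 6 and 9 above both point at the same class of implementation flaw, an unchecked copy into a fixed-size buffer, without showing one. The following is an added example, not code from the article, from the commenter, or from the Blaster or Sasser bugs themselves: a constructed request handler with the unbounded copy, beside a version that checks the length and rejects over-long input. The names `handle_request_unchecked`, `handle_request_checked` and `NAME_MAX_LEN` and the "name" field format are assumptions made for this example.

```c
/*
 * Added example: an unchecked fixed-size buffer copy next to a checked one.
 * The protocol (a "name" field of at most NAME_MAX_LEN - 1 bytes) is made up
 * for the example; the point is the missing bound on the copy.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32

/* Vulnerable: trusts that the caller's string fits. A name of more than
 * NAME_MAX_LEN - 1 bytes runs past `name` onto whatever follows it on the
 * stack, which is undefined behaviour (on the Windows builds the comments
 * discuss, that meant overwriting saved registers and the return address).
 * Shown for contrast; main() deliberately never feeds it long input. */
int handle_request_unchecked(const char *wire_name)
{
    char name[NAME_MAX_LEN];
    strcpy(name, wire_name);          /* no bound on the copy: the bug */
    return (int)strlen(name);
}

/* Hardened: check the length against the buffer before copying and refuse
 * input that does not fit, rather than truncating silently.
 * Returns the accepted length, or -1 if the input was rejected. */
int handle_request_checked(const char *wire_name, size_t wire_len)
{
    char name[NAME_MAX_LEN];
    if (wire_name == NULL || wire_len >= sizeof name)
        return -1;                    /* would not fit with its NUL: refuse */
    if (memchr(wire_name, '\0', wire_len) != NULL)
        return -1;                    /* embedded NUL: malformed field */
    memcpy(name, wire_name, wire_len);
    name[wire_len] = '\0';
    return (int)wire_len;
}

/* Build a constructed name of `len` 'A' bytes into `out`
 * (caller supplies at least len + 1 bytes). */
void make_long_name(char *out, size_t len)
{
    memset(out, 'A', len);
    out[len] = '\0';
}

/* Feed a constructed name of `len` 'A' bytes (len < 256) to the checked
 * handler and return its result: len if accepted, -1 if rejected. */
int checked_result_for_length(size_t len)
{
    char buf[256];
    if (len >= sizeof buf)
        return -1;
    make_long_name(buf, len);
    return handle_request_checked(buf, len);
}

int main(void)
{
    char attack[256];
    make_long_name(attack, 200);
    printf("checked, \"alice\":        %d\n", handle_request_checked("alice", 5));
    printf("checked, 31-byte name:   %d\n", checked_result_for_length(31));
    printf("checked, 200-byte name:  %d\n", handle_request_checked(attack, 200));
    /* handle_request_unchecked(attack) would smash the stack; not called. */
    printf("unchecked, \"alice\":      %d\n", handle_request_unchecked("alice"));
    return 0;
}
```

The length check is the whole fix: the hardened handler takes the on-the-wire length explicitly instead of trusting a terminator, compares it to the buffer it owns, and fails closed. Whether the surrounding design is good or bad has no bearing on whether that comparison is present, which is the distinction the comment draws between design flaws and implementation flaws.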
  10. Re:Support ? on Swedish Carbon-Fiber Stealth Ship Runs NT · · Score: 1
    why would an NT box that doesn't have an internet connection require security patches?
    What about internal threats? Sure, in a perfect world you could trust the entire crew, but that seems like a naive assumption.

    Perhaps this thing won't be connected to the internet, but it seems likely to me that they would be connected to some sort of military network. What happens when that network gets infected with a virus or worm?
  11. Re:Support ? on Swedish Carbon-Fiber Stealth Ship Runs NT · · Score: 1
    IIRC, Microsoft was bound to stop support on windows NT 4. Are there any kind of provisions for systems such as this, which is going to be in service for quite some time? Or will the Swedish Navy be on its own if some glitch appears ?
    Microsoft seems to at least be continuing to issue security patches for NT4. The Swedish Navy had better have a support contract with Microsoft that guarantees that they will at least be supported while this ship is in service.

    IIRC, NT4 was released around 1996 or so. It was vulnerable to both blaster and sasser, both of which exploited remote root vulnerabilities. Makes one wonder how many other unpublished vulnerabilities of this nature the black hats out there already know about.

    If I were going to be serving on this ship, this would make me very nervous.
  12. Re:Wow. on Worms Jack Up the Total Cost of Windows · · Score: 1

    I don't think there are many "pointy-haired management types" reading slashdot, nor do I think many of them care much about what is said here. However, these guys do generally pay attention to firms like Gartner.

    A year ago I could install a Windows box and put it on the network to download the latest patches from Microsoft without having to be overly concerned about the machine getting infected during the process. Those days are now long gone. Even if the "pointy-haired management types" completely ignore the press, it will be harder for them to ignore the fact that their IT staff has to scramble every few months to patch the latest Windows vulnerability. At least Gartner has noticed.

    It has not always been this way. MSBlaster is the first worm that I can remember which could compromise every unpatched NT4/Win2k/XP installation that it could reach because it exploited the RPC sub-system. And now Sasser is just as big of a threat because it exploits Local Security Authority Sub-System (LSASS).

    Unlike some, I don't expect Linux to "take over the desktop" by next month. In fact, I question whether this will ever happen. However, issues like these security problems give management a compelling reason to switch, and eventually some of them will. Diversity is good for everyone.

  13. Re:Wow. on Worms Jack Up the Total Cost of Windows · · Score: 5, Insightful

    Of course this isn't news to the /. crowd. What is news is that this information is coming from a Gartner researcher, which means that some of the pointy-haired management types out there might actually pay attention to it.

  14. Re:Yeah, I'll run that removal tool. on Sasser Worm Disruption Growing · · Score: 1
    Biggest Windows vulnerability ever, again. How many times have we said that this year? At work, it's begining to feel a bit like a duck and cover drill.
    IMO, this vulnerability is a big deal. We're talking about a remotely exploitable hole in a service running as LocalSystem, which is running on every WinXP box out there. (Granted, some of these will have port 445 blocked, but anyone smart enough to do that has likely installed the patch already.)

    IIRC, the last Windows vulnerability of this magnitude was the RPC hole that MSBlaster exploited. You may recall that there was widespread speculation that this worm was responsible for last year's power failure.

    IMHO, the LSASS vulnerability is equal in severity to the RPC vulnerability that Blaster took advantage of. Both vulnerabilities allow LocalSystem access, are remotely exploitable, and are present in components that are part of the base Windows OS, and therefore these components cannot be deselected at install time. However, the LSASS vulnerability would make it easier for a worm to grab sensitive information (password hashes) out of the SAM.
  15. Re:SMTP must die! on E.U. Employers To Be Held Liable For Porn Spam? · · Score: 1
    To the receiver, not the sender, so this is not a limitation for them. And furthermore, if you had to pay to receive email, i think spammers would send you many times more spam...
    I think you misunderstand. I'm not suggesting that anyone pay to receive email. The grandparent to my original post said:
    Funny part is snail mail has the same bugs and I don't hear anybody yelling "Snail mail must die!"
    Perhaps the cost to the receiver has something to do with the reason that people tend to get more upset about spam than snail mail.
  16. Re:SMTP must die! on E.U. Employers To Be Held Liable For Porn Spam? · · Score: 2, Insightful
    That's because there is a cost to the sender involved in sending snail mail.
    There is also a cost involved to the receiver of spam. Most corporations these days have purchased and implemented spam filters. They must pay someone to maintain these systems and train their users. Although these filters are annoying (the one my employer uses frequently blocks legitimate messages to my account) they probably help to increase employee productivity overall and decrease liability (think sexual harassment lawsuit from porn spam).

    While a legal solution to this problem may help a little, it's not going to be a silver bullet. What we really need is a technological solution.
  17. Re:It's global... WHAT'S the FREAKIN' playlistURL? on Listen to Internet Radio over Wifi · · Score: 1
    Could you please post a link directly to the playlist/url so I can open it in WinAmp?
    You have to go through live365 and set up a free account with them to get the stream. You can then change the settings for your account to use an MP3 player like Winamp. I'm listening to this station through Winamp right now.

    The default player for live365 uses a browser popup window. If you try to listen by clicking the link on proggedradio.com, this is what you will get. Very annoying.
  18. Re:Eventually satellite radio will die on Listen to Internet Radio over Wifi · · Score: 1

    IMHO, this is what the RIAA should really be worried about. Once an independent artist can gain exposure to a large mainstream audience with relatively little investment, then what need is there for record companies? This will level the playing field for the little guy.

    Once this happens, the many truly great independent artists out there will finally have their "fair shot" at the market. We might actually hear some diversity on the radio instead of the same old crap that the record companies think they can sell to the masses.

  19. Re:It's global... on Listen to Internet Radio over Wifi · · Score: 2, Insightful
    Yes, but now you can get stations from all around the world wherever you are...
    Not only that, but get stations that don't just play the same five lousy songs over and over again.

    I've been listening to this station for several months now, and it beats the hell out of anything I've heard on the airwaves. Lots of indie bands, and yes, lots of bands that are not from the US.

    I look forward to the day when I can put one of these devices in my car and listen to internet radio as I drive around town. Of course, corporations like Clear Channel will use their money and political clout to prevent this from ever happening.
  20. Re:Duh... on A Need for Greater Cybersecurity · · Score: 2, Funny
    Strangely enough, it is the feds telling them to do this.
    I suspect that this group is responsible. Microsoft does not want to take the blame when corporations fail to patch the next RPC bug in a timely manner.
  21. Re:Smells like a replay of the AT&T monopoly on Tech Companies Ask U.S. to Regulate Cyber Security · · Score: 1
    From the report, I gather they want to define security and then they can make sure they meet that definition. Make the rules and play by them, at least in legal terms.

    Exactly. They want to give the appearance of security, but they're not willing to "pony up" the resources required to implement any real security in their software. They only need to convince other executives and decision makers that buy their software. That's what this so-called Microsoft "Security" initiative is all about.

    I can't speak for CA and friends, but Microsoft's track record is very bad in this area, and seems to be getting worse! How can they possibly be serious about security when the head of their security business and technology unit is this ignorant?!

    Microsoft claims to be taking security seriously, but what are they doing about these vulnerabilities, or these? (Fortunately for the poor end-users, the Pivx "unpatched page" is not available to the general public anymore.)

    This is just a "smoke-screen," something that Microsoft salespeople can point at when talking to executives to try and convince them that security is a priority to Microsoft.
  22. Re:I want my flying car on How Will We Get Around Near-Future Earth? · · Score: 1

    As someone who rode a motorcycle when I was in college, I think the best solution to this problem is to require everyone to ride a motorcycle for three months before they can get a driver's license. This would:

    1) Kill off all the idiots.

    2) Make everyone who survived a much better driver. You have to learn to drive defensively on a motorcycle, or you won't live long.

  23. Re:Amazing. on Time Warner To Comply With Wiretap Law · · Score: 1

    Certainly corporations are motivated to protect their assets, they're just not as motivated to protect ours. I don't think it will be a problem for companies to protect their own assets and still give the appearance of compliance with the law. They already do this today.

  24. Re:Amazing. on Time Warner To Comply With Wiretap Law · · Score: 2, Insightful

    Great idea, but how exactly do you plan to motivate these corporations to use their "pull" with the government? Corporations are in business to make money, and unless money is involved then they won't do a thing. Why take a business risk by refusing to comply with the law if you have nothing to gain from it?

    Sure, all of us in the Slashdot crowd can "vote with our wallets," and switch from Time/Warner to some other ISP that respects our privacy. But chances are that Joe Sixpack is not going to know or care what Time Warner is doing, and there are a lot more Joe Sixpacks out there than Slashdotters.

  25. Re:...and would this be useful for the newbie code on Exploiting Software · · Score: 4, Insightful
    I would hope that no one lets a newbie coder get his grimy little paws anywhere near code that requires a careful consideration of security.

    Everyone writing code should be giving careful consideration to security. In my experience few developers do, but that number is increasing...