I cannot claim for certain that a similar exploit couldn't be done in a more secure, by design, operating system. However I suspect that it would be unlikely that you would find an operating system like Linux, OSX, Solaris, or AIX running a word processor application (or any productivity application) that can install a rootkit or other package allowing access to the local system (beyond the current user's rights), let alone the network. Such a design would be "insecure" and not tolerated by the community.
There have been plenty of privilege escalation vulnerabilities in all sorts of obscure packages in Linux.
And a local privilege escalation vulnerability is arguably just some pretty packaging and an email away from being a remote privilege escalation vulnerability.
Even without that, there's a strong chance that some sort of single sign-on will be present in a large system. Think Kerberos/LDAP or Active Directory. Now, if the computer's running an app as a particular user, it can do anything that user can - and that could include all sorts of interesting things like "access the latest report on the situation in Iraq".
In the real world, the chances are you'd get hundreds of documents back about inconsequential spending in departments you neither know nor care about. But you only need to get lucky once.
You joke, but I'd point out that a government department (particularly in a large, powerful country like the US) will always be a very attractive target - particularly for blackhats who know what they're doing rather than script kiddies.
Yet the same government has politicians who are nobbled by Microsoft into saying that open source is less secure because anyone can look through it for security bugs.
Christ on a stick! That's a bloody good reason to hide EVERY problem from the IT Nazis.
Does anyone ever get any work done?
Depending on your environment, that can actually be the quickest, easiest way to solve a problem.
The GP didn't explain his environment, but in a lot of larger companies you'll find things are standardised as much as is humanly possible. In IT departments, "as much as is humanly possible" quite often isn't very much, so reimaging PCs there is a PITA for all concerned.
But in a call centre, it's fine. In any office where all the people have clear, well-defined roles and you know in advance what software they need (let's say Office, one or two proprietary apps and that's about it), again, it's OK. Things only get complicated when the tools people need to fulfil their roles varies substantially from person to person and even from week to week.
If your app benefits from SSE4 optimizations, the gains compared to the current Core 2 can be giganormous (DivX encoder: +85% at equal clock). Otherwise, expect a per clock advantage of about 10%.
Particularly bloody awkward, then, that hardly anyone codes anything for general-purpose PC usage in assembler any more, and compilers don't get updated and optimised to take full advantage of new instruction sets that quickly.
I think I've seen these before, incidentally. But it seems that the whole point is to fuck up their disks exactly enough that they won't play on certain players (God knows which ones, if mplayer can play it), but not enough that they won't play on real players. Thus, it's based not at all on actual standards (like CSS), and entirely on existing DVD players.
IOW, a variation on the copy-protection used on some CDs. And about as useful, purely because (as we've seen before), it is not physically possible to break the specifications a little bit and in doing so accurately target a subsection of the number of players out there. That's the whole point of standardised specifications.
Note that BluRay/HD-DVD accounts for this by design. (I don't think it will do a jot of good, because sooner or later a means of avoiding the issue altogether will appear, but that's by the bye.)
It would be like selling regent grade sulfuric acid on the shelves of Wal*Mart as a drain cleaner and expecting people to handle it safely and not dispose of it down the nearest storm drain.
The alternative would be a drain cleaner with a warning on the back saying "WARNING: Do not pour this product down the drain".
Sounds more like an obfuscation system than en encryption system. The point with encryption is that no one except those you give the key to, should be able to decrypt the information.
You're technically correct. But it hasn't stopped lots of things which claimed to offer "encryption" being sold on the open market.
The people with the political influence want the money.
Neither of those groups include the average person.
Not until you add the third line.
The people with the political influence also want votes.
The average person has the votes
Of course, seeing as (certainly in the US and UK) relatively few people vote, and you can always "buy" votes with ever smarter ads, suddenly the group with the voting power is essentially also the one with the money. (I'll ignore possibly corrupt voting machines, but that's another real issue).
I keep hearing this. Yet I've also seen entire faulty batches of DVDs. Presumably if the store doesn't have a DVD from a non-faulty batch, all they can do is a credit note or a refund.
There is a finite number of any given DVD in a store.
1. UI inconsistencies across the suite and even within products.
Oh sweet jesus yes.
And particularly in Office 2007. I've installed that myself and this "new UI" stuff is a bit disingenous. There are quite a few bits (particularly in Outlook; haven't looked elsewhere in any detail yet) which haven't been updated with the new look & feel and you have no idea when you'll hit one. You're just getting th hang of the way everything's done slightly differently (but by and large most things are a lot fewer clicks and fewer badly-designed Wizzards getting in the way) when suddenly you click on what you want to do and you're dropped into a wizard which has existed since Office '97 and wasn't terribly good back then.
A completely OT observation, but anyone who's worked in tech support (probably many here) will empathise with that, yet if you admit to having disabled such a feature company-wide in a thread which discusses running any sort of system across a large organisation, you'll be inundated in people saying "How dare you presume to tell people how they are most productive by setting up their PC for them!" (or words to that effect).
Even more annoying still are the automated phone systems that you talk to which cut you off rather than put you through to a person if they don't understand you or (and I swear I'm not making this up) if you swear at them.
Me: The proxy server with IP address [XXX.XXX.XXX.XXX] in your cluster is broken. It returns the Microsoft IIS page to everything that connects. Them: OK, go to start, settings, control panel... Me: I'm running Linux and I'm trying to hit Google. There are no Microsoft boxes of any description involved except for yours. Them: We don't support Linux Me: I'm not asking you to support Linux, I'm asking you to support your own proxy. Them: Well, we still don't support... Me: Tell you what. Can you set a specific proxy on your PC? Them: Yes. Me: Right, then set it to [IP ADDRESS]. Then try hitting Google. Them: OK...(obviously thinking "anything for a quiet life") oh. Can you hold the line please?
Lather, rinse and repeat about once or twice a week for a year.
It took about 6-8 months before they even started to treat such reports seriously. I wouldn't have minded that bit except that it was a small company, they only had two people doing first line support and both soon got to know who I was.
I don't care how often it's the case that the customer's wrong, after a year of conversations like that I basically gave up contacting tech support unless I can be certain that the person on the other end will have half a brain.
There was a time when the very real fear that if Microsoft achieve total dominance on the client that they could (and would) leverage that influence to the server by coupling new extension that only work with IE/IIS combination. The WWW would become the WMW:(
I was under the impression that this was the purpose of ActiveX, ASP and.Net.
I would like to write my site using modern CSS features. I can't, because people viewing the site with ie wouldn't see them properly.
Look at it this way: the rate things are going you won't need to worry about that.
My memory may be failing me in my old age, byt I'm sure I recall W3C recommending people design sites in valid XHTML/CSS and anyone whose browser didn't support it would find themselves forced to upgrade.
Not that I can see this idea getting much traction in the business market, but there you go.
IOW, completely impractical for most business purposes.
Probably acceptable in critical systems where you're more concerned about "how can we be certain this won't screw up" rather than "how can we add pretty bells and whistles".
Firstly, many countries don't have a concept of "class action".
Secondly, how am I as a customer (assuming I didn't know about this) supposed to know whether or not it's a one-off problem?
1. Consumer law says "product must be fit for the purpose for which it was sold". 2. DVD doesn't play in my DVD player, which is perfectly happy to play anything else. Therefore, it's reasonable to assume that the fault lies with the DVD being not fit for this purpose rather than the player. Therefore: 3. I have the right to return it.
Whether 1 person, 100 people, 1000 people return the DVD - not my problem. I neither know nor care.
Chains may not have much power with their suppliers over small things but if the supplier is directly responsible for them having to eat the cost of several thousand returns, I bet you anything you like they'll start to arm the lawyer cannons.
Yeah, that's the copy protection feature. Hollywood finally figured out that if you can view it, you can copy it. If they simply make the content unplayable, nobody can pirate the movie!
I was under the impression they were trying a variation on this theme. If you make the content unwatchable, nobody will want to pirate the movie.
In Australia a DVD that fails to play in a significant number of DVD players meets the statutory definition of unmerchantability, which requires goods to be suitable for every purpose for which they are normally bought (unlike other places where they have to be suitable for just one of the purposes for which they are normally bought).
What purpose other than "to watch in my DVD player" would normally be applied to a video DVD?
If it doesn't work in my DVD player yet every other disk I own does - along with a number of other new ones purchased at the same time - it's perfectly reasonable for me to conclude that the disk is broken and demand a replacement. If several replacements don't work - must have been a bad batch at the factory. The folk on minimum wage or very near it at my local record store aren't likely to be experts on Sony's copy protection, and it's totally unreasonable for them to expect their customers to be.
I suspect the latter is the case - but that suspicion is based mainly on computer science theory (which amongst other things holds that it's quite possible to mathematically verify that a function will behave as expected under all circumstances).
In the real world, there are just too many variables, both in software and hardware - OSs and hardware are much more complicated than they were 20 years ago - for that to be practical unless you're prepared to sacrifice a lot of functionality (ie. use a platform that's 20 years old in design terms). And as soon as you have to exchange data with some other organisation, your data is subject to their vulnerabilities.
For a real-world example of what can be done to make software reliable (security and reliability arguably being two sides of the same coin), see NASA's development process. They're well known for using hardware that's antiquated by modern standards, and they spend ages on designing and testing their software to death - but the sheer cost attached must be astronomical (pun fully intended).
1. Adds complication and hence cost. Bit of a problem in a cost-sensitive world. 2. Doesn't solve the problem - the security risk now moves to a box plugged into your ethernet card. With the added bonus that the only way you'll be able to fix it is via a firmware upgrade - so it's quite possible to brick the box when you upgrade. (Granted, this can be designed around - but I've yet to see a set of "rescue damaged firmware" instructions which were easy for my own mother to follow - and it's the likes of her who can benefit most from a more secure approach. 3. Far and away the biggest group of people who regularly use wireless do so on a laptop - and by definition, you want everything on a laptop to take up the least amount of extra space/weight possible.
Until he's proven wrong, this statement is true. There ARE NO free groupware solutions, there never have been, and I'm starting to think there never will be. The support costs are simply to brutal and impassible an issue for the open source community to deal with
However, it doesn't integrate with Outlook and is entirely web-based. It's also slightly clunkier and requires more work to set up. That may not be a problem for you, I've found that most people are so conditioned to Outlook/Exchange that a pure web-based solution for it simply not going to happen.
This is what makes Outlook the killer app as far as businesses are concerned. The fact that it is Outlook + Exchange as a combination is largely overlooked by most non-technical people. At best they mix them up to some extent.
Hallelujah, someone who understands!
The only vaguely open thing which claims to come anywhere close to being an Exchange replacement is Scalix (http://www.scalix.com) - and that costs money if you want the "full outlook integration for all your clients" bit. I asked them to quote me a price to include 50 client licenses to use Outlook and it was almost identical to Microsoft's Core CAL price (which provides client licenses for Exchange, Sharepoint and Windows Server).
But of course, if I use Scalix there's a very real risk that a software update in Office could break compatability with it. Not ideal, and a lot less likely with Exchange. How can I justify Scalix when it'll cost the same and potentially introduce more, unknown problems?
I cannot claim for certain that a similar exploit couldn't be done in a more secure, by design, operating system. However I suspect that it would be unlikely that you would find an operating system like Linux, OSX, Solaris, or AIX running a word processor application (or any productivity application) that can install a rootkit or other package allowing access to the local system (beyond the current user's rights), let alone the network. Such a design would be "insecure" and not tolerated by the community.
There have been plenty of privilege escalation vulnerabilities in all sorts of obscure packages in Linux.
And a local privilege escalation vulnerability is arguably just some pretty packaging and an email away from being a remote privilege escalation vulnerability.
Even without that, there's a strong chance that some sort of single sign-on will be present in a large system. Think Kerberos/LDAP or Active Directory. Now, if the computer's running an app as a particular user, it can do anything that user can - and that could include all sorts of interesting things like "access the latest report on the situation in Iraq".
In the real world, the chances are you'd get hundreds of documents back about inconsequential spending in departments you neither know nor care about. But you only need to get lucky once.
You joke, but I'd point out that a government department (particularly in a large, powerful country like the US) will always be a very attractive target - particularly for blackhats who know what they're doing rather than script kiddies.
Yet the same government has politicians who are nobbled by Microsoft into saying that open source is less secure because anyone can look through it for security bugs.
Christ on a stick! That's a bloody good reason to hide EVERY problem from the IT Nazis.
Does anyone ever get any work done?
Depending on your environment, that can actually be the quickest, easiest way to solve a problem.
The GP didn't explain his environment, but in a lot of larger companies you'll find things are standardised as much as is humanly possible. In IT departments, "as much as is humanly possible" quite often isn't very much, so reimaging PCs there is a PITA for all concerned.
But in a call centre, it's fine. In any office where all the people have clear, well-defined roles and you know in advance what software they need (let's say Office, one or two proprietary apps and that's about it), again, it's OK. Things only get complicated when the tools people need to fulfil their roles varies substantially from person to person and even from week to week.
If your app benefits from SSE4 optimizations, the gains compared to the current Core 2 can be giganormous (DivX encoder: +85% at equal clock). Otherwise, expect a per clock advantage of about 10%.
Particularly bloody awkward, then, that hardly anyone codes anything for general-purpose PC usage in assembler any more, and compilers don't get updated and optimised to take full advantage of new instruction sets that quickly.
My DVD player plays every other DVD, including another new one I bought last week.
There have been bad batches of discs released. What's to say this isn't another?
I think I've seen these before, incidentally. But it seems that the whole point is to fuck up their disks exactly enough that they won't play on certain players (God knows which ones, if mplayer can play it), but not enough that they won't play on real players. Thus, it's based not at all on actual standards (like CSS), and entirely on existing DVD players.
IOW, a variation on the copy-protection used on some CDs. And about as useful, purely because (as we've seen before), it is not physically possible to break the specifications a little bit and in doing so accurately target a subsection of the number of players out there. That's the whole point of standardised specifications.
Note that BluRay/HD-DVD accounts for this by design. (I don't think it will do a jot of good, because sooner or later a means of avoiding the issue altogether will appear, but that's by the bye.)
It would be like selling regent grade sulfuric acid on the shelves of Wal*Mart as a drain cleaner and expecting people to handle it safely and not dispose of it down the nearest storm drain.
The alternative would be a drain cleaner with a warning on the back saying "WARNING: Do not pour this product down the drain".
Sounds more like an obfuscation system than en encryption system. The point with encryption is that no one except those you give the key to, should be able to decrypt the information.
3 0223
You're technically correct. But it hasn't stopped lots of things which claimed to offer "encryption" being sold on the open market.
For instance:
http://it.slashdot.org/article.pl?sid=07/04/13/12
The people with the political influence want the money.
Neither of those groups include the average person.
Not until you add the third line.
The people with the political influence also want votes.
The average person has the votes
Of course, seeing as (certainly in the US and UK) relatively few people vote, and you can always "buy" votes with ever smarter ads, suddenly the group with the voting power is essentially also the one with the money. (I'll ignore possibly corrupt voting machines, but that's another real issue).
I keep hearing this. Yet I've also seen entire faulty batches of DVDs. Presumably if the store doesn't have a DVD from a non-faulty batch, all they can do is a credit note or a refund.
There is a finite number of any given DVD in a store.
I rather prefer the idea of the stores got together in a class action lawsuit.
I bet you anything you like Walmart won't accept several thousand vouchers to give them a free Sony Pictures DVD of their choice.
1. UI inconsistencies across the suite and even within products.
Oh sweet jesus yes.
And particularly in Office 2007. I've installed that myself and this "new UI" stuff is a bit disingenous. There are quite a few bits (particularly in Outlook; haven't looked elsewhere in any detail yet) which haven't been updated with the new look & feel and you have no idea when you'll hit one. You're just getting th hang of the way everything's done slightly differently (but by and large most things are a lot fewer clicks and fewer badly-designed Wizzards getting in the way) when suddenly you click on what you want to do and you're dropped into a wizard which has existed since Office '97 and wasn't terribly good back then.
A completely OT observation, but anyone who's worked in tech support (probably many here) will empathise with that, yet if you admit to having disabled such a feature company-wide in a thread which discusses running any sort of system across a large organisation, you'll be inundated in people saying "How dare you presume to tell people how they are most productive by setting up their PC for them!" (or words to that effect).
Even more annoying still are the automated phone systems that you talk to which cut you off rather than put you through to a person if they don't understand you or (and I swear I'm not making this up) if you swear at them.
Particularly the clueless-ISP-type ones:
Me: The proxy server with IP address [XXX.XXX.XXX.XXX] in your cluster is broken. It returns the Microsoft IIS page to everything that connects.
Them: OK, go to start, settings, control panel...
Me: I'm running Linux and I'm trying to hit Google. There are no Microsoft boxes of any description involved except for yours.
Them: We don't support Linux
Me: I'm not asking you to support Linux, I'm asking you to support your own proxy.
Them: Well, we still don't support...
Me: Tell you what. Can you set a specific proxy on your PC?
Them: Yes.
Me: Right, then set it to [IP ADDRESS]. Then try hitting Google.
Them: OK...(obviously thinking "anything for a quiet life") oh. Can you hold the line please?
Lather, rinse and repeat about once or twice a week for a year.
It took about 6-8 months before they even started to treat such reports seriously. I wouldn't have minded that bit except that it was a small company, they only had two people doing first line support and both soon got to know who I was.
I don't care how often it's the case that the customer's wrong, after a year of conversations like that I basically gave up contacting tech support unless I can be certain that the person on the other end will have half a brain.
There was a time when the very real fear that if Microsoft achieve total dominance on the client that they could (and would) leverage that influence to the server by coupling new extension that only work with IE/IIS combination. The WWW would become the WMW :(
.Net.
I was under the impression that this was the purpose of ActiveX, ASP and
I would like to write my site using modern CSS features. I can't, because people viewing the site with ie wouldn't see them properly.
Look at it this way: the rate things are going you won't need to worry about that.
My memory may be failing me in my old age, byt I'm sure I recall W3C recommending people design sites in valid XHTML/CSS and anyone whose browser didn't support it would find themselves forced to upgrade.
Not that I can see this idea getting much traction in the business market, but there you go.
IOW, completely impractical for most business purposes.
Probably acceptable in critical systems where you're more concerned about "how can we be certain this won't screw up" rather than "how can we add pretty bells and whistles".
Firstly, many countries don't have a concept of "class action".
Secondly, how am I as a customer (assuming I didn't know about this) supposed to know whether or not it's a one-off problem?
1. Consumer law says "product must be fit for the purpose for which it was sold".
2. DVD doesn't play in my DVD player, which is perfectly happy to play anything else. Therefore, it's reasonable to assume that the fault lies with the DVD being not fit for this purpose rather than the player.
Therefore: 3. I have the right to return it.
Whether 1 person, 100 people, 1000 people return the DVD - not my problem. I neither know nor care.
Chains may not have much power with their suppliers over small things but if the supplier is directly responsible for them having to eat the cost of several thousand returns, I bet you anything you like they'll start to arm the lawyer cannons.
Yeah, that's the copy protection feature. Hollywood finally figured out that if you can view it, you can copy it. If they simply make the content unplayable, nobody can pirate the movie!
I was under the impression they were trying a variation on this theme. If you make the content unwatchable, nobody will want to pirate the movie.
In Australia a DVD that fails to play in a significant number of DVD players meets the statutory definition of unmerchantability, which requires goods to be suitable for every purpose for which they are normally bought (unlike other places where they have to be suitable for just one of the purposes for which they are normally bought).
What purpose other than "to watch in my DVD player" would normally be applied to a video DVD?
If it doesn't work in my DVD player yet every other disk I own does - along with a number of other new ones purchased at the same time - it's perfectly reasonable for me to conclude that the disk is broken and demand a replacement. If several replacements don't work - must have been a bad batch at the factory. The folk on minimum wage or very near it at my local record store aren't likely to be experts on Sony's copy protection, and it's totally unreasonable for them to expect their customers to be.
I suspect the latter is the case - but that suspicion is based mainly on computer science theory (which amongst other things holds that it's quite possible to mathematically verify that a function will behave as expected under all circumstances).
In the real world, there are just too many variables, both in software and hardware - OSs and hardware are much more complicated than they were 20 years ago - for that to be practical unless you're prepared to sacrifice a lot of functionality (ie. use a platform that's 20 years old in design terms). And as soon as you have to exchange data with some other organisation, your data is subject to their vulnerabilities.
For a real-world example of what can be done to make software reliable (security and reliability arguably being two sides of the same coin), see NASA's development process. They're well known for using hardware that's antiquated by modern standards, and they spend ages on designing and testing their software to death - but the sheer cost attached must be astronomical (pun fully intended).
Excellent idea, with only 3 minor problems:
1. Adds complication and hence cost. Bit of a problem in a cost-sensitive world.
2. Doesn't solve the problem - the security risk now moves to a box plugged into your ethernet card. With the added bonus that the only way you'll be able to fix it is via a firmware upgrade - so it's quite possible to brick the box when you upgrade. (Granted, this can be designed around - but I've yet to see a set of "rescue damaged firmware" instructions which were easy for my own mother to follow - and it's the likes of her who can benefit most from a more secure approach.
3. Far and away the biggest group of people who regularly use wireless do so on a laptop - and by definition, you want everything on a laptop to take up the least amount of extra space/weight possible.
Until he's proven wrong, this statement is true. There ARE NO free groupware solutions, there never have been, and I'm starting to think there never will be. The support costs are simply to brutal and impassible an issue for the open source community to deal with
Not true. There are:
http://www.horde.org/
However, it doesn't integrate with Outlook and is entirely web-based. It's also slightly clunkier and requires more work to set up. That may not be a problem for you, I've found that most people are so conditioned to Outlook/Exchange that a pure web-based solution for it simply not going to happen.
This is what makes Outlook the killer app as far as businesses are concerned. The fact that it is Outlook + Exchange as a combination is largely overlooked by most non-technical people. At best they mix them up to some extent.
Hallelujah, someone who understands!
The only vaguely open thing which claims to come anywhere close to being an Exchange replacement is Scalix (http://www.scalix.com) - and that costs money if you want the "full outlook integration for all your clients" bit. I asked them to quote me a price to include 50 client licenses to use Outlook and it was almost identical to Microsoft's Core CAL price (which provides client licenses for Exchange, Sharepoint and Windows Server).
But of course, if I use Scalix there's a very real risk that a software update in Office could break compatability with it. Not ideal, and a lot less likely with Exchange. How can I justify Scalix when it'll cost the same and potentially introduce more, unknown problems?