A few years back Mohammed al Fayed (Egyptian millionaire, owns Harrods) was mad because the UK government had stopped a previous agreement that he would be allowed to pay a fixed sum every year regardless of how much he made as it was "too difficult" to do all the sums.
I considered writing to my local tax office saying "I had no idea tax was negotiable. I find the sums difficult, may I suggest I pay you £100 in full and final settlement for all my taxes this year?".
Perhaps you folks in the US should write to your congressmen with a similar question regarding getting laws passed.
1 - Trojans are not meant to cripple a computer, viruses are... and botnets use trojan-like programs.
How many viruses in the traditional sense of the word (ie. hide themselves in otherwise benign programs, require no user intervention to execute, attempt to mess around with the user's data) have you seen lately? Spyware - yes, lots. Trojans? More than you can count. Worms, not requiring a host program in order to spread? Hey, someone's got to keep Sophos in business. Viruses spreading through the Internet with the express intent of hooking in somewhere to corrupt data? They're somewhat rarer.
Just looking at a few websites, I see the latest threats are listed as:
W32/Agobot-SJ - a worm. W32/Kelvir-Gen - another worm. Troj/Banker-HC - a trojan. W32/Anzae-A - another worm. W32/Bagz-D - yet another worm.
2 - Most viruses actually don't even try to destroy everything. But once it manages to control your system, you can't argue that it could very well destroy everything (including some hardware).
I'd be disturbed if any recent operating system allowed a user-land program close enough to hardware to risk damaging it.
Of course Linux is not inmune to malware. But you are basically implying that since everythin you said is theoretically possible, then using a Windows machine is as secure as using a Linux machine.
It took a few years for things to get as bad as they are today with Windows.
I don't have a crystal ball. I would like to believe that Linux will become a serious competitor to Windows on the desktop while retaining its current almost entirely virus/malware free state. The only reason it isn't at that point right now probably has more to do with marketing than technology.
Having said all that, a good theoretical exploit is only a few lines of code away from being a real one. A lousy theoretical exploit requires more code and a whole plethora of pre-conditions. To argue that suitable pre-conditions can never exist on Unix I would consider dangerous.
You said properly configured, which is exactly WTF I was talking about. Joe sixpack doesn't care if it is or not. Neither does MSFT for that matter, or they would do it.
As Linux rises in popularity, more people will be attracted to it because it's "not Windows".
I've already noticed a distinct drop in the signal to noise ratio in a lot of Linux newsgroups and web based forums - reasonably easy questions are given answers which are just way out wrong.
Also, you fail to even acknowledge the fact that a virus executed on a "standard" Windows install will cripple the entire machine.
Which is why all these "crippled" machines are still working well enough to act as part of botnets sending spam all over the world and taking part in DDOS attacks, yes?
If you mean "it's much harder for a virus to take over the entire machine such that it's totally screwed beyond all hope of recovery", then I agree - more or less any Unix workalike is secure by that definition.
However, if we take a theoretical exploit which runs from email to its logical conclusion, what's to stop it bringing up a window saying "Please enter your root password"? Or taking advantage of a known bug which hasn't been patched by the user (because it's not remotely exploitable, right?) to get root access?
All that aside, there are still all sorts of other potential attack vectors which open up as soon as you can talk a user into double-clicking an icon in their email.
There seems to be a/. attitude that Unix is totally, permanently immune to any form of malware because "it doesn't work like Windows". Malware can still exist, it just can't format your hard disk anymore. At least, not until it can use a locally-exploitable bug to get root access, then all bets are off.
I was referring to theoretical exploits via a mail client rather than a web browser.
Email viruses didn't used to exist at all, then Microsoft decided to make Outlook Express and Outlook render HTML and by default (certainly in versions around 1997-2000, not sure now) it wasn't possible to disable this functionality.
At most, it would wipe out their home directory. Not bring the entire machine, and all users on it down.
Wrong. At most it would wipe out their home directory, but not before emailing itself to their entire address book. Then it could attempt to remotely gain access to anything sitting on the local network - likely much easier than if you're attacking from outside - and email the results to the author. Insecure servers beware.
This isn't dramatically different to the worst that can happen in a properly configured Windows environment. The killer is a combination of the virus and the effect on the network of everyone in the organisation trying to send a hundred emails at the same time.
The strongest layer of protection in that is that it's much harder to predict how an organisation will have set up a bunch of Linux desktops. What works on one probably won't work on another, so the exploit is self-limiting.
Remember, email viruses didn't exist until Microsoft made it easy for email attachments to execute themselves.
There's something to be said for investing in something which is the polar opposite of what your employer (or in Michael Dell's case, company) is doing. In very simplistic terms, it's reasonable to assume that if Linux usage does increase significantly, it'll be at the cost of Microsoft.
This could bite Dell (the company) pretty hard given their close ties with Microsoft. However, as far as Michael Dell is concerned, he's hedging his bets. If Microsoft remains strong, his company wins. If Microsoft loses significantly to Linux (and he can't turn his company into a Linux-lovin' company rather than Just Another Microsoft Box-Shifter pretty quickly), he's still covered.
RealID is specifically crafted to address those specific issues.
Which is all very nice. We in the UK are going through similar legislation right now, but I'm sure this argument will pretty much hold water across the pond.
Tell me, how exactly do you know who you are? What defines your identity? Does your birth certificate have your DNA profile on it? No? So how do you know you're the person named on it?
OK, so what about your other ID. Passport? Was it issued on the strength of your birth certificate? If so, what value does it have as a proof of ID? Driving license? Same question. Credit cards? Bank details?
No form of ID is perfect. All have the exact same issues, and short of taking a DNA profile of everyone in the country and then refusing to recognise any ID which doesn't carry this DNA profile there's no easy solution. Even then, £50,000 in the back pocket of the right person at the issuing office, or for that matter some big men in dark suits hanging around the school where their kids go, can go a long way towards getting your DNA registered on the database against a false name and address.
Easy. Disallow all connections except those to WindowsUpdate and all the major Anti-virus FTP servers.
Of course, the problem with doing that is it might be seen as censorship - and as soon as an ISP is seen as being able and prepared to exercise censorship, I can see a whole world of legal issues on the horizon.
Remember the good old days when viruses did real damage? Remember when they actually did format your hard drive or screw up you boot sector? That made people sit up and take notice.
When they got infected, yes. Trouble was, the more destructive viruses had a tendency to self destruct as part of their destruction, so they had a limited opportunity to spread.
Then, as now, people didn't sit up and take notice until it was THEIR data that was lost.
The slight problem is that the Internet is just that - an International Network.
In order to stop a particular type of traffic going out on it (eg. viruses), you'd need to guarantee that EVERYONE who's got any form of Internet access (from small users right up to Tier 1 ISPs) has exactly the same minimum security configuration.
Perhaps more common use of the "evil" bit will help here.
A nice side to it is that if they STILL complain (maybe because of some automated scripts they're using), you can point to them "How can it not be a proper.DOC file if Word can open it?".
Employer/Agency: Well, if we STILL can't read it, I guess that's one person we won't be interviewing. Next!
I fail to see how a car with a computer built into it, is simpler than a computer.
I think you're thinking of a computer as "PC with any one of a few hundred motherboards, a few hundred videocards, a few hundred soundcards, a few hundred CD-ROM/DVD-ROM drives, a few thousand hard disks and Heaven only knows what other crazy peripherals".
In this context, a computer will be built out of few, well-tested, reasonably reliable parts and these parts won't vary from vehicle to vehicle. They probably won't vary much from year to year. Helluva lot easier to write a stable OS when you only have to support a couple of hardware combinations.
Age in this case is misleading. As you say, it could have happened with anything.
What it should be emphasising is the importance of risk evaluation in the context of "disaster recovery". Had the business sat down to write a proper disaster recovery plan on the basis of "OK, what happens if this system goes completely kaput and all we have left are the offsite backups?" then it would have become clear that here was a business critical system which had no coherent DR plan.
How do you know it has worked out nicely? Perhaps there is a God, perhaps Evolution is His tool and perhaps what he had in mind was rather more advanced than what we have on Earth today. That's allright - God's infinite, he can happily wait a few more millennia.
Always strikes me as extremely arrogant to assume that Earth as it is is perfect.
Well done, you've just described VMS' native filesystem.
The problem isn't "keeping track of lots of files as they get updated and their versions change". If it was, CVS would be the perfect solution.
The problem is "ensuring my changes don't break something you've just added", "integrating this with a bug management system so we know who committed what in order to fix what bugs", "making it easy for me to work on a long-term pet project, while not being obliged to commit this project to the main source tree in order to ensure it doesn't get broken by other people's changes over the course of time" and several others.
AFAIK, there is no free (as in speech and/or beer) solution which handles all of the above in a particularly neat manner.
Computers by definition aren't too hot at random numbers. The only way you can get a truly random number is by measuring a truly random thing - say, the brownian motion in a cup of hot tea.
For 99+% of uses, pseudo-random numbers are perfectly acceptable. For the remainder, there's likely to be enough money to build a true hardware-based random number generator. Or if there isn't enough money, then clearly the project doesn't need truly random numbers that much.
There's a problem with "TV license if you have Internet access"; vis: what format will the BBC make its work available in? And, more to the point, what systems will they support? At least all television tuners are much the same - the same cannot be said of computers.
I am not installing Windows just for the privilege of watching TV over the 'net. And if they won't make a Linux player available for whatever format they choose, I am not paying a license fee. That's not something I'm prepared to negotiate on.
I've heard that one and I'm honestly at a push to see how they can get away with it.
If it becomes a tax on computers - fine. I'll get a ZX spectrum.
If it becomes a tax on Internet-capable computers - fine, I'll plug an ISA ethernet card into a 386, put Linux on it and put it on the Internet. "Try watching streaming video on that, your honour."
Seems to me that we have technology giving us infinitely more flexibility in how we do things and media companies who aren't prepared for this and so are trying to get their income through taxing the technology to death. True whether it's the RIAA, MPAA, BBC, RAC, VGA or XLA.
STOP SAYING THAT! It's as annoying as those people who insist on made-up gender-neutral pronouns liks "hesh". Stealing is NOT defined as depriving someone of their property.
In colloquial terms, you're correct. But in legal terms, the two are quite different.
In any event, the net result is much the same - depriving someone of something that is rightfully theirs. The only real difference is that in the strict "walked off without paying" scenario, it's easy to see what's missing and easy to work out how much money the victim is owed. In the copyright infringement scenario, that's a lot harder.
There is more to that sentence than simply the words you hear. I can think of a few examples.
"We've used 'X' software for 10 years and we know it works so we are never changing" (not everything needs changing...)
"We've used 'X' software for 10 years and major software migration projects are pretty prone to failure so we are never changing"
"We've used 'X' software for 10 years largely because the CEO is a good friend of mine and we regularly play golf so we are never changing"
A few years back Mohammed al Fayed (Egyptian millionaire, owns Harrods) was mad because the UK government had stopped a previous agreement that he would be allowed to pay a fixed sum every year regardless of how much he made as it was "too difficult" to do all the sums.
I considered writing to my local tax office saying "I had no idea tax was negotiable. I find the sums difficult, may I suggest I pay you £100 in full and final settlement for all my taxes this year?".
Perhaps you folks in the US should write to your congressmen with a similar question regarding getting laws passed.
There are two replies to that:
1 - Trojans are not meant to cripple a computer, viruses are... and botnets use trojan-like programs.
How many viruses in the traditional sense of the word (ie. hide themselves in otherwise benign programs, require no user intervention to execute, attempt to mess around with the user's data) have you seen lately? Spyware - yes, lots. Trojans? More than you can count. Worms, not requiring a host program in order to spread? Hey, someone's got to keep Sophos in business. Viruses spreading through the Internet with the express intent of hooking in somewhere to corrupt data? They're somewhat rarer.
Just looking at a few websites, I see the latest threats are listed as:
W32/Agobot-SJ - a worm.
W32/Kelvir-Gen - another worm.
Troj/Banker-HC - a trojan.
W32/Anzae-A - another worm.
W32/Bagz-D - yet another worm.
2 - Most viruses actually don't even try to destroy everything. But once it manages to control your system, you can't argue that it could very well destroy everything (including some hardware).
I'd be disturbed if any recent operating system allowed a user-land program close enough to hardware to risk damaging it.
Of course Linux is not inmune to malware. But you are basically implying that since everythin you said is theoretically possible, then using a Windows machine is as secure as using a Linux machine.
It took a few years for things to get as bad as they are today with Windows.
I don't have a crystal ball. I would like to believe that Linux will become a serious competitor to Windows on the desktop while retaining its current almost entirely virus/malware free state. The only reason it isn't at that point right now probably has more to do with marketing than technology.
Having said all that, a good theoretical exploit is only a few lines of code away from being a real one. A lousy theoretical exploit requires more code and a whole plethora of pre-conditions. To argue that suitable pre-conditions can never exist on Unix I would consider dangerous.
You said properly configured, which is exactly WTF I was talking about. Joe sixpack doesn't care if it is or not. Neither does MSFT for that matter, or they would do it.
/. attitude that Unix is totally, permanently immune to any form of malware because "it doesn't work like Windows". Malware can still exist, it just can't format your hard disk anymore. At least, not until it can use a locally-exploitable bug to get root access, then all bets are off.
As Linux rises in popularity, more people will be attracted to it because it's "not Windows".
I've already noticed a distinct drop in the signal to noise ratio in a lot of Linux newsgroups and web based forums - reasonably easy questions are given answers which are just way out wrong.
Also, you fail to even acknowledge the fact that a virus executed on a "standard" Windows install will cripple the entire machine.
Which is why all these "crippled" machines are still working well enough to act as part of botnets sending spam all over the world and taking part in DDOS attacks, yes?
If you mean "it's much harder for a virus to take over the entire machine such that it's totally screwed beyond all hope of recovery", then I agree - more or less any Unix workalike is secure by that definition.
However, if we take a theoretical exploit which runs from email to its logical conclusion, what's to stop it bringing up a window saying "Please enter your root password"? Or taking advantage of a known bug which hasn't been patched by the user (because it's not remotely exploitable, right?) to get root access?
All that aside, there are still all sorts of other potential attack vectors which open up as soon as you can talk a user into double-clicking an icon in their email.
There seems to be a
I was referring to theoretical exploits via a mail client rather than a web browser.
Email viruses didn't used to exist at all, then Microsoft decided to make Outlook Express and Outlook render HTML and by default (certainly in versions around 1997-2000, not sure now) it wasn't possible to disable this functionality.
At most, it would wipe out their home directory. Not bring the entire machine, and all users on it down.
Wrong. At most it would wipe out their home directory, but not before emailing itself to their entire address book . Then it could attempt to remotely gain access to anything sitting on the local network - likely much easier than if you're attacking from outside - and email the results to the author. Insecure servers beware.
This isn't dramatically different to the worst that can happen in a properly configured Windows environment. The killer is a combination of the virus and the effect on the network of everyone in the organisation trying to send a hundred emails at the same time.
The strongest layer of protection in that is that it's much harder to predict how an organisation will have set up a bunch of Linux desktops. What works on one probably won't work on another, so the exploit is self-limiting.
Remember, email viruses didn't exist until Microsoft made it easy for email attachments to execute themselves.
No, it's only illegal when you're a gangster and making thousands.
When you're a company and making billions, it's called "capitalism".
With all the OEMs that ship Norton or McAffee or whatever with their computers, I have to wonder how Microsoft is going to approach marketing this.
In spite of all the anti-trust action, I forsee a meeting a bit like this:
MS Rep: "Ship XP with our antivirus product or when we release Longhorn you'll be bottom of the list for OEM licenses."
Business as usual, really.
the zombies don't run on port 25 anyway.
Would you mind explaining to me how a zombie sends email to a mail server other than the ISP's own if port 25 outbound is blocked?
There's another benefit.
There's something to be said for investing in something which is the polar opposite of what your employer (or in Michael Dell's case, company) is doing. In very simplistic terms, it's reasonable to assume that if Linux usage does increase significantly, it'll be at the cost of Microsoft.
This could bite Dell (the company) pretty hard given their close ties with Microsoft. However, as far as Michael Dell is concerned, he's hedging his bets. If Microsoft remains strong, his company wins. If Microsoft loses significantly to Linux (and he can't turn his company into a Linux-lovin' company rather than Just Another Microsoft Box-Shifter pretty quickly), he's still covered.
RealID is specifically crafted to address those specific issues.
Which is all very nice. We in the UK are going through similar legislation right now, but I'm sure this argument will pretty much hold water across the pond.
Tell me, how exactly do you know who you are? What defines your identity? Does your birth certificate have your DNA profile on it? No? So how do you know you're the person named on it?
OK, so what about your other ID. Passport? Was it issued on the strength of your birth certificate? If so, what value does it have as a proof of ID? Driving license? Same question. Credit cards? Bank details?
No form of ID is perfect. All have the exact same issues, and short of taking a DNA profile of everyone in the country and then refusing to recognise any ID which doesn't carry this DNA profile there's no easy solution. Even then, £50,000 in the back pocket of the right person at the issuing office, or for that matter some big men in dark suits hanging around the school where their kids go, can go a long way towards getting your DNA registered on the database against a false name and address.
Easy. Disallow all connections except those to WindowsUpdate and all the major Anti-virus FTP servers.
Of course, the problem with doing that is it might be seen as censorship - and as soon as an ISP is seen as being able and prepared to exercise censorship, I can see a whole world of legal issues on the horizon.
Remember the good old days when viruses did real damage? Remember when they actually did format your hard drive or screw up you boot sector? That made people sit up and take notice.
When they got infected, yes. Trouble was, the more destructive viruses had a tendency to self destruct as part of their destruction, so they had a limited opportunity to spread.
Then, as now, people didn't sit up and take notice until it was THEIR data that was lost.
The slight problem is that the Internet is just that - an International Network.
In order to stop a particular type of traffic going out on it (eg. viruses), you'd need to guarantee that EVERYONE who's got any form of Internet access (from small users right up to Tier 1 ISPs) has exactly the same minimum security configuration.
Perhaps more common use of the "evil" bit will help here.
A nice side to it is that if they STILL complain (maybe because of some automated scripts they're using), you can point to them "How can it not be a proper .DOC file if Word can open it?".
Employer/Agency: Well, if we STILL can't read it, I guess that's one person we won't be interviewing. Next!
I fail to see how a car with a computer built into it, is simpler than a computer.
I think you're thinking of a computer as "PC with any one of a few hundred motherboards, a few hundred videocards, a few hundred soundcards, a few hundred CD-ROM/DVD-ROM drives, a few thousand hard disks and Heaven only knows what other crazy peripherals".
In this context, a computer will be built out of few, well-tested, reasonably reliable parts and these parts won't vary from vehicle to vehicle. They probably won't vary much from year to year. Helluva lot easier to write a stable OS when you only have to support a couple of hardware combinations.
Age in this case is misleading. As you say, it could have happened with anything.
What it should be emphasising is the importance of risk evaluation in the context of "disaster recovery". Had the business sat down to write a proper disaster recovery plan on the basis of "OK, what happens if this system goes completely kaput and all we have left are the offsite backups?" then it would have become clear that here was a business critical system which had no coherent DR plan.
until it finally worked out nicely.
How do you know it has worked out nicely? Perhaps there is a God, perhaps Evolution is His tool and perhaps what he had in mind was rather more advanced than what we have on Earth today. That's allright - God's infinite, he can happily wait a few more millennia.
Always strikes me as extremely arrogant to assume that Earth as it is is perfect.
My fellow invertebrates. I am pleased to tell you today that I have signed legislation that will outlaw Canada forever. We begin bombing in 5 minutes.
Well done, you've just described VMS' native filesystem.
The problem isn't "keeping track of lots of files as they get updated and their versions change". If it was, CVS would be the perfect solution.
The problem is "ensuring my changes don't break something you've just added", "integrating this with a bug management system so we know who committed what in order to fix what bugs", "making it easy for me to work on a long-term pet project, while not being obliged to commit this project to the main source tree in order to ensure it doesn't get broken by other people's changes over the course of time" and several others.
AFAIK, there is no free (as in speech and/or beer) solution which handles all of the above in a particularly neat manner.
Computers by definition aren't too hot at random numbers. The only way you can get a truly random number is by measuring a truly random thing - say, the brownian motion in a cup of hot tea.
For 99+% of uses, pseudo-random numbers are perfectly acceptable. For the remainder, there's likely to be enough money to build a true hardware-based random number generator. Or if there isn't enough money, then clearly the project doesn't need truly random numbers that much.
There's a problem with "TV license if you have Internet access"; vis: what format will the BBC make its work available in? And, more to the point, what systems will they support? At least all television tuners are much the same - the same cannot be said of computers.
I am not installing Windows just for the privilege of watching TV over the 'net. And if they won't make a Linux player available for whatever format they choose, I am not paying a license fee. That's not something I'm prepared to negotiate on.
I've heard that one and I'm honestly at a push to see how they can get away with it.
If it becomes a tax on computers - fine. I'll get a ZX spectrum.
If it becomes a tax on Internet-capable computers - fine, I'll plug an ISA ethernet card into a 386, put Linux on it and put it on the Internet. "Try watching streaming video on that, your honour."
Seems to me that we have technology giving us infinitely more flexibility in how we do things and media companies who aren't prepared for this and so are trying to get their income through taxing the technology to death. True whether it's the RIAA, MPAA, BBC, RAC, VGA or XLA.
STOP SAYING THAT! It's as annoying as those people who insist on made-up gender-neutral pronouns liks "hesh". Stealing is NOT defined as depriving someone of their property.
In colloquial terms, you're correct. But in legal terms, the two are quite different.
In any event, the net result is much the same - depriving someone of something that is rightfully theirs. The only real difference is that in the strict "walked off without paying" scenario, it's easy to see what's missing and easy to work out how much money the victim is owed. In the copyright infringement scenario, that's a lot harder.