No kidding. Stargate Universe is essentially House + BSG. It's just sad how much the Universe writers shamelessly rip off those two shows.
When they stop screwing around with the "background music montage" (aka House, aka "We don't know how to write a real ending for the episode so we'll just play music instead") and when they stop with the mind-numbing, shaky-cam filled "character-driven episodes" (aka BSG, aka "Writing interesting science fiction is hard, let's write a soap opera instead -- oh and shaky cam is hip and stylish!"), then the show isn't that bad. That said, I cannot believe how bad overall the 2nd season has been -- the subplot of Chloe turning into the alien thing has sucked up at least 15 minutes of every episode and it has contributed almost nothing to the plot since it was first mentioned.
It just seems like too many shows forget that developing good characters does not mean writing soap opera episodes. You can have interesting science and even some action while developing characters. BSG was very guilty of missing the ball on this one -- halfway through season 3 they should have just renamed the show All My Cylons.
I have played a pirated copy of Command & Conquer: Red Alert 2 for years.
I can vouch for TFA's claim.
I played RA2 quite the last year or two of high school with some friends in one of the computer labs. We ran into a problem though because the C: of the machines was re-imaged each night (via Deep Freeze). Ironically, the school wouldn't buy a full copy of Deep Freeze and relied on the trial version, which only let you Freeze one partition, and limited the size of that partition. Since the computers had extra room (as the D:\) we installed the game on there.
Unfortunately, the game's data in the Windows registry (stored on the C:) was erased each night and the next day when we went to play we'd see this exact behavior. Game would start fine and exactly 30 seconds in everything went boom.
I assumed the nightly wipe was part of it because it played fine until then. As a guess, I tried reinstalling the game and exported the entire RA2 registry key to a file. As long as we re-imported that file before playing each morning, the game would run fine.
No idea what the real mechanism is, but there you go.
They shouldn't. That's what makes this such a non-story. The problem is that there are a lot of people ("editors" they call themselves, until they get to level 2 and become an "admin") who take Wikipedia waaay too seriously. Take this gem from TFA:
Verizon didn't seem to care. -- T. Canens
Are you kidding me? That idiot wasted hundreds of hours of admins time, spent all his free time libeling people, outer hundreds of Wikipedia editors by mass-creating hundreds of accounts the included their phone numbers (or so I've heard) and they don't care? What is wrong with those people? -- Access Denied
My biggest problem with Wikipedia is the direct source of stories like this. It's become a little pool and everyone is trying to be the biggest fish, for two reasons: First, that way they can create their own little kingdom of articles which they've "adopted", bullying people into a consensus which matches their own ideals/agenda. Second, they just want to feel important. Take that Access Denied fellow's name/signature thing for example. Bright red, obnoxious, disrupts the page flow, and yells to everyone, "Look at me, look at me!"
Will Diablo 3 be sticking with the new model of requiring people to use real names to interact with other players significantly, or are they introducing some kind of way for people to pick a nickname?
Blizzard actually just barely released changes which makes Real ID optional. I got an email yesterday from Blizzard explaining the change and showing how to make changes to your profile so that Real ID is disabled, or to prevent friends of your Real ID friends from also seeing your full name.
I was happy to see the change, but two things still bother me about it. Why did it take them months after the retail release of the game to implement this? It should have been clear from day one that such a feature has as much potential for bad as good and should obviously be optional. Second, why is it so hard to make these changes? You have to go to the Battle.net webpage, log in to your profile, go to "communication settings" (less than obvious) and make the changes there. Why can't it just be a simple option in the game clients?
It gets rid of a lot of developer headaches, including finding a place with high bandwidth mirrors for consumers to download and fetch updates.
Yes, Apple gets a 30% chunk, but IMHO, it is a good thing to have long term.
Wow, and people talk about the "Microsoft tax". How long until the only way to get software on your Mac desktop is via Apple's store and all Mac developers are required to pay a 30% tribute to Apple? And, since taxes are passed on to consumers, every time you as a customer buys an "app" from the store it's really you who's paying that insane 30%.
But that's beside the main point. Do you really thing most smaller developers can't find a place to host their website and software which costs less than 30% of all their sales? Keep in mind that most developers don't need Steam/Microsoft/Amazon levels of bandwidth.
Wow, so apparently TFS == TFA (which in turn is nothing but a copypasta of an AP release from earlier today. Is there really no more information on this? For example, how hot is too hot? My laptop gets pretty freaking hot sometimes and I'd guess a fair bit of that heat finds its way into the battery.
- Heated cells vent flammable electrolyte gas - Cells begin venting at approx 470-500 Deg F - The electrolyte gas occasionally exploded due to hot surface ignition - Cells produce a pressure pulse when venting - As little as four cells can raise the pressure in a sealed 10m cubed chamber by one psi.
Kind of interesting. It looks like I probably don't need to worry about my laptop's head igniting the battery, but it does sound like either some batteries are a lot more susceptible to heat, or airplane cargo compartments get really hot. I would guess a lot of other stuff doesn't like being stored at those kinds of temperatures either. A quick look indicates most plastics melt at about 300-450 degrees F. In fact, ABS plastic (usually used in laptop battery enclosures) melts even lower at 221 degrees F.
By the way, if you haven't seen the Red Letter Media Star Wars reviews yet, shame on you. At the least, set aside an hour and watch the Phantom Menace review. He goes above and beyond a normal video review (Menace is an hour, Clones is almost 90 minutes) explaining exactly why the movies fail so horribly.
The Star Trek movie reviews are also fantastic -- even better than the Star Wars ones, I think. Funny as hell, dead on the mark, and well worth the time to watch them.
Because Firefox users have no need for flash or Ad blockers do they.
I presume you are implying that the reason people use Flash blocking tools is because all Flash content inherently needs to be blocked. This isn't true.
The overly-prevalent mindset on Slashdot that "Flash is evil", "Flash needs to die", and "Flash is only used for bad things" is just plain wrong and broken. Flash is used in many places to greatly enhance things beyond what browsers are normally capable of. Games are an obvious example, but other applications such as Google Finance and Amazon's song previews are simple but effective examples. As is usually the case, the technology itself isn't really good or bad, but what people do with it can be. And people, as a rule, are decidedly good at making technology do bad things.
This then leaves the question: Why do people block flash? Almost entirely it falls into two categories:
- Flash is used in the most perverse and annoying advertisements that contain video and audio and which load the CPU unnecessarily - Flash has security concerns
Consider these. People champion HTML5 as some kind of messiah which will bring the end to Flash's evil reign. Okay, what would that result in? I'll give you a hint: HTML5 blockers. Why? Because soon we'll transition to:
- HTML5 is used in the most perverse and annoying advertisements that contain video and audio and which load the CPU unnecessarily - HTML5 has security concerns
Personally, Flash doesn't really bother me, but that's largely because it can be controlled. I use NoScript, partially to block Flash, and that tamed beast can do useful work. I think most people who yearn for its demise either don't understand that the void Flash leaves behind will be filled with something (at least as "bad" as Flash, if not worse), or they're just mindless zealots regurgitating Jobs' claims.
In reality, I can really only think of a handful of "good" American studios, Bungie, Valve, Blizzard and BioWare. On the other hand, I can think of a lot of good Japanese studios which consistently make quality games, Namco, Square-Enix, Nintendo, Sony, etc.
I'm not a huge gamer, but I can easily add a few to that list: Bethesda, Obsidian, Epic, id, Infinity Ward. Some of these developers have waned a little recently or been acquired by some parent company, but they still produce some good games. Even going by a list on Wikipedia, there are only a few other Japanese companies I recognize (such as Konami and Capcom).
These days, I don't see a reason that Japan would be greatly superior at game development than any other country. Originally they had something of a head start in the industry (many consoles have been developed there), but any more there are many talented and experienced people all over the world. Any country which comes up with something new will initially be on top, but things will inevitably level out sooner or later.
Given the complete uselessness of the feature (as described in TFA), I always figured instant search as just being some bogus bling that Google can use to show how they're staying ahead of alternatives like Bing. Even phrases like "gone instant" reek of marketing slime.
The truth is that Bing, even with as few people around here that use it, really is working on keeping pace, or even surpassing Google in some areas. Microsoft's recent demos of their sliding and composited street-view, for example, were pretty impressive.
Hopefully Google has some real new features in store and hasn't fallen to relying on completely useless visual gimmicks to keep customers. Recently their work on improving search has been to make their text fields and buttons too big and to waste CPU cycles with stupid instant search. Whee.
I actually didn't think the Aiplex site was correct at first, just because of how awful it is. Maybe they got into the "anti-piracy" business because they failed so amazingly hard at website design.
This will be my last post in the thread because you clearly don't know what you're talking about and refuse to realize that.
Point is, they just fixed one that they think may bypass privileges.
Citation please.
Explain why.NET ClickOnce and other.NET exploits still infect machines that are locked down (up until Aug 10th supposedly).
Citation please.
Or perhaps, the malware authors will simply choose one of the other numerous attack vectors created by.NET's security holes. As has happened for almost the last 10 years with.NET and ActiveX.
They might. And maybe you could give a citation of a currently unpatched privilege escalation attack vector.
So, if a rootkit drops a piece of malware (hmmm, maybe named svchost or smss?) into a "secure" folder
If a standard user has write access to a "secure folder" it isn't very secure, is it? Oh, and the name of the file doesn't really matter.
maybe in the System Volume Information folder?
Administrator and/or SYSTEM rights are required to even read from that folder, let alone write to it.
does it matter that the account of the next person who logs in is a limited user account? Somehow I dont think so.
A user must have administrative rights to compromise a "secure folder". Administrators can (obviously) impact all users on the machine.
BTW, without going into technical details
Oh, please do. I'd love to see a single technical detail.
For instance, killing the fake svchost or smss services will cause Windows to reboot because it thinks they are vital system services
Just plain wrong. You can even kill legitimate svchost processes (they just host services) without rebooting. There are only a few processes which cause a reboot. You can't kill these without admin rights.
You seem set on the idea that multiple security patches for ".NET" means they're fixing the same thing over and over. Here's a tip:.NET is a big product. Multiple patches just might mean multiple security issues.
Take some classes or read some books or something. You really need to either educate yourself about Windows security or stop posting such incorrect FUD.
Wow, okay, let's take this slowly, piece by piece.
Wow, not just did you ignore most of the text in the advisory, but you dont know anything about how malware works either, do you?
I did read it, and I do understand.
Gee, adding things to the startup folder/registry means it might take what... two boots?
A standard user can only write to HKEY_CURRENT_USER. This key controls only their profile. So yes, malware run as a standard user can be set to run when that specific user logs in. Not upon machine startup.
to fully infect a machine with a piece of malware that has then gained full privileges?
Only if that user has administrative rights. If it was a standard user, then no, the malware did not magically gain more rights than the installing user had. That's why I asked about privilege escalation -- an exploit like that makes the situation much, much worse.
I've watched (on both Windows 7 and Vista) malware initiate itself using svchost and smss to, with admin privileges, install themselves with the same privileges.
Yes, it's common for malware to use existing system services to run. There are several methods from DLL injection, App_Init DLLs, remote thread creation, etc. However, ALL of these require administrative access. A process cannot play with system services unless it has rights to. A standard user cannot inject DLLs, write to shared memory, or do anything else to processes running with SYSTEM access unless the user itself has admin rights.
All it took, on a locked down machine, was a couple reboots.
There's nothing magic about rebooting Windows. Some registry keys aren't processed except at boot-time, but there are MANY ways to infect a machine with malware without rebooting the computer. Of course, these ALL require administrative rights.
So yeah, kernel mode drivers and full access may be worse, but in the end, it doesnt matter. The end results are the same.
No, they aren't. The results for malware infection via standard user and that via an administrator are drastically different, with the latter being terribly worse. A standard user's infection can be cleaned up in 5-10 minutes with ease. Simply deleting their user profile and creating a new one is the easiest method. Anyone can do it.
A machine that's been infected by somebody with administrative rights may as well be infinitely worse. Without taking the system offline and analyzing the hard drive in a separate computer (or maybe by booting to a different OS), you will never, ever know if the system is clean. Even offline analyzing isn't guaranteed to work unless you know of and can check every single infection vector, a very challenging task. You're almost always better off reinstalling the machine.
Thats inaccurate. A non-admin can very easily get infected with a userland rootkit with no exploits necessary.
It depends on your definition of "rootkit", I suppose. The term has been watered down drastically over the last few years with people using it to describe malware in general. If we take Wikipedia's word then:
A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. [...] Once a rootkit is installed, it allows an attacker to mask his intrusion while gaining root or privileged access to the computer.
If the installing user does not have administrative rights then it's not possible for a rootkit to gain those rights (failing the requirement of gaining privileged access). A standard user might somehow get a user-mode "rootkit" on the machine, but it will only have access to their files and other users will be generally unaffected (barring some other kind of exploit [such as the recent DLL loading issue]). This means that an administrator who logs onto the system will easily be able to see and remove the compromised user's "rootkit", thereby failing the other requirement of remaining hidden.
Google "n00bkit".
It appears to be a user-mode rootkit. If an administrator installs it, then I suppose it would qualify as a full-blown rootkit on the machine. However, if installed by a standard user it would just fall under "tricky malware". Only machines can be "rooted", not users.
Yeah, as I indicated, it's called "Windows Updates" - check it out sometime!
Perhaps now you see what I am talking about... if not, check your hotfixes/ Windows updates, read what they supposedly fix, then look at the similarities between the multiple attempts to fix the same damn issue over and over again.
So the answer is... No, you don't have any real sources. The generic description that comes with a Windows Update is just that -- generic. They all sound pretty much the same. Even the MS security bulletins like you linked to are usually pretty scant on details because they're designed to give an overview, not the nitty-gritty exploit information found elsewhere. I did look around Google for references to privilege escalation issues with.NET and didn't find anything.
If multiple updates which all say "This security update resolves two privately reported vulnerabilities in Microsoft.NET Framework and Microsoft Silverlight." has you convinced they've been trying to patch the same vulnerability for 10 years, then you have other issues.
As it stands, the specific vulnerability you point out doesn't even mention privilege escalation! It's also blazingly obvious what "Users whose accounts are configured to have fewer user rights on the system could be less impacted" means. If you don't have admin rights the worst thing the malware can do is put some entries in your startup folder/registry. If you're a full-on admin then we're talking kernel-mode drivers, raw disk access, machine-wide registry changes, the whole shebang. Big difference between the two.
...unless a serious rootkit gets installed with whatever piece of malware infected your machine while you were using it
A user without administrative access cannot install a rootkit.
Sadly,.NET is still broken. The exploits still affect all versions of the OS. The exploits still dont need the user to have admin rights. The exploits still bypass security measures on a locked down machine.
It sounds like you're talking about a local privilege escalation exploit, and those are usually patched pretty quickly. Do you have any examples or sources to back up that claim?
Good suggestion, but keep in mind that CC licenses are not designed to be used with software. As they say on their FAQ:
Can I use a Creative Commons license for software?
We do not recommend it. Creative Commons licenses should not be used for software. We strongly encourage you to use one of the very good software licenses which are already available. We recommend considering licenses made available by the Free Software Foundation or listed at the Open Source Initiative. Unlike our licenses, which do not make mention of source or object code, these existing licenses were designed specifically for use with software.
CC is a great set of licenses, but as they say, if you're dealing with software you're probably better off using one of the licenses designed with it in mind.
A GOP blogger-for-hire estimates that 'at least half the bloggers that are out there' on the Republican side 'are getting remuneration in some way beyond ad sales.''
And the bullshit meter goes off the scale! Half of the intersection between the sets of "Bloggers" and "Republicans" are being paid for their postings? Yeah, sure they are.
Even if the GOP (or the Dems for that matter) are dumb enough to pay for that kind of coverage, who cares? Advertising has become much more subversive lately anyway, and often times you have to try pretty hard to figure out if what you're seeing is even an ad or not.
Daily Caller finds a couple of obscure liberal bloggers to mention too, but they fully disclosed payment and one of them even shut down his blog while doing consulting work
Ah, what kind and honest people all liberals must be, and especially their bloggers and politicians!
Much of California, for example, in its infinite government insanity, will not allow you to live in a trailer even in a rural area.
Pretty simple, I think. California has enough problems on their plate with earthquakes and wildfires. They don't need additional natural disasters to worry about -- and everyone knows that trailer parks attract tornadoes.
Interesting. You have an unknown number of users accessing the video feeds for free. The system has equilibrium and is yet unstable (they might find out at any time and block everyone). Now enter one prisoner who rats out everyone else. The end result? That one individual gets a free legitimate account and free access to the video streams while everyone else has their access blocked.
Honestly? It sounds like Michael Coates is a little bit of a douche. A small handful of users accessing the stream for free doesn't really hurt anything and it's not like this was some serious security vulnerability. Reading his blog post, he makes it sounds more like he uncovered some huge security exploit. Truth is all he really did is save a somewhat inept third party development company a little bandwidth money.
He should have just waited until the conference was finished and then notified them for future reference. That way everyone clever enough to notice the exploit got their little bonus and the company learns its lesson. No real harm done.
As someone who's barely used Eclipse, but uses VS pretty much constantly, what am I missing out on?
There were lots of small things, none of which are huge individually, but which I missed when I went back to my normal work in VS. Some can be provided by addons to VS, but I never have good luck with those.
Here's a few I can remember:
Spell checking - built in and designed for code. For example, it's smart enough to see CamelCase as two words.
Along the same lines, using keyboard shortcuts like CTRL+Arrow keys to move between word boundaries can be set to see CamelCase as two words. This makes highlighting a logical part of a variable name or method really easy.
Subclasses which override a parent's method have little up arrows in the margin which can be used to instantly jump to the overridden method. There is a similar mechanism for interfaces.
Clicking any kind of text (variable, method, etc) will temporarily highlight all instances of that "word" in the current document. Makes it easy to see everywhere something is being used. Notepad++ has a similar feature.
The whole "quick fixes" system is pretty nice. Few examples: fix misspellings, automatically fix code warnings such as a never-read variable by removing all references to it. All done by hovering over various parts of the code and using the flyout menus.
Fast scrolling through a document by holding CTRL plus mousewheel scrolling.
Best for last: Jumping to class/interface/variable/method declaration and definition. You can do this in VS via F12, but in Eclipse if you hold the CTRL key down, any code element you mouse over will turn into a hyperlink which you can click to jump to it's definition/declaration. Fantastic feature. The only thing VS has over this is it's almost unique support for mouse forward and back buttons. It's really neat to be able to jump to a definition then hit the mouse's Back button to go back to the file/line you were previously on. The two features combined would be perfect:)
Slashdot Mirror
Stargate Universe is boooooring. I blame BSG.
No kidding. Stargate Universe is essentially House + BSG. It's just sad how much the Universe writers shamelessly rip off those two shows.
When they stop screwing around with the "background music montage" (aka House, aka "We don't know how to write a real ending for the episode so we'll just play music instead") and when they stop with the mind-numbing, shaky-cam filled "character-driven episodes" (aka BSG, aka "Writing interesting science fiction is hard, let's write a soap opera instead -- oh and shaky cam is hip and stylish!"), then the show isn't that bad. That said, I cannot believe how bad overall the 2nd season has been -- the subplot of Chloe turning into the alien thing has sucked up at least 15 minutes of every episode and it has contributed almost nothing to the plot since it was first mentioned.
It just seems like too many shows forget that developing good characters does not mean writing soap opera episodes. You can have interesting science and even some action while developing characters. BSG was very guilty of missing the ball on this one -- halfway through season 3 they should have just renamed the show All My Cylons.
I have played a pirated copy of Command & Conquer: Red Alert 2 for years.
I can vouch for TFA's claim.
I played RA2 quite the last year or two of high school with some friends in one of the computer labs. We ran into a problem though because the C: of the machines was re-imaged each night (via Deep Freeze). Ironically, the school wouldn't buy a full copy of Deep Freeze and relied on the trial version, which only let you Freeze one partition, and limited the size of that partition. Since the computers had extra room (as the D:\) we installed the game on there.
Unfortunately, the game's data in the Windows registry (stored on the C:) was erased each night and the next day when we went to play we'd see this exact behavior. Game would start fine and exactly 30 seconds in everything went boom.
I assumed the nightly wipe was part of it because it played fine until then. As a guess, I tried reinstalling the game and exported the entire RA2 registry key to a file. As long as we re-imported that file before playing each morning, the game would run fine.
No idea what the real mechanism is, but there you go.
This seems silly to me... why would Verizon care?
They shouldn't. That's what makes this such a non-story. The problem is that there are a lot of people ("editors" they call themselves, until they get to level 2 and become an "admin") who take Wikipedia waaay too seriously. Take this gem from TFA:
Verizon didn't seem to care. -- T. Canens
Are you kidding me? That idiot wasted hundreds of hours of admins time, spent all his free time libeling people, outer hundreds of Wikipedia editors by mass-creating hundreds of accounts the included their phone numbers (or so I've heard) and they don't care? What is wrong with those people? -- Access Denied
My biggest problem with Wikipedia is the direct source of stories like this. It's become a little pool and everyone is trying to be the biggest fish, for two reasons: First, that way they can create their own little kingdom of articles which they've "adopted", bullying people into a consensus which matches their own ideals/agenda. Second, they just want to feel important. Take that Access Denied fellow's name/signature thing for example. Bright red, obnoxious, disrupts the page flow, and yells to everyone, "Look at me, look at me!"
Wikipedia "editors" are such cute little things.
Will Diablo 3 be sticking with the new model of requiring people to use real names to interact with other players significantly, or are they introducing some kind of way for people to pick a nickname?
Blizzard actually just barely released changes which makes Real ID optional. I got an email yesterday from Blizzard explaining the change and showing how to make changes to your profile so that Real ID is disabled, or to prevent friends of your Real ID friends from also seeing your full name.
I was happy to see the change, but two things still bother me about it. Why did it take them months after the retail release of the game to implement this? It should have been clear from day one that such a feature has as much potential for bad as good and should obviously be optional. Second, why is it so hard to make these changes? You have to go to the Battle.net webpage, log in to your profile, go to "communication settings" (less than obvious) and make the changes there. Why can't it just be a simple option in the game clients?
It gets rid of a lot of developer headaches, including finding a place with high bandwidth mirrors for consumers to download and fetch updates.
Yes, Apple gets a 30% chunk, but IMHO, it is a good thing to have long term.
Wow, and people talk about the "Microsoft tax". How long until the only way to get software on your Mac desktop is via Apple's store and all Mac developers are required to pay a 30% tribute to Apple? And, since taxes are passed on to consumers, every time you as a customer buys an "app" from the store it's really you who's paying that insane 30%.
But that's beside the main point. Do you really thing most smaller developers can't find a place to host their website and software which costs less than 30% of all their sales? Keep in mind that most developers don't need Steam/Microsoft/Amazon levels of bandwidth.
Wow, so apparently TFS == TFA (which in turn is nothing but a copypasta of an AP release from earlier today. Is there really no more information on this? For example, how hot is too hot? My laptop gets pretty freaking hot sometimes and I'd guess a fair bit of that heat finds its way into the battery.
Doing some quick looking, I came across a study which exposed lithium batteries to fire and heat (PDF). On page 32-34 it says (paraphrased):
- Heated cells vent flammable electrolyte gas
- Cells begin venting at approx 470-500 Deg F
- The electrolyte gas occasionally exploded
due to hot surface ignition
- Cells produce a pressure pulse when venting
- As little as four cells can raise the pressure in a
sealed 10m cubed chamber by one psi.
Kind of interesting. It looks like I probably don't need to worry about my laptop's head igniting the battery, but it does sound like either some batteries are a lot more susceptible to heat, or airplane cargo compartments get really hot. I would guess a lot of other stuff doesn't like being stored at those kinds of temperatures either. A quick look indicates most plastics melt at about 300-450 degrees F. In fact, ABS plastic (usually used in laptop battery enclosures) melts even lower at 221 degrees F.
~500 degrees F is hot.
There's a beautiful video of the lifting of the tank at Motherboard.
Or, if you're like me and tired of sites embedding a YouTube video and calling it "content", you can go directly to the video source.
Besides, with embedded videos you miss out on the best part of YouTube -- all the great and insightful comments! :)
By the way, if you haven't seen the Red Letter Media Star Wars reviews yet, shame on you. At the least, set aside an hour and watch the Phantom Menace review. He goes above and beyond a normal video review (Menace is an hour, Clones is almost 90 minutes) explaining exactly why the movies fail so horribly.
The Star Trek movie reviews are also fantastic -- even better than the Star Wars ones, I think. Funny as hell, dead on the mark, and well worth the time to watch them.
Oh, I don't know. It sounds somewhat promising.
Maybe the plots and characters will actually have some depth in these new versions!
Because Firefox users have no need for flash or Ad blockers do they.
I presume you are implying that the reason people use Flash blocking tools is because all Flash content inherently needs to be blocked. This isn't true.
The overly-prevalent mindset on Slashdot that "Flash is evil", "Flash needs to die", and "Flash is only used for bad things" is just plain wrong and broken. Flash is used in many places to greatly enhance things beyond what browsers are normally capable of. Games are an obvious example, but other applications such as Google Finance and Amazon's song previews are simple but effective examples. As is usually the case, the technology itself isn't really good or bad, but what people do with it can be. And people, as a rule, are decidedly good at making technology do bad things.
This then leaves the question: Why do people block flash? Almost entirely it falls into two categories:
- Flash is used in the most perverse and annoying advertisements that contain video and audio and which load the CPU unnecessarily
- Flash has security concerns
Consider these. People champion HTML5 as some kind of messiah which will bring the end to Flash's evil reign. Okay, what would that result in? I'll give you a hint: HTML5 blockers. Why? Because soon we'll transition to:
- HTML5 is used in the most perverse and annoying advertisements that contain video and audio and which load the CPU unnecessarily
- HTML5 has security concerns
Personally, Flash doesn't really bother me, but that's largely because it can be controlled. I use NoScript, partially to block Flash, and that tamed beast can do useful work. I think most people who yearn for its demise either don't understand that the void Flash leaves behind will be filled with something (at least as "bad" as Flash, if not worse), or they're just mindless zealots regurgitating Jobs' claims.
In reality, I can really only think of a handful of "good" American studios, Bungie, Valve, Blizzard and BioWare. On the other hand, I can think of a lot of good Japanese studios which consistently make quality games, Namco, Square-Enix, Nintendo, Sony, etc.
I'm not a huge gamer, but I can easily add a few to that list: Bethesda, Obsidian, Epic, id, Infinity Ward. Some of these developers have waned a little recently or been acquired by some parent company, but they still produce some good games. Even going by a list on Wikipedia, there are only a few other Japanese companies I recognize (such as Konami and Capcom).
These days, I don't see a reason that Japan would be greatly superior at game development than any other country. Originally they had something of a head start in the industry (many consoles have been developed there), but any more there are many talented and experienced people all over the world. Any country which comes up with something new will initially be on top, but things will inevitably level out sooner or later.
Given the complete uselessness of the feature (as described in TFA), I always figured instant search as just being some bogus bling that Google can use to show how they're staying ahead of alternatives like Bing. Even phrases like "gone instant" reek of marketing slime.
The truth is that Bing, even with as few people around here that use it, really is working on keeping pace, or even surpassing Google in some areas. Microsoft's recent demos of their sliding and composited street-view, for example, were pretty impressive.
Hopefully Google has some real new features in store and hasn't fallen to relying on completely useless visual gimmicks to keep customers. Recently their work on improving search has been to make their text fields and buttons too big and to waste CPU cycles with stupid instant search. Whee.
Seeing as the Slashdot editor/submitter were too lame to include links themselves, I'll give you all a hand at, um, investigating these fine websites.
Aiplex
MPAA
I actually didn't think the Aiplex site was correct at first, just because of how awful it is. Maybe they got into the "anti-piracy" business because they failed so amazingly hard at website design.
This will be my last post in the thread because you clearly don't know what you're talking about and refuse to realize that.
Point is, they just fixed one that they think may bypass privileges.
Citation please.
Explain why .NET ClickOnce and other .NET exploits still infect machines that are locked down (up until Aug 10th supposedly).
Citation please.
Or perhaps, the malware authors will simply choose one of the other numerous attack vectors created by .NET's security holes. As has happened for almost the last 10 years with .NET and ActiveX.
They might. And maybe you could give a citation of a currently unpatched privilege escalation attack vector.
So, if a rootkit drops a piece of malware (hmmm, maybe named svchost or smss?) into a "secure" folder
If a standard user has write access to a "secure folder" it isn't very secure, is it? Oh, and the name of the file doesn't really matter.
maybe in the System Volume Information folder?
Administrator and/or SYSTEM rights are required to even read from that folder, let alone write to it.
does it matter that the account of the next person who logs in is a limited user account? Somehow I dont think so.
A user must have administrative rights to compromise a "secure folder". Administrators can (obviously) impact all users on the machine.
BTW, without going into technical details
Oh, please do. I'd love to see a single technical detail.
For instance, killing the fake svchost or smss services will cause Windows to reboot because it thinks they are vital system services
Just plain wrong. You can even kill legitimate svchost processes (they just host services) without rebooting. There are only a few processes which cause a reboot. You can't kill these without admin rights.
You seem set on the idea that multiple security patches for ".NET" means they're fixing the same thing over and over. Here's a tip: .NET is a big product. Multiple patches just might mean multiple security issues.
Take some classes or read some books or something. You really need to either educate yourself about Windows security or stop posting such incorrect FUD.
Wow, okay, let's take this slowly, piece by piece.
Wow, not just did you ignore most of the text in the advisory, but you dont know anything about how malware works either, do you?
I did read it, and I do understand.
Gee, adding things to the startup folder/registry means it might take what... two boots?
A standard user can only write to HKEY_CURRENT_USER. This key controls only their profile. So yes, malware run as a standard user can be set to run when that specific user logs in. Not upon machine startup.
to fully infect a machine with a piece of malware that has then gained full privileges?
Only if that user has administrative rights. If it was a standard user, then no, the malware did not magically gain more rights than the installing user had. That's why I asked about privilege escalation -- an exploit like that makes the situation much, much worse.
I've watched (on both Windows 7 and Vista) malware initiate itself using svchost and smss to, with admin privileges, install themselves with the same privileges.
Yes, it's common for malware to use existing system services to run. There are several methods from DLL injection, App_Init DLLs, remote thread creation, etc. However, ALL of these require administrative access. A process cannot play with system services unless it has rights to. A standard user cannot inject DLLs, write to shared memory, or do anything else to processes running with SYSTEM access unless the user itself has admin rights.
All it took, on a locked down machine, was a couple reboots.
There's nothing magic about rebooting Windows. Some registry keys aren't processed except at boot-time, but there are MANY ways to infect a machine with malware without rebooting the computer. Of course, these ALL require administrative rights.
So yeah, kernel mode drivers and full access may be worse, but in the end, it doesnt matter. The end results are the same.
No, they aren't. The results for malware infection via standard user and that via an administrator are drastically different, with the latter being terribly worse. A standard user's infection can be cleaned up in 5-10 minutes with ease. Simply deleting their user profile and creating a new one is the easiest method. Anyone can do it.
A machine that's been infected by somebody with administrative rights may as well be infinitely worse. Without taking the system offline and analyzing the hard drive in a separate computer (or maybe by booting to a different OS), you will never, ever know if the system is clean. Even offline analyzing isn't guaranteed to work unless you know of and can check every single infection vector, a very challenging task. You're almost always better off reinstalling the machine.
Hopefully that helps clear things up.
Thats inaccurate. A non-admin can very easily get infected with a userland rootkit with no exploits necessary.
It depends on your definition of "rootkit", I suppose. The term has been watered down drastically over the last few years with people using it to describe malware in general. If we take Wikipedia's word then:
A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. [...] Once a rootkit is installed, it allows an attacker to mask his intrusion while gaining root or privileged access to the computer.
If the installing user does not have administrative rights then it's not possible for a rootkit to gain those rights (failing the requirement of gaining privileged access). A standard user might somehow get a user-mode "rootkit" on the machine, but it will only have access to their files and other users will be generally unaffected (barring some other kind of exploit [such as the recent DLL loading issue]). This means that an administrator who logs onto the system will easily be able to see and remove the compromised user's "rootkit", thereby failing the other requirement of remaining hidden.
Google "n00bkit".
It appears to be a user-mode rootkit. If an administrator installs it, then I suppose it would qualify as a full-blown rootkit on the machine. However, if installed by a standard user it would just fall under "tricky malware". Only machines can be "rooted", not users.
Yeah, as I indicated, it's called "Windows Updates" - check it out sometime!
Perhaps now you see what I am talking about... if not, check your hotfixes/ Windows updates, read what they supposedly fix, then look at the similarities between the multiple attempts to fix the same damn issue over and over again.
So the answer is... No, you don't have any real sources. The generic description that comes with a Windows Update is just that -- generic. They all sound pretty much the same. Even the MS security bulletins like you linked to are usually pretty scant on details because they're designed to give an overview, not the nitty-gritty exploit information found elsewhere. I did look around Google for references to privilege escalation issues with .NET and didn't find anything.
If multiple updates which all say "This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight." has you convinced they've been trying to patch the same vulnerability for 10 years, then you have other issues.
As it stands, the specific vulnerability you point out doesn't even mention privilege escalation! It's also blazingly obvious what "Users whose accounts are configured to have fewer user rights on the system could be less impacted" means. If you don't have admin rights the worst thing the malware can do is put some entries in your startup folder/registry. If you're a full-on admin then we're talking kernel-mode drivers, raw disk access, machine-wide registry changes, the whole shebang. Big difference between the two.
...unless a serious rootkit gets installed with whatever piece of malware infected your machine while you were using it
A user without administrative access cannot install a rootkit.
Sadly, .NET is still broken. The exploits still affect all versions of the OS. The exploits still dont need the user to have admin rights. The exploits still bypass security measures on a locked down machine.
It sounds like you're talking about a local privilege escalation exploit, and those are usually patched pretty quickly. Do you have any examples or sources to back up that claim?
Good suggestion, but keep in mind that CC licenses are not designed to be used with software. As they say on their FAQ:
Can I use a Creative Commons license for software?
We do not recommend it. Creative Commons licenses should not be used for software. We strongly encourage you to use one of the very good software licenses which are already available. We recommend considering licenses made available by the Free Software Foundation or listed at the Open Source Initiative. Unlike our licenses, which do not make mention of source or object code, these existing licenses were designed specifically for use with software.
CC is a great set of licenses, but as they say, if you're dealing with software you're probably better off using one of the licenses designed with it in mind.
It's the thing recieving it that's interesting.
Exactly. It also might explain why the transmitter isn't secreted away in some little corner of Siberia but rather smack next to Moscow.
If the Kremlin goes poof nuclear-style, so does the transmitter.
A GOP blogger-for-hire estimates that 'at least half the bloggers that are out there' on the Republican side 'are getting remuneration in some way beyond ad sales.''
And the bullshit meter goes off the scale! Half of the intersection between the sets of "Bloggers" and "Republicans" are being paid for their postings? Yeah, sure they are.
Even if the GOP (or the Dems for that matter) are dumb enough to pay for that kind of coverage, who cares? Advertising has become much more subversive lately anyway, and often times you have to try pretty hard to figure out if what you're seeing is even an ad or not.
Daily Caller finds a couple of obscure liberal bloggers to mention too, but they fully disclosed payment and one of them even shut down his blog while doing consulting work
Ah, what kind and honest people all liberals must be, and especially their bloggers and politicians!
Careful there, your bias is unzipped.
Much of California, for example, in its infinite government insanity, will not allow you to live in a trailer even in a rural area.
Pretty simple, I think. California has enough problems on their plate with earthquakes and wildfires. They don't need additional natural disasters to worry about -- and everyone knows that trailer parks attract tornadoes.
Interesting. You have an unknown number of users accessing the video feeds for free. The system has equilibrium and is yet unstable (they might find out at any time and block everyone). Now enter one prisoner who rats out everyone else. The end result? That one individual gets a free legitimate account and free access to the video streams while everyone else has their access blocked.
Honestly? It sounds like Michael Coates is a little bit of a douche. A small handful of users accessing the stream for free doesn't really hurt anything and it's not like this was some serious security vulnerability. Reading his blog post, he makes it sounds more like he uncovered some huge security exploit. Truth is all he really did is save a somewhat inept third party development company a little bandwidth money.
He should have just waited until the conference was finished and then notified them for future reference. That way everyone clever enough to notice the exploit got their little bonus and the company learns its lesson. No real harm done.
As someone who's barely used Eclipse, but uses VS pretty much constantly, what am I missing out on?
There were lots of small things, none of which are huge individually, but which I missed when I went back to my normal work in VS. Some can be provided by addons to VS, but I never have good luck with those.
Here's a few I can remember:
Spell checking - built in and designed for code. For example, it's smart enough to see CamelCase as two words.
Along the same lines, using keyboard shortcuts like CTRL+Arrow keys to move between word boundaries can be set to see CamelCase as two words. This makes highlighting a logical part of a variable name or method really easy.
Subclasses which override a parent's method have little up arrows in the margin which can be used to instantly jump to the overridden method. There is a similar mechanism for interfaces.
Clicking any kind of text (variable, method, etc) will temporarily highlight all instances of that "word" in the current document. Makes it easy to see everywhere something is being used. Notepad++ has a similar feature.
The whole "quick fixes" system is pretty nice. Few examples: fix misspellings, automatically fix code warnings such as a never-read variable by removing all references to it. All done by hovering over various parts of the code and using the flyout menus.
Fast scrolling through a document by holding CTRL plus mousewheel scrolling.
Best for last: Jumping to class/interface/variable/method declaration and definition. You can do this in VS via F12, but in Eclipse if you hold the CTRL key down, any code element you mouse over will turn into a hyperlink which you can click to jump to it's definition/declaration. Fantastic feature. The only thing VS has over this is it's almost unique support for mouse forward and back buttons. It's really neat to be able to jump to a definition then hit the mouse's Back button to go back to the file/line you were previously on. The two features combined would be perfect :)
That doesn't sound more palatable at all. "You're about to be audited" in most contexts implies, "you're about to be harassed".
Well, to be fair, their first choice was assimilate, but they found out it has certain negative attributes attached to it.
I mean, "You will be assimilated" has a certain pleasant ring to it, don't you think?