Slashdot Mirror


User: mallardtheduck

mallardtheduck's activity in the archive.

Stories: 0
Comments: 218

Comments · 218

  1. Re:Oh great... on Full Review of the T-Mobile G1 Android Device · · Score: 1

    a) This phone is not aimed at the "average cell phone user".
    b) Any "virus" that needs to be downloaded and installed manually isn't going to spread very far. I expect that any security hole that allows a worm to spread will be closed fairly quickly.
    c) Symbian, Windows Mobile, and even J2ME already have the possibility of such nefarious applications being developed, but I am not aware of any such instances, despite having had Symbian-based phones for the last ~2.5 years and having recently switched to Windows Mobile.

  2. Re:Grrr... on Two Trojans For Mac OS X · · Score: 1

    But that won't stop a trojan from installing a spambot (since a normal user still needs permission to send emails) or stealing the user's data (since a normal user still needs access to their files and access to the internet).

    What's really needed is a change from the "any program can do anything that the user can do" paradigm. Unfortunately, this can't be done without restricting the functionality of legitimate programs.

  3. Re:Grrr... on Two Trojans For Mac OS X · · Score: 2, Interesting

    However, once you have convinced the user to download and attempt to run the program, it is a short step to getting them to approve administrator access.

    By "seriously limiting the functionality of legitimate programs" I was referring to systems such as Bitfrost which, while providing strong protection against Trojans, also makes certain classes of application almost impossible to implement (i.e. a mass Flickr uploader or an FTP client).

  4. Re:Vista? on Cool/Weird Stuff To Do On a Cluster? · · Score: 2, Interesting

    You may laugh, but Mac OS X Panther (2003) ran just fine on a 500Mhz processor with 256MB RAM and a Rage 128, although its install size was more than 500MB and the installer was more complicated than dd.

    I know 2003 was quite a while ago, but it just goes to show that modern OSs don't have to require GBs of RAM and multi-core multi-GHz processors.

  5. Grrr... on Two Trojans For Mac OS X · · Score: 5, Insightful

    The ARDAgent vulnerability is pretty serious and stupid, but social engineering is not OS specific. The "poker game" could just as easily be implemented on Windows or Linux.

    There is nothing that any OS can do to prevent trojans. (At least not without seriously limiting the functionality of legitimate programs.)

    Slashdot's own summary of the ARDAgent vulnerability included a "proof-of-concept"; it is trivially easy to exploit and should be fixed ASAP.

    There is no news here.

  6. Re:You say: "Defense"... on Pentagon Wants Kill Switch For Planes · · Score: 1

    So trains are unattractive for would-be terrorists (you can bomb a passenger train, but it's more or less the same as bombing a crowded restaurant), and not a major problem for similar reasons. I think the residents of Madrid and London would disagree there.

    Bombing trains, especially mass-transit systems, can cause severe disruption. The psychological effects are also a factor (especially with London, where it plays on our natural fear of confined spaces and with the tube being a major symbol of London).

    Hell, I was uneasy the first time I used the tube after 7/7 and that was more than a year later.

  7. Re:If it is like their website on Open Source Killing Commercial Developer Tools · · Score: 1

    >As for the IDE, I gave the video a quick watch (using the 'no frills' version that had frills like page turn effects for no real reason) and nothing stood out. In fact things like "be constantly pestered by conversations within your IDE, not another window that you can hide" seem like a big negative.

    I second this. In addition, I found the "multiplayer code editing" feature hilarious. Like that's not going to degenerate into real-time wikipedia-style edit wars within about 5 minutes. How on earth you get working code out of something like that I have no idea.

  8. Re:WEP Keys on What Examples of Security Theater Have You Encountered? · · Score: 1

    WEP does have a viable purpose however, it "marks" the network as "private".
    Thus, if somebody used a WEP-protected network without permission (no matter how easy that is) they can be prosecuted for computer hacking, but if they use an unprotected network they can legitimately say that they had no idea that it was private, especially if other circumstances support it (such as being in range from a place that does offer free wifi or having an SSID like "Open Access", etc).

  9. Re:Great Analogy Bill! on Bill Gates On the GPL — "We Disagree" · · Score: 1

    I don't think you really understand just how poor some people (the people who get/spread AIDS) are in Africa (and other places where it is spreading). Spending even $.05 for a condom every time they have sex is more than they can afford (assuming they can even find someone willing to sell them and that they even wanted to use one - a social problem).

    Whose fault is this? Partly the people themselves who do the actual spreading of the disease, often fully aware of this fact, partly the governments who do nothing, partly the foreign governments/NGOs/corporations who act to keep these countries poor, partly the religious organisations that condemn the use of contraception (mainly The Roman Catholic Church).

  10. Re:That explains it! on Bill Gates On the GPL — "We Disagree" · · Score: 1

    And while we are at it, I would also love decent 3D graphics acceleration and ability to use more than one monitor (actually working, not like that stuff called something like xinareama ).

    This is actually possible, with the nVidia binary drivers, nVidia's config app even lets you set it up without having to manually edit xorg.conf.
    My EEE PC (Intel GMA) running Xubuntu is also happy with 3D on an (auto-detected) secondary monitor, so I guess you've got an ATi card?

  11. Re:WPA and Linux how to on Bill Gates On the GPL — "We Disagree" · · Score: 1

    "16-bit cardbus" does not exist, you mean plain PCMCIA (cardbus is a 32-bit extension to PCMCIA).
    Secondly, there are 16-bit, PCMCIA, Wifi adapters that work with Windows 95 (I've used them), the old Orinoco and Prism chipsets for instance (and they are also supported by Linux).

    Using an ethernet-to-wifi setup is a workaround. Easy-to-use linux Wifi tools suck (but at least they exist, I've yet to see a comprehensive GUI for bluetooth for instance).

    NetworkManager: No support for roaming. Doesn't properly handle wifi adapters that can be turned on/off or removed. Causes system to hang while it searches for the preferred network on boot.
    Wifi Radar: No WPA support. Never connects first time on my system, sometimes refuses to connect at all without help from the command line.
    Wireless Assistant: WPA support does not work (for me), had to write a wpa_supplicant configuration file manually and set it to run wpa_supplicant before connecting.

    Seriously, how hard is it to write a decent GUI wrapper for iwlist, iwconfig and wpa_supplicant?!

  12. Re:1.3 billion on EU Fines Microsoft $1.3 Billion · · Score: 5, Informative

    As I understand it, fines issued by the EU go to EU member states.

    I also don't understand why the size of the fine "clearly" indicates that people are lining their pockets. This is not the largest fine ever issued. (ExxonMobil was fined $5 Billion for Exxon Valdez, later halved, but so far not paid.)

  13. Re:Which one? on The Great Microkernel Debate Continues · · Score: 1

    Having all services running in the same address space does not disqualify a system from being a microkernel. Otherwise it would be impossible to implement one on hardware that doesn't support virtual addressing.

    Since Minix pre-v3 could run on the original 8086, which lacks any form of virtual addressing, memory protection or even privilege levels, it is obviously possible to implement a microkernel on such a system.

    Thus, Mac OS X/Darwin could be considered a microkernel-based system as could Windows NT to a certain degree.

    There is no definite boundary between a microkernel and a monolithic kernel, it is more of a scale where a system can be more microkernel-like or more monolithic.

  14. Re:Isn't that an oxymoron? on Open Source DRM Solutions? · · Score: 1

    In the case of your server, it is the physical security that is keeping things secure, *not* the DRM.

    However, if one of the document display units is hacked, what stops it from printing?
    Even if the server validates the signature of the application, how can the server be sure that the signed application is the one actually running?
    If you ask the OS for the signature, how can you be certain that the OS hasn't been modified?
    If you ask the hardware, how can you be certain that the hardware hasn't been hacked? (Since a TPM chip is simply the equivalent of closed source software running on a dedicated microprocessor.)

    DRM is simply this:
    1) Give application/user encrypted data.
    2) Give application encryption key.
    3) Rely on restrictions implemented in the application to prevent the key or decrypted data from being used in "unauthorised" ways.

    If the application is open source, you cannot rely on the application. You can't stop somebody from modifying it to do whatever they want, including dumping the decrypted data or key to disc.

  15. How about using .Net? on Microsoft Says VBA Is Here To Stay · · Score: 3, Insightful

    What I would like to see would be a .net based macro system in Office. Something where we could write macros in VB, C#, Python, or any other CLR language.

    Since .Net has built-in support for different trust levels, code signing, etc., security should be more manageable.

    Most of the work is in fact already done. The Microsoft.Office.* hierarchy already exists in .Net, all that is really needed is a way to embed .Net code in MS Office documents.

  16. Re:Eight different versions of Windows Server on MS Drops Licensing Restrictions from Web Server 2008 · · Score: 4, Funny

    Actually, there are 4 (consumer) editions of XP: Home, Pro, MCE, Tablet.
    That means there will be either 8 or 9 editions of Windows 7, depending on whether it is a geometric or arithmetic progression.

    If we attempt to count Windows 2000 (1 desktop, 3 server editions, according to Wikipedia), then we get 1, 4, 6 for desktop versions and a resulting polynomial formula of 0.5(x^2)+4.5x-3 (where x is 1 for 2000, 2 for XP and 3 for Vista) meaning Windows 7 will have (if we take x as 4) 23 editions.
    If we instead use x=version no. (5 for 2000, 5.1 for XP and 6 for Vista) then we get the formula -27.778(x^2)+310.56x-857.33 then Windows 7 would have -44.532 editions.

    For servers, 1, 2, 3 numbering gives a formula of -2.5(x^2)+12.5x-7 with Server 7 having 3 editions. With version numbering (and assuming that Server 2008 releases with a 6.0 version number), we get -25(x^2)+280x-772 and Server 7 having -37 editions (assuming it has 7.0 version number).

    However, it is best to disregard formulas with negative x^2 coefficients, since they will all eventually result in negative values, therefore 23 versions of Windows 7 seems the most reasonable answer here, unless we take negative edition counts as complete Microsoft failure (CMF).

  17. Re:"Illegal and Improper" on Microsoft Withdraws Vista's Kill Switch · · Score: 2, Interesting

    Firstly, English is imprecise. It is not a programming language.
    Secondly, the quote said:

    Microsoft said it had [...] taken down more than 50,000 "illegal and improper" online software auctions.'"

    Because English is imprecise, that can have multiple valid meanings.

    If we break the sentence down we could get:
    Microsoft said it had [...] taken down more than {50,000 [("illegal) and (improper")]} online software auctions.'"
    Meaning a number of illegal auctions were taken down and a number of improper auctions were taken down. The total is more than 50,000.

    Equally, we could get:
    Microsoft said it had [...] taken down more than {50,000 ("illegal and improper")} online software auctions.'"
    Meaning more than 50,000 auctions that were both illegal and improper were taken down.

    Note that either makes sense. Saying "More than 100 men and women ran in the race." does not mean "More than 100 entities that are both men and women ran in the race." It means "A number of men ran and a number of women ran. The total is greater than 100."

    Since the line was written by PR people, who are notorious for twisting the meaning of language and, in the second interpretation, the word "improper" adds no meaning (since, implicitly, illegal => improper), I am inclined to believe that the first meaning was the one meant.

  18. "Illegal and Improper" on Microsoft Withdraws Vista's Kill Switch · · Score: 2, Interesting

    Microsoft said it [...] [has] taken down more than 50,000 "illegal and improper" online software auctions.'

    So that means that Microsoft have been getting perfectly legal auctions taken down because they deem them "improper" then.

  19. Re:Strategic Blunder, Missed Opportunity on First iPhone 3rd Party GUI App Compiles · · Score: 1

    The only reason that the printer ports on old Macs are different to those on PCs is because they date back to the original Mac.
    Back then there were many different incompatible computers with no clear market leader. Every computer had its own ports.

    They did not require you to buy "special Apple printers". Although Macs initially only shipped with drivers for Apple printers (later Macs also included drivers for HP printers). The serial ports were RS-232 compatible, so, with an adaptor and the correct drivers, any serial printer could be used. Parallel printers could be used with a more expensive serial-to-parallel adaptor.
    Network printers could also be used where the print server supported AppleTalk (most Unices, Windows NT and Macs of course).

  20. Re:I've said it before and I'll say it again on Apple Safari On Windows Broken On First Day · · Score: 1

    Because they haven't released Safari 3 (beta) for Mac (yet).
    This is a Windows port of a currently in development product, expect bugs.

  21. Re:Freedom of information act may already cover th on Anti-DRM Activists Take On the BBC · · Score: 1

    I second the aggressiveness point. Being a university student (who doesn't own a TV), I am constantly being sent letters from the licencing authority (who are not the BBC).
    They tell you that you are 'under investigation' and that they will visit your premises (yet to see that happen) unless you send them a letter and arrange for them to visit(!) to verify your lack of equipment.

    The letter states that potentially licence-requiring equipment includes 'PC with a Broadcast card' and 'Mobile Phone' - the wording of the PC statement seems to deliberately use incorrect terminology to confuse (everybody else calls it a TV Tuner), the mobile phone statement is just as bad, since I have only seen one model of handset capable of receiving TV in this country, plus devices that are powered solely by their internal batteries at the time of receiving TV are exempt.

  22. Re:Unfair contracts act in UK on Man Sues Gateway Because He Can't Read EULA · · Score: 1

    IANAL, but I don't see anything there that would exclude software.

    It does exclude patent and copyright licences, but EULAs are neither of those (explicitly so in most cases), they are simply a "use licence" which should be covered under the act.

  23. 300 Times per day = 12 seconds of film on Spy Drones Take to the Sky in the UK · · Score: 1

    Note that being photographed 300 times per day amounts to being within range of a security camera for ~12 seconds (camera at ~25fps).
    Seeing as it could take about that time to walk past a camera, it doesn't sound like very much surveillance at all.

  24. Re:"Security" does not exist! on Security Isn't Just Avoiding Microsoft · · Score: 1

    Some definitions:

    Worm: A virus that spreads over a network without help*. Exploits in an image processing library cannot be used to spread a worm (unless you have some kind of network service that accepts image data for processing). Thus, no listening network ports, no worms can get in (unless they can find an exploit in the TCP/IP stack).
    *By 'without help' I mean that the user does not have to initiate the infection, eg by visiting a malicious website or opening an email/attachment.

    TCP/IP Stack: The software necessary to allow applications to communicate over TCP/IP. This includes the interface driver (Ethernet is not the only network system that uses TCP/IP) and other software such as the protocol drivers (inc. "IP Driver", but also drivers for TCP, UDP, IGMP, ICMP, etc) as well as application libraries such as Sockets.

  25. Re:Not exactly on Security Isn't Just Avoiding Microsoft · · Score: 1

    Because the C standard libs are governed by a standards authority.
    If you want to call your C library ANSI compliant, then you *must* have strcpy. This affects *all* operating systems.
    Maybe ANSI/ISO will make a "Secure C" standard or something that removes it, but until then, it *cannot* be removed (although the documentation could be replaced with "DO NOT USE THIS FUNCTION, use strncpy" or something to discourage use).