You laugh but i recently dug up 14 floppies of the original Windows 95 release, thats pre-SP1 (which was only released months later). It totals 21mB's and i'm tempted to install it for fun.
The IE5 SP2 package (weighing in at 84.4mB it was the version of IE before IE6) still gets Windows 95 users access to windows update I believe, just no water running in them pipes now.
Add/Remove Programs -> Remove the unofficial hotfix first and then reboot, this'll totally clear the unofficial hotfix from memory (it's a runtime patch not an on disk fix).
So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.
The MS patch removes the call in the WMF rendering engine that calls the gdi32 Escape() function with the SETABORTPROC parameter. The 3rd party runtime patch thats been around 'for a week' killed the Escape() function's ability to receive the SETABORTPROC procedure in _all user32.dll bound applications_ called by _anything_ for _any purpose_, 'breaking' more than just the WMF rendering caller.
Microsoft couldn't have done any better because this wasn't a coding error like a buffer overflow, it was an ancient long forgotten genuine feature.
Even with the latest MPEG-4 AVC/H.264 encoding if you want guaranteed quality at DVD resolution (720x576/480) you're going to need a bitrate of about 2 Mbps (megabits per sec), just as a ballpark figure. 1080i has a resolution of 1440x1080 (i'm looking these figures up quick, there are all sorts of complexities like effective res and stuff i don't really follow).
So compared to PAL DVD you're looking at a pixel, and let's assume bitrate, factor of 3.75. That puts you back up to 7.5 Mbps, which on an 8.5 GB dual layer DVD google informs me...
(8.5 gigabytes) / (7.5 (megabits per second)) = 2.57896296 hours = 2 hours and ~35 minutes.
So yes it is feasible to squash a 1080i film onto a DVD disc, but it doesn't leave much breathing room once you take into account my horrible estimations and assumptions, which no doubt work against a happy result.
And of course there's the issue that for the average computer user who don't have any blackhats after them, Linux, BSD or OS X is going to a lot more secure in a practical sense just because they aren't the main target.
So 'security through obscurity' (i'm beginning to dislike that phrase) is fine when you're not 'the main target' and hence works to Linux's advantage but it's not OK, at the same level, for Windows to make it more difficult to find vulnerabilities in the first place by not revealing it's source code?
It's been said by a few that there are more black hats out there than white hats looking for vulnerabilities, and for Windows thats probably maybe just possibly true. Maybe people should consider the possibility that, of course, from a theoretical standpoint, being closed source has a strong negative effect on Window's security but in practice, all software by it's nature contains abuse-able features, bugs and vulnerabilities from day one, and while such a black/white hat imbalance exists, given Window's domination of the market, maybe it is just better for all of us to have them difficult to find.
Writing a free modern and upto date operating system without bugs and vulnerabilities is just not feasible. If you took a year, feature locked the Linux kernel, and got every single contributor to scrounge through the code tightening it up, you're still, almost definately, going to still end up with a vulnerable system, although it would be very very difficult find such a hole and exploit it. The 'obscurity' or difficulty in seeing the holes in this scenario has only been increased, but so has the overall genuine security of the kernel.
The debate is:
The benefit of rapid open source response to vulnerabilities (Will Microsoft ever be able to match this? Probably not)
vs.
The benefit of Windows binary vulnerabilities being 'harder' to find than in open source code audits (and it's unclear just to what extent this is true)
Or maybe the real question is, 'Is security tangible?'
I don't think this debate can be closed conclusively until Linux and Windows have a 50/50 share of the market and, more importantly, a 50/50 split in the comparable effort (in (wo)?man-hours?) going into finding holes. There are too many variables to consider.
Personally though, I think Linux has the more important edge, I can always download some kludge of a.patch file and recompile the broken component. Although, it has been demonstated with the current WMF hole that once a binary vulnerability has been discovered in Windows, unofficial kludge fixes and workarounds can be put out, however rare these may be.
BTW, it also looks clear that it's going to be closed source. After the kinds of experiences people have had with closed-source p2p clients on Windows installing spyware...
This just struck a cord with me, as an extension this software will have complete access to everything you do in your browser. The installation of spyware (unlikely given the publicity) is a bit moot.
I actually do use Opera which has an e-mail client and an IRC client built right, but neither feature of which I actually use. I of course visit webpages, in tabs under the Opera process, that load videos inline but only as a matter of convenience. I often push inline videos to the external equivalent player (For instance, when viewing 'Man stroke Woman' on the BBC site, excellent by the way for UK readers). I've also used Opera's built in BitTorrent client (in the snapshot build's), but very tentatively for unimportant leeching.
Perhaps, all things considered, the slight sluggishness of Firefox combined with the sluggishness of some P2P apps, in my mind is just making me feel rather queezy?
I can't really see AllPeers being integrated into my browser as being more convenient than an external program.
Looks like a load of hype to me. I've never been a fan of mergin applications into "suite"'s or such. I don't even like media player's in my P2P apps, too many bad experiences with fudged partial videos or mp3/ogg's trashing the process.
Give me simplicity without the unnecessary integration.
From grandparent: At this moment however systems are fast enough to process current video data faster than realtime.
From parent: Pretty much any new machine you buy nowadays will have enough CPU to decode 1080i in realtime.
Have either of you tried 1080i MPEG-4/AVC playback? Your average entry level PC these days is probably an AMD64 3000-3500 or a low-end-ish P4 (The Intel model numbering scheme is fudge and I can never be bothered to get to grips with it, I think I should). From what i've been reading on doom9.org, and from my own tests, these machines just can't hack it at the moment.
Localisation and verion mismatch shouldn't be an issue. I was not inferring to distribute a pre-patched library, just doing the exact same match-and-patch procedure once on the gdi32.dll file should have the same success rate.
Matching the actual library file _could_ leave your OS cripped (as no doubt core Windows ignores the hook used but would have to take a hard patched GDI) but then again it might not. Personally I think it'd have been a cleaner and more efficient solution, and the uninstall/install operation wouldn't have been any harder to my knowledge.
I'm not trying to poke at the patch author or anything, the guys obviously an asm demon, i'm just curious as to why he chose the runtime patch over a more traditional patch. So my question really is, was the runtime solution just chosen for safety?
Why an in memory/runtime patch? Personally i would have probably gone for hexediting gdi32.dll and would have dumped a backup to gdi32.old. Microsoft will most likely replace this file when a hotfix arrives.
The user32.dll envoked hook this hotfix DLL uses doesn't effect the core operating system (only applications), thus not fucking with the core OS, correct? If so doesn't this _still_ leave the hole open for some windows components or apps that are deliberately designed not to link with user32.dll?
Well the cost of customers having viruses and spyware maybe but not the license:-)
Some of the time thats the fault of the OEM's. Some even come with (spy|crap)ware out of the box ffs. A friend of mine recently bought a cheap OEM machine which had SP2 installed just fine, but not a single hotfix since. Spybot S&D found several (albeit minor) issues straight away.
Worse still is most OEM's give you a rubbish recovery disc that restores this poor condition, with no Windows disc to be found. (I always use Magic Jelly Bean's keyfinder, to find the CDKEY used by the OEM, and burn off an XP OEM disc myself, with SP2 and all the post-SP2 hotfixes slipsteamed using nLite. For my friend I also made his disc as unattended as possible and included some useful batch files and drivers)
If you want to avoid the second issue you mentioned you have to goto a small time box builder that'll give you a quality installation, unfortunately I suspect you're going to get hit with the real cost of the Windows license.
Running "entirely unique code"? Lmao. More like "running an operating system the bad guys can't be arsed with yet because it has less market share than what's produced when Microsoft passes wind".
Running as a limited user doesn't prevent the user from executing something malicious, something setting itself up to run on startup, a key logger or other trickware reporting home, or anything that exploits Windows from effecting other user accounts via elevated priveleges.
More importantly it doesn't help protect any of your data (which will have been created and therefore accessible as said limited user).
Whether your machine get's hosed is a bit moot, spyware and malware does the worst of it's damage by exploiting the user, not the machine.
Oh I almost forgot...SquirrelMail uses frames...oh wonderous frames. If you click 'check mail' in the left/folder frame while you're composing a message using the nice clean interface in the right frame and the whole IMAP tree will reload to show you the number of new messages you have in all of your folders. Middle click such a folder to see your messages in a new tab or window, all without interrupting what you were doing.
Try doing that with Google Mail. Despite all the AJAX there just isn't a way to refresh your inbox to see if you have new email while composing or reading a message. Maybe it polls automatically? But how can I be sure?
Try setting up a filter while half way through composing a message on GMail. AJAX really doesn't help you do things the way you as the user want to do them.
SquirrelMail: your script seems to have the momentum of a runaway freight train. Why are you so popular?
I recently switched back to a fast reliable IMAP provider that provides SquirrelMail, Horde, and Roundcube. Roundcube is OK, fresh and sort of fast but still buggy and featureless. Horde is horrible.
SquirrelMail can be made to look good, really it can. The penguin theme that comes with SqM 1.5 (I think) is pretty attractive, I like hierarchical folders over labels, I like actual links that let me open up messages in new tabs or windows and view their source, I like the sieve script rule editor, and I think the whole thing looks less crowded and much more minimalistic than Gmail. And i'm pretty sure messages load faster to boot.
SquirrelMail is popular because it works the way you expect it to work and doesn't try to be more fancy than necessary. Hope that answers your question.
If that simple webpage (presumeably not sensitive or particuarly important) is part of a domain, and on another subdomain of said domain a more critical page sets "thedomain.com" as the domain part of it's cookies, it becomes trivial to read these cookies (if the user has any) and send the data somewhere sinister.
There are many ways it can become dangerous, most of the time these exploits are compounded to cause a serious problem and don't work alone.
It shouldn't all be down to web developers though (you have to take your security into your own hands sometime). A really proactive antiphishing enabled web browser would alert the user when part of the query string in an url from an offsite referrer is about to be used in the receiving page by javascript. This of course, wouldn't solve server side XSS attacks, but it'd be a nice start.
Slashdot Mirror
I know your comment is both off topic and just plain silly but the correct conversion between deg F and deg C is F=(C*1.8)+32
shouldn't that be '1.44st post'...the mind is torn between math and grammar.
You laugh but i recently dug up 14 floppies of the original Windows 95 release, thats pre-SP1 (which was only released months later). It totals 21mB's and i'm tempted to install it for fun.
The IE5 SP2 package (weighing in at 84.4mB it was the version of IE before IE6) still gets Windows 95 users access to windows update I believe, just no water running in them pipes now.
Add/Remove Programs -> Remove the unofficial hotfix first and then reboot, this'll totally clear the unofficial hotfix from memory (it's a runtime patch not an on disk fix).
THEN install the official patch.
So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.
The MS patch removes the call in the WMF rendering engine that calls the gdi32 Escape() function with the SETABORTPROC parameter. The 3rd party runtime patch thats been around 'for a week' killed the Escape() function's ability to receive the SETABORTPROC procedure in _all user32.dll bound applications_ called by _anything_ for _any purpose_, 'breaking' more than just the WMF rendering caller.
Microsoft couldn't have done any better because this wasn't a coding error like a buffer overflow, it was an ancient long forgotten genuine feature.
Even with the latest MPEG-4 AVC/H.264 encoding if you want guaranteed quality at DVD resolution (720x576/480) you're going to need a bitrate of about 2 Mbps (megabits per sec), just as a ballpark figure. 1080i has a resolution of 1440x1080 (i'm looking these figures up quick, there are all sorts of complexities like effective res and stuff i don't really follow).
So compared to PAL DVD you're looking at a pixel, and let's assume bitrate, factor of 3.75. That puts you back up to 7.5 Mbps, which on an 8.5 GB dual layer DVD google informs me...
(8.5 gigabytes) / (7.5 (megabits per second)) = 2.57896296 hours = 2 hours and ~35 minutes.
So yes it is feasible to squash a 1080i film onto a DVD disc, but it doesn't leave much breathing room once you take into account my horrible estimations and assumptions, which no doubt work against a happy result.
So 'security through obscurity' (i'm beginning to dislike that phrase) is fine when you're not 'the main target' and hence works to Linux's advantage but it's not OK, at the same level, for Windows to make it more difficult to find vulnerabilities in the first place by not revealing it's source code?
It's been said by a few that there are more black hats out there than white hats looking for vulnerabilities, and for Windows thats probably maybe just possibly true. Maybe people should consider the possibility that, of course, from a theoretical standpoint, being closed source has a strong negative effect on Window's security but in practice, all software by it's nature contains abuse-able features, bugs and vulnerabilities from day one, and while such a black/white hat imbalance exists, given Window's domination of the market, maybe it is just better for all of us to have them difficult to find.
Writing a free modern and upto date operating system without bugs and vulnerabilities is just not feasible. If you took a year, feature locked the Linux kernel, and got every single contributor to scrounge through the code tightening it up, you're still, almost definately, going to still end up with a vulnerable system, although it would be very very difficult find such a hole and exploit it. The 'obscurity' or difficulty in seeing the holes in this scenario has only been increased, but so has the overall genuine security of the kernel.
The debate is:
Or maybe the real question is, 'Is security tangible?'
I don't think this debate can be closed conclusively until Linux and Windows have a 50/50 share of the market and, more importantly, a 50/50 split in the comparable effort (in (wo)?man-hours?) going into finding holes. There are too many variables to consider.
Personally though, I think Linux has the more important edge, I can always download some kludge of a
I would have thought it's a good idea to turn off the display of PHP errors and make sure log_errors is on, as well.
Not only is the site totally b0rked, but so are the caches because of this.
This just struck a cord with me, as an extension this software will have complete access to everything you do in your browser. The installation of spyware (unlikely given the publicity) is a bit moot.
I actually do use Opera which has an e-mail client and an IRC client built right, but neither feature of which I actually use. I of course visit webpages, in tabs under the Opera process, that load videos inline but only as a matter of convenience. I often push inline videos to the external equivalent player (For instance, when viewing 'Man stroke Woman' on the BBC site, excellent by the way for UK readers). I've also used Opera's built in BitTorrent client (in the snapshot build's), but very tentatively for unimportant leeching.
Perhaps, all things considered, the slight sluggishness of Firefox combined with the sluggishness of some P2P apps, in my mind is just making me feel rather queezy?
I can't really see AllPeers being integrated into my browser as being more convenient than an external program.
Looks like a load of hype to me. I've never been a fan of mergin applications into "suite"'s or such. I don't even like media player's in my P2P apps, too many bad experiences with fudged partial videos or mp3/ogg's trashing the process.
Give me simplicity without the unnecessary integration.
From grandparent:
At this moment however systems are fast enough to process current video data faster than realtime.
From parent:
Pretty much any new machine you buy nowadays will have enough CPU to decode 1080i in realtime.
Have either of you tried 1080i MPEG-4/AVC playback? Your average entry level PC these days is probably an AMD64 3000-3500 or a low-end-ish P4 (The Intel model numbering scheme is fudge and I can never be bothered to get to grips with it, I think I should). From what i've been reading on doom9.org, and from my own tests, these machines just can't hack it at the moment.
Let us pray for optimisation.
Maybe they could evolve on the rock they hit us with...i mean that hit's us?
I for one welcome our new rock steering wormy overlords.
Localisation and verion mismatch shouldn't be an issue. I was not inferring to distribute a pre-patched library, just doing the exact same match-and-patch procedure once on the gdi32.dll file should have the same success rate.
Matching the actual library file _could_ leave your OS cripped (as no doubt core Windows ignores the hook used but would have to take a hard patched GDI) but then again it might not. Personally I think it'd have been a cleaner and more efficient solution, and the uninstall/install operation wouldn't have been any harder to my knowledge.
I'm not trying to poke at the patch author or anything, the guys obviously an asm demon, i'm just curious as to why he chose the runtime patch over a more traditional patch. So my question really is, was the runtime solution just chosen for safety?
Disregard the last bit about apps 'deliberately' not linking to user32.dll, wasn't thinking. Rest of my comment still stands :)
Why an in memory/runtime patch? Personally i would have probably gone for hexediting gdi32.dll and would have dumped a backup to gdi32.old. Microsoft will most likely replace this file when a hotfix arrives.
The user32.dll envoked hook this hotfix DLL uses doesn't effect the core operating system (only applications), thus not fucking with the core OS, correct? If so doesn't this _still_ leave the hole open for some windows components or apps that are deliberately designed not to link with user32.dll?
It's default behaviour.
Well the cost of customers having viruses and spyware maybe but not the license :-)
Some of the time thats the fault of the OEM's. Some even come with (spy|crap)ware out of the box ffs. A friend of mine recently bought a cheap OEM machine which had SP2 installed just fine, but not a single hotfix since. Spybot S&D found several (albeit minor) issues straight away.
Worse still is most OEM's give you a rubbish recovery disc that restores this poor condition, with no Windows disc to be found. (I always use Magic Jelly Bean's keyfinder, to find the CDKEY used by the OEM, and burn off an XP OEM disc myself, with SP2 and all the post-SP2 hotfixes slipsteamed using nLite. For my friend I also made his disc as unattended as possible and included some useful batch files and drivers)
If you want to avoid the second issue you mentioned you have to goto a small time box builder that'll give you a quality installation, unfortunately I suspect you're going to get hit with the real cost of the Windows license.
Running "entirely unique code"? Lmao. More like "running an operating system the bad guys can't be arsed with yet because it has less market share than what's produced when Microsoft passes wind".
Running as a limited user doesn't prevent the user from executing something malicious, something setting itself up to run on startup, a key logger or other trickware reporting home, or anything that exploits Windows from effecting other user accounts via elevated priveleges.
More importantly it doesn't help protect any of your data (which will have been created and therefore accessible as said limited user).
Whether your machine get's hosed is a bit moot, spyware and malware does the worst of it's damage by exploiting the user, not the machine.
Wouldn't the closest thing to that be BSD? ..:)
http://www.cooltechzone.com/index.php?option=conte nt&task=view&id=2108
Please please please tell me this is wrong.
Oh I almost forgot...SquirrelMail uses frames...oh wonderous frames. If you click 'check mail' in the left/folder frame while you're composing a message using the nice clean interface in the right frame and the whole IMAP tree will reload to show you the number of new messages you have in all of your folders. Middle click such a folder to see your messages in a new tab or window, all without interrupting what you were doing.
Try doing that with Google Mail. Despite all the AJAX there just isn't a way to refresh your inbox to see if you have new email while composing or reading a message. Maybe it polls automatically? But how can I be sure?
Try setting up a filter while half way through composing a message on GMail. AJAX really doesn't help you do things the way you as the user want to do them.
SquirrelMail: your script seems to have the momentum of a runaway freight train. Why are you so popular?
I recently switched back to a fast reliable IMAP provider that provides SquirrelMail, Horde, and Roundcube. Roundcube is OK, fresh and sort of fast but still buggy and featureless. Horde is horrible.
SquirrelMail can be made to look good, really it can. The penguin theme that comes with SqM 1.5 (I think) is pretty attractive, I like hierarchical folders over labels, I like actual links that let me open up messages in new tabs or windows and view their source, I like the sieve script rule editor, and I think the whole thing looks less crowded and much more minimalistic than Gmail. And i'm pretty sure messages load faster to boot.
SquirrelMail is popular because it works the way you expect it to work and doesn't try to be more fancy than necessary. Hope that answers your question.
If that simple webpage (presumeably not sensitive or particuarly important) is part of a domain, and on another subdomain of said domain a more critical page sets "thedomain.com" as the domain part of it's cookies, it becomes trivial to read these cookies (if the user has any) and send the data somewhere sinister.
There are many ways it can become dangerous, most of the time these exploits are compounded to cause a serious problem and don't work alone.
It shouldn't all be down to web developers though (you have to take your security into your own hands sometime). A really proactive antiphishing enabled web browser would alert the user when part of the query string in an url from an offsite referrer is about to be used in the receiving page by javascript. This of course, wouldn't solve server side XSS attacks, but it'd be a nice start.