Poor input validation is the result of the software being designed in such a way as to have absolutely no tolerance for bad inputs. That is where the OS needs to step in as referree and blow the whistle and prevent further damage.
Because I'm sure if I coded my application to have pisspoor input validation, BSD, Linux and Mac OS would all leap in and stop the program from accepting invalid input!
The Yorktown failure was caused by user error and poor input validation, not Windows.
In September 21, 1997 while on maneuvers off the coast of Cape Charles, Virginia, a crew member entered a zero into a database field causing a divide by zero error in the ship's Remote Data Base Manager which brought down all the machines on the network, causing the ship's propulsion system to fail.
No, not unless Smith and Wesson were selling guns to people they knew were going to misuse them. Microsoft knows that many of their users are totally security clueless.
Smith and Wesson sell guns to (almost) everyone, but they can't make the guns discriminate based on who's holding it. They don't know if people are going to use their gun to go hunting, shoot up a school or blow their brains out.
It's the same deal with Windows; Microsoft doesn't know whether people are going to be security conscious or if they just don't care. They sell you the OS, you're allowed to do whatever you like, and so long as it's within the limits of the EULA they don't care. In this kind of environment, where people have more or less free rein over what they install and run, how could they be liable for every little instance of malware?
Your scenarios (and AKAImBatman's) are all examples of failed offline security policies. If someone is able to physically plug a pendrive into a mission critical computer or even physically touch the thing without appropriate credentials, you may as well blow up the damn warship yourself.
These aren't corporate desktops. The military are not stupid enough to make such attacks easy.
I'm sorry, but when you're taking men into combat, you want equipment that has been designed to do what needs to be done, not pretty features that let the GIs open their email attachments.
Which is why they're presumably using a heavily locked down version of Windows 2000 Server with no Internet access.
That's quite different, and a bit of a strawman. Of course they should be held responsible for security holes which they introduced in messenger, DCOM etc; it's a different matter entirely when it comes to third party programs which they have no involvement with or approval of doing malicious or dangerous things, especially when the user explicitly allowed those things to happen. They might as well slap a "well it's not our fault" on the design, if only to make it clear that it isn't their fault if a program you installed and ran fucks something up.
(Of course this is all moot, since the EULA disclaims all responsibility and absolves Microsoft of all guilt. Nice of them.)
UAC doesn't actually protect the user, but it enables Microsoft, in response to any virus/worm/trojan/botnet/class action lawsuit to say "well, you clicked allow. It wasn't our fault."
It wouldn't be their fault. Nor should it be their fault.
Microsoft shouldn't be required to take the blame for harm that results to their installation or data because of third party programs that they themselves didn't supply. You allowed the program to run, you deal with the consequences; it isn't Microsoft's fault at all that you decided to allow NastyShitware.exe to run. Why should it be? If you shoot yourself, are Smith and Wesson liable?
If Microsoft was held liable for the actions of third party applications, it would open up the way for lawsuits against pretty much every other OS provider that gave their customers a chance to run nasty programs on their OS. Imagine the lunacy that would result from that. Imagine the ass-covering lockdown that would most likely result. Not very nice at all...
Re:welcome to the watchlist
on
Tor Open To Attack
·
· Score: 0, Flamebait
ELL OH ELL.
Erm, "free software sucks"? I've coded some free software (a tiny useless piece of public domain stuff, but still) before, released it, got it put into the Debian archive (yes, you can apt-get a tiny little piece of jb.hl.com now. Get you paranoid yet?). I use Firefox, OpenOffice.org, Thunderbird and the GIMP almost daily, and up until recently used Linux pretty much full time. What planet are you on? Microsoft don't rule, they do a lot of suspect things, I just find Windows to be the best platform available for what I want to do, and they're certainly undeserving of the kind of irrational hatred you specialise in.
I don't hate Slashdot. I just don't like you. Get that, Twit? I don't like you, or your FUD, or your baseless accusations, or your bizarre messianic complex. The fact you seriously think a multi-billion dollar corporation is sending footsoldiers out to get you because you post bad things about them on Slashdot is testament to your utter lunacy. It is not Slashdot I dislike, it is you personally. Got that? Good.
Another hearty LOL at you for posting that link to you annotating my comments again. You do realise it's all bullshit, and anyone reading the comments can see as such, don't you? I hope so.
My last Asus mobo came with a bootable CD with FreeDOS on it, which could be used to perform BIOS upgrades.
Of course, for all other purposes it was useless (its main function, I found out, was to annoy the tits off me if I rebooted and left the CD in the drive).
Again with that link. You don't think it actually proves anything, do you? The only thing it might possibly prove is that I think you're a prick, and get a kick out of proving you wrong. And I think you get that same kick with me, otherwise you wouldn't bother posting that silly, easily refuted link every time I hit a nerve.
You've not seen many of twitter's "funny" posts. Really, it's sort of like watching an anti-Semite try and put a few jokes into his conspiracy-theory laden rants about how the Jews own everything.
See, people complain about UK ISPs, but as the post above shows things are infinitely better than in the US...not WONDERFUL, but still far better than in the US. I'm with TalkTalk, for christ's sake (for the Yanks, TalkTalk introduced a free broadband offer and were completely and totally unable to satisfy demand), and they haven't given me any trouble whatsoever despite all the bad press, and recently just bumped me up to a consistent 6mbps download (even on torrents). It's quite impressive. Compare with some of the American horror stories...
Puts down Linux, says good things about Windows: EVIL BIASED PAID FOR GET THE FACTS PROPAGANDA MARKETING BALLMER CHAIRS RAWR Puts down Windows, says good things about Linux: Learned research from an expert in his field, dispute it and you're a shill
If you buy things, anything at all in any industry, then you are a consumer. If you're buying something from a specific place, you're a customer of that place. If you're a member of a nation state, you're a citizen.
They're not mutually exclusive though. Nothing to get your panties in a bunch about. If it really bugs you that much then just read "consumer" as "economically active individual", because the meaning is pretty much the same.
Well no, they don't all have perl and python installed.
Debian ships with Perl as standard, IIRC. So does Ubuntu. Red Hat and Fedora ship with Python and Perl, and their config tools relied on Python last I saw. You could, of course, install the system without Perl, but very few do that as it's that useful. Remember, it doesn't need all, it needs most, an overwhelming majority. That's as effective a monoculture as any other.
They don't have the same directory structure by a long shot and that has kernel module implications.
This makes no sense.
Yes, different distros put different things in different places. That is to be expected. However writing a test to check whether files that you want to play with are installed in the Debian location, the Ubuntu location, the Fedora location etc would be simple, even in say bash scripting. Checking for any other distros? Not worth it. Ubuntu, Debian and Debian-based distros and Fedora make up a large part of the Linux market. Again, you wouldn't need all, just most.
I'm not entirely sure what you're talking about with your "module" remark. Modules on pretty much all systems I've seen go in/lib/modules and then a subdir with the version of the kernel. Directory structure has little to no relevance to kernel modules. I'm going to assume that you're pulling this out of your ass.
They don't all run samba by choice, though they may have clients, and sshd is not installed by default on most.
SSHD is installed on Ubuntu by default, same with Samba. Debian installed SSHD by default last I checked, as did Fedora.
Not all...most.
They may or may not be running xorg, but the configurations will be different.
It's safe to assume that 99.999% of desktop systems would be running X.org. How precisely does the configuration of X.org matter at all, though?
Many have their own kernel versions and compiles.
That, in itself, would stop a worm doing anything kernel-level on a huge scale, although by making assumptions (i.e. that newbies don't upgrade the kernel or whatever) that could be got around by just including a module or whatever for the default kernel of the big three distros.
The only way you could think anything else is to have never done any real work on as much as one distribution. The differences are easy for a human to navigate, but difficult for a worm - and this is why there is not a Linux Monoculture and one of the reasons there are no gnu/Linux hosted worms of any significance.
Like I said, you wouldn't need a "monoculture" with 100% of users using 100% the same software and configurations, you would need a fair percentage of users using enough of the same distros to be able to make reasonable assumptions about what software and configurations they have.
As for why there isn't a Linux worm yet, well, all it takes is one sloppy coding error... And then we could get back into the debate on market share, but I'd rather not, as that (as I've said in previous comments) is almost entirely based upon hypotheticals and what ifs. No point to it.
Endemol don't handle DVD sales directly, IIRC, and in Brooker's case the DVDs would be sold by the BBC's commercial arm, BBC Worldwide.
Although it's moot in this instance; Brooker's show (Screenwipe...excellent show btw) has so many clips of things that just getting the rights for any putative DVD of the show would be completely impossible. UKNova is your friend:)
Being outside of that, I'm free to say whatever I want about the tin-horns who are busy calling free software "a cancer", "communist" and all that jazz. No respect has been earned and none is paid.
And by the same token, people are free to call you a FUD-spouting cretin who for some reason is megalomaniacal enough to think that his witterings (or should that be twitterings? LOLOL) on a piddling discussion website are of any kind of import to a massive corporation with actual critics who write things about them in actual journals/magazines.
By the way, I've never called free software "a cancer", "communist" or anything else in that vein. Nice try though. At least this time you're not quoting yourself to make a point.
This is a valid concern. But all Microsoft has to do is to provide 99% of all requested software, and then strongly discourage the clueless from using alternative methods of installation (which must be available, duh).
Do you honestly think OpenOffice.org, Gaim and other such programs would last long under this scenario? Of course, NOT allowing them would be incredibly bad PR, but this move would introduce all sorts of complications, not least being that people wouldn't be able to get new software fast enough. What about boxed software? How would that work? Would you have to have a sort of Steam for all the software on the system? Wouldn't that introduce a whole new range of privacy violations and such?
The way it is in Debian now is a good way. I've written my little program, and if I want to get it in the Debian Archive then I have to test it, run lintian on it to make sure the package is in good shape, run it past Debian QA etc...but then, if I really want to I can just host the.deb or the.tar.gz on my program's website and leave it at that.
If anything, if Microsoft offered some kind of certification scheme, where you could submit your program to Microsoft and get it certified for a nominal sum ($20 or so) that would be handy. But even that introduces even MORE complications...
Slashdot Mirror
I seem to recall seeing /usr/home on FreeBSD before. Maybe I'm hallucinating :)
That's cos Britain's hogging it all.
Poor input validation is the result of the software being designed in such a way as to have absolutely no tolerance for bad inputs.
That is where the OS needs to step in as referree and blow the whistle and prevent further damage.
Because I'm sure if I coded my application to have pisspoor input validation, BSD, Linux and Mac OS would all leap in and stop the program from accepting invalid input!
Methinks you expect a little too much of an OS.
The Yorktown failure was caused by user error and poor input validation, not Windows.
In September 21, 1997 while on maneuvers off the coast of Cape Charles, Virginia, a crew member entered a zero into a database field causing a divide by zero error in the ship's Remote Data Base Manager which brought down all the machines on the network, causing the ship's propulsion system to fail.
This gives a new meaning to the phrase "laying some pipe".
Maybe Microsoft could pay him to do it...
No, not unless Smith and Wesson were selling guns to people they knew were going to misuse them. Microsoft knows that many of their users are totally security clueless.
Smith and Wesson sell guns to (almost) everyone, but they can't make the guns discriminate based on who's holding it. They don't know if people are going to use their gun to go hunting, shoot up a school or blow their brains out.
It's the same deal with Windows; Microsoft doesn't know whether people are going to be security conscious or if they just don't care. They sell you the OS, you're allowed to do whatever you like, and so long as it's within the limits of the EULA they don't care. In this kind of environment, where people have more or less free rein over what they install and run, how could they be liable for every little instance of malware?
Your scenarios (and AKAImBatman's) are all examples of failed offline security policies. If someone is able to physically plug a pendrive into a mission critical computer or even physically touch the thing without appropriate credentials, you may as well blow up the damn warship yourself.
These aren't corporate desktops. The military are not stupid enough to make such attacks easy.
I'm sorry, but when you're taking men into combat, you want equipment that has been designed to do what needs to be done, not pretty features that let the GIs open their email attachments.
Which is why they're presumably using a heavily locked down version of Windows 2000 Server with no Internet access.
Erm:
"Few cases have considered the validity of clickwrap licenses. However, in the cases that have challenged their validity, the terms of the contract have ultimately been upheld [...] Essentially, under a clickwrap arrangement, potential licensees are presented with the proposed license terms and forced to expressly and unambiguously manifest either assent or rejection prior to being given access to the product."
That's quite different, and a bit of a strawman. Of course they should be held responsible for security holes which they introduced in messenger, DCOM etc; it's a different matter entirely when it comes to third party programs which they have no involvement with or approval of doing malicious or dangerous things, especially when the user explicitly allowed those things to happen. They might as well slap a "well it's not our fault" on the design, if only to make it clear that it isn't their fault if a program you installed and ran fucks something up.
(Of course this is all moot, since the EULA disclaims all responsibility and absolves Microsoft of all guilt. Nice of them.)
UAC doesn't actually protect the user, but it enables Microsoft, in response to any virus/worm/trojan/botnet/class action lawsuit to say "well, you clicked allow. It wasn't our fault."
It wouldn't be their fault. Nor should it be their fault.
Microsoft shouldn't be required to take the blame for harm that results to their installation or data because of third party programs that they themselves didn't supply. You allowed the program to run, you deal with the consequences; it isn't Microsoft's fault at all that you decided to allow NastyShitware.exe to run. Why should it be? If you shoot yourself, are Smith and Wesson liable?
If Microsoft was held liable for the actions of third party applications, it would open up the way for lawsuits against pretty much every other OS provider that gave their customers a chance to run nasty programs on their OS. Imagine the lunacy that would result from that. Imagine the ass-covering lockdown that would most likely result. Not very nice at all...
ELL OH ELL.
Erm, "free software sucks"? I've coded some free software (a tiny useless piece of public domain stuff, but still) before, released it, got it put into the Debian archive (yes, you can apt-get a tiny little piece of jb.hl.com now. Get you paranoid yet?). I use Firefox, OpenOffice.org, Thunderbird and the GIMP almost daily, and up until recently used Linux pretty much full time. What planet are you on? Microsoft don't rule, they do a lot of suspect things, I just find Windows to be the best platform available for what I want to do, and they're certainly undeserving of the kind of irrational hatred you specialise in.
I don't hate Slashdot. I just don't like you. Get that, Twit? I don't like you, or your FUD, or your baseless accusations, or your bizarre messianic complex. The fact you seriously think a multi-billion dollar corporation is sending footsoldiers out to get you because you post bad things about them on Slashdot is testament to your utter lunacy. It is not Slashdot I dislike, it is you personally. Got that? Good.
Another hearty LOL at you for posting that link to you annotating my comments again. You do realise it's all bullshit, and anyone reading the comments can see as such, don't you? I hope so.
My last Asus mobo came with a bootable CD with FreeDOS on it, which could be used to perform BIOS upgrades.
Of course, for all other purposes it was useless (its main function, I found out, was to annoy the tits off me if I rebooted and left the CD in the drive).
Again with that link. You don't think it actually proves anything, do you? The only thing it might possibly prove is that I think you're a prick, and get a kick out of proving you wrong. And I think you get that same kick with me, otherwise you wouldn't bother posting that silly, easily refuted link every time I hit a nerve.
You've not seen many of twitter's "funny" posts. Really, it's sort of like watching an anti-Semite try and put a few jokes into his conspiracy-theory laden rants about how the Jews own everything.
Actually, it's exactly like that.
Is this you trying to be funny again? Because you failed hopelessly.
Sorry.
This line of thinking would work only if there were some publicly viewable show of your bandwidth/penis size.
Say, branding on executives' foreheads.
See, people complain about UK ISPs, but as the post above shows things are infinitely better than in the US...not WONDERFUL, but still far better than in the US. I'm with TalkTalk, for christ's sake (for the Yanks, TalkTalk introduced a free broadband offer and were completely and totally unable to satisfy demand), and they haven't given me any trouble whatsoever despite all the bad press, and recently just bumped me up to a consistent 6mbps download (even on torrents). It's quite impressive. Compare with some of the American horror stories...
So wait:
Puts down Linux, says good things about Windows: EVIL BIASED PAID FOR GET THE FACTS PROPAGANDA MARKETING BALLMER CHAIRS RAWR
Puts down Windows, says good things about Linux: Learned research from an expert in his field, dispute it and you're a shill
Hmm.
If you buy things, anything at all in any industry, then you are a consumer. If you're buying something from a specific place, you're a customer of that place. If you're a member of a nation state, you're a citizen.
They're not mutually exclusive though. Nothing to get your panties in a bunch about. If it really bugs you that much then just read "consumer" as "economically active individual", because the meaning is pretty much the same.
Well no, they don't all have perl and python installed.
/lib/modules and then a subdir with the version of the kernel. Directory structure has little to no relevance to kernel modules. I'm going to assume that you're pulling this out of your ass.
Debian ships with Perl as standard, IIRC. So does Ubuntu. Red Hat and Fedora ship with Python and Perl, and their config tools relied on Python last I saw. You could, of course, install the system without Perl, but very few do that as it's that useful. Remember, it doesn't need all, it needs most, an overwhelming majority. That's as effective a monoculture as any other.
They don't have the same directory structure by a long shot and that has kernel module implications.
This makes no sense.
Yes, different distros put different things in different places. That is to be expected. However writing a test to check whether files that you want to play with are installed in the Debian location, the Ubuntu location, the Fedora location etc would be simple, even in say bash scripting. Checking for any other distros? Not worth it. Ubuntu, Debian and Debian-based distros and Fedora make up a large part of the Linux market. Again, you wouldn't need all, just most.
I'm not entirely sure what you're talking about with your "module" remark. Modules on pretty much all systems I've seen go in
They don't all run samba by choice, though they may have clients, and sshd is not installed by default on most.
SSHD is installed on Ubuntu by default, same with Samba. Debian installed SSHD by default last I checked, as did Fedora.
Not all...most.
They may or may not be running xorg, but the configurations will be different.
It's safe to assume that 99.999% of desktop systems would be running X.org. How precisely does the configuration of X.org matter at all, though?
Many have their own kernel versions and compiles.
That, in itself, would stop a worm doing anything kernel-level on a huge scale, although by making assumptions (i.e. that newbies don't upgrade the kernel or whatever) that could be got around by just including a module or whatever for the default kernel of the big three distros.
The only way you could think anything else is to have never done any real work on as much as one distribution. The differences are easy for a human to navigate, but difficult for a worm - and this is why there is not a Linux Monoculture and one of the reasons there are no gnu/Linux hosted worms of any significance.
Like I said, you wouldn't need a "monoculture" with 100% of users using 100% the same software and configurations, you would need a fair percentage of users using enough of the same distros to be able to make reasonable assumptions about what software and configurations they have.
As for why there isn't a Linux worm yet, well, all it takes is one sloppy coding error... And then we could get back into the debate on market share, but I'd rather not, as that (as I've said in previous comments) is almost entirely based upon hypotheticals and what ifs. No point to it.
Your turn.
Endemol don't handle DVD sales directly, IIRC, and in Brooker's case the DVDs would be sold by the BBC's commercial arm, BBC Worldwide.
:)
Although it's moot in this instance; Brooker's show (Screenwipe...excellent show btw) has so many clips of things that just getting the rights for any putative DVD of the show would be completely impossible. UKNova is your friend
Being outside of that, I'm free to say whatever I want about the tin-horns who are busy calling free software "a cancer", "communist" and all that jazz. No respect has been earned and none is paid.
And by the same token, people are free to call you a FUD-spouting cretin who for some reason is megalomaniacal enough to think that his witterings (or should that be twitterings? LOLOL) on a piddling discussion website are of any kind of import to a massive corporation with actual critics who write things about them in actual journals/magazines.
By the way, I've never called free software "a cancer", "communist" or anything else in that vein. Nice try though. At least this time you're not quoting yourself to make a point.
This is a valid concern. But all Microsoft has to do is to provide 99% of all requested software, and then strongly discourage the clueless from using alternative methods of installation (which must be available, duh).
.deb or the .tar.gz on my program's website and leave it at that.
Do you honestly think OpenOffice.org, Gaim and other such programs would last long under this scenario? Of course, NOT allowing them would be incredibly bad PR, but this move would introduce all sorts of complications, not least being that people wouldn't be able to get new software fast enough. What about boxed software? How would that work? Would you have to have a sort of Steam for all the software on the system? Wouldn't that introduce a whole new range of privacy violations and such?
The way it is in Debian now is a good way. I've written my little program, and if I want to get it in the Debian Archive then I have to test it, run lintian on it to make sure the package is in good shape, run it past Debian QA etc...but then, if I really want to I can just host the
If anything, if Microsoft offered some kind of certification scheme, where you could submit your program to Microsoft and get it certified for a nominal sum ($20 or so) that would be handy. But even that introduces even MORE complications...