And if programmers upgrade every six months, why are so many Linux packages still i386?
Actually, the upgrades are precisely the reason there are usually two choices for packages, i686 for "what I use" and i386 for "anyone else". I was looking around for an i586 distro recently and there quite simply isn't one. No programmer has such a machine.
Crap hardware is crap hardware, but you usually get what you pay for in that respect. Try linux on a machine with similar price and build quality to the Apple ones.
Just try plugging your machine directly to the net sometime, and turn off the firewall. It won't be long before some kind of exploit is used on your machine.
I did that about six months ago. No exploit so far.
Simple. Just don't share it.... or use another ripper besides iTunes (there are plenty.) Potential problem solved. What you described was not a breach of privacy even if you squint.
So how come it was something to complain about when WMP was doing it?
I buy myself an Xbox (200$), PS2 (180$), and a GameCube (120$). That costs me $500. A GeForce 6800 GT costs the same amount.
I can build a whole PC for that, with a geforce 6200. Not the very best of the best, but good enough - as others have said, if you're going to compare the current top-of-the-range graphics card you should compare buying the consoles when they were new.
Then I look at the games. Between the GameCube, Xbox, and PS2, I own (easily) over 100 games. Have there been over 100 PC games in the past 3 years that are worth owning? We do have representatives from the real-time strategy crowd and the FPS crowd, but what of the music rhythm games, platformers, party games (Mario Party on a computer would be considerably more constrained!), J-RPGs, etc?
It's my experience that you see more "wacky" games for the PC, since it's so easy to develop for.
I should mention I've never had to patch Super Mario Sunshine. When I bought it in 2002, it worked bug free!
I've had many PC games I don't need to patch. The difference is if there is a bug, you *can* patch it.
NFS I have but only readonly, non-sensitive stuff that might as well be public. I haven't deliberately set up any of the others, and can't imagine most users would need to.
All he's saying is the wine code doesn't work the way Gibson says this exploit does. It could be that the same file triggers a completely different bug in wine and windows, both of which happen to be found at the same time, but I think it's more likely Gibson's wrong about the windows exploit.
(which you haven't proven that it is, and neither have I. because as I've said, that number varies based on the song... in an unidentified pattern, at least as far as I can see... if it were a GUID, it'd be the same each time.)
No, it's different each time, the point of GUIDs is that every single one, ever, is different. And the way that's implemented is that each computer has a set of GUIDs allocated to it (based on mac address).
and if you pirated the MP3, it won't contain that anyway
If I share it, it's traceable. If it makes its way indirectly onto the internet - I give a copy to a friend, who gives a copy to his friend, and it eventually gets to someone who shares it - then it's still traceable to me.
This randomly selected number in mp3's does not prove Apple has a pattern of spying on you with iTunes and neither does the mini store.
No. But both suggest they do.
What I'd REALLY like to hear from someone is if you disabled the iTunes Store in configuration (6.0.1) and you installed 6.0.2, what would happen?
So if you've installed a proprietary program (say, Oracle as in another poster's example), can you still update it with one command?
Yes, I can. I updated unreal tournament 2003 as part of my daily updates a few days ago. Anything sufficiently popular has an ebuild in gentoo, proprietary or not.
Sigh... were the Moon landings a technological feat, never to be duplicated?
There was no great technological achievement. The saturn V is a demonstration that if you throw enough money at it, you can usually do what you want. Price/performance the atlas has it beat by probably an order of magnitude.
He's entirely wrong. Linux allows raw sockets, heck, even openbsd allows raw sockets. It doesn't do them any harm. Disabling them just means applications have to depend on the kernel having support for obscure protocols - which means a lot more code running in kernelspace, and so a lot more network vulnerabilities are root access. Or, more likely, no support for those protocols at all. There's a small gain in security from doing that, but it's exactly the same tradeoff as not having network access at all.
Local non-root is no vulnerability at all - a local user by definition already has non-root access. Also, crashes often become exploits - I'd put #9 above #7 as the potential risk is higher.
It got "fixed" and stopped perfectly legitimate programs from running - you try running a rarp server in windows XP. He may have succeeded in getting them blocked, but that doesn't make the idea that they're dangerous any less stupid.
There's two obvious flaws in what he's saying: firstly, the fact that the bug exists in wine. If it's a dumb specification that allows executing arbitrary code, it's feasible that the wine devs could have just implemented the spec without thinking. But I can't imagine them coding in a special value, 1, and not thinking about what it meant. Secondly, if it requires the special value 1, how on earth was the bug found? Is someone really going to try an exploit, have it not work, then try various values and find it works with 1?
That shows the fundamental difference between design errors and coding error. This is an error in the WMF spec, and all the coding skills in the world won't save you from that.
You seem to assume he'd want to hit every machine out there at once. Why? It's worth more used as a 0-day, to penetrate targets you can make real money from (selling zombies is AFAICS relatively recent. I'd bet 0-days have been valuable far before that). And it could be easily triggered by emailing - OE and outlook use the same HTML engine to render the message, and any other client is still probably going to use the system WMF renderer. People get emails with pictures in all the time, and they quite often don't display properly - it wouldn't look suspicious in the slightest.
Hopefully that means it's featureful enough not to need them.
How about the one that says "we have x developers and have to ship by y"?
Because the US no longer has a bigger dick than the rest of the world. That's all it's about.
I have no software firewall. I give my machines static, public IPs and leave them on all the time. I see no vulnerability in this.
I mean, I know windows security is bad, but is it really considered a compromise to simply be on the same network as the attacker's machine?
The list subject is "likely to be important in 2006". Which this is.
What I'd REALLY like to hear from someone is if you disabled the iTunes Store in configuration (6.0.1) and you installed 6.0.2, what would happen?
I shouldn't have to disable it in configuration.
Not what I've read.
Not my experience at all. Personally, my system's even more solid than when I was running slackware.
I've heard unconfirmed reports of gator doing it. It's certainly very possible, but I suspect it's hard to sift through the logs and find a CC#.