Slashdot Mirror


User: louarnkoz

louarnkoz's activity in the archive.

Stories
0
Comments
76

Comments · 76

  1. Using SSL is a bad idea on Tearing Down China's Great Firewall · · Score: 5, Insightful
    Thanks for pointing out that Psiphon proposes to use SSL. It looks very natural, encrypt the traffic so the firewall will not see it. But it is actually a very bad idea.

    First, the very fact of using encryption makes you stand out in the crowd. Do that a bit too often, and someone could very well come knock on your door.

    Second, SSL can be defeated. I am pretty sure that all PCs in China have a Chinese Government Certification Authority listed in their SSL root file. That is enough for mounting a man-in-the-middle attack against SSL. Now you have dissidents who believe they are safe because of SSL, but in fact the firewall is reading their exchanges. Knock, knock?

    The article actually points to a much better solution: just use port 80, but rewrite the page to avoid the keywords that the firewall is looking for. For example, "New York Times" could be rewritten to "New Grok Dime", or whatever. That way, the traffic remains stealthy.

  2. Strength in numbers on Tearing Down China's Great Firewall · · Score: 3, Insightful

    TFA points out the obvious problem: if the great firewall can identify a relay, it can close it. It can also find out whoever is using it, making it a dangerous proposition. To me, it is fairly obvious that the response has to rely on "strength in numbers": place a great many relaying pages all over the internet. In fact, what about placing at least one such page on every web site? The great firewall would then have to either lock the entire Internet, or give up!

  3. Re:It's not rocket science folks on Computer Science as a Major and as a Career · · Score: 1
    Repeating bad information does not make it true. The parent article is a collection of wrong stereotypes.
    • Often insane workloads with zero compensation (anyone here who HASN'T done unpaid overtime?). Little chance at career advancement. Casting off senior people (married, with kids) as liabilities.

    The parent says "Relatively low salary relative to the education required." Actually, the hiring salaries of CS graduates are among the top ten majors according to this study. There is anecdotal evidence that, in some cases, salaries can get really high. I have heard of fights for PhD graduates between Google, Microsoft, IBM and others resulting in 6 figure salaries and signing bonuses.

    The parent's comment "insane workloads with zero compensation" is true in some sense. I have never seen software engineers punching the clock and accounting for overtime. On the other hand, the insane hours mostly occur when a project faces an imminent deadline. The rest of the time, people tend to enjoy flexible hours. Also, beating a project deadline is often compensated by bonuses and such.

    The parent also mentions "little chance at career advancement." In my experience, there is as much chance at career advancement in CS as in any other field, becoming a team manager, etc. Moves to senior management typically involve getting management experience & maybe getting a business diploma on the side, but this is true for pretty much any profession.

    As for the parent's assertion that employers like "casting off senior people (married, with kids) as liabilities," I can only give my own example. I am over 50, and nobody has cast me off. In fact, I am receiving unsolicited job offers.

    Bottom line, there is no reason to panic. If you like programming and computers, you will be much better off excelling at CS than doing a so-so job in marketing, let alone nursing...

    -- louarnkoz

  4. Actually, Vint is quite influential on Vint Cerf Answering Questions on Top-Level Domains · · Score: 1

    Vint Cerf may not be publishing many RFCs nowadays, but he still wields a lot of influence in the evolution of the Internet. Apart from his presidency of ICANN, he plays a role as a kind of "father figure" in the IETF. He was influential in the debates that led to the adoption of IPv6, and occasionally provides commentary and guidance on new standards. He is also quite active in government circles, pushing for initiatives that help develop the Internet, or bring it to new frontiers. Not to mention his personal project of an "inter-planetary Internet".

  5. Re:Question for experts? on The Letter That Won US Internet Control · · Score: 1
    • To my best knowledge, and according to the article posted, the greatest proponents of the WSIS Internet governance were the European Union. Hence the letter to the foreign minister of the nation currently presiding over the EU.
    Uh, no. The WSIS movement was largely initiated by the ITU, which is organized on a one country / one vote principle, and where country representatives are designated by the countries' ministries in charge of telecommunication (the State Department in the US). The Chinese representative to the ITU played a prominent role, and first rallied nations like Saudi Arabia, Iran, Syria or Cuba. The EU tried to play a neutral role, and only appeared to rally to a "UN governance" proposal at a very late stage in the process.

    The management of country domains was only one of the arguments for "changing Internet governance". Among the others were a desire to impose on Internet communications "bilateral tariffs" similar to those applied to telephone calls, and a desire to impose a "code of conduct" to Internet publishers.

    The "bilateral tariffs" are used by many third world countries to impose a tax on phone calls originating from abroad. This is a substantial source of income for these governments. The bureaucratic view is that the Internet threatens that source of income. The reality is that such taxes have very negative economic consequences. They slow down the country's development while encouraging parasitic behavior by local monopolies.

    The code of conduct appears in various forms. Governments will argue that they want to fight spam and porn. In reality, dictatorships can only thrive if they control information. It is no surprise that the most active defenders of WSIS are also on the list of the 19 "black spots of the Internet".

  6. Re:Question for experts? on The Letter That Won US Internet Control · · Score: 2, Insightful
    In theory, the US government could direct ICANN to remove the IP address of the .FR server from the root zone. In practice, such a move would backfire badly. There are many root servers, managed by volunteers. Not all of them are American, and even those that are, are not particularly obedient to the US government. The order would be immediately discussed all over the Internet, ICANN would almost immediately lose its power, and most root servers would simply keep the old data.

    The ".EU" situation is more complex. The two-letter domains are supposed to be defined in a table managed by the UN. There are good reasons for that: Jon Postel did not want to be in the business of defining what was or was not a country. Think for example of Palestine, Macedonia or East Timor: neighboring nations threaten or stage war to prevent their recognition. Leaving it to the UN provides a good layer of isolation. The EU proponents were asking for an exemption, and the processing of that exemption was stalled for several years. AFAIK, it is finally resolved, and the domain is supposed to start operation this month.

    The question of control over national domains is however a very good one. ICANN has been attempting for many years to impose policies on national domains. They tried to impose conflict resolution procedures aligned with the interests of trademark owners. They tried to levy management fees. This is, IMHO, an unnecessary irritant.

    Of course, the WSIS proponents like China or Saudi Arabia know full well that the US cannot in practice "disconnect a country from the Internet." A government could instruct its ISP to stop connecting to some parts of the Internet, but the ones actually doing that are precisely the promoters of "governance by the UN" -- a World Summit on Internet Censorship?

  7. Which IM standard? on It's Time To Take Back Instant Messaging · · Score: 1
    "Taking back" is one way to see the issue. The positive spin is more "let's interconnect". We can easily picture a world in which IM works much like e-mail, a distributed system of independent servers managed by enterprises, universities, ISPs and service providers. A small problem is that the IETF managed to create two IM standards: SIMPLE (RFC 3856) and XMPP (RFC 3920).

    XMPP is based on XML messaging and is used by Jabber. Google base their service on XMPP, but have not shown any intent of interconnecting with others.

    SIMPLE is derived from the dominant VOIP signalling protocol, SIP, and is used by several enterprise products of Microsoft (Live Communications Server, LCS), IBM (Lotus Sametime) and others. The enterprise servers can be interconnected much like e-mail servers, i.e. by resolving SIP URLs over the DNS. Microsoft also proposes a SIMPLE based solution for connecting LCS servers to MSN, Yahoo and AOL. The interconnection between MSN and Yahoo is most likely based on SIMPLE.

    I guess the first thing we need is some kind of gateway between XMPP and SIMPLE...

  8. Re:Vulnerability on MS05-039 Worm in the Wild · · Score: 5, Informative

    The "valid logon" comment is misleading. On XP/SP2 and Windows 2003, the remote function can only be exploited by a logon with administrative privilege, the equivalent of root access. SP2 does not correct all bugs in Windows XP, but it includes a lot of system hardening. The guiding idea was "defense in depth", i.e. don't assume that the software is perfect, add multiple layers of protection. One of these defenses was requiring authentication for all RPC access. This "defense in depth" seems to be working, at least in this case.

  9. MD5 hash does not really protect passwords on Firefox Community Site Hacked · · Score: 1
    It is actually very easy to retrieve a password from an MD5 hash, using a dictionary attack. The attacker just had to mount a dictionary attack, i.e. try passwords one by one from a dictionary, compute the hash, and check for a match.

    On a model 2005 PC, an MD5 hash can be computed in less than a microsecond. A dictionary of 10 million entries can be explored in 10 seconds. Dictionary attacks are really very effective.

    And if the site forgot to add a per-user salt for each password, the attacker will be able to essentially break all the passwords "in parallel".

    If a password was composed by a user and not randomly generated, then it will be cracked by a well tuned dictionary attack.
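    As an added illustration of the point above (not part of the original comment), the following Python counts how many MD5 computations a dictionary search needs against an unsalted password table versus one with a random per-user salt. The user names, passwords and the tiny dictionary are all constructed here; the salted scheme `md5(salt || password)` is an assumption chosen only to show the cost difference, not a recommended password hash.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed sample dictionary (a real one would have millions of entries).
DICTIONARY: List[str] = ["letmein", "password", "qwerty", "firefox1", "correcthorse"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """The scheme the comment criticises: {user: md5(password)}.
    Two users with the same password get the same hash."""
    return {u: md5_hex(p.encode()) for u, p in users.items()}


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """{user: (salt_hex, md5(salt || password))} with a random 8-byte salt per user."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(8)
        table[u] = (salt.hex(), md5_hex(salt + p.encode()))
    return table


def crack_unsalted(table: Dict[str, str], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Without salt, one hash per dictionary word is compared against every
    user at once: this is the 'break all the passwords in parallel' effect.
    Returns (recovered passwords, number of MD5 computations)."""
    users_by_hash: Dict[str, List[str]] = {}
    for u, h in table.items():
        users_by_hash.setdefault(h, []).append(u)
    found, work = {}, 0
    for word in dictionary:
        work += 1
        for u in users_by_hash.get(md5_hex(word.encode()), []):
            found[u] = word
    return found, work


def crack_salted(table: Dict[str, Tuple[str, str]], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """With a per-user salt the whole dictionary must be re-hashed for each
    user (worst case counted here, no early exit), so the work multiplies
    by the number of users instead of being shared between them."""
    found, work = {}, 0
    for u, (salt_hex, h) in table.items():
        salt = bytes.fromhex(salt_hex)
        for word in dictionary:
            work += 1
            if md5_hex(salt + word.encode()) == h:
                found[u] = word
    return found, work


def demo() -> Tuple[Dict[str, str], int, Dict[str, str], int]:
    # Constructed users: two chose dictionary words, one a random-looking string.
    users = {"alice": "password", "bob": "firefox1", "carol": "xK9#vQ2pL!"}
    u_found, u_work = crack_unsalted(store_unsalted(users), DICTIONARY)
    s_found, s_work = crack_salted(store_salted(users), DICTIONARY)
    return u_found, u_work, s_found, s_work


if __name__ == "__main__":
    print(demo())  # carol's random password is never recovered either way
```

    Salting removes the shared work, but each salted MD5 is still sub-microsecond, so the per-user cost remains tiny; a slow, iterated password hash is what actually raises it.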

  10. It can be measured, but not like that on Weighing the Internet · · Score: 3, Informative
    The methodology presented here is deeply flawed: it extrapolates a large number based on a very small sample and on unsupported assumptions about browsing habits. Yet, it is possible to actually measure the number of users with some proper method.

    The most obvious method is a basic opinion poll. Take a large enough random sample of the earth population, ask simple questions like "have you used the Internet ever, this year, this month, this week, today", compute the average and extrapolate.

    In practice, taking a world-wide poll is not very practical, but it is certainly possible to perform polls on a country by country basis, and then compute the results. In fact, such polls are regularly conducted, and the results are just a google search away, at least for major countries.

    Polls are snapshots at a moment in time, and this is problematic. If you don't pay attention, you end up adding the number of users measured in China last January, in the US last month, in Finland in May, etc. So, you want to complement the polls by an indication of trend, something that you can easily measure at frequent intervals.

    One possibility is to use Internet host counts, which can be obtained by sampling the DNS (see the Internet Domain Survey). One can measure the number of hosts in a country and the number of users at the time of the poll, the current number of hosts in the same country, and extrapolate.

    There are other potential sources, e.g. measure the volume of traffic, the number of dial-up and broadband subscriptions, etc. Again, it is possible to link these numbers to various poll data, and maintain estimates.

    By the way, the Internet Domain Survey in January 2005 showed 317.6 million IP addresses in use. The typical broadband connection uses one IP address per household, i.e. for 1 to maybe 4 or 5 users. A dial-up connection typically only uses an address a fraction of the time, so the ratio is even higher. Then, there are about 650 million PCs available worldwide, many of which are shared. Based on that, there were probably somewhere between 500 million and a billion users on the Internet.

  11. Re:Well, the quote's naff... on Man Arrested for Using Open Wireless Network · · Score: 1
    There is no proof that the person using the network was up to anything more than surfing the web. To quote TFA:
    • It remains unclear what Smith was using the Wi-Fi for, to surf, play online video games, send e-mail to his grandmother, or something more nefarious. Prosecutors declined to comment, and Smith could not be reached.
    This is merely about "stealing" someone's Internet connection. One can make an argument that this is bad behavior, but it is not necessarily nefarious.

  12. Re:What will the new venture be called? on HP Announces National Id System Built on .NET · · Score: 1

    AXID-ent.

  13. Re:People don't die when networks crash on CIA's Info Ops Team Hosts 3-Day Cyber Wargame · · Score: 2, Interesting
    Actually, people may very well already have died in network attacks, as these attacks managed to clog telephone lines and bring down 911 response centers. Someone may well have been waiting for the ambulance that never came.

    Or, suppose that someone manages to sneak a virus inside a nuclear plant control system. Wait -- that actually already happened! Slammer worm crashed Ohio nuke plant network.

  14. This is new? on Red Hat/Apache Slower Than Windows Server 2003? · · Score: 5, Informative

    The web page says it was published May 5, 2004, i.e. a year ago. The report itself is dated from April 2003. The test was done using RH advanced server 2 and Windows 2003 RC2, i.e. a pre-release version. Since then, both RH and Microsoft have published new releases, for example the service pack 1 of Windows 2003. Why is this posted now?

  15. WiMax does change the laws of physics... on Signal Handoff Could Mean Roaming VoIP over WiFi · · Score: 1
    There is a lot of hype around WiMax! The WiMax modulation (OFDM) may be efficient, but it is not dramatically better than the new modulation proposals used for 3rd generation cell phones. At the end of the day, coverage depends on noise, energy, and frequency bands -- all of which are pretty much equivalent for WiMax and 3G. So, if you want to provide high bandwidth to many users, you will need about as many towers with WiMax as with 3G.

    By the way, that is precisely why roaming between Wi-Fi access points is important. WiFi access points are much less expensive than 3G towers, and you can get very high bandwidth if you deploy a dense set of access points. However, if you have many access points, you will roam very frequently, and you need to be able to roam very fast.

  16. Re:Yet, something like that is needed in CS on Hacker High School Starts to Spread · · Score: 1

    I have not been taking classes for a very long time... On the other hand, reading books helps. "Hacking exposed", for example, contains most of the content of the "hacker high school", and then some...

  17. Yet, something like that is needed in CS on Hacker High School Starts to Spread · · Score: 1
    I went through a couple of their courses, and was not too impressed. They teach mainly how to become a script kiddie.

    On the other hand, there is a serious need to teach CS students how the systems they design will eventually be hacked. Everyone should understand how to analyze a system for weaknesses. There are too many authentication systems with blatant holes, too many communication systems that are wide open to DOS attacks.

    One step further, one should also teach how to test systems for possible security bugs, either by "black box testing" or by code analysis.

    If we don't teach that, how will we ever get the quality systems that society can rely on?

  18. But will it be bad in practice? on How ISPs May Quietly Kill VoIP · · Score: 3, Insightful
    Much is said about "quality of service", but in practice the Internet has been working quite well without any of that. In practice, Skype does work, sounds better than the average telephone, and does not use any particular priority labelling.

    The "best effort" service is far from being a "bad effort". The users want to download files fast, so the ISP has to oblige and provide bandwidth. They want to play video games, so the ISP has to oblige and provide good latency. Guess what, voice over IP requires less bandwidth than downloading a file, and is more tolerant to latency than playing a video game.

    In practice, we have been observing over the years a "rising tide of quality". The speed of the average connection over the Internet is more or less proportional to the speed of the user connection, because it is what the users expect. 20 years ago, 9600 bps was considered great. 10 years ago, 64 kbps. Today, users expect to use the 256 kbps of their broadband connection. Tomorrow, users will probably get connected through 100baseT Ethernet, or 50 Mbps WIFI. Yet, voice barely needs more than 20 kbps.

    There is no doubt that some ISP somewhere is concocting some evil plot, but the chances are that the evil plot will fall on its face. Probably not much to worry about.

  19. Re:Lame article. on Is Your OS Tough Enough? · · Score: 4, Interesting
    There is something bizarre in the way the article counts "attacks". In theory, the number of attacks should be almost the same for each computer in the honeypot, because most viruses don't know what they are attacking.

    The blaster and sasser worms, for example, make no attempt at reconnaissance. They simply blast TCP connections to IP addresses chosen at random. In theory, they have exactly as many chances of attacking the XP/SP1 box as the XP/SP2 box, or for that matter any of the Mac or Linux boxes. The attack is much more likely to be successful on the SP1 box, but that does not mean the other computers were not attacked.

    So, what did they actually count? What do those numbers mean?

  20. Re:And this on Defeating XP SP2 Heap Protection · · Score: 3, Informative
    Code execution protection is one of the security features of XP/SP2. The design concept in XP/SP2 is to have a succession of protection layers, e.g. running the firewall to block ports, requiring authentication on RPC ports that are open, blocking some forms of communication, etc. None of these protections is entirely foolproof: some ports will remain open, some passwords will be guessed, etc. But it is much harder for an attacker to breach several protections than just one.

    The code execution protection is one of these protection layers, pretty much the last one when everything else has been breached and a buffer has overflown. It prevents the class of exploits that load code in a data buffer and somehow jump into it. But there is still a way through, using a stack overflow to rewrite a return pointer or a function pointer and direct it to an existing procedure, e.g. one in libc.

    Protecting against such exploits is very hard, and the problem is by no means specific to Windows. Don't expect a quick fix.

  21. Centralized directories are bad ! on Ciphire, A Transparent, Easy PGP Alternative · · Score: 5, Insightful
    If you look at the little pictures "how it works" on the ciphire site, it appears that before sending a mail to Bob, Alice retrieves Bob's certificate from the ciphire central server. Really? And that is private e-mail? They must be kidding!

    What do you think will happen if someone, say in the name of the war on drugs, wants to interfere? Presto, they can convince the central server to yank Bob's key from the directory and replace it by one of their choosing. Some privacy!

  22. These patents were filed 3 or 4 years ago on USPTO Released List of Top 10 Patent Receivers · · Score: 5, Insightful
    There is a delay between the time a patent is applied for and the time it is allocated. The patent office is thoroughly congested, and the delay keeps increasing. Nowadays, it is at least 3 or 4 years. The statistics in the parent article describe the patents granted in 2004. The corresponding applications were probably done in 1999, 2000 or 2001.

    IBM has been filing patents for many years, and has maintained more or less the same level over the years. On the other hand, four years ago, we did not hear much about Microsoft filing patents. So, their absence in the top 10 is not all that surprising.

  23. Re:The French seem stuck in some Napoleonic fugue. on Security Researcher Faces Jail For Finding Bugs · · Score: 2, Informative
    Actually, the principle of free speech is written in the Declaration of the Rights of Man, published in August 1789 by the French National Assembly during the French Revolution. Article 11 states:
    • La libre communication des pensées et des opinions est un des droits les plus précieux de l'Homme : tout Citoyen peut donc parler, écrire, imprimer librement, sauf à répondre à l'abus de cette liberté dans les cas déterminés par la Loi.

      The free communication of ideas and opinions is one of the most precious of the rights of man. Every citizen may, accordingly, speak, write, and print with freedom, but shall be responsible for such abuses of this freedom as shall be defined by law.

    The declaration is perhaps the most important text of French politics, comparable to the US Declaration of Independence. It is incorporated in the preamble of the French Constitution, and as such is considered the basis for French laws.

  24. Re:A few years down the line ... on Microsoft Loses Passport · · Score: 1
    There are many different voices coming out of Microsoft. One of the most interesting opinions is that of Kim Cameron, Microsoft's architect for identity. He publishes an Identity Weblog. Kim's "laws of identity" are all about privacy and minimal disclosure.

    Kim pushes an Infocard Project that would enable any variation of identity management, from centralised servers to federation of enterprise servers or peer-to-peer systems. Whether such a grand vision will make it into future Microsoft products is indeed anyone's guess...

  25. Re:64-bit goodness on More Analysis Of Pentium M Desktops · · Score: 1
    pp wrote:
    • Revised x86_64 support (possibly in the pentium m core and in the same price range as the new 90nm a64's) and Intel has a chance. That and Microsoft delaying 64-bit Windows for a couple more years.

    Actually, the beta version of 64 bit Windows XP is already available on the Microsoft web site. I would not bet that it will be delayed "for a couple more years".

    Who wants to bet that two years from now all desktops will be 64 bit?