Slashdot Mirror


User: jayloden

jayloden's activity in the archive.


Comments · 213

  1. Re:Not too surprising on IT Workers Worst Dressed Employees · · Score: 3, Insightful

    Amen brother!

    Seriously though, I work for a startup company, and as such my job ranges from supporting our software products to development, scripting, and system administration. When I started at the company I wore khakis to work every day, jeans on Friday. Then I started wearing jeans for my commute to work (say what you will, I just don't find khakis as comfortable, especially when driving). Eventually I realized nobody really gave a crap if I wore jeans while I sat at my computer, and I stopped wearing khakis all the time.

    Sure, when I have to go to a customer site or on a business trip, I break out the button-down shirts and dress pants. Then it actually matters, because customers' impressions of our company will be based on me, our company's representative.

    When I'm sitting at a computer writing code, answering emails, and making phone calls, it makes no difference what I'm wearing. I'm sure there are people out there that work more focused when they're dressed up, or whatever. Well, I'm not one of them. I work best when I'm comfortable, so I can relax and think. All I can say is if I ever have employees, there will be no "business" attire in my place of business.

  2. Re:IM worms go undetected on Fully Automated IM Worms on the Way? · · Score: 1

    Thanks for the plug :)

    I've been somewhat disappointed with how badly the mainstream antivirus companies have handled most of the IM outbreaks. There are vulnerable clients out there, mass spreading worms that install rootkits, disable AV programs and Internet Explorer, and through it all I feel like the AV companies are barely even there.

    I'm not an antivirus expert, and I'm not a programming genius by any means. The guys at Symantec and McAfee and F-Prot et al are trained to deal with this stuff. They have the best tools and the best brains to throw at removing this malware. I'm just zis guy, you know? I've learned a hell of a lot in the past couple years by maintaining AIMFix, and I'll keep doing it as long as there's a need for it, but it never hurts to have some help!

    I'm more than glad to keep doing what I do as long as it's helping people out there, but at the rate things are going these worms are simply going to get too hard for me to remove, much like CoolWebSearch was for Merijn and CWShredder. I welcome the opportunity to learn new things and become a better programmer, certainly, but I'd also love to see the major AV companies get in the game and start laying out the smackdown on these malware authors, since they have the resources to do it, and I just have a few spare hours a week to throw at them.

    On a related topic, to all Slashdot readers:
    If you run into any new virus variants, have information you'd like to share, or if you're a Win32 programming guru (C++) interested in helping out, feel free to shoot me a note through the contact form on my site.

    -Jay

  3. Re:Incredibly easy to detect and remove... on Worm With Rootkit Package Loose On AIM · · Score: 1

    No problem, glad to help :) You're more than welcome. By the way, if you run into a new variant that AIMFix misses, contact me through my contact form and send me a HijackThis log from the infected machine and I'll be happy to try and get some updates out for you. -Jay

  4. Re:Incredibly easy to detect and remove... on Worm With Rootkit Package Loose On AIM · · Score: 1

    This story has had me rather bemused for some time now...I've had lockx.exe in the AIMFix removal definitions for quite a while. I haven't looked in my cvs log for AIMFix to check, but I'd guesstimate somewhere around a month. Maybe I need to start doing press releases :)

    I wrote a journal post recently about some of the experiences I had with other AIM-based rootkit infections, as well. The nastiest one I've seen so far has been pokapoka/elitebar, which is an enormous pain in the rear to remove (also closely related to lockx). As far as I know, the only way (without using a boot disk) to remove this crap is to boot into Safe Mode, run AIMFix - or manually remove any known virus/worm files - and then delete the entire C:\Windows\etb directory, which is where PokaPoka and Elitebar sticks its infector files. I maintain a Safe Mode instructions page for helping end users get into Safe Mode as well, which is often helpful.

    I've been working to remove AIM viruses since 2003, and my software, AIMFix, is used by Universities and individuals all over the country. See the users page if you're interested in who uses AIMFix (that I know of, at least). I've seen this stuff progress from simple exe files that run at startup to rootkits that are almost impossible to remove for most normal users. I switched to Linux for all my computer needs in 2004, but I've continued to maintain AIMFix. It's now cross-compiled with mingw for Win32 platforms on my Linux box, and I use VMWare for testing and analysis. I keep doing it simply because it helps so many people. I'd rather not have to take my free time and spend it hunting down virus variants, and answering email, but it's worth it to help people out here and there.

    -Jay

  5. WHAT lap? on Get Ready For The 20-inch Laptop · · Score: 1

    I think at that point, it's just considered a desktop, but the difference is that you've turned your lap into a desk.

    Could be good for the economy, might up fast-food and candy sales as people try desperately to match their lap to their "laptop"

  6. Re:Trolltech.. on Original BeOS Developer Now at Trolltech · · Score: 1

    According to the book C++ GUI Programming With Qt, I believe that the founder of the company had a dream in which he owned a company called Trolltech. He told his wife about the name, and she hated it, so they went with it.

  7. Re:Cry me a river.... on Symantec Brings Complaint Against MS to EU · · Score: 2, Interesting

    That's not all...Norton antivirus, at least 2004 and up, has required

    a) running in Normal mode (safe mode scanning no longer an option - are you KIDDING ME?)
    b) MSIE security settings to allow execution of ActiveX controls etc on the local disk. That means that when a virus sets all of your IE security settings to "High" and won't let you reset them, you also can't run Norton Antivirus. Brilliant.

    Maybe I'm wrong and there's some kind of other mode you can run NAV in that doesn't depend on the mshtml engine, but if there is, I haven't heard about it.

  8. Re:One thing I'd like to see on Mandriva Linux 2006 Released · · Score: 1

    Since 9.2 onward, Mandrake's 'urpmi' tool has been excellent. It's the only other distro that I think compares with apt-get on Debian (I haven't any experience with portage, only ports on BSD).

    The problem with RPM isn't the format, it's simply that the RPM managers that have come previously weren't very good. apt4rpm and Yum are ok, but the repositories for Fedora Core and RH/CentOS etc seem woefully incomplete compared to what you can find for Debian and Mandrake. The end result is that you end up with a disillusioned feeling about RPM and package management with it in general.

    If you set up good Mandrake repositories for PLF, JPackage, main, contrib, and updates, you can find most stuff, and urpmi is a very decent package manager. I've since switched from Mandrake to Kubuntu since the Kubuntu repositories just plain have more packages, but Mandrake/Mandriva is nonetheless excellent and it's still high on my list of good distros. I recommend that you give it another try if you're actually interested in Mandriva, and check out the current urpmi situation - it's a hell of a lot improved over the 8.2 days :)

    Also, there's EasyUrpmi out there for setting up your package repos all in one shot with no annoying fiddling and googling for repos.

  9. Re:improved wifi support? on Mandriva Linux 2006 Released · · Score: 1

    I had the exact same model and revision number card. I ended up buying a card that's supported without any hassle, but I did at one point get the DWL-520 working. I don't remember the specifics on it, but the card will most likely never work out of the box on any distro, because it requires some firmware from the Windows software. You have to get the firmware from the Windows installer, load the firmware, load the driver, and then it works. It's highly unlikely that that particular revision/chipset of the DWL-520 will work out of the box on any Linux distribution.

    I suggest you go to ebay, spend 20 bucks, and pick up a cheap wireless card that works without any hassle. For example, the Netgear MA311 works just fine. The only configuration I've ever had to do with the Netgear since I got one was the WEP key. Every distro I've tried, including Live CDs, works out of the box.

    Linux has pretty decent hardware support overall, but part of using Linux is recognizing that if the hardware vendor is totally unsupportive, you are better off choosing something from a different vendor that you *know* will work under Linux. Either that, or get used to being frustrated and spending a lot of your time hacking things to get them to work.

  10. Re:*sigh* on Novell OpenSUSE Server Hacked · · Score: 1

    If not for people hacking and cracking things we would not have things such as online shopping and ssh encryption etc.

    and we wouldn't need them, either.

  11. No amount of money on Pay vs. Happiness · · Score: 1

    My fiancee and I agreed some time ago that we would never let ourselves be unhappy for money. We agreed that it would be better for the both of us to live in a shack someplace together and be happy than live in a mansion and flush our lives away working a job we hate just for a paycheck.

    I actually hate money, because it's so damn easy to let yourself get stressed out by it. I make ok money in my current job, it pays my bills, I can afford to go out with my fiancee and buy my friends dinner - and I'm determined to let that be enough for right now. I have ambitions and big dreams like most other people, but at the same time, I'm willing to take a step back and say that working towards a dream doesn't make the here and now worthless or meaningless.

    What's even more important than my salary is that I like my job. When I wake up in the morning, I'm not upset, angry, or disappointed that I have to go to work today. I have a decent office environment, good co-workers, and a flexible job that lets me be comfortable. I always remember something my Dad has told me many times "It's not supposed to be fun. That's why they call it work". Every time I hear that, I think the same thing; "why not?". Why can't I have a good time at work, enjoy what I do, relish the opportunities I get to learn, and be content with the general situation I find myself in? I say the key to happiness at work is just enjoying what you do. There's an old nugget of wisdom out there that says "Do what you love, and the money will follow". If you can wake up in the morning for work without feeling dread in the pit of your stomach, that's a major first step toward not burning out at work.

  12. Re:Naming Worms - Virii's pride on Name That Worm · · Score: 2, Insightful

    I have to agree with you whole-heartedly here. I make a virus removal tool in my spare time that deals with IM-specific viruses. There was one virus that I was able to track back to the author (which is a whole nother story), and he got a little upset when I pointed out his name and contact info on my website for infected users to contact him. Shortly thereafter, "someone" attempted to access both my gmail account and free DNS accounts and reset the passwords, among other threats and such that I received.

    This virus evidently shared code with some other virii that had come before it, to the point of the same name in a registry key/file. As such, it was fairly clear that someone had "borrowed" some code. So, I decided to change the name of the virus to "The Copy Paste" virus, with the intended results of making the author even more upset. It is most definitely very much a pride issue with virus authors, and I think you're correct in your assertion that keeping the name boring helps prevent the "cool" factor from being quite so high.

  13. Re:seems like a lot of work on Mini-ITX Computing For Everyone · · Score: 1

    Sounds like a decent home server. I've been wanting something similar so I can turn off my 650 watt power supply machine that's doing that duty now :-)

    Do you have a list someplace of the components in your box/how you put it together? I'd be interested in taking a look. Maybe it'd be worth my time and money to put a nice home server together that'd be quieter and less power hungry.

  14. Re:Quick to the point on Firefox 1.0.7 Released · · Score: 2, Informative

    The "Extremely Critical" problem listed on Secunia is actually only a problem for a small percentage of users. (not to discount it, just pointing out that it's not for all users). In case anyone is interested, the problem is simply that the Firefox launching script that shipped with previous versions doesn't verify input. This means that it processes

    http://local`rm -rf $HOME1`host

    through the shell, which of course is bad. However, the key points here are
    a) It only affects the Linux/Unix platform
    b) It only affects the user Firefox runs as
    c) It only works if you are calling Firefox from an external application (i.e. clicking a link in a webpage won't do it), and that application has to do no checking of the arguments.

    For example, if I try to load the link above in KDE, the url is processed by KDE before it is passed on to the Firefox launch script, and gives me an error that the host does not exist rather than actually executing the command.

    In regards to the rest of your comment, it's silly to think that any development process is free of bugs. The idea behind Open Source is simply that more people looking at the code means more people finding bugs. This may or may not be true. The point is, Open Source advocates don't claim OSS is free of bugs or security holes, just that it's a better model to find and patch bugs because you have an army of people looking at the code. In theory, you'd expect even MORE bugs to be found in OSS, but also for them to be patched faster.

    Vulnerabilities will still be found, and they will still exist - people make mistakes. You make assumptions and mistakes when you code, like assuming someone isn't going to pass in a link with `rm -rf $HOME` embedded in backticks. That will always happen, no matter what the software is, or who writes it, but what matters is how you can respond to it. I don't believe that either Microsoft or Mozilla is doing all that great in that sense. Mozilla may take a giant leap forward once binary patching is available for updates - we'll see. I'm not defending the Mozilla foundation or bashing Microsoft here, but I do take umbrage to the insinuation that finding bugs means Open Source is a bad development model.
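The bug class described in the Firefox 1.0.7 comment above, shown as an added illustration that is not part of the comment and is not the Firefox launch script. The function names (`fake_browser`, `launch_unsafe`, `launch_safe`, `is_plain_url`) and the sample URL are constructed for this example, and the embedded command is a harmless `echo`.

```shell
#!/bin/sh
# Constructed illustration of a launcher that lets the shell re-parse a URL.
# This is NOT the Firefox launch script; all names here are hypothetical.
LC_ALL=C; export LC_ALL

# Stand-in for the real browser binary: echoes back the URL it was handed.
fake_browser() { printf '%s' "$1"; }

# Unsafe pattern: the URL is spliced into a command string that the shell
# parses a second time, so backticks inside it become command substitution.
launch_unsafe() {
    eval "fake_browser \"$1\""
}

# Hardened pattern: the URL stays one quoted word and is never re-parsed,
# so the backticks reach the browser as literal characters.
launch_safe() {
    fake_browser "$1"
}

# Defence in depth for the calling application: accept only characters from
# a conservative allowlist, which excludes backticks, '$', ';' and spaces.
URL_SAFE='A-Za-z0-9:/?#@&=+,.%_~-'
is_plain_url() {
    case "$1" in
        ''|*[!$URL_SAFE]*) return 1 ;;
    esac
    return 0
}

# Constructed sample input with a harmless payload.
sample='http://local`echo INJECTED`host'
printf 'unsafe launcher passes: %s\n' "$(launch_unsafe "$sample")"
printf 'safe launcher passes:   %s\n' "$(launch_safe "$sample")"
if is_plain_url "$sample"; then
    echo 'allowlist: accepted'
else
    echo 'allowlist: rejected'
fi
```

The unsafe launcher hands the browser a URL in which the embedded command has already run, while the hardened one passes the original string through untouched.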

  15. Re:Firefox is harder to manage than IE on Is The Firefox Honeymoon Over? · · Score: 4, Informative

    You know, at least one person posts on every slashdot article about Firefox that they won't use Firefox because it doesn't come in an MSI package.

    Well, as has been pointed out numerous times over the months, the first hit on Google for "Firefox MSI package" is:
    http://msi-repository.sourceforge.net/

    Where you can get thunderbird and firefox MSI packages of the current stable release.

  16. Re:G? on New Legal Threat To GMail · · Score: 2, Informative

    If Google loses, they'll just rename GMail to GoogleMail.

    They already did, at least in Germany, where it is now called "googleMail" and not "Gmail"

    http://www.webmasterworld.com/forum100/241.htm/

  17. Number one CRM company? on Oracle To Buy Siebel · · Score: 3, Insightful

    Oracle is now the number one CRM company? What about SAP? They're so big and so dominant in their market that their product gave CRM systems the name "CRM" in the first place.

    Just a thought...

  18. Re:or perhaps on Windows XP In Your Pocket · · Score: 1

    captive-ntfs isn't as safe and stable as doing it through a PE disk. It runs fine for some people some of the time, but when I tried it, it corrupted the ntfs file system all over the place and it took like three or four hours worth of running chkdsk on it until Windows was able to boot back up normally.

    I'm not saying it's going to do that every time, but it's not worth the risk, or the complications involved in running Ad-Aware and Spybot under Wine, etc etc. On top of that, ClamAV isn't going to detect the same things as AntiVir, AVG, Norton, or McAfee, and so on.

    There are many things Linux is awesome at, which is why I run it on every computer I own, but I really don't think this is one of them (yet).

  19. Re:or perhaps on Windows XP In Your Pocket · · Score: 1

    oh, I see. How do you clean spyware and viruses with knoppix on an infected windows machine that's formatted with ntfs?

    hmmm...maybe that's why you might still have a use for a bootable CD that will run windows tools and get full read/write ntfs support.

    I'm a linux fan as much as the next guy, and I'd rather never have Windows on any computer I own or care for than have to build one of these CDs to fix them, but at the same time, I can see there's things it can do that you just can't do with a Linux live CD right now.

  20. Re:Oh, *phew*! on Accused Zotob Worm Author Says Money Was Motive · · Score: 1

    You know, the funny thing is, I see this ALL THE TIME. I work on a virus removal tool in my spare time, and the motive for every single one of these worms is twofold.

    1) Just as in this case, they are using spyware referrals to make cash off of every install. My first experience with this was realphx.com's IM worm in 2003, and they've pretty much all done it.

    2) Oooooh look at me, I'm a script kiddie! All bow before my awesome coding prowess! Instead of using my meager, supposed skill to build software for a non-profit, or work on open source software that benefits others, I was a jerk and copied and pasted a virus together out of borrowed code!

    It's sad, but that's the way it is. At first when I started, I thought it was a one-off type of thing, I'd make a removal tool for a worm and get out of the whole mess. Instead, because there's still money and allure in it for the script kiddies, it's only gotten worse and more prolific.

    I've actually tracked a couple of these idiots down to the point of getting names, addresses, and phone numbers of the author(s). Usually it's some teenage kid with an inferiority complex. Makes me wish it was still like the days my parents grew up in, where you could call the kid's parents and tell them the situation and be assured it would be addressed appropriately.

    I'm not that old myself (21), but there was never a time in my life that I would have considered using any ability I had to harm other people. It always amazes me how differently people's minds can work. I think to myself "well, I may not be a genius, but I can cobble together some half-assed software, maybe I can make a useful tool for some people". Someone else thinks "well, I'm a 1337 hax0r, I could make a virus and make money off it!"

  21. Re:a name for everything on The Boot Loader Showdown · · Score: 1

    Ok, and then you go looking for some help/support on your Linux install.

    User: "My boot loader isn't loading the OS properly"
    Support: "Ok, and what boot loader are you using?"
    User: "The boot loader"
    Support: "..."

    Get the idea? They have names for a reason. Even the Windows boot loader has a name, NTLDR. In fact, it even has a config file, only instead of /etc/lilo.conf or /boot/grub/menu.lst, it's C:\boot.ini

    My mother and my fiancee both use Linux. They've used Mandrake, Slackware, and Kubuntu Linux so far, and both lilo and Grub. Guess what? Neither of them has ever heard the name "Lilo" or "Grub" or probably even the term "boot loader". To them, it's indistinguishable from any other part of the OS and the boot process. In short, the truth is it really doesn't matter that they have names, whether you're a hacker, a windows refugee or the proverbial grandma computer user.

    You learn as much about your computer as you care to, and no more. If you dig around enough to find out that there's even such a thing as "Grub", then more power to you, and it will make it easier to look up information about "Grub" than "that boot loader thingy".

  22. Re:Sandbox on The End of Signature-Based Antivirus Software? · · Score: 1

    http://sandbox.norman.no/

    Sort of like that?

  23. Re:My reason for going less on Piracy Not To Blame In Decline of Moviegoers · · Score: 1

    Interestingly, the teenagers they pay to staff the theater are still getting paid the same rates as they were before movies cost 10 dollars a ticket. They may be charging as much as your maid service, but they're sure as hell not paying their staff to be your maid*...

    *or, apparently, enough for decent customer service if my recent theater visits are any indication

  24. Re:Guise? on Lockheed Martin Hardware to Protect NYC Transit · · Score: 1

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

    I guess it all depends on how you (or more accurately, the Supreme Court) defines "unreasonable", now doesn't it. The reason searches of bags in airports and other public places is not considered unconstitutional is that they are not considered "unreasonable" by the courts. You are of course, free to try and argue this with the Supreme Court. I'm not saying one way or the other if searching people's bags is a good thing or not, just pointing out that semantics can be very important in law, and in this case, crucial to the legality of a search.

  25. Re:Weird majors on More Students Prefer Interdisciplinary to CS · · Score: 1

    Dunno about the rest of the world, but I have a Corporate Communications degree and I work for a software company. Previous co-workers of mine varied pretty widely. A couple had no degree at all, one had a degree in Art, and so on. I think that (depending on where you work) technology can still be a meritocracy in some ways.

    People who can code well and have good experience doing the right projects and working with the right tools seem to find decent jobs. If you're a wizard at Linux kernel programming in C or embedded development, for example, and you can prove it, there are plenty of places out there offering jobs at 75-100k and more.