Slashdot Mirror


User: 99BottlesOfBeerInMyF

99BottlesOfBeerInMyF's activity in the archive.

Stories
0
Comments
10,115

Comments · 10,115

  1. Re:All models are wrong, but .... on Why the Cloud Cannot Obscure the Scientific Method · · Score: 4, Insightful

    All models are wrong, but some are useful.

    All models are wrong, to some degree. A better way to put it is all models are imprecise, but some are precise enough to be useful. 'Wrong' is a very flexible word and can easily lead to a misunderstanding in this context.

  2. Re:Correlation is not causation on Why the Cloud Cannot Obscure the Scientific Method · · Score: 2, Insightful

    In science, the phrase usually used is "correlation does not imply a specific causation." It does, of course, imply some correlation and most of modern science is noticing correlations and testing for causation.

  3. Re:An unpopular opinion.... on Two Trojans For Mac OS X · · Score: 1

    There are, actually, regular privilege escalations for Vista reported, both discovered and in use in the wild. When I worked at a security firm last year, I saw about one a week in our weekly security bulletin. Here's one from the other day.

  4. Re:No, non-password variants won't appear on Two Trojans For Mac OS X · · Score: 1

    ...we can expect that future trojans won't just politely request your password. Um....except that they won't have any choice. If they want to modify the filesystem, OS X won't let them unless they've obtained authority and that requires them doing so via the authentication system that asks for the user's password.

    I think you're missing the point. The proof of concept escalated privilege without the password using a hole. The second trojan is in the wild and asks for a password. If the author of the second takes the code from the first, then we'd end up with just that. Maybe that will happen and maybe it won't, but it can happen.

  5. Re:"Politely request your password"... Meh on Two Trojans For Mac OS X · · Score: 1

    Of the three broad types of malware, the only one that does not require the user to manually run it is a worm.

    I believe you are slightly incorrect. A worm is malware that propagates without direct action of the user. Malware that executes without user interaction (but does not propagate automatically) is still a virus. A good example would be the viruses that used to find their way onto CDs and which would autorun on Windows and infect the machine without user interaction to run (just to propagate).

  6. Re:Yawn on Two Trojans For Mac OS X · · Score: 1

    We go through this about twice a year with the same results every time. "Someone" releases a trojan, presumably as proof that Mac OS X has security holes.

    Except in this case, that's not the only thing that has happened. Supposedly, Intego has found a trojan in the wild, which is very rare. It's not a very good trojan and we don't know how widespread or if Intego's claims about the quality are verifiable. This may be scare mongering, but at least it has a little more meat to it than a purely academic proof of concept does.

  7. Re:Summary For The Lazy on How to Save Mac OS X From Malware · · Score: 3, Insightful

    The only way to fix this is with mandatory access control, but how will a normal untrained user set these up properly? How will we prevent them from screwing up the secure default settings?

    The normal user should probably not have to set them up at all. Rather, ACLs should be certified by security companies who review the software looking for problems and malware and then feed that data to the OS. These could be free and community driven like ClamAV is now, payware, like Norton and the like, or supplied by the OS vendor. Ideally, the user should be able to subscribe to them and weight them as they like.

    I don't see any reason why MAC can't be transparent to the user, except in weird edge cases. Users should only have to do anything when software is not pre-installed, not identifiable from one of the services I describe, and wants to exceed a strict sandbox that untrusted software defaults to. For normal users, that should pretty much mean they never have to interact with setting up an ACL and only be prompted if they are dealing with malware. They can learn if they see such a prompt, something fishy is going on and they should not run it (the default) and maybe look into the source of the software more closely. For advanced users that want to run custom software or company specific software, well they are advanced and can deal with it.

  8. Re:Summary For The Lazy on How to Save Mac OS X From Malware · · Score: 3, Informative

    Sure... But only if you can first give me unambiguous definitions of "executable" and "data".

    For the most part, that distinction is clear. Although a few programs blur the lines, we should probably be asking if that is a useful thing to do or just a security mess from lousy design.

    Into which category does a Word document fall? How about an HTML file?

    With properly coded applications, both should be data if stored locally anyway. When accessed via a browser, we should establish a convention. I see no reason for Word or HTML files to do anything outside of the sandbox of the program opening them.

    An arbitrary file without a filename extension?

    That's easy, data... until you change the file to be executable and assign it a proper extension.

    Simplistic "solutions" like this have gotten us where we are now. A warning is popped up whenever the user tries to do anything useful with the computer. "Oooh, that file might be dangerous, do you really want to open it?"

    That's not a simplistic solution, nor even a solution in most cases. It is just a way for the manufacturer to transfer blame for security failures. Most don't even seem to be intended to increase overall security. That doesn't mean you can't make good security changes or simplify things in ways that make things easier for users. Seriously, what we have now is not working.

    And that doesn't even begin to address the bigger issue, which is that users are easily tricked into running programs that they shouldn't.

    This is, in my opinion, a misstatement of the problem. The problem is not that users run programs that they shouldn't. It is that users want to run programs they don't trust, but without significant risk. They can do it today using VMs, but surely OS manufacturers should be able to come up with a more convenient method of letting people run potentially dangerous software in a safe way. The main problem now is users have to take a gamble. I want to play this game, if it is a game, so I'll guess it isn't malware and give it a try. The OS should be telling them it is malware or if it is unknown, should be telling them what it is trying to do, before it does it. You'd think this incredibly common use case would be a priority by now, but for the most part only Windows has a big trojan problem and they also have a monopoly so why should they care?

  9. Re:BSD chroot jails for Safari? on How to Save Mac OS X From Malware · · Score: 1

    less drastic measures like SElinux or apparmour (or bsd equivelents) would probably be more user friendly.

    Apple's sandboxing framework is a MAC one, mostly a port of the one in TrustedBSD as I understand. They already use it to provide an extra layer of security around certain services. The hard part is applying it to third party applications in a user friendly way that does not undermine the security advantages or take control away from end users.

  10. Re:Summary For The Lazy on How to Save Mac OS X From Malware · · Score: 5, Insightful

    Whoa there, tiger. You seem to be missing the point of my post: that most users don't know what an "executable" or "data file" is in the first place, and will likely not use the computer often enough to learn by exposure.

    How would they know if the user interface makes no distinction? You have to fix the UI first, to reduce the level of education needed to something reasonable. Seriously, most users want to run programs they don't completely trust and their inability to do so is one of the primary causes of insecurity. Current OS's make this incredibly common task very, very onerous. Really the easiest way to do that these days is to buy a VM, install it, configure it appropriately for the program you want to run, create a new image, install an OS, install the program within the OS, and finally run it. That takes money and significant skill and time and is simply too onerous for the normal user.

    But any interface nonetheless requires some degree of learning--"intuition" in interfaces is only, in fact, "familiarity."

    You can call it whatever you want, but different interfaces and the functionality they connect to make a huge difference in how much education, skill, time, and money it takes to compute securely. Until OS's catch up, people constantly calling for education and blaming users are part of the problem, more than the solution, IMHO.

  11. Re:Summary For The Lazy on How to Save Mac OS X From Malware · · Score: 3, Interesting

    It's not the interface's problem, it's the fact that 98% of computer users do not want to and will not learn anything about their computer.

    Bullshit. How hard is it to create an interface that can easily and consistently show executables and data differently? Seriously, add a red ring around all executables, or something more subtle, just something that isn't duplicated by the icons for data. That would solve a myriad of security problems and I don't think it would be too onerous for users to learn. But instead we expect them to interpret hundreds of three letter codes indicating file types, codes which are sometimes visible and sometimes hidden and sometimes appear to be visible, but are really lies covering the hidden code. Yeah, blame the user for not memorizing hundreds of file extensions and learning the controls necessary for making sure they are always visible.

  12. Re:Address space layout randomization on How to Save Mac OS X From Malware · · Score: 1

    The technology is there, it's just not set up throughout the system. Is having a security tool and not using it system-wide any different from not having it at all?

    Yes. You can use it for high-risk applications.

  13. Interesting on Tru64 Unix Advanced File System (AdvFS) Now GPL · · Score: 3, Insightful

    Everyone has been looking at ZFS to provide a whole lot of this same feature set, but the CDDL license has been a significant stumbling block. Releasing AdvFS as GPL could actually put it in the running for real world adoption and use on a large scale. I think Sun already considered this a battle won and may now have to rethink their strategy. If they released Sun as GPL in the next month, I'd be willing to bet AdvFS would probably be largely ignored and become a historical footnote. If Sun waits and lets it gain traction (as they tend to do) it could be they will find themselves with another cool technology they sat on too long and which has been replaced by the OSS community.

  14. Re:That is why we call it a 'settlement' on DOJ To Oversee Windows 7 Development · · Score: 2, Informative

    Again, it is not illegal to be a monopoly; it is illegal to use the leverage of being a monopoly to stay a monopoly.

    Actually, most of the actions they were convicted of were leveraging a monopoly to gain unfair advantage in other markets (office suites, Web browsers, server OS's, e-mail clients, media players, etc.).

    This might actually be a good thing for Microsoft, as the company will know where they stand when building a product and shipping a product. If two years after Win7 ships a company cries foul play, Microsoft can point back to this committee.

    Unless the next administration has any more teeth than the current, this will not make much difference. All the big players have given up on the US courts as hopelessly ineffective. They just go straight to the EU these days.

  15. Re:Microsoft chose regulation. on DOJ To Oversee Windows 7 Development · · Score: 1

    I fail to see how any of the companies spawned from an MS break up would be competing though. You would end up with an OS provider, office tools provider, developer tools provider and an entertainment company.

    Why? There is no reason the copyrights and patents that go into Windows can't be given to two different companies, both of which could create competing OS's from the Windows code base. That would, in fact, probably be the ideal solution, with both companies forbidden from any non-public communications or exclusive deals.

  16. Re:Mad? Really? on MySpace's Melting Makes Murdoch Mad · · Score: 4, Insightful

    I don't revel in being a defender of big media, but those who pan Fox News never seem to understand what they're criticizing.

    What does this have to do with it? They went to court and Newscorp lawyers argued that their program "which they call news" had the right to broadcast information they knew was false and the right to fire journalists with enough integrity to refuse. Whatever else that makes them, it is completely untrustworthy as a source for facts.

    If and when that discourse lacks value, the host is to blame.

    Who picks the hosts? Who fires the people who refuse to tell lies? Sorry, you can't shift the blame away from a corporation that is not trying to inform, but persuade. They just aren't news.

  17. Re:apropos on Non-Compete Pacts Called Bad For Tech Innovation · · Score: 1

    This is simply NOT true. This comment is why discussions like these are frustrating on Slashdot. The economics are simply not true. First, your friend's compensation priced in this non-compete. If your friend didn't like it, he should have asked for more.

    The reality of your argument is, because of consolidated hiring, where employers have more power, there are two answers. The first is regulation that prevents companies from requiring employees to sign away their rights. The second is workers' unions, to have consolidated labor equal to consolidated hiring. In my mind, the latter has shown how dangerous such consolidation of power is, while the former is inefficient and prone to abuse by the government and anyone who can buy it.

  18. Re:Hulu? on TV and Movies On YouTube? · · Score: 1

    Hulu? Please not. I once watched an episode on it, but every 5 minutes a commercial appeared. I mean, one is ok, or maybe one every 30 minutes if it's a movie, but I certainly won't ever watch something on Hulu again unless they limit the ads shown.

    Weird. I've watched several full seasons of shows on Hulu. There seem to be different numbers of ads for different shows (selection by the copyright holder?) but the largest number I've seen is one commercial for each spot there would have been one when it played on TV, plus one additional one within the first minute or so. Mind you, this is still quite a bit less than when the show originally played, where there are something like four commercials for each spot.

    Maybe our different experiences are because of the types of shows we chose. I suppose someone could do a spot check and see, statistically, what the relative number is.

  19. Re:A broader lesson on SSL Encryption Coming To The Pirate Bay · · Score: 3, Informative

    This is exactly the problem, though--people are accustomed to using envelopes, whereas getting people to use e-mail encryption requires some serious additional effort, which most people aren't willing to put in.

    The real problem is that people have to put in additional effort, because their e-mail program doesn't handle it seamlessly. Their e-mail doesn't handle it seamlessly because it isn't easy to do, because there is no one dominant standard, but there is one dominant e-mail client (Outlook) which is controlled by a monopolist who has no incentive to make things better for their customers (because they have a monopoly). This is one of the many hundreds of ways the computing industry is constantly being held back by MS's monopolies.

  20. Re:Maybe I'm being selfish on Sandvine CEO Says Internet Monitoring a Necessity · · Score: 1

    If people are using these sorts of applications when the network is heavily loaded it seems to me quite reasonable that traffic based on interactive applications (VOIP, video, HTTP) should receive priority.

    I disagree. I think each user should be given an equal share of the bandwidth, and be able to decide on their own how best to distribute that share among their desired applications.

    There is more to traffic shaping than bandwidth, for example latency. There are good, existing tools for prioritizing traffic and they work. Personally, while I see false advertising as an issue, I have no problem with network operators selling access to a service where bandwidth at a given point is not guaranteed, but traffic is well prioritized, especially since such a service can be a lot cheaper. As for network neutrality, that is a concept to prevent monopoly abuse and for that it needs to prevent traffic from being prioritized based upon sender and receiver. It does not need to guarantee prioritization based upon traffic type, just so long as everyone using a given protocol is given the same priority.

  21. Re:Is the headline a bit sensational? on Safari "Carpet Bomb" Attack Still a Risk · · Score: 1

    It implies that Safari still has major problems, while the summary clearly states that this issue (that was discovered in Safari), is now found to affect FireFox 2/3.

    The way I read it is that the Safari bug has been fixed to his satisfaction, but that users who haven't patched it and who use Firefox are at an even greater risk due to a new interaction he discovered that means if the attack works and you have Firefox, it can also steal arbitrary files from your computer. Further, it implies that if an attacker has another way to get random files onto your desktop or wherever, he can probably use Firefox to steal files.

    I think a more accurate headline would have stated that FireFox was found to be not immune to a security problem found in IE and Safari.

    I disagree. I think this is a separate flaw in Firefox, but one that is not very useful/dangerous unless you already have a hole like the one in Safari which you can use to exploit it efficiently.

  22. Re:Maybe I'm missing something? on Safari "Carpet Bomb" Attack Still a Risk · · Score: 3, Informative

    It wouldn't be the first time I got the wrong end of the stick, but Rios blog seems to suggest that he has discovered a way to use the original "Carpet Bomb" issue with Firefox to steal user data.

    Yup, so if you can get a file onto the desktop, you can steal data from people with Firefox installed... in some unspecified way. At least that is how I read it.

    So what are Apple supposed to be patching or responding to?

    I don't see that Apple is supposed to be responding to anything at this point. I don't think his blog implied that they were.

  23. Re:I'm not at all surprised on Hotmail Full Version Incompatible With Firefox 3 · · Score: 1

    ...I'm also pretty sure Microsoft wasn't too worried about launching Hotmail without Firefox support.

    That pretty much says it all about how much MS fears the law. What's one more potentially criminal antitrust abuse? The courts are so slow and punishments so weak, why would they even bother worrying about breaking the law?

  24. Re:Honestly, I'm SHOCKED! on Sandvine CEO Says Internet Monitoring a Necessity · · Score: 5, Interesting

    I am shocked because Sandvine is a frequent supporter of Open Source Operating Systems and has contributed to BSD Conferences. I would have thought that they would support the openness of the internet too. Apparently, their monetary sponsorship of open source conferences is just a PR Stunt.

    Sandvine is one of many telecomm gear companies that strongly support OSS. I used to work at a similar company with at least one ex-Sandvine co-worker. Basically, they build "devices" which they sell to ISPs and other big network operators. They build those devices with custom or off the shelf hardware combined with an OSS operating system, toolchain, and applications, plus a few closed source applications that contain their core competency and money proposition. This is often referred to as the "secret sauce" code.

    These companies do support OSS and build their entire business model around it (in combination with some closed source). They aren't OSS zealots, but most of the employees are strong supporters of OSS and the companies are very good about contributing code back. A lot of the code in Linux and the BSDs is contributed by these companies. They support OSS conferences and the like, because they want to promote OSS, because it is a good way to recruit new talent, and because the improvements that come out of those conferences are often beneficial to their bottom line. A lot of people think OSS is created by hobbyists, but really Sandvine is a good example of who really makes up the OSS community and contributes code. It is mostly businesses who use it to make money in conjunction with hardware, services, or additional closed source software.

  25. Re:Great. on Studies Confirm That Bad Boys Get More Girls · · Score: 1

    Well, now that science has figured it out, maybe we can find some kind of cure for stupid chicks that go after guys who are going to treat them like shit.

    There is a cure. It is called education. Give women (and men) the mental tools they need, like critical thinking, logic, and a basic understanding of practical psychology. Everyone has self esteem issues to some degree. Being sought after or approved of by people who are highly critical of others provides a strong emotional reward. Our whole society teaches women that physical beauty and popularity are the most important traits. People who only care about popularity and physical beauty provide the strongest reward. He doesn't care and only dates pretty girls, so if he's dating you it proves you're pretty, which in turn is the most important thing to feel (according to most social cues in our society). By understanding this process, people are able to control it and improve their life. When a woman recognizes how her feelings are affecting her, she can use her reason to override that emotion and make a better decision which in turn results in more long term happiness.

    Telling people their choice is stupid or that they should value people being nice, considerate, and empathic does not really do any good. People know intellectually that may be true, but it does nothing to change the way they feel. Until someone understands why they feel the way they do, they can't really recognize what is happening and do "better".