Slashdot Mirror


User: 99BottlesOfBeerInMyF

99BottlesOfBeerInMyF's activity in the archive.

Stories
0
Comments
10,115
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,115

  1. Re:Whip out the violins! on Bomb Explodes At PayPal Headquarters · · Score: 1

    I think you are really splitting hairs in the differences between Morality and Ethics. For all intents and purposes they're the same thing.

    No, they're not. It is too bad the wikipedia articles do such a poor job of reflecting that. Ethics are objective. Morality is subjective.

    When you assign responsibility you clearly have a goal in mind.

    No, I don't. Ethics is a tool for determining responsibility according to objective rules. Morality is determining the "good" or "evil" of an act. I don't even believe in good and evil as they are commonly defined.

    The goal is obviously not to increase EVIL behaviour but to increase GOOD behaviour.

    You're assigning motivations to me under the assumption that I have the same subjective opinions about morality you do. That is incorrect.

    So therefore in this context and in wider contexts morals = ethics.

    You need to think in terms of people with radically different beliefs than you do. The ethics of that persons actions as they see them are the same as yours (for the same ethical code). The morality of their actions, may be completely different from their perspective than yours.

    There's no way you can convince me that an unethical person could be good or a ethical person could be bad.

    Extremes provide clarity or principals. To go back to a previous example. It is unethical to kill an innocent child. If the innocent child does not die, thousands of other people will perish. From the opinion of some people, it is moral to kill the child, despite being unethical. Maybe that is not how you think of it, but a lot of people have different moral beliefs than you. Regardless of that, ethics clearly places the responsibility for the act on the killer.

    Now back to the discussion, I still do not see the point of denying yourself business because someone else hobbles themsleves with a naieve[sic] sense of honor that most would regard as "quaint and provincencial[sic]"

    That is your moral belief. It is separate from the fact that ethically, you are still responsible for the results of your decision.

  2. Re:Antitrust on IE7 Released As High-Priority Update · · Score: 1

    Having actually read both judgements against microsoft (you can too at www.microsoft-antitrust.org), there's nothing in there that describes any of the activity you list above as mandatory.

    Umm, there is precious little at all in the judgments. I wonder why? But I was not referring to the court proceedings, simply what is mandated in the Sherman anti-trust act as applied to the situation.

    IE competes on the ground it was written to compete on: Microsoft's ground. FF competes on that ground, too. Noone is making them.

    I see, so you think whenever a monopoly illegally enters another market, everyone in that market should close up shop and find a new market. Interesting. Idiotic, but interesting.

    They can certainly write their own "ground."

    Did you ever take an economics course? That road leads to a handful of giant companies and a ruinous economy. We tried it. It didn't work. That is why it is illegal, pretty much everywhere.

    A more accurate portrayal of the problem is oligopoly the mainstream PC manufacturers create by force-installing windows on each and every PC they sell without giving users an option to take anything else.

    You think they want only one option? Monopolies have the power to force their customers to take actions, unless prevented by the law. The law has not acted, and the OEMs you speak of are Microsoft's OS customers.

  3. Re:Antitrust on IE7 Released As High-Priority Update · · Score: 1

    FYI, monopolies are not illegal.

    No, leveraging monopolies in one market to gain in another market is illegal. Bundling is the most common example of this. You'll note MS was already convicted of bundling IE and lost their appeals, so arguing it isn't illegal is a little absurd.

    It's quite clear however that you are anti-Microsoft, not anti-monopoly.

    Not at all. I'm not even anti-monopoly. I'm anti-monopoly-abuse.

    IE and Firefox are free.

    That is called marketing. In economics, nothing is free. Do the developers of both projects work for free or are they paid? For the most part, they are paid. The costs are just paid via a non-standard route. Every time you buy a computer wtih Windows you're paying for IE, whether you plan to use it or not.

    Quality and stagnate industry? We just got updates to both IE and Firefox. The competition is not stagnate and both feature improvements...so inferior quality?

    Updates do not equal quality or even normal levels of advancement. It took IE years to get tabs, even after they were common on all other browsers and widely acclaimed. IE still does not implement 8 year old standards. Web developers are forced to rely upon seriously outdated standards to make Web pages and usually have to spend enormous amounts of effort working around IE's flaws. That is the industry stagnating as you'd know if you were in it.

  4. Re:Antitrust on IE7 Released As High-Priority Update · · Score: 0, Flamebait

    Microsoft doesn't stop any other software from doing an automatic update.

    So? If I buy a computer does it come with Firefox pre-installed? Does the update for Firefox run automatically or do I need to know about it and download it first? When MS sells a Windows license and gives part of the money to the IE developers, do they also give a similar amount of money to the Firefox team?

    To be in compliance with the law MS must treat IE and Firefox exactly the same, as though they were both produced by other companies. If they bundle IE, they are legally obligated to bundle Firefox and any other browser someone asks them to. And, they're legally obligated to collect money to pay the developers of that product, just as they do IE. Anything else is called "leveraging a monopoly" and allows them to gain market share not because IE is better, or developed more cheaply, or more innovative, but because they have a monopoly on Windows.

    Let IE compete on even ground against the other players and the industry and consumers win, which is why we have capitalism. Allow them to leverage their monopoly and consumers suffer with higher prices, inferior quality, and a stagnating industry.

  5. Re:Antitrust on IE7 Released As High-Priority Update · · Score: 0, Flamebait

    So I think it is more a case of Microsoft never having prevented anyone from rolling out updates.

    Can the Firefox or Opera team release their products as high priority updates via Windows Update? No. Does this mean IE will gain market share not because their browser is better, but because they have a monopoly on Windows? Yes. For MS to be in compliance with the law they must in no way leverage their existing monopoly to gain an advantage over other players in a different market. It doesn't matter if they don't stop others from running their own automated updates, because users need to get those programs in the first place. Did MS include Firefox, iTunes, Photoshop, and Acrobat with every Windows install so those auto-updates reach everyone? Did they give part of the money they make selling Windows and give it to the developers of those programs like they did the IE team?

    They have bypassed the competitive marketplace. It is detrimental to the industry and to consumers and it is clearly illegal in the US, EU, most of Asia, and a good chunk of the rest of the world.

  6. crossed thread on IE7 Released As High-Priority Update · · Score: 1

    Most of your comments about my post directly contradict what I said. Are you sure you replied to the right post?

  7. Re:Antitrust on IE7 Released As High-Priority Update · · Score: 1

    What exactly do you think "leveraging a monopoly" is?

  8. Re:IE7 *should* be adopted. sooner the better. on IE7 Released As High-Priority Update · · Score: 0, Flamebait

    I *want* people to upgrade to IE7. I don't care if they're using IE7 or Firefox. I just want to be able to write sane CSS.

    IE7 will not run on a huge number of existing Windows machines. Thus, you still can't write sane CSS. IE7 still ignores half of the CSS spec, thus you can't write sane CSS. I have some pages auto-generated. I followed the spec. They worked in every browser except IE5 and 6, which barfed on the formatting. When IE7 was released I added it to my tests. It still barfs, and adds some new broken things. If the Firefox team and Opera and Apple and Konquerer, and everyone else I tried can manage to write to the spec... why can't MS with all their resources? Obviously, they don't want to, because they want to keep the Web broken and nonstandard to lock people in.

  9. Re:Ummmm on IE7 Released As High-Priority Update · · Score: 1

    Why would the majority of Windows users go out and manually download a web browser? Oh I don't know. Maybe the millions of people who went and downloaded Firefox did it to...be more secure?

    That's a small minority of users. Most users don't know Firefox exists, or that they can use something other than IE, or even what IE is. Most don't know that they could have fewer viruses, or even that they have viruses. In a classic capitalist system, this would not matter. Like evolution, capitalism lets money talk and the market moves towards the best solution since decisions are made by informed customers or by agents trying to win customers by choosing for them. In the browser market, Microsoft has bypassed the normal market forces and chooses for customers instead. As a result, the majority of people will use IE unless it becomes so bad that it is unusable.

  10. Antitrust on IE7 Released As High-Priority Update · · Score: 1

    I'm sure since MS says they're now complying with antitrust laws they'll also be allowing Firefox, Opera, and anyone else who wants to, to roll out their own browser as a high-priority update as well, right?

  11. Re:Whip out the violins! on Bomb Explodes At PayPal Headquarters · · Score: 1

    Its[sic] not a failing of western or American culture at all.

    It is an ethical failure of our culture.

    Our economies would be absolutely paralyzed if we had to stop to consider the sentiments of every useless over emotional/idealistic person in existence.

    Which is precisely why our economies evolved the way did, to gain the benefits of unethical behavior while making the ethics harder to see.

    While trying to do the "right" thing should always be a constant and never-ending goal at the end of the day if it is too uncomfortable to do or too inconvienent then its just not going to happen.

    Not the "right" thing. That would morality. We are speaking of ethics. I'm not prescribing behaviors, I'm assigning responsibility for actions.

    There's also the fact that you can be successful monetarily and bea good person but even if not I'm not going to willfully pass up the good life so that the seriously self-conflicted will think well of me.

    I never told you what you should do, nor claimed to judge you based upon what you do. I merely said you're responsible for what you do, including all the unethical behaviors that keep you fed, or overfed.

    Being a lifestyle masochist does not make one a good person. It just makes you kinky. Really really kinky.

    Good, bad, right, and wrong are moral opinions and wholly subjective. I am speaking about ethics, which is not. Do what you will. I'm simply making the statement that you are ethically responsible for what you do, including contributing to companies that use your contribution to behave unethically. Deal with it.

  12. Re:Funny? on Bomb Explodes At PayPal Headquarters · · Score: 1

    Hurts? I'm talking about being able to provide food and shelter for my family, not about having to give up picking up the next console or big screen TV.

    Sometimes the ethical act is the one that results in you dying a horrible, painful death. That makes it no less the ethical decision. That is because the world is not a fair place and others will do unethical things and random, unfortunate events will happen.

    I've tried everywhere I've worked, to make changes to what I believe are the more "right" ways of doing things. I've had some success, but not lots.

    Great. Good for you. That is a very ethical and noble thing to do. It does not, however, make you any less responsible for other, unethical acts you know the company is performing and which you are enabling.

    However, is it ethically "right" in your mind, to subject myself and my family to stress, frustration, and fewer perks for the privilege of fighting a battle that can't be won against management that refuses to see things my way?

    "Right" is for morals. Yes, I believe it is ethical to suffer and be unable to bring benefits to others rather than contribute to unethical behavior. I fundamentally do not believe the ends justify the means.

    If so, I guess I just don't measure up on your moral yard stick.

    To be clear, I'm speaking about ethics, not morals. No one acts in a completely ethical way, nor would I presume to judge anyone based upon their actions. I'm merely speaking of ethical principals and responsibilities. We all make choices and the responsibility for those choices is our own. I'm not prescribing behavior, merely describing fundamental principals.

    I'm sorry, I will not claim responsibility for every action that remotely relates back to me. Extending you logic only slightly would mean that simply by paying taxes in my country means I support every action taken by my government.

    As a thinking person, you are responsible for the foreseeable results of your actions. That does not make the responsibility yours alone, or even in a significant way. The actions of a government funded by your tax dollars are your responsibility, but only in a small part being as you are only slightly aware of what they are used for and seeing as the money is taken from you under threat of violence.

    You've made investing money anywhere to almost be a guaranteed ethical nightmare.

    I didn't do anything. And your cause an effect is very incorrect. The system of stocks and mutual funds evolved out of people not wanting to feel responsible for unethical acts that benefit them. Layers of bureaucracy separate those profiting and the unethical acts that create that profit. Your knowledge of those probably unethical acts, however, makes you responsible for willfully being ignorant of the specifics.

    Do you see where I'm going?

    Yes. Unethical acts happen all around and it is hard to not take part in them. Since when does the fact that being ethical is difficult change what is ethical? It was hard not to kill strangers when some noble rounded you up into their little army. If you didn't help kill the children, they would kill you. How does that make killing the children ethical?

    You're (presumably) using a computer to browse slashdot. You don't really *need* to browse and comment on slashdot, so unless all your energy is from a green source, your polluting, which is unethical. Of course, that doesn't even take into account all the components in your computer that are harmful.

    I never claimed I'm not doing things that support or contribute to unethical behavior. I'm just noting that I and everyone else are personally responsible for our parts in that unethical behavior.

    You make it out to be a black or white decision. Its not, at least not for me.

    If that is what you took from this, I'm sorry. The decision is certainly not black and white. The ethics of it is. Sometimes an unethical act can resu

  13. Re:Funny? on Bomb Explodes At PayPal Headquarters · · Score: 1

    If I allow my family to suffer because I refuse to profit from ethically-suspect (not necessarily blatantly unethical) actions, have I really made the most ethical choice?

    When you strip away the situation from this it boils down to a fundamental ethical question: "Do the ends justify the means." I personally don't think they do, in principal. I don't believe murdering one unwilling, innocent to save hundreds is ethical. There is room for debate and it has been ongoing for thousands of years.

    And hey, if the old lady isn't paying her rent, then isn't she being unethical?

    Obviously that depends upon the particular situation. But does one unethical act justify another? Can two wrongs make a right. I think most of us agree they don't, and can safely discard this line of reasoning.

  14. Re:Funny? on Bomb Explodes At PayPal Headquarters · · Score: 1

    EVERY company makes decisions that somebody somewhere won't like.

    So does every individual.

    Every company has policies that will negatively affect someone. Am I, personally, responsible for all of them, regardless of whether I know of them or not? Am I complicit even though I did not actively participate in their enforcement?

    You're not responsible for acts you don't partake in or know about, but you are responsible for being willfully ignorant if you intentionally try not to learn about unethical acts in which you are complicit.

    If one of the Board of Directors of the company that I work for decides to relocate half the workers, making the Board, and, by extension, the company "evil" (a word that has no practical meaning on Slashdot), am I responsible because I run the systems? Should I commit seppuku, or would just quitting be sufficient to expiate my sins?

    If a company you're working for takes unethical actions and you know about them, you do have en ethical responsibility. The extent of that responsibility is pretty subjective as is the action you should take to take care of that unethical action. Perhaps writing to the board and telling them you disapprove is sufficient. Perhaps it is not. Everyone will have a slightly different opinion about this.

    The point is, we are all responsible for the actions of groups and companies we know are behaving unethically. Collecting a paycheck and calling it "business" in no way absolves you of responsibility. Make sure you understand that level of responsibility and are prepared to deal with the consequences.

    I'm not saying that a customer support guy at PayPal deserves to have their legs blown off for not quitting when they realize that the company is scamming people, but neither are they blameless. You are personally responsible for your actions and actions you know your company is taking. It's part of being a rational thinking creature. You're responsible for your effect upon the world.

  15. Re:Funny? on Bomb Explodes At PayPal Headquarters · · Score: 1

    Resigning from a job because of differing beliefs between employee and employer is admirable. However, its not as easy as handing in your resignation when you've got a family to feed and a mortgage to pay.

    Yeah, doing the right thing often hurts.

    I've been there, it can take years to find a new and better position.

    If you only stop an unethical act when it is to your benefit, you haven't really made an ethical choice at all, have you? Who said you have to move to a better position? Or did you mean a less ethically repugnant position?

    Just following orders - only applies to legal proceedings.

    I consider this to be one of the greatest failings of western and American culture. The excuse "it's just business" to justify or distance oneself from unethical behavior. Guess what? It doesn't fly. Whether you're profiting from stocks you know are making money because of unethical act or whether you're performing the acts themselves, but claim to abdicate responsibility to a person higher up, it does not matter. You're still responsible for what the end result is.

    Personal responsibility is rough, but that's just the way it is. A lot of people spend a lot of time trying to blame other's for their problems and for the problems with society, but if people refused to take part in unethical acts they would stop. If you help evict an old lady, guess what, you're responsible because you did not refuse to take part. If you cashed in on stock you own after it goes up because the company foreclosed on that old lady and kicked her into the street, guess what, you're responsible for profiting from the unethical act.

    Being ethical in today's society that tries to excuse unethical acts with these rationalizations is very hard. Simply finding a stock to invest in that you have a reasonable assurance will not behave unethically is a monumental task. You will suffer for doing the right thing. Less ethical people will make more money than you, send their kids to better schools and probably move up the societal ladder while you slide down it. The question is, what is more important, monetary success or being a good person?

  16. Re:Mandatory Access Control on Apple Unveils Extra Leopard-isms To Developers · · Score: 1

    Incidentally, MAC is an absolute requirement for a DRM system that will be built with the Trusted Computing TPM chip built into all Intel Apple Macintosh.

    Do you have any actual information here? My reading is this is a straight port of the MAC from TrustedBSD, which is to say the user can edit any ACL. It is possible that it will be modified to use the TPM to lock the user out of changing some ACL, but why? OS X already uses encrypted binaries for that, which are more secure (from a DRM perspective) than what you propose.

  17. Re:slashdotted already? on Apple Unveils Extra Leopard-isms To Developers · · Score: 1

    ...the new Mandatory Access Control and Trusted Binaries... all the key components of a DRM system. ...I'm sorry -- what were you Mac fags saying about Apple not being hardcore about DRM?

    Umm, the MAC is a direct port of TrustedBSD. It is not linked to TPM that I've ever seen and is a feature to help users stop malicious software, not to allow software more access than the user. You might as well complain about SELinux being a DRM system because it is the same architecture. As for signed applications (not binaries) you'll note it specifies them as a mechanism for determining trust levels, which is to say most likely the MAC, not some as of yet missing DRM component.

    You'll just keep on kidding yourself that Apple has *your* best interests at heart... and not making money.

    In a non-monopolized market, like Apple sells in, often the best interests of the customer are the best way to make money. It's called "capitalism." Maybe you want to stop your knee from jerking at least until you get some actual indication of such a DRM system, instead of what was listed in the develop notes. From what I see it looks like a great way for me to lock down applications and prevent them from behaving in ways I disapprove of, not of applications locking me out. Get a clue.

  18. Re:How is this any different? on Viral Videos That Really Are Viral · · Score: 1

    WTF? Even assuming you could design a codec that didn't run as an executable, this wouldn't help against this kind of social engineering.

    The point is not to make non executable codecs, but to restrict executables in general. I think you are failing to understand what Mandatory Access Controls are.

    The malware author could just create a setup.exe that claims to install a codec and J. Random Newbie would run it and still get owned.

    No, because different programs are trusted different amounts. An installer that is not signed/verified by a trusted certification will be unable to do anything but place a folder or application package in that user's programs directory. People will run software they don't trust. The point is to make that behavior relatively safe by default.

  19. Re:why bother? on How Encrypted Binaries Work In Mac OS X · · Score: 1

    The Linux-related analogs of OS X are SuSE, RedHat, and Ubuntu, and those are every bit as much targeted at the desktop as OS X is.

    No they aren't. Too many of the design decisions of the kernel and even common user space have remained the way they are in order to maintain compatibility and make Linux a better server. All the Linux based desktops I've seen suffer because of this.

    No, it's uninteresting because it is largely obsolete. Don't get me wrong: it still works pretty well and it's OK for Apple to stay with it for a while, but the technology is not something many people in the Linux world would be attracted to.

    You have a very interesting definition of "obsolete." It provides superior functionality that Linux has not yet managed. Until there is something better, it is not obsolete.

    More accurately, OS X lacks a full package and dependency manager, so developers are forced to bundle up all their dependencies in bloated "application packages"; that's not simple, it's simplistic.

    Its true OS X could use better package management, but that has nothing to do with OpenStep. They are separate, but related bits of functionality. The tiny amount of extra space means nothing on the desktop compared to the ease of use. Its thinking like this that is part of what keeps Linux from advancing. Clinging to and defending outdated, inferior ways of doing things to save an insignificant amount of disk space on a desktop makes no sense. Saving space on a server image, maybe.

    Apple's Services menu is a textbook example of a poorly thought out user interface and implementation; it's obscure, cluttered, counterintuitive, and many of its entries are haphazardly and inappropriately activated and inactivated.

    And yet it is there and shows superior integration between different applications. You not liking the UI in no way removes that advantage.

    ...and until someone comes up with a better interface than Apple, it shouldn't be.

    Heh, how very opposed to the fundamentals of Linux that is. If functionality is hard to use, remove it. Brilliant! I'd rather have functionality than not, even if the UI is not ideal. UIs can be improved, but are a lot more likely to be if people know the functionality is possible in the first place. Don't you feel a little ashamed of yourself for such zealousness? Linux will never catch up if every time someone points out a way Linux is behind, the community covers their ears and refuses to consider what is better for end users, rather than assuming what they are doing is perfect because it is what they are doing.

    So do I.

    Great, how about telling me why Linux is a superior desktop. Right now OS X wins on commercial software availability, application portability, services, GUI/CLI integration, interface consistency, and ease of upgrades. Linux wins on package management, ease of customization, and well I can't think of any others right now. Maybe that is why almost all of the Linux/BSD developers I know have migrated to OS X for their desktop. You know what's really funny? I run kubuntu in a VM on top of OS X, for certain applications and testing and fooling around. Upgrading my mac laptop to a new machine, including the VM takes me several days of work less time than just upgrading a kubuntu machine. I don't know about you, but there are a lot of things I can get done in that time.

  20. Re:How is this any different? on Viral Videos That Really Are Viral · · Score: 1

    Signing an application doesn't in any way demonstrate that it is not malware!

    That depends upon the service. Many simply verify that a certain binary or whatever is from a certain domain, but others verify that the domain is owned by the company who has the associated trademarks or who is doing legitimate business. There is a lot of room for levels of trust here to correspond to levels of ACL restriction. Better yet, power users will be able to customize this to their own level of paranoia.

    How do you write an ACL lets it run ImageMagick, write files to local hard drives, and access the MPEG hardware? Can you do it so that it works on a machine where you don't already know where IM is installed, where local HDs are mounted, and what the device name of the MPEG hardware is?

    Yes to all of the above. It is certainly not an unsolvable, or even difficult problem. As I mentioned about the hard drive thing earlier, most programs will need to write to the hard drive. Restricting that as a chunk is nowhere near granular enough and current systems provide much more flexibility. Programs would be restricted from writing more than a given amount of drive space and can only write it in their own application folder by default.

    BTW, Vista implements the Biba model of Mandatory Access Control.

    Even XP has most of the necessary plumbing. The problem is MS does not bring this functionality to users in a useful way.

  21. Re:why bother? on How Encrypted Binaries Work In Mac OS X · · Score: 1

    But it's not a "ideal desktop OS", it's only an "ideal desktop OS" for some people.

    Nothing is ideal for everyone, but OS X is targeted at the desktop, while Linux is not. Many of the tradeoffs in Linux are to the detriment of the desktop, in favor of flexibility or even optimization for the server environment.

    People don't use GNUStep because Linux desktops have standardized on either Gnome or KDE, and because the *Step interface and technology is uninteresting.

    It's uninteresting if you're running a server. If you're using a workstation it offers numerous benefits. Of course most people who care about those benefits have already moved. Have you ever IM'd some application you are using to someone so that they would have the exact same version, or simply because the original distributors of that program were no longer providing it? I'm guessing if you are working under Linux you haven't. I'm guessing if you work under OS X you have. OpensStep provides portable application packages that can easily be moved from one location to another and require no extra steps to install or uninstall. On the server, that is pretty uninteresting.

    At this point, Apple could completely open source the OS X GUI and people still wouldn't use it.

    I suspect you are wrong about that, but there is no point postulating.

    I challenge you to demonstrate that OS X is any more "smoothly working" or "integrated" than SuSE or Ubuntu according to any objective criterion.

    In OS X I can install a service to translate Mandarin to English and vice versus. I can use that ability in iChat, TextEdit, Adobe InDesign, Subethaedit, vi, Camino, mail.app, and pretty much every other program except bad ports that don't use the native text handling APIs. That is integration. The programmers of those programs knew nothing of the translation service, but it works anyway. The same goes for spell checking, grammar checking, dictionary lookups, thesaurus, text encryption, scripts, auto-formatting bibliography references, etc. On both Gnome and KDE I have completely failed to reproduce this functionality. The closest I've seen is Kparts which only works in apps where the developers knew about the service beforehand and specifically included it (which is to say very few).

    Linux desktop distributions are just as fully designed for the desktop as OS X.

    I use Linux and OS X on the desktop every day. I've got a pretty good handle on heir relative strengths an weaknesses. It simply is not even close from my experience. Desktop Linux distros are skin deep and most of the effort seems to be directed towards making it a better server (where it excels). I wish it were otherwise. I'd love to have a desktop OS with the functionality and integration of OS X, but on any hardware and fully open source. I just don't have that option and I'm not willing to take quite so many steps backwards out of idealism.

  22. Re:How is this any different? on Viral Videos That Really Are Viral · · Score: 1

    The big question is who gets to decide what operations are allowed?

    That's easy. Ultimately it is up to the user, but pre-installed software can have an ACL based upon what it is likely to need. Signed software can default to an ACL included with that software. Unsigned software is heavily restricted by default, depending upon the code type/location. For example, code in your codecs directory and unsigned can only take data from the host program and return it to the host program. The user can open it up more if necessary. Programs in the user's directory can create files in the user space, but not read or overwrite any files they did not create.

    Perhaps you don't think the codec should be able to access hardware, create processes, talk over the network, or write to the hard drive.

    I'd say all of those functions (excepting perhaps writing a given scratch file) would be unusual for a codec that did not ship with your machine and which is unsigned. So yes, I think those actions should be restricted by default.

    What if my codec needs to talk to MPEG decoding hardware?

    Then get it signed to demonstrate it is not malware. The same goes for any software that wants unusual access.

    What if my codec needs to use the GPU on my graphics card to perform some of its functions?

    So, call it through OpenGL and it will have the same access as anything else, that is why the API exists.

    You need to either unnecessarily restrict what a codec can do, or create some kind of crazy security framework to specify exactly what resources it is allowed to use.

    That "crazy framework" already exists in all of the more security minded OS's and it is making its way into desktop OS's now (except Windows of course).

    That seems like a whole lot of work just to mitigate one limited form of attack!

    Mandatory Access Control coupled with application signing mitigates buffer overflows, trojan, worms, spyware, and pretty much every major security hole normal desktop users deal with today. It would basically make all but a handful of current generation malware obsolete and make future malware a lot harder to write. The hard part remaining is to make it user friendly, accessible, and to create sensible defaults.

  23. Re:Do you have ANY idea how this works? on Viral Videos That Really Are Viral · · Score: 1

    Are you for real?

    Yes.

    Have you ever heard of a buffer overflow?

    Yes, it is the result of a bug. Proper input validation when coding fixes most of these. For the rest, a MAC system like I described mitigates their effects. So data overflows a buffer and executes as the thread it overflowed. With a jail, ACL, or container and new chipsets, that thread is still limited to the functions of the thread it has overflowed. That means while your video codec may be executing random code instead, it still can't do much more than hand off a chunk of data to your player, which probably does not have an exploitable buffer.

    The codec author can make these instructions be anything at all, as long as it interfaces properly to DirectShow or whatever the Unix equivalent is.

    Which is why that codex should be properly sandboxed by the OS.

    Besides. You still have to run an installer to put the codec into your system and register it with the appropriate software components.

    First, you shouldn't have to run an installer. You should drop it into a codec directory and the OS should handle the rest. Second, the installer for malware is unlikely to be signed, so by default it should have very limited access to the system and thus require user interaction to do anything useful as malware. MAC and ACLs are not perfect, but they are a huge step better than nothing and would stop the vast majority of malware currently in the wild.

  24. Re:How is this any different? on Viral Videos That Really Are Viral · · Score: 1

    Until people learn that computers are not a toy and to use it properly you do have to learn something about it, users are the largest problem.

    Thank you for that wonderful example of why computer security sucks so badly. If you ignore the human component and write it off as "someday maybe people will learn" you are sure to fail to design a secure system. Ignoring that half of the problem does not fix it. It requires education, but before that it requires a system that can be operated securely without years worth of training in obscure crap that a properly designed system would not require.

    It is more reasonable to expect users to format their system every month or so then it is to have them set up good, or even useful ACL's.

    User's should very rarely, if ever, have to set up an ACL. Instead ACLs should be set up fro them with good defaults and they might occasionally have to make a change to one. In the example of a codec, why the hell should it not be confined by an ACL to start with as soon as a user drops it in their codecs directory? All the requirements and legitimate interactions are known before the user ever grabs it.

    These are the types of people that just say 'Yes' to everything.

    No, these are the type of people who click "OK" without thinking because the people who designed the system did not take the human half of the equation into account and instead assumed people were machines. Give a machine a choice over and over and over again and it will operate on the same criteria. Give a user the same button over andover and over again, needlessly making them click the same option to make their computer work and you condition them to click that button.

    On top of all that ACL's require setting up by someone with a good understanding of what the computer will do, what each application does and exactly what should and should not be allowed. Not only does the average user not fall into that catagory, but most system admins, techs and developers don't either.

    Its not hard at all. Pre-installed apps have ACLs crafted for them. Signed applications are given the ACL they request unless the user specifies otherwise. Unsigned applications are restricted severely by ACLs until the user changes them. When an application wants more access than it has you ask the user, in plain English with a well designed UI. "The program 'MediaCodec17' would like to capture keyboard input from other programs, even when it is not in the foreground (Stop it from capturing input)(Allow it to capture input one time)(Allow it to capture input always)(Advanced Options)." I think the average user can figure that out and if they can't, well with a small amount of education they can.

    Your approach of ignoring people as a lost cause is useless defeatism. Fix the OS so that it gives them the option of being secure, then if they still screw everything up you can blame them. You must, however, give them the tools and information they need first.

  25. Re:How is this any different? on Viral Videos That Really Are Viral · · Score: 1

    And how did this get modded as insightful? Codecs aren't data, they are programs.

    So? Data is the extreme case, which on Windows is not often differentiated from executables in the UI. To the end user, a codec is simply a decoder ring and there is no reason it should be able to adversely effect the computer.

    If you want to argue that operating systems should secure users from malevolent programs that is an entirely different ball of wax. That's a hard problem, and it's what Sun and Microsoft have been trying to solve by creating sandboxes through VMs with the JVM and CLI.

    It's a complex problem, but it is one that should be mitigated in every mainstream, desktop OS. In this particular instance, codecs require very, very limited access to the system. Why are codecs not restricted to taking input from the player and handing it back? Why should they have any other permissions? By default they certainly should not. If there is some weird case where they need it, the user should have to explicitly enable that.

    Solaris, SELinux, and TrustedBSD all have this functionality, but it is mostly aimed at advanced users and servers. It absolutely needs to be brought to consumer desktops with a good GUI and sensible defaults. Hopefully it will be done properly in OSX 10.5 and MS can copy that.