Slashdot Mirror


User: 99BottlesOfBeerInMyF

99BottlesOfBeerInMyF's activity in the archive.

Stories
0
Comments
10,115
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,115

  1. Re:Whatever... same with Windows on Want Security? Make The Switch · · Score: 4, Insightful

    Umm, obviously you're just looking for some way to criticize Microsoft without actually knowing what you are talking about. Whether it says 'OK' or 'RUN', a dialog is a dialog. The fact is, people don't read them after they've popped up a handful of times.

    Read a book on interface design. Most all of them will cover the "ok/cancel mistake." It is classic operant conditioning. By providing the same two buttons over and over again, buttons that are not actions, and by not providing the user with the means to make a good decision, users are conditioned to always click "OK." If, however, users are provided with buttons that are actions and which are pertinent to the question asked the response is very different. On Windows users reflexively click the "OK" button that is always there and which is always in the same place and which means "keep working" to the average user. On other systems the user can't just click the same button in the same place, because they are not given that option. Instead they see the buttons, "don't run the program" and "run the program." Simply be reading these buttons the user is made aware that it is a program about to be run and not a picture about to be opened. It takes them a half a second and they have to think. At this point users that know what they want click and those that don't pause, and most read the dialogue box looking for help.

    This has been demonstrated time and again in usability studies and human/computer interaction experiments. The key is having different choices for different situation, using actions as button names, providing regular English in the dialogue messages, and providing reasonable choices. Windows does a terrible job of this and even after moving to another system, some users (but not most) take a little while to break conditioning and not just click on a random option all the time. Many other OS's and applications have varying levels of success with their implementation of this concept. OS X is one of the better ones, although far from perfect.

    Please, if you are going to comment and sound credible, at least know what you are talking about.

    I've studied UI design both formally and informally for years. I've read quite a few good books, and reviewed quite a few experiments. I've attended conferences and conducted usability testing. Using Google you should not have too much trouble finding information on this concept. UI design is part engineering and part psychology, but it is a maturing field. Windows is a poster child for what not to do in this case (although they do manage some other good UI design here and there in Windows). The fact is, people do read dialogue buttons and boxes as is appropriate, if they are presented with the proper frequency and in the correct way, instead of in the terribly broken way Windows has implemented them.

  2. Re:Employees suck! on FBI Password Database Compromised by Consultant · · Score: 5, Insightful

    Employers need to be more careful about whom they hire and what their employees are doing.

    In the U.S. the workplace has developed an adversarial relationship between employers and employees. The mantra, "nothing personal, this is just business" has removed the major factor stopping employees from screwing over their employer. If it is just business when an employer lies to the employees, fires them when they need a boost in the numbers, outsources their job, cancels benefits, or takes other action that affects the employees negatively then it is also just business when the employee lies to the employer, walks off with equipment, moves to another job at a bad time without giving any notice, or loots the database for info they can sell.

    You see, it was not the law that prevented this sort of behavior, it was an ethical motivation. People, in general, don't like to hurt or even disappoint others. They want to do right by them. When they are treated unethically in turn, that motivation disappears. Do you want your employees to be loyal and honest? I certainly recommend checking up on each one, but more importantly, treat them well and with concern. Make sure they know, even if they screw up they won't be fired. Make sure they know you're doing the best you can to provide them with a reasonable income, friendly workplace, and what they need to be happy. Make sure you reward their good works. Make sure that if they run into money troubles you're the first person they talk to. Make sure they know you respect them. This is not only ethical, it is good business.

  3. Re:EffPeee!!! No Surprise Here on Want Security? Make The Switch · · Score: 1

    WOW! You're aware that virtually all Windows programs have supported this since the beginning of time, right? Guess not.

    They support it from the unusable DoS command line. They don't support it from within cygwin where you can also use pipe, cat, etc., or if they do I've yet to see anyone who can manage to get it to work properly with a normal shell script.

    [That's also not "piping", BTW. I would be surprised if you could cat file.tiff > Photoshop.app, but maybe it's possible.]

    You can obviously use pipe and cat and output stdout with the above command, although I don't think the syntax you list would work.

    So, Cygwin is really buggy -- just another reason not to use it, I guess.

    It is not buggy, it is just not integrated. Cygwin can't know what explorer is doing and vice versus.

    I get by with native ports of the GNU tools.

    Which is great for those that exist, but it still doesn't let them work seamlessly with other apps or make it easier to script them via the CLI.

    the scriptablity of the software like Photoshop and MS Office is usually identical between the Windows and Mac versions.

    I can script the mac versions via the CLI using a dozen languages. I can, without writing a line of code, script it via Automator. The mac version has Applescript hooks. What exactly makes that on par with the Windows version?

    Agreed. But it has very little to do with Unix.

    Who said anything about Unix? We were discussing the choice of Windows over the Mac platform for professional graphics and scripting.

  4. Re:EffPeee!!! No Surprise Here on Want Security? Make The Switch · · Score: 1

    I'm not convinced that the AppleEvents/Mac side of the house interacts with the Unix side very well (osascript, eh). At least not any better than on Windows.

    Take the command:

    open -a "Abobe Photoshop CS2.app" /~user/Pictures/temp2.tiff

    Combine with all the power of the shell environment.

    Try using cygwin to launch Windows apps and pass them parameters. How about monitoring them? Try moving a folder in Explorer and see what happens to your view of it in Cygwin. Try the same with Finder and terminal.app. I've used both and let me tell you, Windows+Cygwin is not even close to the level of integration you'll find with OSX, its shell, and applications.

    On top of that you have OS X's better integration with applications on other levels. You can use spelling, grammar, translation etc. in Photoshop or InDesign or most other applications. You can add arbitrary functionality to the OS that the applications gain access to with services. The indexed filesystem extends to photoshop and PDF files, so searches on OS X will return results that may be captions in an image. Really, there is just not much contest. Windows has been behind for years now for this sort of work.

  5. Re:Why Bother? on Want Security? Make The Switch · · Score: 1

    Actually, if you were a true "computer nerd" you would understand the F'ups that assumptions make.

    Mathematics is not an assumption. Lots of security people on the mac means a greater percentage on the mac, given the small market share.

    I would actually attest that to your proper grammar and pro-Microsoft alternative stance. No offence meant to any specific moderating member, but if someone posts "Bill Gates blows goats, I have proof." in the top 10 posts, they will likely get rated +5 insightful.

    I think you're full of it. There are pro-microsoft comments modded to +5 in this very thread. Besides my comment was in no way anti-microsoft; it merely pointed out one of several reasons why it is harder to have a successful worm on OS X and some motivations for why a person might try anyway.

    /. has a heavily skewed bias that usually spurns anything MS based, and praises anything that is an alternative.

    Or maybe, MS actually tends to make crappy products and screw their customers over with certain business practices and as a result, most people in the computer business recognize that and comment on it when appropriate.

  6. Re:Why Bother? on Want Security? Make The Switch · · Score: 1

    Your initial statement was that a large number of security people use Macs, there for, Macs are more secure... Your third statement was that a larger percentage of Mac users are security people, there for, Macs are more secure.

    I guess if you don't know that macs have a smaller market share than Windows machines, you could have missed that these two things are one and the same, however, at that point maybe you should find a different forum than Slashdot as you can't possibly be a computer nerd.

    Instead of blaiming readers for the missunderstanding, maybe you should review how you present your theory.

    If reader as so pathetic that they can't do math, I certainly do blame them and I have doubts that they have anything useful to add to this discussion. Enough people understood the original statement that it was modded to +5. That I bothered to respond and explain in small words for the stragglers is a courtesy, nothing more.

  7. Re:EffPeee!!! No Surprise Here on Want Security? Make The Switch · · Score: 1

    Sure the Mac has those things but it hasn't historically.

    It's been five years now, I'm not sure anyone who is still in the industry can have missed it.

  8. Re:EffPeee!!! No Surprise Here on Want Security? Make The Switch · · Score: 3, Interesting

    Considering that most graphic designers don't know much about networking, scripting or coding, they tend to prefer the Mac.

    Does this statement make any sense? OS X has built in scripting interpreters for numerous languages, a functional command line, GUI piping/tranforms/scripts via Automator, free dev tools including gcc. On Windows the user has to install cygwin, which does not even interact with cygwin in any meaningful way. On OS X you can pipe things to and from Photoshop. OS X wins hands down if for no other reason than I can run perl scripts without a huge hassle.

    Aside from that, you make some good points. Different OS's are better for different tasks and different people. I use Linux, OS X, OpenBSD, NetBSD, and Windows XP regularly. The only thing about the previous poster that gives me pause is that based upon their comments, I don't think they've used OS X to try to do their tasks, or if they did they tried to replicate them exactly and do things just how they used to on Windows. It is hard to argue that for basic command line usage or for commercial graphics work is not king of the hill. The level of integration between gui apps and the cli, the ability to see previews of photoshop files and globally search text within them, scripting, system services, and both free and commercial application availability from both open source and commercial sources just makes those workflows so much easier.

    Now Windows certainly has its uses in a lot of areas and is hands down the best for niche application availability in most fields, but I'm suspicious of anyone arguing it for the above uses over OS X.

  9. Re:Why Bother? on Want Security? Make The Switch · · Score: 1

    I think your numbers were pulled directly from a dark orifice wrapped in cotton

    It is an example to illustrate the logic, not hard numbers on what percentage of users are security people or anything else.

    My problem is not with your claim... but with how you presented your point of view. You made an implication, you countered someone who called you on it, and now after a 2nd rebuttal you finally clarify your statement to the point where it is matching your logic.

    My assertion was that the relatively large number of security experts using the OS provides it an advantage in preventing worm propagation. If people responding to me are too dimwitted to understand the mechanism and I actually have to not only spell out the logic, but then further provide an example to model it for them, well that is not exactly my fault. My statements always matched my logic, it is just that some people required a detailed, page-long explanation before they could comprehend it.

  10. Re:Why Bother? on Want Security? Make The Switch · · Score: 1

    Well, this might be the case, but it seems that if Macs were such a juciy target, I would expect to see more blunt-force attempts. I think the case is still that there's very little Mac malware, even unsuccessful malware.

    Data mining takes more talent than spamming or network abuse. It is on the rise, but still not a major part of worm payloads. I attribute the relative dearth of Mac malware to the difficulty of finding usable vulnerabilities before they are patched, the much higher rate of patching, and the fact that in the malware for profit business the skill set is very Windows focused.

  11. Re:Why Bother? on Want Security? Make The Switch · · Score: 1

    How does earlier detection prevent this malware from existing in the first place?

    What a silly question. Obviously it does not stop it from existing, it helps stop it from being effective. Malware can be neutralized by fixing underlying exploits and distributing the patch or via malware mitigation systems that either stop it from propagating or from infecting a host to which it has propagated. Once malware is known network operators can filter the signature, anti-virus can scan for it on hosts, some users can mitigate the vulnerability by disabling the service or changing permissions, and vendors can patch the OS and distribute that patch. This prevents a large number of later infections, especially if the vendor is responsive and the update process is built into the OS and running by default.

  12. Re:Why Bother? on Want Security? Make The Switch · · Score: 1

    In TFA, Sophos says that 82% of new security threats are trojans.

    By number, not by number of infections. There are more trojans, but each worm spreads much more widely and with more rapidity. I think the number is something like 70%, last I looked. That is pretty close to the numbers I'm getting for a tier 1's malware detection system I happen to have open right now.

  13. Re:So what you're saying is... on Want Security? Make The Switch · · Score: 1

    This does matter if someone wrote a trojan that would use the privilege escalation to circumvent the sudo prompt.

    True, but most malware has no need as a user's permissions are sufficient for most tasks a worm performs.

    Really, how much malware these days tries a forced entry (exploiting a remote vulnerability) vs. a sneak entry (hiding in some binary the user has to open)?

    I think about 70% forced entry versus 30% trojans by infection number, last I checked.

  14. Re:Whatever... same with Windows on Want Security? Make The Switch · · Score: 2, Insightful

    Now every frickin time I want to run some executable I have to click "Yeah, ok, fine, do it".

    Providing a dialogue that is a confirmation, not a choice is a usability and security flaw. OS X does not do this. What is does is when you run a program for the first time, it tells you it is a program and then asks if you want to run that program or not run that program. You are not given the option of clicking "ok" like on Windows, which with a ridiculous number of said, useless dialogues trains everyone to reflexively click "ok."

    Do you think I read the stupid dialogs?

    You have no choice in this case. You have read the button names to know what you're picking or click randomly. Since the button names are actions, reading them gives you enough info to make a choice.

    Confirmation prompts are not security.

    Security is telling the user what is happening and letting them do what they want, but not what they don't want. In this case, the user is informed something is a program and not data. They are then asked if they want to run the program or not. This stops the program masquerading as data (nudepics.jpg.exe) problem. It works too.

  15. Re:Lunch Threatened on Google Fires Off Warning to US Telcos · · Score: 3, Insightful

    Keep in mind that the telcos OWN the internet roads and byways. I guess telcos are 'mad' realizing how much goods and $ are passing through those roads on a daily basis. Now, the telcos want a cut.

    The telcos already charge people a toll to go down the road. They already charge different tolls for different types of traffic. What they want to do now is extort money from people who aren't their customers, but who have a vested interest in others using it. Think, "hey East-coast tourism industry, pay us a billion dollars or we'll jack up toll fees on your half of the country so much that people will go to the west coast."

  16. Re:Why Bother? on Want Security? Make The Switch · · Score: 1

    In reality, there's an insigificant[sic] percentage of these people, and they find malware because they go and look for it, not because it randomly hits them.

    Do you have any numbers to back that up? Honeypots, IDS's, and scanners certainly find a lot of them, but regular users stumble across them quite often as well. For example, the recent targeted Word/Excel exploits were detected manually. The first propagating Mac worm (very limited) was discovered when users became suspicious of the dropper trojan. Where I work, worm detection is a small part of our business. We have discovered about 16 new worms/variants that I know of using automated detection, 3 via honeypots, 3 via honeynets, and 7 via manual discovery from random user investigations.

    If you do have numbers as to how most malware is discovered I'd love to see them. Anecdotally, however, I disagree that manual discovery is insignificant.

  17. Re:Why Bother? on Want Security? Make The Switch · · Score: 1

    Except due to the size of the installed base, it's almost impossible to pull off...

    Two opportunities exist that I know of. One is to target the worm at a concentration of Mac users, either via a dedicated mac resource, a business that uses them, or via some other means. The second opportunity and the one more likely to succeed, is a cross-platform worm that attacks both Windows and Macs.

    Assume that 1% of Windows/Mac users will be socially engineered into running a trojan.

    Most malware is not trojans, but spreads without user interaction.

    and the users aren't connected to a network full of machines or have access to a giant corporate directory of email addresses.

    This presumes the purpose is to send spam or harvest addresses. If the worm was data mining online shopping accounts or credit cards, or bank accounts, there would probably be a better return than with Windows machines.

  18. Re:So what you're saying is... on Want Security? Make The Switch · · Score: 2, Insightful

    But personally, I have to say I find Linux more convenient, because you get a complete, ready-to-go desktop with all your applications and settings nicely pre-configured, right out of the box

    We were actually trying to figure this out at work. We get our choice of machines and OS's. The estimate right now is it takes the average Linux install and config about 4 business days to get everything they need installed and configured and working with all our resources. It takes the average Windows user 3 days (but these are mostly managerial types). It takes the average OS X user about 3 days as well, so it is winning for engineers, but not by much. For upgrades, however, it wins hands down. There is nothing quite as easy in the Linux world (that I've seen) as the install as an upgrade option. You boot the old machine while holding down a key, plug a firewire cable to the new machine, and click a button. It maxes out the hard drive write speed and you don't even have to tell it what files/configurations/etc. to copy. As a Linux distro maintainer I implore you, steal this feature.

    But if I'm not mistaken, by your own argument that's too many choices

    Touche. I don't really count Windows as a choice, as it is more of a default. My only thought is that we all have to help others make the right choice (yeah pigs flying applies here too). You make a good point.

  19. Re:Why Bother? on Want Security? Make The Switch · · Score: 3, Insightful

    If you say "a lot of security people use macs" and are not implying that Mac users are generally more secure because of it, then the statement might as well say "a lot of security people use Windows PCs." Because, a lot of "security people" use windows. I would wager a guess there are significantly MORE "security people" that use Windows than OSX.

    When a worm is propagating, every propagation exposes it to potential detection. If malware hits my box and my IDS notices an anomalous outgoing communication that does not match my normal pattern, I'm going to look into it and find out what happened. Suddenly the malware is exposed to the security community.

    The vast majority of the time, a worm hits a non-expert's machine and is not detected. For simplicity's sake, lets say there are 100,000 users in some network. 80,000 are using Windows. 4,000 are using OS X. 16,000 are using other OS's. Say there are 500 security experts in this group. 250 are using macs, 150 are using alternative OS's and 100 are using Windows (based upon the attendees of security conferences this is being overly generous to Windows by a lot).

    You write a Windows worm. Every propagation it has a 1 in 800 chance of being detected. You'll probably net 400 machines for your botnet before anyone is even investigating and a lot more before anyone gets around to writing a signature.

    Suppose you write a OS X only virus. Every propagation has a 1 in 16 chance of being detected. You'll probably net about 8 machines before someone is investigating. The investigation will likely go faster as there is a lot more interest in a mac worm than a Windows worm, due to the novelty. The propagation will likely be slower due to the scarcity of targets (only 1 in 25 targets is viable).

    Suppose you write a cross-platform Mac/Windows worm. Every propagation has a 1 in 240 chance of being detected. You'll probably net a 120 before the investigation starts.

    Because the percentage of security people who use OS X is so much greater than the percentage that use Windows, an OS X worm faces a much harder "market" for propagation and is likely to be detected while many fewer hosts have been compromised. This has been demonstrated in the real world as well, with the case of the dropper trojan on a mac forum. Do you understand now?

  20. Re:Why Bother? on Want Security? Make The Switch · · Score: 1

    There is no motivation to attack Macs. The motivation here is money.

    That is the case for much, but not all malware.

    Am I going to write a worm that attacks less than 4% or 80% of the machines?

    Actually, the choice is probably to write a worm that attacks 80% or 84% of machines, since it would almost need to be cross platform.

    You security people are still too arrogant and anal to realize that it isn't about prestige or notariety. It is about money.

    I've read botnet logs. I've followed the cases of convicted malware authors. I've paid attention to what worms do. A lot are simply gathering botnets or even data mining for profit. A significant number, however, are written for other reasons including exposing flaws and making a statement. You are simply incorrect in your assumption that all of them are for profit ventures.

  21. Re:Why Bother? on Want Security? Make The Switch · · Score: 1

    Not true - a lot of Mac users are just ordinary people...

    Do you understand the concept of inclusive and exclusive? "You also, unfortunately, are targeting a lot of the security expert crowd..." does not in any way preclude most mac people being clueless. Because a lot of security people use macs does not mean that all mac users are security people. The former is obvious to anyone who attended a security conference in the last four years.

    As a result, your Mac worm is much more likely to attack a security expert's machine than a Windows exclusive worm is, for any given propagation. This means someone is much more likely to notice it, sooner and information about it will be of great interest and spread much more quickly than for just another Windows worm.

  22. Re:So what you're saying is... on Want Security? Make The Switch · · Score: 1

    Granted, they were literally asking for it, but the point remains that it was hacked in a very short period of time, and you kind of have to question the security stuff there.

    They were more than asking for it, they did most of the work for you. If you build a Web interface that gives anyone who asks an account on your Linux box and you don't restrict it in a VM or jail, and you disable several other security mechanisms, well the same thing will happen as did on OS X. Basically the test said, "yup just like every other workstation UNIX that is not designed for high security installations, OS X has some local privilege escalations."

    Personally, I'd say that it would make a lot more sense just to switch to Linux - not only does it work with your existing PC hardware, but it's also usually free or inexpensively-priced.

    For some of us, out time is worth enough to justify a small up front cost to save time daily (for those uses where OS X does save time over Linux). For others, Linux simply does not support applications we need to use, because there are no good alternatives on Linux.

    I'd stay away from Ubuntu, I've had some bad experiences with it myself*, but the hell with it, you have a choice, so you choose what's best for you.

    99% of users don't have the expertise or knowledge to make this determination. They just use whatever comes on their computer. Telling them "macs don't get viruses like Windows does" is understandable to them. Telling them to evaluate a nonspecific set of Linux distributions and pick the one for them, install it, and learn new ways of doing things, is a non-starter.

    Of course, if security's the number one priority and absolutely nothing else matters, the only way to go is OpenBSD...

    Nope. If security is the number one concern, the only way to go is hiring someone who knows what they're doing. They may or may not recommend OpenBSD for a given application. I like OpenBSD and use it daily, but it is not a cure-all.

    Probably some bias in there, since I'm a distro maintainer myself. Take with a grain of salt...

    The truth of the matter is, different OS's are the best choice for different people with different tasks. Linux is the best choice for a lot of people who are using Windows. OS X is the best choice for a lot of people using Windows. Windows is probably the best choice for some Linux users. We need to help people find the best choice for them rather than make generic statements about what everyone should be using.

  23. Re:It may be true but... on Want Security? Make The Switch · · Score: 1

    But I think people using Apple computers are the one with less technical knowledge...

    Not really. A lot of people who use macs are clueless, but a significant portion of the security professional industry is also using macs. Think of the attempt to spread a worm using a dropper on a mac discussion site that happened last year. The trojan itself was discovered, analyzed, and documented everywhere within hours and the infection was contained at the source.

    So, if there was a company creating malware for that computer now, with almost no "active protection" I believe they could get a nice perecentage of the userbase to fall into their claws.

    Due to the general makeup of machines on the internet, it would likely have to be a cross-platform worm to actually propagate. Also, most malware authors are Windows people, with a skillset dedicated to that platform. Most of them simply don't have the skill to write a mac worm. Macs also present a tough target, with good default settings (mostly) and some well thought out and time tested design choices. Trying to go from adapting existing Windows malware to writing from scratch malware that will actually work on OS X is a pretty big jump. If it happens, it will likely be for reasons of prestige, not purely monetary concerns.

  24. Re:Why Bother? on Want Security? Make The Switch · · Score: 5, Insightful

    Why would I write a piece of malware that would only target a small segment of the market? If one wanted to further one's nefarious plans wouldn't it be smart to go after the biggest slice of the pie?

    That would depend upon your goal, now wouldn't it? For botnets, it is probably too difficult compared to the return to go after OS X boxes, but for other types of malware it makes some sense to add OS X as a secondary vector for a cross-platform worm. If, for example, you're gathering credit card numbers and accounts to online stores, you'll get a better return from OS X boxes than from Windows machines since you eliminate the chunk that is pirated and running in the third world, and basically limit yourself to the wealthy first worlders, and usually even the higher end of that group. You also, unfortunately, are targeting a lot of the security expert crowd, almost guaranteeing early detection of your worm.

    If, however, your goal is hactivism or prestige, well the first worm that targets OS X machines and actually propagates significantly in the wild will be big news and generate a lot of press. It is an ideal target, if you can pull it off.

    There is plenty of motivation to attack OS X boxes, but the difficulty of doing so, due to more reasonable security and architectural choices and because the skillset of malware authors is usually very Window's platform specific has played a big part in making sure that it has not yet been a concern.

  25. Re:X11 Apps under MacOSX on The Ten Most Beautiful OS X Apps · · Score: 1

    Just my two cents... X11 apps are a distant third choice for me behind native and java apps. For small utilities I'd prefer a CLI interface. For larger, more complex utilities, the misplaced menu, lack of support for services, and other UI inconsistencies you don't think about till you hit them are just too detrimental to my workflow. I never use drag and drop, except for the occasional image so it is not a big deal to me.

    Do not assume, however, that lack of negative feedback means everyone likes something. Either do real testing and surveying or be very cognizant of the fact that you don't know. Personally, I've never written a software developer and told them I was unhappy about the X11 GUI. That would seem rude, given they spent the time porting the app. I just shrug and look for an alternative application.