Slashdot Mirror


User: 99BottlesOfBeerInMyF

99BottlesOfBeerInMyF's activity in the archive.

Stories
0
Comments
10,115
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,115

  1. Re:the only feature on The New Face of Script Kiddiez · · Score: 0, Flamebait

    I don't find brutal corporal punishment or rape to be "funny" or a reasonable solution to botnet operators. History will, hopefully, look back at our barbarous culture, where threat of homosexual rape is a prime deterrent, with abhorrence. It is sad that so many in our society see this sort of thing as not only acceptable, but amusing. I suppose people joked about cutting off the feet of slaves and slowly torturing jews to death as well. May historians link you IP address and name with your post so they can put your face on one of the "savages" in a future documentary about how crude and stupid people were back in 2006.

  2. Re:Debunked? on Call for Apple Security 'Czar' · · Score: 1

    Exactly. So which one proved something?

    The first challenge showed that local exploits are out there. The second challenge showed that the articles about the first challenge were a bunch of crap. Each proved something.

    It's a very common infosec term, it means an exploit that provides a remote shell or equivalent. As opposed to a flaw in RSH, if that's what you were thinking.

    I'm familiar with what a shell is. But you're saying a shell exploit is an exploit that gives access to a remote shell or the same level of access and this is opposed to rsh? Umm, isn't rsh short for remote shell? how can a remote shell be the alternative to a remote shell?

    Of course there are. Several have been published...

    I've seen published remote vulnerabilities, but not any published remote exploits, except maybe the Safari one. Can you point me to some?

    ...and I know of several more private ones.

    Not to question your credibility or anything, but I sort of have questions... about your... umm, credibility here. I have heard of one possible remote exploit incident in the wild, but have no confirmation. Sorry but the ratio of posturing script kiddies and the like to credible security people and crackers even on slashdot is pretty poor. Maybe you're on the level, but I am reserving judgement on that. Note, I'm not claiming to be either of the above. I'm just someone who follows security informally and happens to know a lot of people.

    On the contrary, I think it was very clear that the article linked intends to imply that this new test somehow demonstrates that the original test was flawed.

    I disagree and don't see any support for that assertion either from the second challenger's website or his comments posted here over the last few days.

    It was very clear to me in the original article in its original form that shell access to a nonpriv account was provided.

    Really? What in the original, not updated version of the article, made that clear to you? Because I only found out by going to the page for the test itself.

  3. Re:An opportunity, a threat... on Firefox 2 To Have Anti-Phishing Technology · · Score: 2, Insightful

    As soon as the user believes what the mail tells him, he will do ANYTHING you tell him. He will grant you any permit you want, actually telling him what kind of security warnings he'll get even increases your credibility. Because, well, would an attacker tell him that?

    This is not true in many cases. For example, if someone can successfully trick a user into thinking an executable is from their bank, they may still become suspicious when the program tries to do certain things. These things might include reading their IM buddy list, sending files via IM, reading their Word files, sending e-mail, modifying their anti-virus program, etc.

    Further, that means the author has to trick the user into thinking it is from their bank. That limitation has already eliminated all the trojans disguised as data, spyware in widgets, trojans disguised as games or software from other sources, or spyware functions of existing software.

    So yes, some users will do anything their "bank" tells them including granting a program specific access to do all of the things I mentioned above that might make a user suspicious, but not all users will and that leads to faster malware detection times and less propagation. It also leaves a much smaller area for attack that needs to be covered by education.

    Right now a perfectly intelligent, informed, and reasonable person might run a program called spacemutant7.exe because they downloaded it somewhere and the authors assured the user it was a really fun game. The user must them make a gamble. Either it is a fun game or it is a trojan that will compromise their system or both. So they run it and hope it is not malware. Sometimes they are right and sometimes they are wrong, but just taking a guess is the best they can do. This is not sufficient. They should be able to confidently run it, knowing that by default it will not be able to read their taxes, mail porno pics of their wife anywhere, turn on their webcam, or modify the core of their OS.

    Having a system like this is not perfect and their is still room for social engineering, but that room is greatly decreased and thus the amount of education required to be safe is similarly decreased. It is possible to educate people that their bank will never send them software and they should always verify e-mail from their bank. It is not really possible to educate people to never install or run any software or data on their computer, because that is why people have computers in the first place. Without that functionality, they are not very useful.

    I want the user to be the weakest link, and then we can work on fixing users with a small amount of education. The problem is, they are not now the weakest link because they have tools that are deficient.

  4. Re:non-incident? on Call for Apple Security 'Czar' · · Score: 2, Informative

    Could someone please enlighten me as to why it is possible for a least privileged user account to gain root without the consent of the owner to be classed as a "non-incident"?

    It isn't a non-incident, but neither is it a remote exploit. Apple fixes 5-10 local escalations a month in their security updates, many of which are found by outside security people. Thus exposing one more is not exactly news. This is the same for Linux or most any other OS not designed to be ultra-secure. (Except Windows which has innumerable local escalations they haven't bothered to fix and which is sort of moot point since everyone runs as admin all the time.)

    The reason everyone took notice in this case is because the articles written about the local escalation portrayed it as a remote exploit, not a local escalation. Further, in addition to being a local escalation it was a local escalation on a box with several measures taken specifically to reduce security (enabling the root account and installing all the CLI tools in Fink).

    It's like news articles running "Danger babies exploding killing those nearby!" People sit up and take notice, until it comes out that the articles failed to mention the babies had been fed on a diet of inert explosives and put in a microwave. Its still news, but it is no longer an imminent danger to the average person. Thus a lot of people were upset that they were misled.

    Just for your own personal info and so you know the score... someone out there, likely a number of them can remotely hack your OS X or Linux box. A fair number of people out there, given access to your machine via a trojan, shell account, or some other mechanism can find a local escalation and root your box. If you are running a system and think it likely one of the few expert security people or "hackers" will be attacking your machine to get your data you should not be storing that data on OS X or most Linux distros. The same goes if you plan on running any random executable given to you or if your are giving shell accounts to strangers. If you plan to do either you should be running OpenBSD with jails, SELinux, or some other ultra-secure OS with VMs to segregate users and applications.

  5. Re:Debunked? on Call for Apple Security 'Czar' · · Score: 3, Insightful

    The second challenge debunks nothing. One challenge gave shell access, the other didn't.

    The second challenge did not debunk the first challenge, it debunked the poorly written and misleading articles about the first challenge by replicating the situation the articles depicted the first challenge as being.

    Only one of those actually ended up demonstrating a result.

    You can't logically prove a negative. What amount of time is sufficient to show something won't ever happen?

    Not to mention that the second challenge was pulled early...

    But not because it was hacked. It was pulled for reasons outside the control of the person running it and certainly stood up to more than 30 minutes of attacks, thus the sensationalist articles were debunked.

    ...and not that I expect someone to give away a remote shell exploit for free to prove a point.

    Remote "shell" exploit? Why would it be a shell exploit, necessarily?

    I certainly think it is likely there are remote exploits for OS X out there. There are certainly a lot of white hats and other crackers that would love the publicity this could have generated for them. There are also a lot of people that would like to quiet down the small number of uninformed, overzealous fans of OS X that at times can be quite annoying. What this has show is that remote exploits are not common enough that people can demonstrate one to show boat and they are not easy enough to find that they can be found and demonstrated by the white hats in that short a period.

    Basically this confirmed what pretty much every security person already has plenty of evidence to support. The point you are missing is that while the original test was somewhat useful, the very poor articles about the original test spread misinformation and FUD that did more damage than the original test did good. It is those articles that this challenge was designed to rebuke and it has done that much at least.

  6. Re:An opportunity, a threat... on Firefox 2 To Have Anti-Phishing Technology · · Score: 4, Insightful

    The biggest problem is still the weakest link in the system: Its user.

    I very strongly disagree. There are currently many weaker links.

    Vulnerabilities aside, the user is what is responsible for over 90 percent of the infections monitored...

    Either I'm misunderstanding your statement or you are misinformed. Most infections do not currently involve human interaction measured both by number and bandwidth consumed.

    Currently, you face about weekly updates of some trojans. For the simple reason that there is no reason to update them more often. It is technically no problem to have them update twice a day. That's already a rate that no antivirus company could match. The AV company first of all needs to get a hold of the trojan, develop reliable signatures, create an update for the sigs and send them towards you.

    Actually, there are also self-mutating trojans that have been demonstrated that are very good at hiding and there are trojans that interfere with anti-virus.

    Currently, AV companies can keep up with development. The trojan writers have enough clueless people without any antivirus protection who click everything and anything and allow every program to do whatever it pleases on the web, so they don't care about "us", those who have av tools and/or know how to keep their computer clean.

    First, AV companies are not keeping up and we have seen several "zero-day" infections. More advanced intrusion detection software is becoming more and more responsible for finding new worms, viruses, and trojans on end users systems, a significant amount of time in advance of AV signatures. These systems are not only finding them, but creating and sharing signatures among major ISPs.

    Second, your depiction of the average user as people who "click everything and anything and allow every program to do whatever it pleases" is very misleading. I know security experts who have been duped by a well crafted trojan or phishing e-mail and the truth of the matter is, users are making poor choices based upon the fact that they are given poor options. Right now the average user is given the option of "open this file if it is a file or run it if it is a program and let it do anything it wants" or "don't open this file or program." Since users want to view data and install software, eventually they are bound to make the wrong choice.

    It will not be until users are given more control, information, and granularity by their tools that they will be given the option of being the weakest link. UI's need to let them know what is data and what is an executable. OS's need to run executables in sandboxes by default and only allow programs to do unusual things (log other program's keystrokes, modify the OS, access hardware directly, modify user files, connect to the internet, access the e-mail address book, access the buddy list, start a new service, modify other programs, etc.) after the user is informed in plain English and given a choice using a properly constructed UI. At this point, users will become the weakest link and not before.

    As soon as a browser like this hits the market, the race is on. It does no longer matter if you're clueless or an IT-pro, your browser will keep you out of way's harm on everything it knows. So, to be successful, the phishers have to be faster (or develop a new strategy, whichever is easier to do).

    First, the Web is only one vector and not even the most common vector for infection. Second, blacklists will never be able to keep up, although they will help.

    I'm not sure if AV companies can win that game if it becomes one of update speeds. A trojan writer has to push one update for one trojan. The AV company has to push a few 100 for about as many malware programs. Not a good position for the AV guys.

    Newer intrusion detection systems are they key to mitigating this. Propagation is detectable and if you have a relational model of your network abnormal activity can be flagged, detected

  7. Re:Good for Apple, but US only? on Apple to Offer Monthly iTunes TV Subscriptions · · Score: 2, Insightful

    I don't get why Apple only has permission to sell stuff only in certain regions - like lots of albums in the US store that aren't in the Canadian store.

    There are two reasons for this. The first is that media publishers are greedy, rich, and have no ethics. The second is that politicians are greedy, bribable, and have no ethics. The reason Apple can't distribute the same music.shows in Canada as in the US is simply because since artists no longer hold copyrights (basically the big publishing houses force them to give them up if they want to reach an audience) they don't have the authority to grant the right to republish the show everywhere for a set price. Instead bodies like the MPAA, RIAA, etc. collect royalties in any given country and they set the price differently in each country to maximize profit. This means anyone wanting to resell a song or show needs to negotiate and sign one contract for every country in the world, which is prohibitively expensive and time consuming.

    With physical media, it's not like if I zip across the border into Washington, the people at the store can't sell me a particular CD because they don't have permission to sell it to Canadians, so why is it the case with iTunes?

    Selling copies of a song or show are not restricted by law, making copies are restricted by law. Thus, if a company has the right to copy a CD for a set price in the US, they can do so and most countries have a reciprocal agreement that says any of them imported are legal. However, when you are dealing with a digital transfer you aren't moving a copy, you're making a copy, thus the laws restrict it.

    If you don't like it, talk to your politicians and get your laws changed.

  8. Re:can it get me to google? on Windows Live Search goes Live · · Score: 5, Insightful

    I guess I remember the 90's too well. I am in my late 20's, and watch all those companies that had foosball tables in the lobby go under. So perhaps I am prejudiced by facts.

    I lived through the same thing. Have you ever heard that correlation is not causation? This is a perfect example. Sure lots of companies with foosball tables went under, but so did plenty without. It was not the relaxed atmosphere that killed them, it was the fact that their business plans were junk. Some of them were just ways to funnel venture capital to "the guys" and have some fun. Some were incompetent people who thought because something was "cool" it was profitable. Google is not going out of business, they are making money, and so are we. Any HR drone who does not think keeping employees happy is a important concern is an idiot. Stress and poor working conditions lead to turnover, medical problems, and people motivated to do the least work possible. If I come in on a sunday to get something from the office, or grab some papers so I can answer someone's question I'm proving that keeping me happy helps, because I am there on a sunday. It is not unusual for someone else to be in the office on a sunday either. People pull all-nighters, not because they have some manager breathing down their necks, but because something really interesting is happening or because they want to make sure a customer is happy. Of course having some real stake in the company helps to motivate people too.

  9. Re:can it get me to google? on Windows Live Search goes Live · · Score: 4, Interesting

    Do you really think that MS doesn't have the personell[sic] necessary to create a great search? Just because google has a "fun" work environment doesn't make them the greatest.

    Actually, Google has a lot of the best people because of their work environment and because they are very picky. The strategy is not so different from my current job. Relax the environment, no dress code, free snack food and soda, free beer in the fridge, no one checking what hours you work, a couple couches is you need a cat nap. What does this cost our company? Probably less than the salary difference of one high paid employee if they decided to move to the job that just paid the best. People work here because they want to and because they are smart enough to realize that money isn't everything and if you're going to spend a huge portion of you life working, doing so in a fun environment while working on interesting projects is a better choice than retiring two years earlier all stressed out and hating your field.

    This means we have to hire motivated people, but also means the really smart ones want to work here. We have some ex-MS employees here. We also have had Google steal away a guy. MS has a lot of people, including some very smart ones, but their culture makes it hard for them to really get anything done right. Throwing money at a problem and hiring a dozen managers who get in each other's way and are constantly modifying what you are working on is not the best way to get things done.

  10. Re:Trust of Food on Toronto to Become One Huge Hotspot · · Score: 1

    So, if a complete stranger proffers you a sandwich, will you eat it? Homeless people get beaten and worse every so often, so I wouldn't put it past people to put poison and razor blades into such sandwiches. If you want to make an objective study, offer to buy a meal at a nearby restaurant.

    First, homeless people in this area do not get beaten regularly, there are too many police around. Second, restaurant food is expensive, it is much easier to show them the food is good by eating some of a sandwich yourself. This does not matter, since most don't really want food. The local shelter and local soup kitchens supply food. Most want money for booze, drugs, or because this is how they make their living. More than half of the beggars (from the last study I saw) are not homeless, and most of the homeless don't beg. Many even have jobs, but just can't afford housing. Some have chosen to live in tents as a lifestyle choice (a lot of hippies around here).

    Basically it is my opinion that a large number of the beggars are being dishonest, and it is usually a better practice to donate to the local shelter than to give them money.

  11. Re:A Different Test on U of Wisconsin's Mac OS X Security Challenge · · Score: 1

    You say that as if permission escalation isn't important.

    Permission escalation is important, but it is not as important as providing protection against remote exploits, which is the most common vector for attacks, especially on a desktop OS. Over-hyping the problem is both deceitful and counter-productive.

    So the original article made Macs look bad - so what, I don't care. I *do* care that it raised a serious security issue that no-one seems to be concerned about since internal security doesn't matter on Macs according to the fanboys.

    It's not that it doesn't matter, it is just that it does not matter as much. Apple fixes 5-10 of these each month in their security release, a good number of which are found by third parties. The same is true for Linux and pretty much every OS anyone uses as an everyday desktop (except Windows they don't bother fixing the thousands they have outstanding). It is just a fact of life. There are ways to fix this and I hope Apple eventually does so, but the truth of the matter is this will affect only tiny portion of users. Most non-server editions of Mac OS X are used by one person and the majority of the rest are shared by a family of trusted users. The only large segment where this is a concern is schools, but students usually have physical access to the box at that point so they can gain privileges in an easier way. If you're using OS X or a standard Linux distro to give out shell accounts to random people you are almost certainly going to get burned. You want one of the select few OS's that make security the number one priority, like SELinux, OpenBSD, or TrustedLinux. Of course don't expect it to be a functional desktop, since making them so is not a priority for them.

    All the first series of articles has done is mislead the clueless. Security people know the score for local escalations. Clueless users don't know and mostly don't need to know about local escalations. They see security as a single attribute that OS X has and Windows doesn't. Now, maybe a few more people will stick with Windows because even though OS X is orders of magnitude more secure, they were led to believe otherwise by these irresponsible articles. The net result: less secure computers in general.

  12. Re:Sad. on U of Wisconsin's Mac OS X Security Challenge · · Score: 1

    What is misleading about "Mac OS X hacked in 30 minutes"

    What is misleading about "Babies explode killing those nearby!" just because you don't mention that those babies were fed inert explosives and put in a microwave?

    We're not talking just about the headline either. There were entire articles that failed to mention that most of the primary security was bypassed by extensively altering the system, by enabling SSH and HTTP, building a Web UI to hand out SSH accounts and passwords to anyone that asked, enabling the root account, and installing a lot UNIX CLI tools. That is why those articles have retractions and updates now.

    It was OS X, it was hacked, it took 30 minutes.

    Yes, but it was not a default install of OS X, which is what most people would assume and it did not take 30 minutes, it took 2 hours from the beginning of the contest. That is very misleading.

  13. Re:A Different Test on U of Wisconsin's Mac OS X Security Challenge · · Score: 2, Informative

    The point of the original test was not to hack the machine from outside, but from inside.

    True and it confirmed what most everyone already knew, a mediocre cracker can find a local escalation. There is no problem with the original test. There is a problem with the way the media misleadingly depicted the original test. This second test is designed to help debunk some of the FUD generated by the poor media coverage, by replicating the situation they misleading led readers to believe were the conditions of the first test.

  14. Re:Sad. on U of Wisconsin's Mac OS X Security Challenge · · Score: 1

    This is ZDnet. 99.999% of ZDnet readers have no idea what a root account is, nor would it make any difference to them.

    True, but they should have pointed out that a lot of steps had been taken to bypass the majority of the security before the "test." Writing that monkeys are exploding is fine, but if they only do so in a microwave and you neglect to mention that, then you are misleading people.

  15. Re:A Different Test on U of Wisconsin's Mac OS X Security Challenge · · Score: 1

    I don't think that analogy is quite apt. It's more like locking someone in your basement and they figure out how to gain access to your whole house.

    Agreed, but the coverage was like reporting said situation with the headline "Burglars Can break into the Average House in 15 seconds!" ...without ever mentioning that is if you agree to lock all the random strangers who stop by in your basement while you are out.

    When I run a third party program I am essentially letting them inside, but as a non-priviledged user I'm confining them to a specific area. But if this ability to elevate privileges turn out to be a fact, then any program I run can have full access.

    Sadly, this is not too far from the truth. A mediocre cracker can find a local escalation on the average desktop OS, be it Linux, OS X, or Windows. This is part of the reason security minded OSs have implemented VMs and the like for both software and users. I'd like to see OS X implement this with a usable GUI and become one of those ultra-secure OS's but I don't think there is a lot of market demand for it right now, since OS X does not really have a malware or cracking problem in the eyes of the market.

  16. Re:Sad. on U of Wisconsin's Mac OS X Security Challenge · · Score: 1

    And you're missing my point. It's not misinformation.

    When one thing happens and you depict it as another, it is misinformation. If it was not, the articles would not now have edits and retractions up. The test was not misleading, the articles written about the test were definitely misleading.

    Providing local accounts to unix-based systems isn't uncommon. Sure it's not common on a desktop, but it is on servers. The article was never specific about what type of environment they were replicating.

    The articles read "mac mini hacked in under 30 minutes." What percentage of Mac minis have SSH enabled and give out accounts to anyone using a Web based setup? Since it actually took about two hours, I'd say that makes the headlines more than a little misleading. This was not a common configuration for a mac mini and it was portrayed as such.

    The article was never specific about what type of environment they were replicating. That, if anything, was the problem.

    The article(s) also never said that there was a root account enabled (which is not the default setup) nor if a backdoor program had been installed previously by a hacker. Given this lack of information most people assume therefore that neither action was taken, since it would be unusual. It turns out they would be wrong in the first case and right (as far as I know) in the second. Articles don't have room for everything in them, but to not note the major changes done to the system to make it insecure is very, very misleading. This was probably by design since it got a lot more people to read the article. It is irresponsible and very poor journalism.

  17. Re:Sad. on U of Wisconsin's Mac OS X Security Challenge · · Score: 1

    But this is FUD too.

    No. FUD is fear, uncertainty, and doubt. It is misinformation. This is designed to spread accurate information.

    DO you think ZDnet is going to re-post an updated article about how they were wrong and in fact you need to make a distinction between local and remote vulnerabilities and the level of skill and available required for both? Probably not.

    Well, they've already edited their initial article to include those facts (after everyone already read it). Yes, I do expect ZDnet to run another article, because it is news. Hopefully, this one will be more accurate. If not ZDnet I do expect other periodicals and sites to run articles.

  18. Re:Possible Danger on U of Wisconsin's Mac OS X Security Challenge · · Score: 1

    The real mystery to me is why a state employee is using my tax-funded resources to do so.

    Well, it is educating the public and it does have some value as a research project, especially if students are able to analyze a remote exploit. Not knowing what part of the university is doing this, however, I'm not really sure that it is a "proper" use of resources.

  19. Re:Sad. on U of Wisconsin's Mac OS X Security Challenge · · Score: 2, Insightful

    Why is it that the world only considers remote vulnerabilities to be of consequence? Somehow local vuls are now irrelavent[sic].

    You're missing the point. This test is not trying to imply that local vulnerabilities are inconsequential, it is trying to undo some of the misinformation that has been spread by the press. The previous test was fine, but the representation of it in the press was that a regular OS X machine put on the internet can be hacked in 30 minutes. This is wrong in many, many ways. Thus, someone made angry by these misleading articles set up a test that is closer to the condition those articles presented and hopefully the press will also report on how misleading their previous reports were. Most of them have retractions or updates up now, but since the damage is already done, this seems like a reasonable solution to me.

    Please note, neither of these tests is gathering much in the way of useful information for security people, they are just providing yet more evidence of what most security people already know. A medium competent cracker can find a local exploit for OS X. A really good cracker can find a remote exploit for OS X. If you are going to be giving shell accounts to random people or are likely to be attacked by experts, you should be running one of the secure OS's that uses jails or virtual machines. None of this is news.

    This is not about security people though, this is about giving the average person an accurate view of how secure OS X is, without the FUD.

  20. Re:Big deal.. on U of Wisconsin's Mac OS X Security Challenge · · Score: 1

    You can put any modern OS on the net, with Apache and SSHD the only available services, and it will be secure. This includes XP, Win2k3, Linux, Solaris etc etc etc.. This test proves nothing...

    Actually, there are several other ports open, but that is still two more ports than are open on a default install. This test is merely replicating the conditions that the sensationalist articles misleading reported were the conditions of the previous test. Well, actually many of them did not mention that these ports had been opened up either, so this goes somewhat above and beyond. This test is not so much to "prove" how secure the OS is as to debunk the misleading articles about how secure the OS is.

  21. Re:Possible Danger on U of Wisconsin's Mac OS X Security Challenge · · Score: 1

    They will not be willingly sent to Apple for some minor publicity and no material, no, they will be auctioned off in some sleazy IRC channel in Russia.

    I have little doubt there are remote exploits for OS X "out there" in the hands of a few security experts and crackers. And these people are not likely to respond to this challenge unless they have a large number of them and feel like show boating. If one of them does compromise this machine in short order, well it means one of two things: either security is a lot worse than most of us think or someone smart who normally would not be cracking decided to make it their mission and find one.

    The point of this challenge is to undo some of the PR damage done by the sensationalist presentation of the last test, which was hyped by the media in such a way as to mislead the majority of readers. This test is written to be similar to what most readers thought the previous test was, based upon the misleading articles that were widely spread. 99.99% of users are not going to be attacked by one of these rare experts, instead of script kiddies or worms. Those few who are likely to be attacked should be running a more secure server OS and more secure configuration anyway. All of this is news only to people who are not in the security field in the first place, like those who read and were mislead by the articles about the previous "test."

  22. Re:For God's sake on What Corporate Email Limits Do You Have? · · Score: 1

    I can't imagine that 320 people have 420GB of business data stored on the company servers.

    I can.

    If they honestly are using all that space for business related material, you guys need to fix up a TB or two of networked storage + employee training in how to use it.

    Why? Employees have a working file transfer method, e-mail attachments. The problem is partly the way exchange keeps one copy of an attached file for each user that has received it and partly that users are not given limits and encouraged to use tools to save binaries locally. Also, saved attachments are not automatically removed from the mail servers and archived somewhere periodically.

    My other suggestion is to register everybody a Gmail account for personal use and then have a special talk with the biggest inbox abusers.

    This is usually not a good idea. Users will mix up their accounts and you'll end up with corporate e-mails sent from personal accounts and vice versus.

    All of this is solvable by a decent admin with off the shelf and/or free tools. I'd also like to say, "Ha ha! You're running exchange!

  23. Re:Start your biased counters now... on Mac OS X Security Competition Ends in 30 Minutes · · Score: 1

    Although people want to point out that they shouldn't have allowed people to have a SSH connection, you need to keep in mind that an SSH connection was allowed because they thought the config was secure enough to handle it.

    Actually, they specifically said they did nothing to harden the OS although there were several things they could have done and specifically enabled SSH and handed out passwords anyway. I'm not sure what they were trying to prove by this. Either if you bypass most of OS X's security it is hackable by someone with a moderate amount of talent of if you disable most of Mac OS X's security it won't be hackable by someone with a moderate amount of talent? This "test" proves nothing 99% of people with any clue about security don't already know. OS X is not one of the few ultra-secure multi-user server environments. Anyone who did not already know this should on no account be handling secure data that is a likely target for expert crackers.

  24. Re:Homeless on Toronto to Become One Huge Hotspot · · Score: 1

    I don't deny this happens -- I've seen some cases myself -- but I think it's talked about by passerbys like us much more than it really happens.

    I'm not so sure about this. I met a few homeless people and a number of people who work at the local shelter. I've also seen several people spontaneously have the same idea. Why don't we give the homeless some food. Try it some time. Make up a couple dozen sandwiches and go try to give them to the homeless people you see on the street begging for change. You'll get a few people who take them, a large number of people who refuse them, and a few people who get mad at you and throw things. Since a good number of the people out there ask for money so they can get something to eat, I'd say the results show a lot of dishonesty.

    Now I've been dirt poor in my life. And I can sympathize with guys who are down and out who want a drink. Hell, I've given some guys cash when they asked for it and told me they wanted to buy a bottle of something. I've run into them at the liquor store later when they are buying that bottle. But I don't confuse this with actually helping the problem and I don't think most people who give cash to the homeless should think they are helping.

    The truth is you can do a lot more good by donating some cash to the homeless shelter who can get people clothes, food, a place to sleep, a job, and affordable housing than you will giving it to the homeless directly. Maybe there are some who don't want to deal with the shelters, but most of those are either scammers (as shown above) or the mentally ill, and most of them will still go in when the weather gets really bad. That is my advice.

  25. Re:Homeless on Toronto to Become One Huge Hotspot · · Score: 1

    I don't have a solution, but giving them money draws more scum to the street to abuse the "legitimate" homeless.

    The main solution is progressive homeless shelters. The majority of the homeless are not mentally ill, they are people down on their luck. Programs to get them off of addictions, into cheap housing, and into jobs for the most part work. Sure there are scammers and people who will just try to take advantage and mentally ill. They may or may not be helped, but if you want to do good, just donate to a shelter.