> Can you explain how installing a second separate program improves security in the first?
For intranet applications, it may make sense.
If your intranet does not use Flash, you can avoid rolling out Flash in your corporate network in the first place, thus reducing potential attack surface.
Of course, there is still YouTube, news sites, etc., so this is only applicable in highly restricted workplaces where users aren't supposed to complain about that.
No, it doesn't.
Windows XP originally came with Macromedia Flash Player 5 (http://www.adobe.com/macromedia/proom/pr/2001/fp5_msxp.html)
This Microsoft update only applies to this ancient Flash Player distributed with Windows XP as a part of that agreement (versions 5 and 6).
Flash is now among the top attack vectors for Windows, and it isn't even covered by Windows Update.
There were 23 reported security issues in the last 2 years, including at least 4 browse-and-get-owned vulnerabilities.
In comparison, Silverlight has had no security bulletins since its 1.0 release (it's now at 3.0).
This may be just yet another reason to migrate to Silverlight, especially for intranet applications.
Anything from a 6to4 address typically gets routed to 192.88.99.1 (IPv4, protocol number 41), unless IPv6 is configured in a really weird way.
Since your ISP does not have their own router with the 192.88.99.1 anycast address, *all* IPv6 traffic goes through one of their peers who advertises their route to 192.88.99.1.
The actual destination IPv6 address doesn't matter (unless the destination is also a 6to4 address, in which case, the traffic is typically routed directly to the encoded IPv4 address instead of 192.88.99.1).
That's because you are using an IPv6 address in the 6to4 address space, not a native IPv6 address.
And according to the trace, your ISP doesn't have their own 6to4 router deployed, so the traffic gets sent to whoever announces the shortest route to 192.88.99.1 via BGP.
(192.88.99.1 is a special IP which means 'any 6to4 router')
Yes, in fact, stateless autoconfiguration implies using at least a /80 prefix.
And I don't see why ISPs would want needless complexity of keeping track of every device in a household.
Are you sure these are not 6to4 addresses (2002:::xxx)?
By default, Vista and Win7 will automatically allocate a 6to4 address for each non-private IPv4 address configured on the computer.
(since you mentioned ipconfig and not ifconfig, I assume you are using Windows)
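The address arithmetic behind the two comments above, as an added example (not code from the original poster): derive a host's 6to4 address from its public IPv4 address, pull the embedded IPv4 address back out of a 2002::/16 address, and decide where the protocol-41 packet goes (straight to the peer if the destination is also 6to4, otherwise to the 192.88.99.1 relay anycast). The list of "not public" IPv4 ranges is my assumption of what the post's "non-private IPv4 address" rule means; the sample addresses are documentation ranges.

```python
import ipaddress

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")            # RFC 3056
SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # RFC 3068 "any 6to4 router"

# Ranges a host will not build a 6to4 address from (assumed reading of "non-private IPv4 address")
NOT_6TO4_ELIGIBLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def sixto4_address(ipv4, subnet_id=0, interface_id=1):
    """Build 2002:WWXX:YYZZ:<subnet>::<iid> for a public IPv4 address WW.XX.YY.ZZ."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in NOT_6TO4_ELIGIBLE):
        raise ValueError(f"{ipv4} is not a public IPv4 address; no 6to4 address is derived from it")
    # 2002 in the top 16 bits, the IPv4 address in bits 16..47, then subnet id and interface id
    value = (0x2002 << 112) | (int(v4) << 80) | (subnet_id << 64) | interface_id
    return ipaddress.IPv6Address(value)


def embedded_ipv4(ipv6):
    """The IPv4 address encoded in bits 16..47 of a 6to4 address, or None for native IPv6."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def encapsulation_target(src, dst):
    """Outer IPv4 destination of the protocol-41 packet a 6to4 host sends for src -> dst."""
    if embedded_ipv4(src) is None:
        raise ValueError("source is native IPv6, so nothing is encapsulated in 6to4")
    peer = embedded_ipv4(dst)
    if peer is not None:
        return peer                      # 6to4 to 6to4: tunnel straight to the peer's IPv4 address
    return SIXTO4_RELAY_ANYCAST          # anything else: whoever announces 192.88.99.0/24 via BGP


def describe(src, dst):
    """One-line summary of what a traceroute from a 6to4 host should be expected to show."""
    target = encapsulation_target(src, dst)
    kind = "direct 6to4 peer" if target != SIXTO4_RELAY_ANYCAST else "6to4 relay (anycast)"
    return f"{src} -> {dst}: IPv4 proto 41 to {target} ({kind})"


if __name__ == "__main__":
    me = sixto4_address("203.0.113.5")          # constructed public address
    print(describe(str(me), "2001:db8::1"))     # native destination: goes to the relay
    print(describe(str(me), "2002:c000:204::1"))  # 6to4 destination: goes to 192.0.2.4 directly
```

So if the destination is native IPv6, the only IPv4 hop that matters is whichever relay your ISP's upstreams hand 192.88.99.1 to; the IPv6 destination never influences that choice.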
This will only work if the drive doesn't do background 'scrubbing' to improve future write performance.
Or, even if the drive didn't erase physical Flash cells yet, it could already mangle the mapping between the logical and physical blocks.
In fact, I have a cheap CompactFlash card that does exactly that when you yank power from it while writing - the drive appears completely scrambled (with blocks reordered) when you restore power to it.
Something as simple as deleting the wrong partition becomes an irreversible operation if you do it using a tool that supports TRIM on TRIM-enabled hardware.
Even if you restore the partition table from a backup, you will likely suffer silent file system corruption, which may not even be apparent until it's too late.
If TRIM support is actually implemented on the device, the device is free to 'lose' data on TRIMmed blocks until they are written at least once.
Even if you go IPv6, you still need to provide at least a NAT-ed IPv4 address or a transparent HTTP/DNS proxy.
And the 'transparent proxy' solution will break everything except HTTP, most notably, HTTPS.
You can communicate with IPv6 hosts from an IPv4 address (via 6to4 encapsulation).
But you cannot communicate with IPv4-only hosts using an IPv6 address without a proxy.
And finally, updatedb can be disabled easily -- and even if it couldn't, newer Ubuntus come with a version that only does partial sweeps.
By the way, does Linux have disk I/O prioritization like Vista does, and is it enabled by default?
For example, Vista indexing service also generates a LOT of disk I/O, but it runs with 'background' I/O priority, and the impact on the disk response time is not nearly as significant as running an add-on indexing service for WinXP.
Most add-on indexing services for XP (Google, Windows Desktop Search) will stop indexing if the user is using the keyboard/mouse for exactly that reason (no way to prioritize I/O).
Vista will not magically run kernel-mode USB device drivers in userspace.
There *is* support for user-mode USB drivers via UMDF (User-mode driver framework). But, the driver has to be implemented differently for that to work.
Apple's USB driver (Usbaapl.sys) is a traditional kernel-mode driver.
Any unhandled exception (or, perhaps, kernel memory corruption) in the driver will cause a blue screen.
And there is, in fact, a redistributable version of UMDF for Windows XP (SP2 and later).
If enough is known about how the malware is behaving to know that it is suspicious, [we will] fingerprint the file and send it in the cloud to AvertLabs so we can look at it, provide people a piece of protection and send it immediately back to them.
They only match the fingerprint (probably a set of some hashes) against an online database and, if there is a match, the "fix" for that malware is downloaded and executed.
Nothing "magic" here, it's just an online signature database.
See http://www.mcafee.com/us/enterprise/products/artemis_technology/index.html
If they actually *did* online analysis, as the article suggests, just sending the alleged malware would potentially violate copyrights/NDAs/etc.
Not to mention that automated online analysis of unknown malware is a very difficult problem.
I guess that about 30% of the carriers' revenue in the US is such 'oh shit' charges (on a lesser scale, of course).
And by running tabs in separate processes, Google sidesteps the need for a native 64-bit browser and *plugins*.
After all, 2GB per tab should be enough for everyone.
On Vista, you can enable page file encryption (the key is random on each boot, and is never stored on disk):
fsutil behavior set encryptpagingfile 1
I am sure there is a way to do this on Linux too.
That's interesting.
I noticed that the fan on my ATI card maxes out when staying on a station for an extended period of time. This doesn't happen when playing any other games - perhaps most other games are limited by graphics memory throughput, by CPU, or by arbitrary frame rate limits.
When staying on a station the scene is quite simple - a decent card is able to pump >100 FPS if vsync is off.
OTOH, when not docked on a station, the framerate is clearly CPU-bound, and the fan speed drops to 25%.
> After about 200 identical replies with different tids (damn the source ip) ... i'd block it.
Blocking is not really feasible, as you (in general) cannot distinguish the spoofed DNS replies from the actual ones.
If you do blocking, the cache poisoning vulnerability immediately becomes a denial-of-service vulnerability with 100% reliable exploitation.
The exploit is trivial to figure out - if a caching DNS server has recursion enabled, and also sends the outgoing DNS queries to the authoritative servers over a fixed (or predictable) UDP port, you can just send forged UDP responses together with your recursive DNS query.
The bogus response will be cached and will affect other users of the DNS server.
The attacker also needs to guess the transaction ID (16-bit value), but they can send multiple bogus UDP responses with different transaction IDs.
Also, vulnerable implementations may generate transaction IDs in a predictable way, so the attacker can obtain the current state of the PRNG by generating a recursive DNS query to a DNS zone under the attacker's control.
Such an attack cannot be performed from a typical home broadband connection, as most ISPs will not route packets originating from IP addresses not allocated by the ISP.
The attacker needs to be in control of the routing/egress filtering within his AS (e.g. an enterprise-level Internet service).
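The exchange described in the comment above, as an added example that is not part of the original post: a toy Python model of a caching resolver that accepts the first reply matching (name, transaction ID, source port) of its outstanding query, an attacker who floods spoofed replies before the genuine one lands, and the "leak the PRNG state via a query to my own zone" shortcut against a predictable transaction-ID generator. Everything here is constructed: the LCG parameters, the fixed port 53535, the names and the 203.0.113.66 answer are made up, and the Monte Carlo counts are just big enough to show the fixed-port vs random-port gap.

```python
import random

FIXED_SRC_PORT = 53535          # a resolver that sends every outgoing query from one UDP port
VICTIM = "www.victim.example"   # constructed name the attacker wants to hijack
FAKE_ANSWER = "203.0.113.66"    # attacker-chosen address (documentation range)


class WeakTxid:
    """16-bit LCG standing in for a predictable transaction-ID generator (hypothetical parameters)."""
    A, C, MOD = 75, 74, 1 << 16

    def __init__(self, state):
        self.state = state % self.MOD

    def next(self):
        self.state = (self.A * self.state + self.C) % self.MOD
        return self.state


class ToyResolver:
    """Caching resolver: the first reply whose (name, txid, port) match the outstanding query wins."""

    def __init__(self, random_port, random_txid, seed=0):
        self.random_port, self.random_txid = random_port, random_txid
        self.rng = random.Random(seed)
        self.txid_gen = WeakTxid(seed)
        self.cache, self.pending = {}, None

    def send_query(self, name):
        txid = self.rng.randrange(1 << 16) if self.random_txid else self.txid_gen.next()
        port = self.rng.randrange(1024, 1 << 16) if self.random_port else FIXED_SRC_PORT
        self.pending = (name, txid, port)
        return txid, port          # what the queried zone's authoritative server gets to see

    def receive(self, name, txid, port, answer):
        if self.pending == (name, txid, port):   # later replies, genuine or not, are dropped
            self.cache[name] = answer            # and every other client of this cache gets it
            self.pending = None
            return True
        return False


def blind_attack_success_rate(random_port, budget=4096, trials=1000, seed=1):
    """Fraction of attempts in which `budget` spoofed replies beat the genuine one (random TXIDs)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        r = ToyResolver(random_port=random_port, random_txid=True, seed=rng.randrange(1 << 30))
        r.send_query(VICTIM)                     # triggered by the attacker's own recursive query
        guessed_port = rng.randrange(1024, 1 << 16) if random_port else FIXED_SRC_PORT
        for txid in rng.sample(range(1 << 16), budget):   # distinct TXIDs, one guessed port
            if r.receive(VICTIM, txid, guessed_port, FAKE_ANSWER):
                wins += 1
                break
    return wins / trials


def poison_with_predicted_txid(seed=7):
    """Fixed port + predictable TXID: one probe to an attacker-controlled zone leaks the state."""
    r = ToyResolver(random_port=False, random_txid=False, seed=seed)
    leaked_txid, port = r.send_query("probe.attacker.example")   # attacker's server observes this
    clone = WeakTxid(leaked_txid)                                # LCG state == last TXID emitted
    r.send_query(VICTIM)                                         # now make it ask about the victim
    poisoned = r.receive(VICTIM, clone.next(), port, FAKE_ANSWER)  # a single spoofed packet
    return poisoned, r.cache.get(VICTIM)


if __name__ == "__main__":
    print("fixed port, random txid :", blind_attack_success_rate(random_port=False))
    print("random port, random txid:", blind_attack_success_rate(random_port=True))
    print("fixed port, weak txid   :", poison_with_predicted_txid())
```

With a fixed port the attacker needs only a fraction of the 16-bit TXID space per race (about budget/65536 per attempt, and the attacker can repeat the race as often as it likes); randomising the source port multiplies the search space by the port range, which is why port randomisation rather than "blocking after N bad replies" is the fix.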
MSN mostly doesn't index forum posts/blog comments (even Slashdot comments).
That *is* one single misfeature which makes it lose to Google, badly. A lot of useful information is hiding in random forums/blogs.
I wonder if it is related to more 'faithful' robots.txt handling - for example, Slashdot's robots.txt disallows 'comments.pl', which probably prevents MSN from ever indexing the content.
Either Google ignores this robots.txt entry, or Slashdot admins have manually configured Google per-site indexing settings to index the comments.
These figures are 87.5% bullshit anyway, MSN included.
That is, until the search engines can actually display that 12011674th match.
Of course, it's not a hack.
A fully-qualified DNS domain name ends with a dot, so you should type 'whois amazon.com.' instead.
Those "hacked" results you are getting are just bogus amazon.com.foo.bar. subdomains.
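An added example illustrating the point above (not code from the original poster): compare DNS names label by label instead of as string suffixes, treat a trailing dot as "absolute", and show how a stub resolver's search list expands a name that lacks the dot. The search list, ndots value and all names are constructed.

```python
def canonical_labels(name):
    """Split a DNS name into lowercase labels; the trailing dot marks the root and carries no label."""
    name = name.strip()
    if name.endswith("."):
        name = name[:-1]
    return [label.lower() for label in name.split(".") if label] if name else []


def is_within_zone(name, zone):
    """True if `name` is `zone` or a subdomain of it. Compared per label, so
    'amazon.com.foo.bar' and 'notamazon.com' are both rejected for zone 'amazon.com'."""
    n, z = canonical_labels(name), canonical_labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def naive_suffix_check(name, zone):
    """The common bug: a plain string suffix test accepts 'notamazon.com' for 'amazon.com'."""
    return name.lower().rstrip(".").endswith(zone.lower().rstrip("."))


def resolver_candidates(name, search_list, ndots=1):
    """Names a typical stub resolver tries, in order (model of the ndots/search rules, assumed):
    an absolute name (trailing dot) is never expanded; a relative one with fewer than `ndots`
    dots gets the search suffixes first, otherwise the name itself is tried first."""
    if name.endswith("."):
        return [name]
    expanded = [f"{name}.{suffix.rstrip('.')}." for suffix in search_list]
    absolute = name + "."
    if name.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]


if __name__ == "__main__":
    for candidate in ("www.amazon.com.", "amazon.com.foo.bar.", "notamazon.com"):
        print(f"{candidate:22} in amazon.com? label check={is_within_zone(candidate, 'amazon.com')}"
              f"  suffix check={naive_suffix_check(candidate, 'amazon.com')}")
    print(resolver_candidates("amazon.com", ["corp.example"]))   # relative: may get expanded
    print(resolver_candidates("amazon.com.", ["corp.example"]))  # absolute: exactly one lookup
```

The same label-wise comparison is what you want anywhere a host name is matched against an allow-list (cookie domains, CORS origins, certificate name checks); the suffix version is the classic bypass.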
http://www.microsoft.com/Presspass/press/2008/may08/05-21ExpandedFormatsPR.mspx
Also, ODF will be allowed to be configured as the default format for documents.
SP2 will also include support for PDF and XPS export.
Sorry, but you are already screwed.
Every DIMM module you have installed probably has a unique serial number in its SPD data.
Your network card has a unique default MAC address.
Your motherboard probably has a unique (random) GUID.
Each hard drive/optical drive has a serial number (and not just the volume serial number).
Adding a model-specific register to a CPU with its serial number does not make things much worse.
The fact is that they don't.
The current SSDs emulate a 'classical' 512-byte block device, just like any hard disk.
This is not the most efficient design, however, doing otherwise would be prohibitively expensive (due to incompatibility with existing software).
In a classical 512-byte block device, there is no distinction between a 'free' block, and a 'busy' block.
Hence, the 'address space' of the SSD is "virtualized", and the amount of the physical memory is greater than the addressable amount. The physical blocks themselves can be greater than 512 bytes as well.
If you repeatedly rewrite the same 512-byte block, the wear-leveling algorithm spreads the writes over a set of physical locations.
In an ideal implementation, this set will be as large as the difference between the physical memory size and the virtual size.
However, this would make efficient implementation difficult, thus the set of 'free blocks' is actually much smaller, and the actual set depends on the address of the block being rewritten.
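A toy flash translation layer in Python, added here as an example (not code from the original poster) to illustrate both this comment and the earlier one about TRIM: a small logical block device sits on a larger physical pool, every rewrite goes to the least-worn free physical block rather than in place, TRIM drops the logical-to-physical mapping, and an optional "lazy erase" mode models a drive that leaves the stale cells untouched until a background scrub gets around to them. The allocation policy, block counts and payload strings are all constructed.

```python
class ToyFlashDevice:
    """Constructed FTL model: logical blocks mapped onto a larger physical pool with
    least-worn-first allocation, TRIM, and optional deferred (background) erase."""

    def __init__(self, logical_blocks, physical_blocks, lazy_erase=False):
        if physical_blocks <= logical_blocks:
            raise ValueError("an FTL needs over-provisioning: more physical blocks than logical ones")
        self.logical_blocks = logical_blocks
        self.lazy_erase = lazy_erase
        self.l2p = {}                              # logical block -> physical block
        self.cells = [None] * physical_blocks      # payload still sitting in each physical block
        self.erase_count = [0] * physical_blocks
        self.free = set(range(physical_blocks))
        self.dirty = set()                         # retired but not yet erased (lazy mode only)

    def _check(self, lba):
        if not 0 <= lba < self.logical_blocks:
            raise IndexError(f"LBA {lba} outside the {self.logical_blocks}-block address space")

    def _erase(self, phys):
        self.cells[phys] = None
        self.erase_count[phys] += 1
        self.dirty.discard(phys)

    def _retire(self, phys):
        """Return a physical block to the free pool; erase now, or leave it for the scrubber."""
        self.free.add(phys)
        if self.lazy_erase:
            self.dirty.add(phys)
        else:
            self._erase(phys)

    def write(self, lba, payload):
        self._check(lba)
        # wear leveling: pick the least-worn free block, never the one currently holding the LBA
        target = min(self.free, key=lambda p: (self.erase_count[p], p))
        self.free.remove(target)
        if target in self.dirty:
            self._erase(target)                    # flash must be erased before it is programmed
        self.cells[target] = payload
        old = self.l2p.get(lba)
        self.l2p[lba] = target
        if old is not None:
            self._retire(old)                      # previous copy becomes stale, not overwritten
        return target

    def read(self, lba):
        self._check(lba)
        phys = self.l2p.get(lba)
        return None if phys is None else self.cells[phys]   # unmapped LBA: nothing to return

    def trim(self, lba):
        """Host says the block is unused: drop the mapping; the cells can go whenever the drive likes."""
        self._check(lba)
        phys = self.l2p.pop(lba, None)
        if phys is not None:
            self._retire(phys)
        return phys

    def background_scrub(self):
        """What the drive does on its own schedule: erase everything retired so far."""
        for phys in list(self.dirty):
            self._erase(phys)

    def forensic_scan(self, payload):
        """Would a raw dump of the physical cells still contain this payload, mapped or not?"""
        return any(cell == payload for cell in self.cells)


def rewrite_spread(logical=4, physical=8, rewrites=50):
    """Rewrite one LBA repeatedly: how many physical blocks it visits, and how even the wear is."""
    dev = ToyFlashDevice(logical, physical)
    for lba in range(1, logical):                  # other LBAs occupy their share of the pool
        dev.write(lba, f"data-{lba}")
    targets = {dev.write(0, f"version-{i}") for i in range(rewrites)}
    counts = [dev.erase_count[p] for p in targets]
    return len(targets), max(counts) - min(counts)


def trim_then_scrub(lazy_erase):
    """Delete a partition's block via TRIM, then look at it before and after the background scrub."""
    dev = ToyFlashDevice(4, 8, lazy_erase=lazy_erase)
    dev.write(0, "partition-table")
    dev.trim(0)
    after_trim = (dev.read(0), dev.forensic_scan("partition-table"))
    dev.background_scrub()
    after_scrub = (dev.read(0), dev.forensic_scan("partition-table"))
    return after_trim, after_scrub


if __name__ == "__main__":
    print("blocks visited, wear spread:", rewrite_spread())
    print("lazy erase  :", trim_then_scrub(lazy_erase=True))
    print("eager erase :", trim_then_scrub(lazy_erase=False))
```

Two things to take from it: with the other LBAs in use, the rewritten block cycles over only the over-provisioned slack (physical minus logical, plus the slot it currently holds), and once an LBA is TRIMmed the host reads nothing back even while the old cells still physically hold the bytes, so a raw forensic dump may or may not recover them depending on when the scrub runs.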