Slashdot Mirror


User: jnf

jnf's activity in the archive.

Stories: 0
Comments: 223

Comments · 223

  1. uh on Longhorn: Fewer BSODs, More RSODs · Score: 1

    Wouldn't that actually be RSOD and not ROSD?

  2. 2 facts and a thought. on Microsoft to Launch 64-bit Windows on Monday · Score: 1

    1) XP 64 and 2003 32/64 have been available as beta downloads from Microsoft on an evaluation basis; they would even ship CDs to you for the cost of media.

    2) OS/400 is already ready for the next jump to 128-bit and in fact uses 128-bit pointers, etc.

    Thought:
    If we designed things correctly in the first place, switching our hardware like that would be relatively easy.

    Disclaimer:
    Currently employed by a company that has literally said 'efficiency is not a design goal' / somewhat disgruntled.

  3. okay so... on Kernel Changes Draw Concern · Score: 2, Interesting

    If your kernel is so big, perhaps you should... recompile it. The distros and even kernel defaults tend to support a lot more than most people need, thus it's going to be bigger. I never really understood this argument. I mean, of course as development chugs on core functions are gonna change and as a result most likely get bigger, but seriously, if your server has 'the latest game drivers' then you are not doing your job correctly.

    I never understood this out-of-the-box obsession. I mean, seriously, what type of admin puts an OS into production 'out-of-the-box'?

    The only part that really bothers me about this, and I say this as someone who has built a career off of programming under the unices, especially Linux: what bothers me about this is that it's not the tech-heads that read this and go 'whoa, we better find a better solution', it's the management. As a result I have to deal with what some guy who is a journalist and quite probably not really that qualified to talk on the subject has to say, but now it's coming from my boss.

  4. Re:Okay now... on Michael Robertson Says Root is Safe · Score: 1

    There are these things called 'Linux capabilities'. It's broken by default because the developers don't think it's secure, but it will allow you to do things like that, and things like ntpd as a non-root user, etc.

    Then you have POSIX FS ACLs which add a lot of granularity. Then you have third-party things like grsec which allow you to do all of the above (and specifically adds /proc restrictions).

    Simply put, just because you don't know how to do it doesn't mean it can't be done. Also, if you code your program correctly you don't even need to get funky. Open your socket but don't accept, drop privs and chug along. Or, open a named pipe and have the privileged process open the socket and hand the fd pair off to the child (priv separation).

    My point is that there is nothing wrong with a program initially needing root provided it drops its privs in a correct manner.

    And just to be an ass, but a serious ass, dig into your kernel and modify the system calls to do a

    if ( current->uid == MAGIC ) { [ ... ] }

    That's the beauty of open source: you can change the things you don't like about it.
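The "open your socket but don't accept, drop privs and chug along" pattern from the comment above, as an added C example (my code, not the commenter's): the listener is bound while still privileged, root is then dropped in the correct order, and the drop is verified to be irreversible. The loopback bind, port 0 and the uid/gid 65534 ("nobody") are assumptions for the demo.

```c
#define _GNU_SOURCE          /* for setgroups() in <grp.h> on glibc */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1: bind and listen while still privileged, but do not accept yet.
 * Port 0 lets the kernel pick a free port so the demo also runs unprivileged;
 * a real daemon would pass 80 or 443 here (which is why it needs root). */
int open_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: drop root for good. Order matters: supplementary groups, then gid,
 * then uid (setuid() last, since afterwards setgid() would fail). setuid()
 * rather than seteuid(), so the saved uid is cleared too. Returns 0 when the
 * process ends up unprivileged, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() != 0 && geteuid() != 0)
        return 0;                           /* nothing to drop */
    if (setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    /* A correct drop is irreversible: regaining root must now fail. */
    if (setuid(0) == 0 || setgid(0) == 0) return -1;
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

int main(void) {
    int fd = open_listener(0);
    if (fd < 0) { perror("listen"); return 1; }
    /* 65534 is the usual "nobody" uid/gid: an assumption, not from the comment. */
    if (drop_privileges(65534, 65534) < 0) { perror("drop_privileges"); return 1; }
    printf("socket %d is open; now running as uid %u\n", fd, (unsigned)geteuid());
    close(fd);   /* a real daemon would accept() here, as the unprivileged user */
    return 0;
}
```

If a program only calls seteuid() instead of setuid(), the `setuid(0) == 0` check above succeeds and drop_privileges() reports failure, which is exactly the "drops its privs in a correct manner" point the comment makes.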

  5. Re:Excellent commentary... on Michael Robertson Says Root is Safe · Score: 1

    that some people need.
    Mod me a troll, but seriously, if you _need_ ActiveX, you need a new programmer.

  6. and? on Unintended Consequences of Using GPL Fonts · Score: 1

    Seriously, the GPL only states that you must distribute the source to people you distribute the application to, so it's of 0 concern to internal company documents. I mean, seriously, if the email made it out of the corporate realm then there was another problem, and anyone else who sees it was probably supposed to.

  7. Re:Indian, Native American, Ukrainian, Nigerian on Indian Call Center Employees Hack US Bank Accounts · Score: 1

    First let me say I agree with you: people will be people regardless of birthplace or birth race, c'est la vie. Now that I've said that, let me start by explaining that I am a security analyst for a very large multinational ASP who services mostly banks, but we also have government contracts; needless to say we have plenty of sensitive information all over the world. Additionally, realize that we have about 5 permanent bases in India, 3 in Canada, 3 or 4 in the UK and 2 in .au. We operate over 17k ATMs throughout the US and Canada, so on and so forth. Here is the catch we run into with our employees from India... you ready? We can't do background checks on them, and many positions require superuser access to many sensitive systems. We can't even comply with our policies as a result of this, and _that_ is the risk we face outsourcing. Don't be surprised when you hear something similar for a company that starts with an 'e' and ends with an 's'.

  8. Re:Please let non-root people install on AutoPackaging for Linux · Score: 1

    "More to the point, if you have source for something, make an SRPM out of it,"
    Well, a source package was just one example. I've run across several similar instances; perhaps the correct answer is 'how about a plain text database or a program to edit the database'. For instance, I've run across instances where the database name isn't exactly what another program expected (it had a release name or similar added onto the provides line). Now of course you can edit the spec file and rebuild, but if I'm gonna do that, I'm gonna throw the crappy package manager away as well (yes, I'm referring to RPMs). I've been maintaining our internal RPMs and yum repositories for quite some time now, and I still think it is horrible design.

  9. Re:Please let non-root people install on AutoPackaging for Linux · Score: 1

    Yes, I do believe I've heard of this 'rpm' thing. If I remember correctly, it all worked fine and dandy until 1 thing got installed from source or similar, and then it became a --nodeps hell.

  10. Re:Thanks! on Jon Johansen Breaks iTunes DRM Yet Again · Score: 1

    Security through obscurity is bad for overall design; it's good for specific implementation, although by good I mean 'makes things more of a pain in the ass' and not 'they will never find my secret file!'

  11. management mistake on Source Code Dispute in Boston's Big Dig · Score: 1

    To me, this sounds like a management mistake in the sense that they either hired the wrong people, or had no one qualified to do IT hiring, etc., and as a result didn't get everything necessary into the contract?

    I mean, seriously, if you abstract and think that you plan on using a second company to build off of the progress of the first, naturally they are going to need the source code; expecting them to reverse it is absolutely silly.

  12. Re:Vs. Database-Driven Sites? on New Web Application Attack - Insecure Indexing · Score: 2, Insightful

    Thank you. That's the real security risk: not the indexing agent, but rather why is there internal documentation that is 'private' or 'confidential' within the webroot on an externally accessible webserver?

  13. obvious? on New Web Application Attack - Insecure Indexing · Score: 5, Insightful

    I read the article and it seems to be like a good chunk of today's security papers, 'here's a long drawn-out explanation of the obvious'. I suppose it wasn't as long as it could be, but really... using a search engine to find a list of files on a website? I suppose someone has to document it...

    I mean, I understand it's a little more complex as described in the article, but I would hardly call this a 'new web application attack'; at best perhaps one of those humorous advisories where the author overstates things and creates much ado about nothing. Or at least that's my take;

    -1 not profound

  14. Re:Appropriate use on GPS-Enabled Criminals In Massachusetts · Score: 1

    Felons are not allowed to own guns, I believe, as well as give up the right to vote.

    My comment really has nothing to do with the matter at hand, but I wanted to comment that removing such rights from a felon is in a lot of cases incorrect.

    While you may find that idea shocking, let's consider a few points.
    1) The right to vote and the right to own a gun are two of the most fundamental rights a citizen of any country can have; it ensures that the people will always be in control. In essence the two combined form a 'voice of the people'.
    2) A state can make anything it wants a felony.
    3) Such laws restricting the rights of felons were most obviously put into place to keep the extremely violent and similar away from weapons and such, but consider point number 2.

    Consider that in several states many minor offenses are considered a felony (for instance, in Arizona having a marijuana seed is a class 6 felony), and even though one state over such a thing may be considered a very low misdemeanor, it still transfers as a felony. Therefore taking rights away from any felon is a bad idea. Much better would be to create a list of certain crimes which would cause you to lose your rights.

    Although one could argue that inalienable means immutable also, but that's a different point. Also, on a side note, the gun/vote thing for felons differs greatly from state to state.

  15. I'm sure it's been mentioned already... on GPS-Enabled Criminals In Massachusetts · Score: 1

    But seriously, what is this going to solve? If I was a stalker who was determined to see a person who had a restraining order against me, and they put GPS in my car... well, I would do that walking thing, or perhaps take a cab.

    So in the end, it will really only catch a handful of stupid people who are likely to get caught anyway because of said intelligence deficiencies, and waste a lot of taxpayer money.

    However, as someone originally from Mass, I bet they will pass it because people don't tend to look that deep into things.

    (No, I didn't read the article.)

  16. Re:missing the overall point on SHA-1 Broken · Score: 1

    Oops, I forgot my own footnote. **: SSL already uses 2 forms of hash, MD5 and SHA-1.

  17. missing the overall point on SHA-1 Broken · Score: 3, Interesting

    What you have to figure is that with any hash that's shorter than the max amount of data, the possibility of collisions will occur;
    figure that if you could represent every possible combination in 128 bits, you would never need to have 129 bits of data.
    Because this is not true, all hashes will have collisions. However, the chances of multiple hashes all having collisions with altered data is 'pretty damn slim'. So therefore the best solution, most likely in the future, and presently, is to authenticate messages, identification (a la SSL certificates**) and binaries with multiple hashes known to be reasonably strong. One doesn't need to be a cryptologist to realize that using something like MD5, SHA-256 and RIPEMD-160, the chances of collision in all 3 hashes are quite slim, and within the range of acceptable risk.

  18. Re:Proxy? on Taking My Freedom With Me to China? · Score: 1

    You assume the presumption of innocence. I am not referring to China in particular here; however, if my effort was to censor my citizens, then the first thing I would grab people for is the use of encryption. A covert channel / flipping a bit here and there in a proxy-like server sending legitimate traffic would raise fewer eyebrows.

  19. more important: Sims 2 or your life/freedom? on Taking My Freedom With Me to China? · Score: 1

    While I've never been to China and never directly experienced their security, I cannot speak on it. However, I can speak a little about respecting other countries' laws, and it's not so much respecting it because you agree with it, but more respecting it because you will find yourself in a nice Chinese prison if you don't. Simply put, while the US justice system has a lot of problems, it's still a cakewalk compared to many countries; things you may take for granted, i.e. right to a trial, right to an attorney, etc., may not necessarily hold true in another country. In addition to that, it's very American of us to go to other countries and expect the same standards. We do that a lot, but that's not really the point. Overall I am just saying 'sure you could probably get around it, but we are also talking about a country with gross human rights violations so you must consider which is more important to you, Sims 2 or your life'. Never mind if you are religious or anything else.

  20. Re:first virus that would infect linux from window on Inside the Mind of a Virus Writer · Score: 1

    http://www.google.com/search?hl=en&lr=&q=+%2B%22W32.Winux%22&btnG=Search
    W32.Winux
    The only reason I am impressed with it is because it hadn't been done before. Benny is quite good at that, and that was my point as to what makes him special.

  21. my life with 29a/#virus on Inside the Mind of a Virus Writer · Score: 2, Interesting

    So for several years I was an op on #virus, the 'home base' of 29A and less popular/talented virus groups. I've never written a virus/worm myself, and because of that I was only mildly accepted; however, I did get an insight into them, and many of 'them' do it for the reasons Benny listed. Benny is a perfect example of proof of concept: he wrote the first XP virus, the first virus that would infect Linux from Windows if a computer dual booted, etc. While Slashdot as a whole may have an unpopular opinion of them in general, I can say at least some of them are quite talented. Oh, and they hate the VBS/VBA viruses just as much as anyone else.

  22. Re:Beta testing? on Sneak Peek At Microsoft Anti-Spyware · Score: 1

    A bit back, when I bought my first 64b box, I decided to just give 2003 64b edition a try, just to see what it was like. They offer it free for download, or you can pay like 20 USD (price of media/shipping) to have it shipped to you, and it's like a 300-day trial or something.

    I don't mind paying for software, so long as it's not incredibly overpriced (okay, well, honestly, if you think about how much it actually costs to make the product, 80-100 USD isn't terribly bad, but a little pricey for something I really don't even want).

    So I bought the 2003 CDs and after a bunch of problems with them sending me XP 64b edition (each time they reshipped at their own expense), I finally got 3 copies of XP 64b edition, and 2003 64b edition, just a little folder sleeve thing for each one, nothing fancy, and it was cheap, and both are still in beta testing. So, in short, no: my experience with MS beta software is that it's not fully packaged, nor sold for high prices, but this is my only experience with it; your mileage may vary.

  23. treating symptoms? on Sneak Peek At Microsoft Anti-Spyware · Score: 3, Insightful

    Well, at first glance it seems somewhat silly, as if they are treating the symptoms instead of the problem. Everyone can pretty much agree switching to another browser can alleviate a lot of the problems, or even just mutilating IE so that it becomes a pain in the ass to use (i.e. prompting for confirmation before allowing ActiveX, etc.), and that's what happens in 2003 by default (IE becomes a pain in the ass to use), but agreed, that doesn't cure all of the problems. For instance, I know I've seen some spyware piggyback in on files played by Media Player or Winamp, or P2P programs (contrary to popular belief Kazaa Lite appears to be spyware as well; fire up a sniffer and watch the local network).

    But when you really look at it, solving the problem hardly seems to be the point. Contrary to what a lot of us would like to think, Microsoft isn't full of idiots, and a lot could be learned from the 'failure' that is most anti-virus software, namely that signature-based detection is not the best way to detect malware. So then you have to sit back and ask yourself why a corporation would follow such tactics if the elimination of spyware/adware was their goal? Money, just like it always is. You don't want to cure the problem because then you start pinching your paycheck. Plus you have the advantage of testing/(further) conditioning the public to subscription-based payment methods, and they will thank you for it because you are 'helping' them. IMHO, it just seems like another wolf in sheep's clothing, but that's just my take on it.