'If Herr Korz feels that he holds a legitimate license to the BeOS code he's been using, we're completely unaware of it, and I'd be fascinated to see him produce any substantiation for that claim'
'PJ's whereabouts were unknown for some time as stated in the filing'
But why did they process serve in Connecticut, while PJ is supposed to be in Hartsdale, New York? And why is it the entire SCO legal team can't seem to find her when Moggie O' Gara found it so easy? Maybe they should hire her on to find PJ.
'It is also, settled by case law that you cannot serve someone by email unless you have exhausted all possibly efforts to serve them in person in order to affect a certainty of awareness of the subpoena'
What efforts did they expend in locating Ms. Jones? What case law are you citing that refers to serving a subpoena by email? Please give references. According to IBM-1018.pdf SCO can just leave it lying round at the witnesses' office to be duely served.
'she has enough backing and friends to muster together a motion to quash the subpoena'
I wouldn't even respond if I was her. All is happening here is SCO trying to distract from their own lack of facts and drag out the discovery phase some more. Instead of 'SCO show us the code' it'll be when did PJ know something and how did she come by this fact. Something totally irrelevant in SCO v. IBM/Novell/AutoZone/Daimler Chrysler etc.
'Lets get it on so that the realities that each side is claiming can be settled by the facts instead of by amatuer pundits such as myself'
What factual cited court records and other fully attributed documents on Groklaw materially impinge on the SCO case? Like all they have to do is point. A bit like pointing out the 'stolen' code in Linux.
'As for Groklaw being a legal website based upon the truth, one should be reminded of the words of former Supreme Court Justice Louis Brandeis: 'Sunlight is said to be the best of disinfectants''
How can Groklaw not be in the Sunlight - it's a website? What bits on Groklaw aren't truthfull. It's being going for years. Surely you - sorry I mean the SCO legal team would have spotted something by now.
'administrator cannot disable the code-signing requirement.. which is what this article talks about.. it appears that this was a pre-RTM setting which is now ignored'
From what I read of the article(s) talks about the whole protection and security mechanisms of Windows Vista can be circumvented and it also works on Vista Final . There doesn't seem to be a reference to a method of enabling the administrator to run unsigned code.
'Yeah, we'll see some worms, but like I said, I doubt they'll be of the magnitude of some of the ones in recent memory'
'was Re:Looks like it (Score:4, spin double plus good)'
'In order for the boot sector to be compromised [in x64 Vista], there must already have been a kernel-level compromise.. My guess is that compromising this particular security mechanism will be hard'
Do you meant that this VBootkit bootable CD doesn't really launch and bypass the whole security mechanisms of Windows Vista.
'VBootkit that launches from a CD and boots Vista, making "on the fly" changes in memory and in files being read'
How exactly does x64 Vista prevent the boot sector being compromised?
'A boot disk like this wouldn't be useful for compromising a system in the traditional, and it isn't intended as such'
I would have thought that what is actually does is more important than what it is intended to do. which is to bypass the whole security mechanisms of Windows Vista.
was.. Re:and in a related story... (Score:5, Distraction)
'Assuming that Windows was running on NX-enabled hardware and had software support for NX, that still doesn't stop an overflow from spilling past the NX-marked stack into a non-NX region of memory', Chris Burke
So you're telling me the NX solution doesn't work. Not much use then is it. See here where a bug in user32.dll apparently leads to system compromise.
'There's only so much hardware can do, and it's doing most of it. The problems and solutions are all in software', Chris Burke
Not really, design a high level MMU that allocates memory and manipulates the stack under requests from the OS. I'm not saying it would be easy, but why haven't the combined efforts of Intel/Cisco etc not come up with a solution by now. The answer to that is the problem of having to stick with that aging obsolete backward compatible x86 design.
'Stack-based buffer overflows are usually problems occurring entirely within a single process'
If I can return to the above point re 'NX-marked'. Have the MMU control the boundaries, that way a buggy process can't spill past into a non-NX region of memory. Can't the MMU store the current N bytes on the stack before a call and restore them after the call. Or switch in a 'fake' stack so any attempt to manipulate it would fail on return. Are you seriously telling me there is no technological fix to stack exploits. Was there ever a CPU design that didn't get buffer overflows?
'help prevent certain classes of malicious buffer overflow attacks when combined with a supporting operating system'
'By combining Execute Disable Bit with anti-virus, firewall, spyware removal, e-mail filtering software, and other network security measures'
Only certain classes of attacks and with a supported operating system system and you still need AV, spyware etc. I'm talking about something that runs transparently in hardware and stops process A accessing process Bs memory - period. So even with malicious or defective code - nothing happens. And besides which it don't seem to be working..
'A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system'
'The vulnerability is caused due to an boundary error within the handling of animated cursors and can be exploited to cause a stack-based buffer overflow via a specially crafted animated cursor file', January 3, 2007
When are they going to fix bufferoverflows and stack exploits. Something in the hardware that prevents a process writing out of its allocated memory. Something in the hardware that marks pages read/write or execute and prevents code being executed on the stack.
'So how does the server learn the credit card number etc necessary to perform the transaction?'
When you apply for a card, the server generates a unique identity. These details are stored on the card and on the server. The card is sent out to you and when in use a processor on the card generates a one time encrypted transaction from the data on the card. This is sent across the network to the server. The server performs the same transaction on the data stored in the server. If the two matches then the transaction is validated.
If I recall correctly, these security chips are divided into two sections one holding the master key and data and a second that queries the first and communicates with the reader. The keys are not passed to the reader, only the one time transaction which is useless to the hackers.
You don't send sensitive information across the Internet period. On the client run an application that generates a unique one way hash of the transaction. This is sent to the server which performs the same hash using data stored on the server. It then sends a confirm msg to the client.
On the server the data is stored encrypted and is accessed through well defined system calls. The encryption is done by a hardware module that sits between the harddrive and the system. That way if the server is sucessfully hacked the entire database is not compromised. The hardware module provides keys to the system so there is no security data lying about the disk or in memory to be hacked. All a network sniffer can do is access a one time encrypted transaction that can not be leveraged to provide usefull information.
'The administrator in question is enjoying this publicity and thumbing his nose at the authorities and Microsoft'
Like how, he is protesting his innocence. He likes having the threat of a jail sentence hanging over his head? This is the second time a school teacher is facing jail time for using Windows. See here where a 7th grade teacher gets arrested when porn images pop up in the browser on a Win98 desktop. The expert prosecution witness says there is no way such images could have got on without user interaction. Something we all know is a big lie.
The teachers union on both continents should have the schools sign a do not sue waiver before touching the computer. Or maybe the EULA should be updated.. use of the product can land you a hefty jail sentence.
'there has been talk in Russian press that he was well aware that software was illegal on dozen of the machines but still decided to cut the costs and pocket the difference'
Do you have any evidence for this wacky anecdote.
'During a court trial he was asked to apologize and move on but he insisted of filing an appeal to "clear his name" and play a martyr of some sort. In sum, this guy is an asshole'
What trial? the first case was thrown out. Also the original claim changed from piracy to illegally using the software. Even so the Judge saw fit not to proceed. Where does it say he was asked to apologize. Why would he appeal a non case. Where does it say he appealed.
'If one were to put aside the bias towards Microsoft, it's clear that Panosov is being defiant, despite him being completely guilty'
What are you smoking, toad juice? What bias? How does defending oneself in a court of law equate to being biased? I thought even in your country people are deemed innocent until proven guilty in a court of law. 'Your honour the defendant is obviously guilty as he has chosen to plead innocent':)
'I've checked his blog and he's asking his readers on how to partition the NTFS drive and install Linux alongside windows. I don't think he learned a lesson here. He's not the saintly school teacher who was unknowingly victimized by prosecutors as the media had initially reported'
What blog? Do you mind providing a citation to this blog where it actually says that. How in the alternate Bizarro world that you occupy does installing Linux equate to being guilty in a case of software piracy.
was Not the whole story... (Score:5, Interesting:) you have got to be taking the piss!!
'I don't know for sure, but since I work for TJX I can tell everyone that MicroSoft probably isn't to blame on this one. But the Apple fanboys and the Linux geeks aren't to blame either. TJX is an AS/400 shop'
I totally believe that you work for TJX as it wouldn't be that you are intoducing a tiny fib to corroborate the rest of your story.
It was the AS/400 that got hacked was it? Like they have a mixed NT AS/400 shop and it wasn't the NT as you say so. So you can tell us exactly how the hack was done.
http://tinyurl.com/2cg4v3
">Windows NT administration.'
'The six named people must have had some deep insight to the code on which these systems were running. Maybe they had inside help. If I really wanted to be paranoid I'd suggest that the six named people were caught port-scanning the servers and they're being used as the fall guys so that the real criminals, probably insiders, can slip out the back door'
An interesting exercise in fallacious reductio ad absurdum. Just because they passed the cards don't mean they wrote the code and the Florida police caught them port-scaning the server and only arrested them to give the real criminals time slip out the back door.
Do you seriously think the hackers would drive about Florida trying to pass the stolen cards, especially months after it went public. The six are more likely to be down stream crooks that purchased the stolen card details not realising where they came from.
What does the OS of their web server have to do with what OS thier internal billing systems are using?
, Anonymous Coward
It was the ecommerce server that was compromised, unless you know different.
'Just because their webserver is running IIS doesn't necessarely mean that everything else is.. I doubt that it is an OS issue and more an inside job'
What does their internal billing systems run on. How is it connected to the front end. How was the breach achieved. Did they break in through the front end. Have you told the Florida police about this inside job.
Well according to the article how they got the information by hacking TJX and using it to purchase large quantities of gift cards from Wal-Mart and Sam's Club. So in this case we don't have to wonder.
'in filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders'
'in partnership with the Gainesville Police Department, officials from the Florida Department of Law Enforcement said they have taken six of 10 suspects into custody for allegedly using the TJX customer data to purchase large quantities of gift cards from discount chains Wal-Mart and Sam's Club'
'This whole Dell preinstalled Linux thing strikes me as a sham to get something out of Microsoft, like lower Windows license prices'
Like how, if they sell less Windows per line they get penalised. The push is coming from the end users who want a pre-installed Linux box. And if it is a sham then why did MS push to derail the last two Dell Linux efforts.
'Linux preinstalled is not all that important. The emphasis on preinstalled is the old, Windows/Mac way of thinking'
Linux preinstalled and in the shops is the best thing that could ever happen. Once the average user can buy Linux preinstalled then the userbase will take off. I mean how many people actually install Windows from scratch.
'Well, obviously we spoke to two different people'
I believe the problem is that 'dave' in India won't be able to talk the average user through reinstaling the OS again, after he has dragged and dropped the Windows folder into the trashcan (to save on disk space). This is a true story, I kid you not.
It's not as if technical support over the telephone is of any use. What do you do with someone who sets the fonts at 90 in Word so as they can see the text and then prints out reduced by 70% so as it fits on the paper.
The one button restore sounds like a good idea though.
Slashdot Mirror
'If Herr Korz feels that he holds a legitimate license to the BeOS code he's been using, we're completely unaware of it, and I'd be fascinated to see him produce any substantiation for that claim'
... (Score:2)
was Don't bother reading the article
Not only that but they innovated the idea before Apple ever did !!
'How long before we see a defection and find out that N.Korea or some other evil empire's government'
What makes you think they don't have their own home grown hackers - like China for instance.
'PJ's whereabouts were unknown for some time as stated in the filing'
/Daimler Chrysler etc.
But why did they process serve in Connecticut, while PJ is supposed to be in Hartsdale, New York? And why is it the entire SCO legal team can't seem to find her when Moggie O' Gara found it so easy? Maybe they should hire her on to find PJ.
'It is also, settled by case law that you cannot serve someone by email unless you have exhausted all possibly efforts to serve them in person in order to affect a certainty of awareness of the subpoena'
What efforts did they expend in locating Ms. Jones? What case law are you citing that refers to serving a subpoena by email? Please give references. According to IBM-1018.pdf SCO can just leave it lying round at the witnesses' office to be duely served.
'she has enough backing and friends to muster together a motion to quash the subpoena'
I wouldn't even respond if I was her. All is happening here is SCO trying to distract from their own lack of facts and drag out the discovery phase some more. Instead of 'SCO show us the code' it'll be when did PJ know something and how did she come by this fact. Something totally irrelevant in SCO v. IBM/Novell/AutoZone
'Lets get it on so that the realities that each side is claiming can be settled by the facts instead of by amatuer pundits such as myself'
What factual cited court records and other fully attributed documents on Groklaw materially impinge on the SCO case? Like all they have to do is point. A bit like pointing out the 'stolen' code in Linux.
'As for Groklaw being a legal website based upon the truth, one should be reminded of the words of former Supreme Court Justice Louis Brandeis: 'Sunlight is said to be the best of disinfectants''
How can Groklaw not be in the Sunlight - it's a website? What bits on Groklaw aren't truthfull. It's being going for years. Surely you - sorry I mean the SCO legal team would have spotted something by now.
was break it down (Score:5, Interesting)
'administrator cannot disable the code-signing requirement .. which is what this article talks about .. it appears that this was a pre-RTM setting which is now ignored'
From what I read of the article(s) talks about the whole protection and security mechanisms of Windows Vista can be circumvented and it also works on Vista Final . There doesn't seem to be a reference to a method of enabling the administrator to run unsigned code.
'Yeah, we'll see some worms, but like I said, I doubt they'll be of the magnitude of some of the ones in recent memory'
'was Re:Looks like it (Score:4, spin double plus good)'
'In order for the boot sector to be compromised [in x64 Vista], there must already have been a kernel-level compromise .. My guess is that compromising this particular security mechanism will be hard'
Do you meant that this VBootkit bootable CD doesn't really launch and bypass the whole security mechanisms of Windows Vista.
'VBootkit that launches from a CD and boots Vista, making "on the fly" changes in memory and in files being read'
How exactly does x64 Vista prevent the boot sector being compromised?
was Re:Looks like it (Score:5, Interesting)
'A boot disk like this wouldn't be useful for compromising a system in the traditional, and it isn't intended as such'
.. Re:and in a related story... (Score:5, Distraction)
I would have thought that what is actually does is more important than what it is intended to do. which is to bypass the whole security mechanisms of Windows Vista.
was
'Assuming that Windows was running on NX-enabled hardware and had software support for NX, that still doesn't stop an overflow from spilling past the NX-marked stack into a non-NX region of memory', Chris Burke
So you're telling me the NX solution doesn't work. Not much use then is it. See here where a bug in user32.dll apparently leads to system compromise.
'There's only so much hardware can do, and it's doing most of it. The problems and solutions are all in software', Chris Burke
Not really, design a high level MMU that allocates memory and manipulates the stack under requests from the OS. I'm not saying it would be easy, but why haven't the combined efforts of Intel/Cisco etc not come up with a solution by now. The answer to that is the problem of having to stick with that aging obsolete backward compatible x86 design.
'Stack-based buffer overflows are usually problems occurring entirely within a single process'
If I can return to the above point re 'NX-marked'. Have the MMU control the boundaries, that way a buggy process can't spill past into a non-NX region of memory. Can't the MMU store the current N bytes on the stack before a call and restore them after the call. Or switch in a 'fake' stack so any attempt to manipulate it would fail on return. Are you seriously telling me there is no technological fix to stack exploits. Was there ever a CPU design that didn't get buffer overflows?
'help prevent certain classes of malicious buffer overflow attacks when combined with a supporting operating system'
..
'By combining Execute Disable Bit with anti-virus, firewall, spyware removal, e-mail filtering software, and other network security measures'
Only certain classes of attacks and with a supported operating system system and you still need AV, spyware etc. I'm talking about something that runs transparently in hardware and stops process A accessing process Bs memory - period. So even with malicious or defective code - nothing happens. And besides which it don't seem to be working
'A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system'
'The vulnerability is caused due to an boundary error within the handling of animated cursors and can be exploited to cause a stack-based buffer overflow via a specially crafted animated cursor file', January 3, 2007
'The Americans have a secret spaceship? I ask'
'I guess so," says Gary'
'What were the ship names'
'I can't remember, says Gary'
'I was smoking a lot of dope at the time. Not good for the intellect'
They should let him light up a spliff in the dock, that way his memory should return.
When are they going to fix bufferoverflows and stack exploits. Something in the hardware that prevents a process writing out of its allocated memory. Something in the hardware that marks pages read/write or execute and prevents code being executed on the stack.
I mean this one ...
http://sourceforge.net/projects/scribesw
http://www.scribenet.com/
'So how does the server learn the credit card number etc necessary to perform the transaction?'
When you apply for a card, the server generates a unique identity. These details are stored on the card and on the server. The card is sent out to you and when in use a processor on the card generates a one time encrypted transaction from the data on the card. This is sent across the network to the server. The server performs the same transaction on the data stored in the server. If the two matches then the transaction is validated.
If I recall correctly, these security chips are divided into two sections one holding the master key and data and a second that queries the first and communicates with the reader. The keys are not passed to the reader, only the one time transaction which is useless to the hackers.
You don't send sensitive information across the Internet period. On the client run an application that generates a unique one way hash of the transaction. This is sent to the server which performs the same hash using data stored on the server. It then sends a confirm msg to the client.
On the server the data is stored encrypted and is accessed through well defined system calls. The encryption is done by a hardware module that sits between the harddrive and the system. That way if the server is sucessfully hacked the entire database is not compromised. The hardware module provides keys to the system so there is no security data lying about the disk or in memory to be hacked. All a network sniffer can do is access a one time encrypted transaction that can not be leveraged to provide usefull information.
I would have thought your onboardlexical analyser would be sufficiently advanced to decode the sentence construct without the redundant question mark.
%{ #include "y.tab.h"
%}
digit [0-9]
letter [a-zA-Z]
%%
"?" { return INTERROGATIVE; }
"where" { return INTERROGATIVE; }
"what" { return INTERROGATIVE; }
"how" { return INTERROGATIVE; }
"if" { return INTERROGATIVE; }
%%
int yywrap(void){return 1;}
'The administrator in question is enjoying this publicity and thumbing his nose at the authorities and Microsoft'
.. use of the product can land you a hefty jail sentence.
:)
:) you have got to be taking the piss!!
Like how, he is protesting his innocence. He likes having the threat of a jail sentence hanging over his head? This is the second time a school teacher is facing jail time for using Windows. See here where a 7th grade teacher gets arrested when porn images pop up in the browser on a Win98 desktop. The expert prosecution witness says there is no way such images could have got on without user interaction. Something we all know is a big lie.
The teachers union on both continents should have the schools sign a do not sue waiver before touching the computer. Or maybe the EULA should be updated
'there has been talk in Russian press that he was well aware that software was illegal on dozen of the machines but still decided to cut the costs and pocket the difference'
Do you have any evidence for this wacky anecdote.
'During a court trial he was asked to apologize and move on but he insisted of filing an appeal to "clear his name" and play a martyr of some sort. In sum, this guy is an asshole'
What trial? the first case was thrown out. Also the original claim changed from piracy to illegally using the software. Even so the Judge saw fit not to proceed. Where does it say he was asked to apologize. Why would he appeal a non case. Where does it say he appealed.
'If one were to put aside the bias towards Microsoft, it's clear that Panosov is being defiant, despite him being completely guilty'
What are you smoking, toad juice? What bias? How does defending oneself in a court of law equate to being biased? I thought even in your country people are deemed innocent until proven guilty in a court of law. 'Your honour the defendant is obviously guilty as he has chosen to plead innocent'
'I've checked his blog and he's asking his readers on how to partition the NTFS drive and install Linux alongside windows. I don't think he learned a lesson here. He's not the saintly school teacher who was unknowingly victimized by prosecutors as the media had initially reported'
What blog? Do you mind providing a citation to this blog where it actually says that. How in the alternate Bizarro world that you occupy does installing Linux equate to being guilty in a case of software piracy.
was Not the whole story... (Score:5, Interesting
'I don't know for sure, but since I work for TJX I can tell everyone that MicroSoft probably isn't to blame on this one. But the Apple fanboys and the Linux geeks aren't to blame either. TJX is an AS/400 shop'
I totally believe that you work for TJX as it wouldn't be that you are intoducing a tiny fib to corroborate the rest of your story.
It was the AS/400 that got hacked was it? Like they have a mixed NT AS/400 shop and it wasn't the NT as you say so. So you can tell us exactly how the hack was done.
http://tinyurl.com/2cg4v3 ">Windows NT administration.'
'The six named people must have had some deep insight to the code on which these systems were running. Maybe they had inside help. If I really wanted to be paranoid I'd suggest that the six named people were caught port-scanning the servers and they're being used as the fall guys so that the real criminals, probably insiders, can slip out the back door'
:)
An interesting exercise in fallacious reductio ad absurdum. Just because they passed the cards don't mean they wrote the code and the Florida police caught them port-scaning the server and only arrested them to give the real criminals time slip out the back door.
Do you seriously think the hackers would drive about Florida trying to pass the stolen cards, especially months after it went public. The six are more likely to be down stream crooks that purchased the stolen card details not realising where they came from.
Re:All encompassing (Score: 5, Interesting
It was the ecommerce server that was compromised, unless you know different.
'Just because their webserver is running IIS doesn't necessarely mean that everything else is
What does their internal billing systems run on. How is it connected to the front end. How was the breach achieved. Did they break in through the front end. Have you told the Florida police about this inside job.
'How do you know how they got your info?'
.. Example (Score:5, Interesting)
Well according to the article how they got the information by hacking TJX and using it to purchase large quantities of gift cards from Wal-Mart and Sam's Club. So in this case we don't have to wonder.
'in filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders'
'in partnership with the Gainesville Police Department, officials from the Florida Department of Law Enforcement said they have taken six of 10 suspects into custody for allegedly using the TJX customer data to purchase large quantities of gift cards from discount chains Wal-Mart and Sam's Club'
was
OS, Web Server and Hosting History
'This whole Dell preinstalled Linux thing strikes me as a sham to get something out of Microsoft, like lower Windows license prices'
Like how, if they sell less Windows per line they get penalised. The push is coming from the end users who want a pre-installed Linux box. And if it is a sham then why did MS push to derail the last two Dell Linux efforts.
'Linux preinstalled is not all that important. The emphasis on preinstalled is the old, Windows/Mac way of thinking'
Linux preinstalled and in the shops is the best thing that could ever happen. Once the average user can buy Linux preinstalled then the userbase will take off. I mean how many people actually install Windows from scratch.
I call BS (Score:5, Insightful)
From: "Lenovo UK Sales" ..
To: "Dave"
Subject: Re: hardware warrenty
Date: Wed, 28 Mar 2007 16:24:29 +0100
Hi Dave
Linex is supported by us so the warranty will not be void.
Kind Regards
****** ******
'Well, obviously we spoke to two different people'
I believe the problem is that 'dave' in India won't be able to talk the average user through reinstaling the OS again, after he has dragged and dropped the Windows folder into the trashcan (to save on disk space). This is a true story, I kid you not.
It's not as if technical support over the telephone is of any use. What do you do with someone who sets the fonts at 90 in Word so as they can see the text and then prints out reduced by 70% so as it fits on the paper.
The one button restore sounds like a good idea though.