How about not relying on things around you having power? For example, wouldn't the "enemy" want to take out your power grid? Wouldn't that then significantly change the picture from the signals around you? Heck, even WE could do that to ourselves if we needed to divert power to some military purpose and might have to turn off some civilian transmitters.
We recently saw some tech news (damn; can't remember where now) where two satellites in close tandem were making incredibly detailed gravity maps of the world and had shown how "sea level" actually varies by over 30 feet due to the gravity variance. Shouldn't we base a system on something like that (call it a Sci-Fi name to sell it: Gravimetric Locator Service - when it glitches, it's GLS for Get Lost System). Anyway, basing it on the gravity field would result in something that could not be changed over months during some type of war or anything. Just a thought.
Worst flight I had was a DOG - (yes a dog; one of the seeing eye dogs just finishing training and being delivered) getting sick to its stomach and doing its doody (diarrhea) right in the aisle next to me. Oh, man - that stunk and since it was not very solid, it couldn't be completely cleaned up with rags. Much worse than the occasional screaming baby. Most of my flights don't have that kid anymore - possibly he grew up and stopped flying?
Older versions of Office did do that; they always had a "quick launcher" running, but the last three versions (Office XP, Office 2003, and Office 2007) do not do that.
Well I haven't used a Mac, so I am in a bit of ignorance here - but isn't that sleep or suspend? Which Windows has too (and I would have to imagine Linux does as well). Now I am regretting that I have never used Linux on a notebook (I have it on desktops; low end ones without power management features), but my notebooks are always Windows. The sleep mode is pretty darn quick as long as you are not going to be without power for like 48 hours in which case sleep will still draw the battery down a lot in that time. I would assume that Linux can do the same and hibernate is only used for times when you are going to have the machine off or off of power for a long long time? BTW, with disk encryption hibernate or sleep is usually seen as less secure by far than shutting down because the keys are already in memory.
You can turn off glass. Although what I do when I want to get the single window without any of the glass "bleed through" is to maximize a notepad window behind what I am getting a screen shot of. Simple and quick enough to do that way.
Re:Are they better, or just different? (on eSATA Connectors; Score: 2, Interesting)
Thinking back to the old Centronics cable that old printers had and some SCSI-1 connections used, they had little clips on the side that you flipped up to lock the cable into place. Maybe we need some kind of similar device for SATA cables. This would be fairly simple and wouldn't require changing the connection itself; just something that slipped over/around it or something would be sufficient.
I know I just re-did my machine by moving the ports on the existing 2 250 GB SATA drives and adding 2 500 GB SATA drives. Now, as you mention working in the case is a pain and I do have to check each connection carefully or they do indeed just come out.
Well, I think the point would be something more like this:
A buffer overflow is found in lsasrv.exe.
It's remotely exploitable on Win2k3 server and Windows XP and can run arbitrary code and doesn't require an account on the system (remote wormable).
It's only locally exploitable on Vista, requires a local (even if low privileged) account to be logged on and run the code (possibly via social engineering - click here for SomeStarNaked.exe).
He's talking about the rating - a rating should be in relation to something. Otherwise - what does "5 star movie" mean? Is 5 stars the best? Is it 10 stars for the best? So, you need a rating that puts them in relative perspective. In this case, the same overflow should get an "extremely critical" for XP and Win2k3 server. It MAY not deserve as high a rating on Vista though depending on its ability to be exploited and spread. Possibly on Vista it could get just critical or maybe even just important.
I think it is key when rating the vulnerability to take into account how it can be utilized and what is required to exploit it.
Whoa... There is a middle ground here between the draconian policies and the opening stuff up. As several other posters have noted, IT is there to facilitate the BUSINESS. That doesn't generally mean helping someone get their iPod working on a company machine, but it doesn't automatically mean banning said iPod either.
We really need to try to hit that middle ground. However, it remains important to remember that IT is seen as a cost center (no matter how much we want to call ourselves "enablers" for the business). Since we are seen as a cost, the business leaders actually DO expect us to operate in a cost effective manner while facilitating BUSINESS. Now, I've seen a lot of "personal use policies" which we know are just there to fire people who do it to excess. Most businesses realize that their employees tend to be more productive if they are allowed to track their order at work or check some stocks or whatever. There does have to be a limit though, because IT is not helping the business value when they spend time working on issues caused by personal use or software.
You all know this I guess - it just seems like there are too many posts here that are too firmly on one side or the other. Balance...
Really there are much more important things to block when it comes to any external mail account. For example, can your users set up a server rule (easy in Outlook/Exchange, probably in others too) to auto-forward their mail to an external service (whether a web mail or not)? If they can, then THERE is your bigger problem. External mail services don't make users abide by your strong password or Smart Card requirements. Their password is probably easily discoverable. They go on vacation and forward all their mail. It's probably trivial now for an attacker to access that CORPORATE DATA that may be in that mail. Worrying about VBS scripts isn't anywhere near as important (since any competent AV will stop the majority of bulk-mailed nasties). It's about the DATA. Not just email either. Are any of your users using one of the web based backup services (or even GMail) to backup their documents? Whoops! Data exposure there too. Anyway, I just wanted to call out that today it really isn't the random script in email that is all you need to worry about.
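One way to find the auto-forward problem the post describes, as an added example that is not part of the original post: an audit script for an Exchange Management Shell session (on-prem or Exchange Online, where Get-AcceptedDomain, Get-Mailbox and Get-InboxRule are available). It lists mailbox-level forwarding and inbox rules whose target is outside the organisation's accepted domains. The "Name [SMTP:addr]" recipient string format and the choice to treat anything without an SMTP address as internal are assumptions.

```powershell
# Added example, not from the original post. Assumes an Exchange Management Shell session.
# Output: every forwarding path (mailbox setting or inbox rule) that points outside the
# organisation's accepted domains.

# Domains the organisation owns; any other domain is treated as "external".
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Recipient strings look like "Name [SMTP:user@example.com]" or "smtp:user@example.com"
    # (assumption); extract the SMTP address and compare its domain to the accepted list.
    if ($Address -match '([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)') {
        return ($matches[2].ToLower() -notin $internalDomains)
    }
    # No SMTP address in the string (an internal recipient object): treat as internal.
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding, set by the user (OWA) or by an admin.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress ([string]$mbx.ForwardingSmtpAddress))) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Source  = 'MailboxForwarding'
            Target  = [string]$mbx.ForwardingSmtpAddress
            Enabled = $true
        }
    }
    # Inbox rules (the "server rule" in the post) that forward or redirect mail.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($target in $targets) {
            if ($target -and (Test-ExternalAddress ([string]$target))) {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Source  = "InboxRule:$($rule.Name)"
                    Target  = [string]$target
                    Enabled = $rule.Enabled
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Get-InboxRule is called once per mailbox, so this is slow on a large organisation; schedule it rather than running it interactively. It only covers user-controlled forwarding; transport rules and connectors that send mail outside are a separate check.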
I agree that Norton can be a pig both while running and to uninstall. But Symantec does have a utility on their web site that will rip it out for you if the uninstall is jacked up. It makes it pretty easy if you just try the uninstall and it fails - go straight to their utility and Norton will be gone.
Business users (at least large ones) won't be using Retail media on many machines. Since this is a crack for retail there would be no effect on people using MAK or KMS validations as the majority of corporations would be doing. (Yes, I know that for those few corps that want to use Ultimate on some of their machines this could be an issue because Ultimate requires retail activation). However for VL (Business and Enterprise versions) MAK and KMS would be unaffected.
I do use GIMP a lot actually and I got a PSD the other day where it showed up in GIMP terribly and was all the wrong colors. I had to install Photoshop (which said something about a non-standard color something, and I accepted it) and it looked fine in Photoshop. All that to create a PNG! But just to be clear, I did try GIMP first.
Actually I think this could be very handy for people who get sent a .psd file by some "designer" who doesn't even think to send you a jpg or png that you can actually VIEW. So you open the web app, convert the file to something you can actually view and you are done. That's assuming they make it useful enough to export to other file formats.
I have a brother-in-law who spent a couple of years in a prison for transporting drugs across state lines. They might as well have dispossessed him of all future earnings as almost nobody will hire people who spent time in prison. He's really had a hard time getting any earnings in the 7 or so years since being out. He had no problem getting work before that. I've heard that others have similar trouble. It seems that whether they just attach all future earnings or lock you up to "do time", you lose most of your earnings potential either way.
True, but then it would not be $, it would be something like 500.000 or £500.000. If it is going to be in US $, which makes sense for a US prison / crime thing, then it should use not just the $ sign, but the separator correctly too.
I have to say that most people I have seen do not put a UPS on their DSL or cable modem. So all the "bad guy" has to do is turn off the house breaker and then no call out. Sorta silly. The POTS service would stay on and since alarm systems have a battery, they work. But no call goes out if your broadband is turned off or your router has no power.
Yes - that sums it up. Actually, the real issue as I see it is that many of the craplets that need to die are either "light" versions that you couldn't even buy if you wanted or 30 day trial versions or assorted other limited things trying to get you to buy something later. There is so much of it on machines these days that the steps many folks take after receiving a new machine are:
1) power on and see if hardware and drivers all work
2) copy drivers off
3) format the partition and install just windows and the apps you actually want
Since Internet Explorer isn't a trial version or a light version (and IE 7 is much better than IE 6 although my primary browser even in Vista is FF2 - almost exclusively because of adblock).
On your last point about the end result being better security - that's true if the vendors do the work right. And I sure hope they do. But I'll bet many of these "venduh's" will actually just get "a new guy" on their team to write a system service running as local system that they will talk to using IPC to do all of the "bad things" that they do today. So that it will end up being worse for security as they will be amateurs at services and will leave ports open to not only local host for their IPC, but to other machines as well. (Remember how Symantec had a remote flaw in their service recently and in theory at least they are experts at this by now). Anyway, I hope the venduh's do their work right and don't go the route of adding an insecure service to the system...
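A way to check a machine for exactly the pattern the post worries about, as an added example that is not part of the original post: a PowerShell audit that lists listening TCP sockets bound to all interfaces (0.0.0.0 or ::) and attributes each to the Windows service that owns it and the account it runs under. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session so every owning process can be resolved.

```powershell
# Added example, not from the original post. Finds services running as LocalSystem whose
# sockets listen on every interface rather than on loopback only.

# Index services by process ID so each listening socket can be attributed to a service.
$servicesByPid = @{}
foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
    $key = [int]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += $svc
}

# Wildcard bind addresses: a socket bound here accepts connections from other machines.
$wildcard = @('0.0.0.0', '::')

$report = foreach ($conn in Get-NetTCPConnection -State Listen) {
    $owner = [int]$conn.OwningProcess      # note: $pid is reserved in PowerShell
    $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
    $svcs  = $servicesByPid[$owner]
    $procName = if ($proc) { $proc.ProcessName } else { '<unknown>' }
    $svcNames = if ($svcs) { ($svcs.Name -join ',') } else { '' }
    $runsAs   = if ($svcs) { (($svcs.StartName | Select-Object -Unique) -join ',') } else { '' }
    [pscustomobject]@{
        LocalAddress  = $conn.LocalAddress
        LocalPort     = $conn.LocalPort
        AllInterfaces = ($conn.LocalAddress -in $wildcard)
        ProcessName   = $procName
        Service       = $svcNames
        RunsAs        = $runsAs
    }
}

# The post's concern: a vendor "helper" service that only needs local IPC but listens
# on every interface while running as LocalSystem.
$report |
    Where-Object { $_.AllInterfaces -and $_.Service -and $_.RunsAs -match 'LocalSystem' } |
    Sort-Object LocalPort |
    Format-Table LocalAddress, LocalPort, ProcessName, Service, RunsAs -AutoSize
```

A service that only talks to a user-session client on the same machine should bind 127.0.0.1 or ::1; anything in this list that does not is worth a Windows Firewall rule restricting it to loopback until the vendor fixes the bind address.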
Good point - parent is correct that if you are a standard user like you should be you must enter admin creds. It's not like home users would ever use it, but there is also an option in local policy or GPO that allows you to require creds from admins too, so that even an admin user must do more than click OK. Again, this wouldn't be something the home user/gaming crowd would ever see, but since the grandparent was talking about the lack of security of "just click continue", I thought I would mention that there is another option for the more security conscious folks...
Local elevation of privilege is now considered a DoS attack on Vista? I guess even submitters don't have to RTFA here anymore to get published. I did read the article though since I was worried about any DoS attack for Vista and wanted to see what ports, processes, etc. it was using. All that was there though was a local only elevation of privs (where an authenticated user logged on to the box can get admin rights). Not good of course, but far from a DoS...
No, his proposal was to see if they resolve the same. They would not resolve to the same address, so the access to fox.com, yahoo.com, and google.com would be allowed.
Exactly. I didn't see any ads there at all and none of these text bombs people wrote about.
So it is a classic race condition to see which chicken gets to peck the corn.
Anyone? Darn - that was the first thing I thought of. http://en.wikipedia.org/wiki/Pork_belly I guess the price will be going up...
I hope I wasn't the only one that "got" the reference to Zork. Darn, that makes me feel old remembering grues and all...