> The average user HATES the kind of inconvenience/confusion a product like Zone Alarm presents, and, like my Dad, will eventually get rid of it.
Do you give the user what they want, or do you give them what you want and feel they need? Convenience uber alles or some security to boot?
I'd call it a rhetorical question, but let's just say that Microsoft's figured out the answer.
The prospect of (currently) 290,000+ hosts flooding an IP address that's blackholed on one end doesn't mean that the guy who was supposed to be on the receiving end of all that is going to feel a thing, but if the upstream providers haven't blackholed everything as well, there's a few trunks that could be saturated by, you know. 290,000 hosts packetflooding. And if some hacker with a brain releases a smarter new virus in the next two weeks to piggyback off of/replace Code Red, what then?
I'll agree that we haven't and probably won't hit THE MELTDOWN OF THE INTERNET AS WE KNOW IT, but then again... we're more than two weeks away from this going into hibernation.
I've done my part by inadvertently corrupting my IIS metabase, so I'm protected from these nasty worms.
Would you rather see this be another self-fulfilling media prophecy (a la Attrition's dissection of the US/China "hacker war" that was supposed to be going on) or would you rather see the problems get fixed?
As I read it, there's already 22K infected hosts out there (as of 10-11 AM) that incidents.org has found; how many more haven't probed their servers yet? The A and B strains of the worm aren't as plodding in their search for new servers to infect, and there could be even more strains out there. Hopefully, some braindead admins out there have taken note of all the media coverage and will patch their machines before this ramps up any further than it already has.
Or would you rather journalists got their copy about the devastating effects of the worm done in advance rather than trying to prevent it?
There's a gang of lawyers out there chomping at the bit to prove whoever it was that said "you can't litigate the laws of nature" wrong.
Love it. It's the greatest!
Like how I inexplicably got a copy of AOL IM installed with Netscape 4.74 even after doing a custom, what I thought was bare minimum, install? It's lovely! Like how WMP and IE attach themselves like a cancer to Windows installations? (I like IE just fine, but loathe WMP and the security holes, useless functionality and bloat it brings with it)
If AOL wants to package its IM with Netscape or KaZaAaAZAAaaaAA010als0@aol.com wants to package its own ReLinkIFiEr 1.o with its software, that's fine. Just be up front about it and let me opt out of dumping 10 tons of crap on my computer to get to the tasty nougat center, mmmkay?
Easy does it!
Nintendo's just been on a steady downhill slope ever since the NES. As the eminently readable Game Over and plenty of other "insider" publications can tell you, Nintendo used their position of market dominance (pull your own analogues) to bully game developers into subservience and didn't exactly win any friends in the process. They haven't forgotten, Nintendo's coming in against a powerhouse in the PS2 (are they still kicking themselves for screwing over Sony when Sony was just a SNES hardware licensee?) and a promising, overhyped XBox. Couple this with battling not only its own Game Boy Advance but the bad press it's gotten for its ill-designed screen, and all I can do is mostly think anemic 3rd party support, and that's a recipe for disaster.
Granted, I own a NES, Game Boy Color and N64, but in the long run, I've got a feeling I'll be saying the same thing about the Game Cube that I do about the N64: pretty, but also a pretty small selection.
Easy does it!
File it under bad idea: you release it, you're liable. Unless you can test every NT/Win9X installation and every piece of hardware it talks to between here and the ends of the earth and verify that it's OK and verify that the operators have OK'd your entry to their systems, you're hanging yourself out to dry.
Which is to say it's a dumb idea, but not a horrible one, so if someone else wants to, uh. Go ahead or something.
Easy does it!
Best practice dictates that you uninstall any unneeded services: you install a vanilla (OS of your choice) server and point it to the internet, it's gonna get rooted in no time; the Honeynet Project has shown this to be (perhaps not statistically) true.
The service may have been exploitable, but the VAST majority of websites weren't even using it and as such should have removed the script mappings (and DLLs, for the truly paranoid).
Of course, IIS patches do a fine job of restoring script mappings behind your back, so maybe you have a point after all?
Easy does it!
To quote Marc Maiffret, "We've designated this the .ida "Code Red" worm, because part of the worm is designed to deface web pages with the text "Hacked by Chinese" and also because code red mountain dew was the only thing that kept us awake all last night to be able to disassemble this exploit even further."
If you want to blame someone, blame eEye; for once, a journalist isn't to blame. I'll content myself with wagging an accusatory finger at the braindead moderators who dumped points in your lap.
Easy does it!
At least not on my W2K Pro machine, and numerous others out there have replicated it. F7 once won't disrupt you; spamming F7 + (enter) multiple times while a foreground process (be it ping, traceroute, dir or whatever) is running will, once the foreground process terminates, err... terminate your kernel.
Strictly a userland snafu (for now), but not exactly a confidence-builder.
Easy does it!
F7 is the DosKey command to bring up the list of recently used commands.
Apparently, it doesn't do too well with handling buffered keystrokes while a foreground process is running, so doing this will chop a Windows (works on NT 4 and Win9X if the reports are to be believed) machine down to size.
Luckily enough, it was a known bug with NT 3.51 and they fixed it back then. Good job, Microsoft! Way to regress those bugs!
Easy does it!
For what little it's worth, when I was working on Wall St., one of the guys I met had a "part time" job finding Indian developers to come over to the US and work as consultants for him. He sponsored the visas, found them a place to live (never found out what sort) and paid them $20K or so a year, pocketing the rest. They were happy, and with the two or so million a year he was clearing, he was even happier.
It's not quite indentured servitude, but it isn't that far, either.
Easy does it!
So, uh. Plaintext encryption (that is rampant on the Internet) raises red flags more than encrypted transmissions how?
KTHX BYE
Easy does it!
...that "hiding" encrypted data obviously means that The Man has no idea what you're looking at, but he knows what you're talking to.
Which is to say: I think that Spam Mimic's definitely on the right track; if officials see garbage going to and fro between machines and they're on the lookout, you're in trouble. Of course, I'm taking the paranoid's view that Big Brother really is out there and really is constantly looking over your shoulder, in which case there's no "right solution" to the problem: at some point, this data's being read by at least one human being which means a plurality of humans with the means and motive can read it, too. So I'm thinking that steganography of some sort, be it plain text (like Spam Mimic) or perhaps embedded imagery (more obvious) or perhaps even a subchannel in an online game would work wonders: you're not doing anything that looks obviously or not so obviously subversive (receiving spam, playing a game, looking at pictures of doggies and kitties) is the way to go: information can be delivered without tipping off The Man that maybe you're someone that they should keep a closer eye on.
Just food for thought or whatever, but what do I know?
Easy does it!
You've got the bravery to show us that trolls really can find work in the "real world".
Easy does it!
So good for them. All I'm really seeing with their demo is web surfing at less than half the speed (encryption, right?).
This and Peekabooty and Freenet all suffer from the same problem: they're trying to surreptitiously allow end users in ideologically restricted areas (the US and decryption, China, the Middle East, etc.) but while they're not surfing for restricted material in plaintext, constantly sending obviously encrypted packets back and forth is likely just the red flag that authorities need to look for to black bag a computer and find out what you're up to.
If someone puts their thinking cap on and converts Spam Mimic to a distributed system and somehow manages to graft on a keyed infrastructure, then people with artificially restricted access to the Internet really will be able to get at information that The Man doesn't want them to see without the Stormtroopers Of Death kicking their door in. Well, at least until The Man gets hip to having to kick in the door of every single person who gets spam...
Easy does it!
US encryption export restrictions were skirted by developing encryption outside of the US before importing it back in as well as throughout the rest of the world while the same encryption, developed inside of the US, would have been illegal to distribute, as per the OpenBSD team.
Would we have arrested a Canadian cryptographer upon setting foot in US soil for developing a program which only we seem to have a hang-up about to the world, including the US? Apparently we (remember: corporations are people, too) don't have any such qualms about slapping Russians in handcuffs.
While the Internet may have opened up the "virtual" world, if this gets tried and Dmitri convicted, the real world looks to be getting shackled down: a world of nations each with their corporation-friendly or religion-friendly or whatever-friendly laws for their tiny little vicarage that don't make sense anywhere else but, because of the pervasive nature of the Internet, can be enforced anywhere doesn't make for big tourism, does it?
Also, I'm still... does anyone have any actual proof that Dmitri or Elcomsoft ever sold the eBook decryptor inside the US? I've heard conflicting reports that he has, he hasn't, he was selling at DefCon, but nothing I'd consider concrete.
Easy does it!
I'm glad to see that while we're free to rail against the post-Columbine backlash against gaming, we're also free to take findings as out of context as "they" are.
And when did playing (insert video game of choice here) start turning anyone into a jock? Being able to twitch a joystick to and fro doesn't mean you're not a klutz. It doesn't mean you're a genius, either: where's the control group in this experiment? Do we have children with access to games who choose to not play them, opting instead to ride a bike or play chess or whatever? Are we solely talking about privileged middle-and-upper-class children here with ample leisure time and parents with disposable income?
All that this survey's really done is proven that "all things in moderation" applies to, you know. All things.
Easy does it!
... but you're awful bad at comprehending what you read.
To quote myself, "and 60% of the people out there may not have bought it for that, but there's still 40% of the populace out there who may have bought it solely for the netplay and obviously want to get their money's worth."
NB: may have bought. They may not have bought it solely for the netplay, but the fact of the matter is that the netplay likely had a very major part in their purchase of the game. For all you or I know (I haven't bought the game and don't plan to until it hits the bargain bin, so don't ask me), 40% bought it with no plan to ever play it single-player; your imaginary statistics don't preclude this scenario so, however unlikely, it's still possible.
While the box may not have said (quoting you) '"Free unlimited play on Battle.net, with total security, and 100% uptime"', it did advertise Free play on Battle.net, did it not? And did it or did it not advertise "Sort of free, more or less limited play on Battle.net with security that may or may not work quite as planned and uptime guaranteed to be greater than or equal to 0%"? Mostly it advertised free play on Battle.net, right? Nothing explicit about the possibility of losing items and characters, so the product should deliver what people are accustomed to and expecting: security for characters and items.
Call it another point you could argue if you really feel like splitting semantic hairs.
Easy does it!
...was leaving unneeded script mappings on the computer.
While MS patches are wont to generously restore them for you behind your back (thanks a lot for that one, retards) it's a more or less well-known issue by now and not one that the clueful should ever fall victim to. This isn't a Unicode error or anything of that nature: even unpatched, simply nuking the mappings would have saved them.
Easy does it!
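A defender-side check for the point made here and in the "unneeded services" comment above: enumerate the ScriptMaps entries and flag every handler the site does not actually use. This is an added example, not code from the thread; the entry format follows the IIS metabase ScriptMaps property, and the sample entries, DLL paths and the ASP-only allowlist are constructed assumptions.

```python
"""Audit an IIS 4/5 ScriptMaps list for ISAPI handlers a site does not need.

Added example, not from the original thread. It models the metabase
ScriptMaps property, whose entries have the form
"extension,dll_path,flags[,verb,...]"; the sample entries, DLL paths and
the per-site allowlist below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Mappings that IIS 5 hardening guidance of the era said to remove when the
# feature behind them is unused. .ida/.idq is the Indexing Service ISAPI
# that the Code Red worm's .ida request abused.
RISKY_BY_FEATURE: Dict[str, str] = {
    ".ida": "Indexing Service (idq.dll)",
    ".idq": "Indexing Service (idq.dll)",
    ".htw": "Indexing Service (webhits.dll)",
    ".htr": "web-based password change (ism.dll)",
    ".idc": "Internet Database Connector",
    ".printer": "Internet Printing",
    ".stm": "server-side includes",
    ".shtm": "server-side includes",
    ".shtml": "server-side includes",
}

# Constructed sample of what a ScriptMaps dump for a default-ish IIS 5
# install might look like (paths are illustrative, not copied from a host).
SAMPLE_SCRIPTMAPS: List[str] = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".asa,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".ida,C:\WINNT\System32\idq.dll,7,GET,HEAD,POST",
    r".idq,C:\WINNT\System32\idq.dll,7,GET,HEAD,POST",
    r".htw,C:\WINNT\System32\webhits.dll,7,GET,HEAD,POST",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,HEAD,POST",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,HEAD,POST",
    r".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,HEAD,POST",
]

# Assumed allowlist for a site that only serves classic ASP pages.
NEEDED_FOR_ASP_SITE: Set[str] = {".asp", ".asa"}


@dataclass
class ScriptMap:
    extension: str
    dll: str
    flags: int
    verbs: List[str] = field(default_factory=list)


def parse_scriptmap(entry: str) -> ScriptMap:
    """Split one ScriptMaps entry; raise on anything lacking ext, dll, flags."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[0].startswith("."):
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    return ScriptMap(
        extension=parts[0].lower(),
        dll=parts[1],
        flags=int(parts[2]),
        verbs=[v.upper() for v in parts[3:] if v],
    )


def audit(entries: List[str], needed: Set[str]) -> List[Dict[str, str]]:
    """Return one finding per mapping that is not on the site's allowlist."""
    findings = []
    for sm in map(parse_scriptmap, entries):
        if sm.extension in needed:
            continue
        findings.append({
            "extension": sm.extension,
            "dll": sm.dll,
            "reason": RISKY_BY_FEATURE.get(sm.extension, "not on the allowlist"),
        })
    return findings


def harden(entries: List[str], needed: Set[str]) -> List[str]:
    """The ScriptMaps list with every unneeded mapping dropped, ready to write back."""
    return [e for e in entries if parse_scriptmap(e).extension in needed]


if __name__ == "__main__":
    for f in audit(SAMPLE_SCRIPTMAPS, NEEDED_FOR_ASP_SITE):
        print(f"remove {f['extension']:9} -> {f['dll']}  ({f['reason']})")
```

Re-run the audit after every IIS patch, since the comment's own point is that patches silently restore mappings you removed.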
Half the advertisements for smallish electronics have the little batteries not included note on them; does the fact that they're not part of the "central advertising" (whatever that means) indicate to me that I should crap my pants with fury over the fact that there are no batteries in it when the box clearly (and in tiny print) indicates so?
Likewise, Blizzard indicated on the box that there would be free netplay included with Diablo II. You and 60% of the people out there may not have bought it for that, but there's still 40% of the populace out there who may have bought it solely for the netplay and obviously want to get their money's worth.
And I'm sure that the cost of Battle.Net was factored into the price of the game.
Easy does it!
...XML is simple, simple stuff. XSL/XSLT/XSD/etc., etc. are the schemas that do all the actual work. Not only did they take longer to make than they should have, but they even feel like (especially XSLT) they were slapped together by a bunch of people who had no idea what the other guys were up to.
For what little it's worth, I visit gotapex.com daily for their deals page http://www.gotapex.com/deals.php as it's generally pretty good.
So I'm still happy about the $20 APC surge protectors.
Try this one on for size.
I buy a car. It's a nice car. I enjoy it very much. As I'm wont to do, I pull apart the car and start looking at its innards and what do you know? I discover that the fuel tank's got a pin exposed that shouldn't and realize that a side impact to it could jostle it loose into the fuel, causing it to erupt.
Perhaps I then realize that a little duct tape will fix it. Perhaps I don't figure out how to fix it.
I then go about announcing to the world this flaw and the solution to it. Should I be arrested for this?
Easy does it!
...is if they were to somehow restrict its reproduction to MiniDiscs. Or maybe they'll be available for play on DIVX drives?
With that one-two knockout combination, I'm sure that .NAP files will see 100% market saturation faster than you can say "you'd thought by now suits would have learned from the inevitable consumer rejection and penultimate failure of these inane, limiting corporation-driven formats".