Slashdot Mirror


User: Florian+Weimer

Florian+Weimer's activity in the archive.

Stories: 0 · Comments: 999

Comments · 999

  1. Old stuff on Early Warning For Microsoft Premium Customers · · Score: 2, Interesting

    Microsoft has been releasing early warnings for months, and they have regularly leaked to the press. The contents of the warning include very little information: the number of vulnerabilities, the severity level, and the products affected. You might be able to infer which people you have to force to do overtime (Microsoft patches aren't released during business hours in all parts of the world), but apart from that, the information is not very useful.

    Less well known is Microsoft's Patch Validation Program. Basically, you get patches a week or so in advance (without any further information about the scope of the patch), and you can test it in a production-like environment. This way, you can alert Microsoft about unexpected incompatibilities, but I'm not sure how helpful this is in practice. The patches surely make an interesting BinDiff target, so this program probably isn't available to all premium customers.

    All in all, it appears to be a poor replacement for the vendor-sec community on the free software side of security, where distributors (which would be Microsoft's OEMs) can openly discuss security issues and resolve them in collaboration.

  2. Re:Marketing = liars, even at Red Hat on Fedora Project Considering "Stateless Linux" · · Score: 1

    The bug was closed as WONTFIX because the reporter was an obnoxious prick. Referring to the developer as a Moron on repeated occasions. The fact is that if you want people to help you, yelling abuse is not a particularly good strategy.

    The bugzilla entry is not a request for technical expertise, it's a bug report. It doesn't matter if the submitter is a socially challenged idiot.

  3. Marketing = liars, even at Red Hat on Fedora Project Considering "Stateless Linux" · · Score: 1

    A traditional means to achieve at least part of this goal is to mount /usr read-only over NFS and distribute it to various clients. But this is quite risky with Fedora:

    http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119185

    If you follow the link and you can't believe what's recorded there, it's still correct: if /usr is read-only and the sysadmin accidentally tries to install a package, the RPM database is corrupted. Maybe this bug is hard to fix, but it's definitely a bug -- yet one of those fine Fedora engineers closed the bug report with WONTFIX, and insisted that this was indeed correct!

  4. Re:How? on PayPal to Fine Gambling, Porn Sites · · Score: 3, Insightful

    What right does PayPal have to fine people? If it's against the terms of service they could shut down the offending account, but fine them?

    It's called "regulatory pressure".

    The US is currently trying very hard to push online gambling off the Internet (with a few exceptions for US sites with licenses, I assume). It tries to do this by targeting any US company that indirectly benefits from gambling sites: banner ad buyers, ISPs, and now PayPal.

    PayPal's situation is complicated because they operate in a field that is strictly regulated (banking) and haven't got banking licenses in all US states. PayPal basically has no choice but to comply with law enforcement suggestions at this point if they want to continue business.

  5. Re:The Utility of Firewalls on Network Security Assessment · · Score: 1

    Really, so then PIX fixup does nothing for you? How about Checkpoint's AI?

    PIX fixups often don't work (SMTP, H.323, even Cisco's proprietary Skinny protocol for VoIP signaling). Maybe Checkpoint is better, but I doubt it.

    My trouble with these "intelligent firewalls" is that they are extremely complex, sometimes even more complex than the systems that they are trying to protect. Complexity leads to configuration errors and software bugs, and ultimately to vulnerabilities.

    Therefore, it seems to be better to use very basic packet filters to separate critical systems from the remaining parts of the network, and secure the systems themselves. If this is impossible (for example, your very expensive new online banking application has countless SQL injection bugs), you might be forced to put an application layer gateway in front of it that verifies all HTTP requests (and handles the SSL encryption). But this should be an exception, not the norm.

  6. Damages in Germany on German Teen Charged with Creating Sasser · · Score: 5, Informative

    The damages are so low because you have to prove in court that you actually lost the amount of money which you claim as damages. Over here, we don't have punitive damages.

  7. Re:They've got their priorities wrong on Longhorn Will Have Ability to Ban External Storage Devices · · Score: 1

    They need to give IT people the ability to block IE, it's more dangerous than any removable storage device.

    It's already possible to (mostly) disable non-embedded IE for normal users (and Outlook, too). But there doesn't seem to be a real demand for it.

  8. Re:mp3 as ringtone on Ring-Tone Barons? Japanese Record Companies Raided · · Score: 1

    You can load them via infrared, cable or bluetooth connection and thus don't have to pay a single cent for your new ringtones.

    You still need a license to play them in public, though.

  9. Re:What do you mean dropped? on CEO Indicted for DDOSing Competitors · · Score: 1

    But a denial of service attack? Wouldn't most service providers want to help their customer with this kind of problem?

    Only if you feel up to the task, and in some cases only if the customer is willing to pay extra fees.

  10. Re:Guys, take note of this... on CEO Indicted for DDOSing Competitors · · Score: 1

    In some regions, rumor about more or less responsible people who cooperate with law enforcement against their employers' interests spreads rather quickly, and those people have a very hard time finding another job in the field.

    Is this different in the US?

  11. Re:Easy Money... on Odds-on Science · · Score: 2, Informative

    Stalk Stephen Hawking, bet what he bets.

    This isn't necessarily a good idea: Hawking backs down on black holes (last section)

  12. Re:Maybe because it's slow ? on Why is Java Considered Un-Cool? · · Score: 1

    That's a programmer error. A bad programmer can make anything happen.

    Of course it is. It's a bit shortsighted to assume that Java magically makes bad programmers less risky.

  13. Re:promise on Why is Java Considered Un-Cool? · · Score: 1

    Also their marketing department is high on crack. Java 1.2 = java2? Next up, Java5 ?! WTF!!!

    And "Sun Java Server" is actually the next release of Solaris. 8-)

  14. Re:Maybe because it's slow ? on Why is Java Considered Un-Cool? · · Score: 3, Insightful

    A program made in Java without an eye to security is going to be more secure than a program made in C without an eye to security.

    I wouldn't count on that. The classes of vulnerabilities that affect typical C and Java programs are just different. Of course, buffer overflows aren't a problem for typical Java programs. On the other hand, lack of synchronization is not such a big problem in the C world.

    For example, if you write a web application in C, it's quite unlikely that it exposes data from a different session if you hit the browser's back button. With Java, such problems do occur (because the same servlet object is used in different sessions and some programmers use it to store session-specific data).
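An added example (not code from the comment or from any project it mentions) of the servlet pattern described above: the container creates one servlet instance and runs every session's requests through it, so session-specific data kept in an instance field is shared between sessions. Class and attribute names are hypothetical.

```java
// Added example: one servlet instance serves every session, so a field set in
// doGet() is visible to all concurrent requests.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Vulnerable: the account number is parked in an instance field between the
// lookup and the rendering step. Two overlapping requests interleave on that
// field, so one user's page can be rendered with another user's account.
public class LeakyStatementServlet extends HttpServlet {
    private String accountNo;   // shared across ALL sessions and threads

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        accountNo = (String) req.getSession().getAttribute("accountNo");
        // ... another thread's doGet() may overwrite accountNo right here ...
        resp.getWriter().println("Statement for account " + accountNo);
    }
}

// Fixed: per-request state lives in local variables; per-user state lives in
// the HttpSession, which the container keys to that client's session cookie.
class StatementServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String accountNo = (String) req.getSession().getAttribute("accountNo");
        if (accountNo == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Keep browser and proxy caches from replaying this page to someone
        // else on the same machine via the back button.
        resp.setHeader("Cache-Control", "no-store");
        resp.getWriter().println("Statement for account " + accountNo);
    }
}
```

A code review check for this class of bug is simple: any non-final instance field on a servlet that is written inside a request method is suspect.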

  15. Re:Unplugging mine now... on Peeping Tom Worm That Uses Webcams · · Score: 1

    Of course Macs are immune to this virus, but this sort of thing is theoretically possible for a Mac.

    Just because Mac OS X doesn't have socklen_t?

    Some development branches of this bot run on more POSIX-compatible systems. I wouldn't be too sure that it's still at the technology preview stage.

  16. Refraction index on Transparent Aluminum Is Here · · Score: 2, Informative

    From the article in Nature:

    Similarly, when the grain size is maintained below the scattering limit, the fully crystallized Al₂O₃ REO ceramics exhibit attractive optical characteristics including high refractive index (1.8 and higher) and transparency through the mid-infrared range.

    Cool. Finally something to tackle the 1.8 barrier, and smaller glasses for me. 8-)

  17. Re:Wrong turns on Pay-As-You-Drive Car Insurance · · Score: 1

    So what happens when I make a wrong turn in LA and end up in Watts or Compton? Does my insurance skyrocket?

    It's probably part of the concept that people who take wrong turns more often than usual pay above-average fees. 8-)

  18. Re:OpenBSD on Malformed Packet Causes Cisco Router DoS · · Score: 1

    Spoken like someone who has never had to calculate the cost of a large-scale service outage.

    Cisco routers fail, too, and hardware support contracts are extremely expensive, even if you opt for the 4 hour response time variant ("response time", not "time to fix").

    If technically feasible, I'll always choose commodity PC hardware over special-purpose equipment. It's so much cheaper that you can actually afford redundancy. Unfortunately, some interface cards or protocol implementations are hard to find for PCs, so this doesn't always work at the moment (although both PC bus bandwidth and CPU power could compete even with some forms of ASIC-based routing).

    Support contracts are for those of us who try to delegate responsibility for outages. If you just want to minimize downtime, they are typically not very useful, and often they are counterproductive: you are not allowed to fix things yourself even if you know how to do it, because a modified system is no longer covered by the support contract.

  19. Re:OpenBSD on Malformed Packet Causes Cisco Router DoS · · Score: 1

    I can't get 1 hour support for an Intel/OBSD server from a service provider with a worldwide reputation. If I do get such support, it would have to be guaranteed that they would have every combination of T1 and FastEther card in stock, power supply, etc that would possibly break.

    So what? It's still much cheaper than a real Cisco router. 8-)

  20. Re:A no issue. on Evolution Bounty Stirs GPL Concerns · · Score: 2, Funny

    Yeah, but it would be better if developers were getting laid for their work.

    If everything else fails, it shouldn't be a problem for a developer to get laid
    off for his work.

  21. Re:What are they doing? on Microsoft has Delayed SP2, Again · · Score: 1

    Rewriting the entire OS?

    At least they have recompiled it, with some compiler flags that make undefined behavior due to sloppy coding even more undefined (no kidding). We have to wait and see if this changes anything in practice.

    Well, looks like home users play lab rats once again.

  22. Re:Don't try to keep up with Microsoft and Apple on The Linux Filesystem Challenge · · Score: 1

    Instead, try to keep up with the demands and needs of users.

    Indeed. Microsoft is doing quite well here, they have delayed their next-generation object-oriented database-as-a-file-system by more than a decade.

  23. Re:How is it implemented? on IPv6 is Here · · Score: 1

    Currently B, F, H, and M-roots have IPv6 addresses.

    I still don't see them over here. Maybe you have to query them over IPv6 (how boring), or it depends on the anycast server you are being routed to.

  24. Re:How is it implemented? on IPv6 is Here · · Score: 1

    You are listing the name servers for the f.root-servers.org zone. These name servers aren't root name servers.

  25. How is it implemented? on IPv6 is Here · · Score: 1

    I wonder how this has been implemented. I can't find an AAAA record for f.root-servers.net (the server operated by ISC).