It is nice to have access to things that you wouldn't before the internet.
Location doesn't really matter for a lot of professions any more -- software development being among them. I had a former boss who liked to talk about a particular project in which three people were in Europe, one in Asia, and two in North America.
I hear a lot of griping about outsourcing, but not about the benefits granted by that same technology. You not longer have to live in Manhattan to get a high-paying job -- you can do that same job while living in Podunk, Kansas, and have a fraction of the living expenses
It's silly to commute an hour each way for a job. That's two hours a day wasted, when you could be working remotely -- and who wants to work ten hours a day for the same pay instead of eight? It's not as if your employer derives any benefit from you sitting in a car for a chunk of each day.
Working on embedded systems I'm used to checking every malloc(). It is fairly easy to do, but you need to design your application to handle out of memory situations gracefully. That is not as easy depending on what you are trying to do.
Yes, but on an embedded system, you almost always have an init phase where you allocate all the memory that you need at startup, and so you have an init() function or similar that either fails or succeeds at startup containing checked mallocs. Then you have *one* cleanup path. You only guarantee that your application handles up to N resources used of each type at runtime (100 connections, 30 open files, whatever).
Checking malloc in the middle of your code is essentially an obsolete practice for real-world systems -- it's essentially impossible to cleanly back out of all failures, and nobody is going to test all possible failure conditions. The fact that Linux uses an OOM killer and overcommits by default is just a recognition of this fact.
I know this goes against what some people learn, but let me ask those people who carefully check every failure:
* Do you actually test each bit of cleanup and error-recovery code? I mean, are you using a malloc()/free() wrapper that causes *every* path to be invoked? Otherwise, you're just bloating your application with masses of untested code.
* Are you certain that you can't run out of stack space, not just heap space? Particularly if you're using C++ and local objects, I'm pretty dubious that you're so sure. Do you really know, for certain, how much space a random STL object uses?
Systems these days have so much memory and virtual memory that running out of memory is almost *always* a bug. It's a pretty safe bet that the allocation that causes your app to run out of memory is the culprit. Even if Linux didn't have an OOM killer, I'd feel safe in almost all circumstances just wrapping malloc() with an abort() on failure.
Some applications might be fed huge workloads inadvertently. Those are better off adding checks specifically for those workloads. For example, if you load a huge image in the GIMP, you'll get a warning based on the size before the GIMP attempts to do memory allocation, not after the failure happens.
He is important on popular media (ZDNet) and he is taken serious by non geek computer users, that is a huge power.
Expressing security bugs accurately and correctly is often someone at odds with making a good media story. It sounds like Gibson is quite good at the latter.
AFAIK, the Wine people probably know about a lot of things in Wine that aren't securely designed. Doing secure software design is hard even for simple software, and when someone else has already done the design and you're worried about trying to make (often broken) code written to their design work under your system, it's not so obvious.
That being said, I'm not saying that I couldn't see them raising it, but it's not as if they were proposing designs and some guy was pointing out security holes in the designs, either.
The idea was that it isn't Microsoft -- as you said, Microsoft has no reason to stuff a back door into the software. However, Microsoft has an awful lot of employees, and one of *them* might have thought that it would be fun to secretly introduce a back door.
Remember Apple engineers introducing Easter eggs that the company didn't know about? Same idea.
I think that it's safe to say that this really is just a bad design that never got examined by someone involved with securing software, and not an intentional hole, though.
will they use all my searches for "doj lawyer-raping" against me? it's really just a fantasy... i don't mean to do anything illegal and if any doj lawyers get wrongfully imprisoned and raped over and over and over and over and over and over, well, just remember that the innocent have nothing to fear
I remember "spook.el" for emacs. I can already see a similar firefox plugin, to mask your searches in noise...
And if your child searches 'breast"... and finds a sweet pair of titties... it's your own damn fault for not monitoring their internet usage, not Google's.
Why is it that humanity once, when we were sitting around nude in caves, had the maturity to see breasts, but no longer does?
You generally don't dig in your heels until they come calling for personally identifiable information. Then you call in the lawyers and fight the good fight. Google isn't doing this to be noble, they are doing this to protect trade secrets.
So what? This is not a federal issue. This is a partisian issue, where one side wants to support some laws that they're pushing through. They should not be able to obtain data for this reason. I sure as hell don't want to start even the slightest precedent of Google searchers being available to the federal government without a damned good reason. Wanting to make lobbying easier to re-establish censorship laws does not qualify, in my book.
Well, now we know that Yahoo will turn over the private contents of what their users do at the drop of a hat, and without any criminal case involved at all. If you were still considering using Yahoo, they've certainly made it easier to find a search engine.
My dad doesn't know about minor technical differences between different search engines, but he gets irritated enough already with how much companies know about going on, and knowing that Yahoo doesn't give a damn about their privacy policy does matter to him.
I have a strong belief that a great deal of the sexual crimes commited in this country is due to repressed sexual urges. A teen age boy is told he's not supposed to masterbait, it's shameful. He becomes ashamed of who he is, and it happens for so long that he needs to shame other people to have sexual release. Maybe that comes out as child molestation or rape, who knows?
We *know* that sexual suppression screws people up. Freud was on top of that.
Many worms or trojans make outbound connections to download additional exploit tools. They could make those connections using TFTP outbound through the common DNS port (udp 53). If those connections are restricted IT doesn't have to worry about that being an attack vector.
They could also get data in many ways that you aren't going to block -- heck, if your web browser can get to the Internet, they can just examine the settings or piggyback the web browser.
I can understand trying to keep malware from getting on a machine in the first place, but trying to keep it from downloading additional data once it's there is a lost cause.
With more and more internet users behind NAT routers, networked malware is now instead of running on a machine and listening, is running on a machine and making an outbound connection to some remote host. If you don't have egress filtering, your firewall may as well not exist.
I will grant that I think about this less; in the Unix world, security problems are slightly different. However, I have discussed this with some rather notable gentlemen who are more oriented around Windows security, and their opinion is different. They suggest that it is not really possible to keep information from filtering *out*, if software on your machine wants to send data out. There are just too many ways to sneak bits across the wire, and they cannot all be blocked in the real world. Their take is that the only reasonable way to stop malware is to keep it from gaining a foothold on the computer in the first place, rather than trying to keep it from then communicating once it is there.
Actually, to some extent, this is exactly what you just said (though about NAT, not about firewalls) -- security administrators tried using NAT to lock down their networks, and discovered that malware simply adapts to deal with it, and now there is a big functionality hole that makes it difficult for people to write and use legitimate network applications.
Highly restrictive blocking, as implemented today at a corporate level, is *only* useful in that people that do so may differ from the majority, that they have an "oddball" configuration. That's where the practical security benefits that they're claiming comes from, not from the fact that their blocks cannot be walked around by anyone who tries to do so. If I can write malware that, on 90% of the machines out there, can just open a TCP connection to the outside world on an arbitrary port and send data, I'm probably going to do so, rather than making that worm take a clever approach of having to subvert Outlook or IE to send its data out.
The problem is that now a number of companies *do* only allow access out through a proxied connection, and now malware writers that want to target them need to hijack things like Outlook or DNS requests or whatever. The benefit is highly impermanent -- so there is no long-term security benefit, but there is a blow to functionality, in that features once present are now missing on these corporate networks (and doing things like ramming previously-working apps through HTTP tunnels simply degrades performance and increases complexity).
If you want to occasionally SSH to your home machine, run your sshd on port 443 and go via your company's web proxy (tools like PuTTY can use HTTP CONNECT to do ssh via a proxy on port 443). Be sure to ask your company if this is OK first though. That way they don't have to open port 22 to the world, and instead they have a logged, traceable connection.
Oh, I have. Had a meeting with our security admin and everything. He said "no go" and warned me that he monitors connections. Actually, he used to have a configuration in place that killed any outbound HTTP connections that lasted too long. That was infuriating to work around if you needed a Linux ISO or something similar. He finally got enough complaints to decide that that was a bad idea.
XP/2003 have file hard links and 2000 also supports directory simbolic links - I use one to 'alias' my 'home' folder at the root of the C: drive, and it works fine. Check out SysInternal's JUNCTION or XP's FSUTIL. Been doing that for years.
Hardlinks (IIRC, NTFS-only, though that's not much of a problem anymore) are not a replacement for symlinks.
If there was an electronic way to submit bug reports there would be so much crap that real bug reports would get lost in the pile of crap, which would be bad.
I'll admit that Microsoft has a harder task than the Linux folks, because most of Microsoft's users are less technically knowledgeable and less able to submit a good bug report.
However, you have to admit that most open source projects have publically-viewable and submittable-to bugtrackers, and that these projects continue to function. I was particularly pleased with one past experience with Red Hat's bugtracker, where a Red Hat engineer issued two updates to xorg for testing to me and another user and managed to fix a problem that we were running into within 48 hours of the bug report. Surely Microsoft can come up with *some* kind of karma-based or MVP-like system that allows people who can actually submit bug data worth a data to submit bug data?
Window's Defender add's another layer by catching events such as driver installation, service addition, homepage changes, etc, etc, and additionally prompts the user to allow or deny the action.
This sort of thing only helps if the user is (a) technically knowledgeable enough to understand and answer questions and (b) willing to click on lots of dialogs.
Some of these things should never have been allowed in the first place.
For example, home page modification. I can't think of any legitimate reason for an application other than IE to be setting IE's homepage, other than *maybe* the network administrator setting it for the first time. Why can this even be modified at all by other applications? It's wildly abused, clearly is an interesting thing for malware companies to modify, and provides little benefit.
I think that a good chunk of security problems at Microsoft come from either unwillingness of people to say "this feature is insecure, so it's going to be dropped" (or maybe the security people *did* say something like this and got overruled, I'm not sure).
Look, if I go out to, say, the apache developers and submit a patch to add a feature, the first thing that they're going to care about is whether or not it opens a security hole. It's not that they have a checklist that says "check for security holes", it's just what any open source project is going to do. There are no customers saying "we want feature X" (where feature X introduces problems).
Occasionally, I watch people browse the web with IE, and I wonder just why various things are allowed (and some of these, sadly enough, Firefox does as well). The very first thing I think of when I see a feature in a web browser is "How can this be exploited, and if it can be, why was it allowed in?" Why can websites change the mouse cursor, position, depth, and size of windows, and appearance of scroll bars? There is very little trusted information on the screen, and these are three sources of information that can no longer be trusted under IE. Why throw it away without a really good reason? What significant benefit that cannot be otherwise provided do these features provide?
Basically, nobody seems to have gotten to veto these features. I imagine that somewhere, a customer must have asked for these, so they went in.
I can understand that if you're trying to run a company, you know that a new feature is probably a lot more compelling than the lack of a feature (which avoids some currently-theoretical attack) to a customer. But there is also clearly long-term reputation value involved with simply saying "No, this has security implications, so it's not going in".
Going waaay back up to the top of my post, I want to address the other problem, the "lots of dialogs" issue.
Microsoft has a problem with confirmation dialogs. A large number of common operations cause confirmation dialogs to appear. This is very much not good. If a user has to click "OK" constantly to get his work done, he becomes very used to constantly clicking "OK" on any dialogs that come up -- after all it is unlikely that any given dialog has any useful information. It feels like some developer wrote a piece of software, and a UI guy said "Nope, can't do that -- the user might inadvertently break something." So instead of making it harder to accidently invoke the command in the first place or making it harder for the situation to arise, a common solution seems to be throwing a confirmation dialog up on the screen.
Take deletion of files in Windows Explorer. There was a UI mistake made by Microsoft -- they introduced a single-key combination that is highly destructive -- DEL deletes all selected files. Some UI guy presumably said "You can't do that, guys", and the developers took that ever-so-easy way out -- to slap a confirmation dialog on the screen. They could have made "Control-DEL" delete files, or done something else to make it harder to accidentally invoke the combination, but instead they made the action
I remember a Slashdot article about an incident CMU when a Windows-based Diebold ATM kiosk crashed, leaving the desktop available, and students started music playing on the kiosk using some media player on the system. That system was *definitely* not locked down.
Of course they won't. Firefox doesn't support a lot of proprietary things that lots of intranet applications depend on. Can Firefox run HTAs? Does Firefox support VBScript? If Microsoft were to drop Internet Explorer for Firefox, they'd be leaving a lot of customers high and dry, requiring them to rewrite applications before upgrading to Vista.
I think that the move to tie IE to the OS was sort of reactionary, and the rush to try to do so was the cause of a lot of the security problems today. Lots of problems came from overlap in responsibilities and rights of a file browser versus a web browser versus a remote application executor. I think that there's really three different sets of tasks, and should be clearly separated, and what each is allowed to do clearly defined.
I can understand that Microsoft wanted to provide some sort of mechanism to run intranet "applications", stuff that's more application-like than a typical webpage is. Maybe it was politically necessary to use an "open" environment like the Web at the time to do this, and to use Microsoft's web browser as a platform. I'm guessing that making a single application to browse files, the Web, and handle remote applications might have sounded simpler to a user.
Honestly, though, most intranet applications that target IE aren't portable to other web browsers anyway. I'd rather that there simply be a piece of software responsible for running "remote applications", and that this be separate from a web browser -- and that the web browser place very strict conditions on what it allows the remote world to do to a computer. Maybe opening new windows makes sense for a remote application, but is potentially abusable (and thus not acceptable behavior) for a web browser. Yes, in theory this may be what trusted domains were meant to do, but they don't seem to have eliminated everyone's problems.
I realized that I could become a cube code monkey, or expand and accept that the rules changed. CS undergrads would be better off knowing this lesson early than finding out one day they had been outsourced.
This does, of course, assume that the unique skills that you bring to the table outside of CS provide better value than those that can be found in, say, India.:-)
And language isn't such a barrier anymore. I work with Europeans and Asians who speak English as a language other than their first on a daily basis, and English is pretty widespread these days.
I put in the long hours and hard work to really earn my degree, but many do not. Employers are not blind -- they realize that a lot of CS "grads" are total nitwits.
Your degree matters a lot for Job #1. After that, what matters is how much you've demonstrated that you can actually do.
What amazes me is that some people are willing to spend *vast* amounts of money to buy themselves a university education. They have purchased the right to listen to famous researchers reading off the contents of their textbooks to them. They've purchased the right to have those researchers made available to answer questions of any sort. Neither of these are *essential* to learning, but they're handy tools -- and damned expensive ones. Then these students to try to subvert the entire system by not doing any work or learning anything. They're going to get exactly one job with that (assuming that they can game the interview as well). After that, the world knows that they just aren't competent. There just isn't any alternative to learning material.
Do students really think that employers are really that stupid? That if they manage to get through one interview, that that an employer will never question the fact that these graduates just can't do their job?
If someone is cheating, it hurts their future badly -- they are going to have to compete in the future with the knowledge and skills that they are acquiring now. They have retained expensive people to help them learn. Why throw that away?
Professors are *not* the enemy -- they're there to do what they can to assist students in learning. Heck, they can't even ram an education down a student's throat -- the student needs to learn themselves. A professor can at best help a student acquire skills.
I think that many people see the phrase "cheating hurts only you" and write it off as propaganda to try to get people to conform. They think that they've found an easy path to success. It really is not. The harm that cheating causes the reputation of other students or the institution is not that great, but the harm that not knowing your subject material causes you is enormous.
One of the most knowledgeable technical people I know lacks even a high school degree (not that there's any form of inverse correlation with degree -- I know sharp PhDs too). That non-high-school-graduate, however, reads engineering texts constantly, designs digital circuits and reverse-engineers devices in his free time, along with spending volunteer time helping people design networks. I think that the most overriding factor in how solid someone is in their field is how *interested* they are in it. People that spend their own time tinkering away in their field get damned good at it, and all other factors kind of fade into the background.
That's one reason why, I think, that so many Linux folk are so technically competent. It has nothing to do with "knowing Linux" -- Linux is just another operating system. It's that a lot of people that use Linux are technology hobbyists, people who like pulling things apart and trying out new ideas and building new things. It's just that a lot of people who treat technology as not just a profession, but also a hobby, wind up here. Linux is the ham radio of today's generation, the magnet that attracts hobbyists. Open Source, too acts as such a trap for interested people -- it's not necessarily that the source being open magically makes people competent, but that the sorts of people that do volunteer open source work are usually the tinkerers I'm speaking of, and that these people tend to value being able to poke around at source code.
Google has a near monopoly (AFAIK), which allows it to extract (close to) the full consumer surplus for the ads it sells
Google has no monopoly in the traditional sense. They are the market leader, but don't control even as much of the search market as Microsoft does the desktop market. There is *very* little barrier to switching away from them, and there are a number of competitors. The only reason Google can keep making money from day to day is because they are consistently better than their competitors.
* Renders incorrectly in Firefox, with buttons lapping off the white main area.
* Is slower to load than Google
* Contains a huge amount of crap that I simply do not care about
* Contains numerous links that *nobody* would ever care about. Who needs a link to find microsoft.com? If they wanted to go to Microsoft, why would they go to msn.com and then look halfway down the page at the side?
* Has flashing, periodically changing images.
* Has ads embedded with the news, rather than clearly delineated, as Google does.
* Yahoo has a huge banner-sized ad for a Yahoo searchbar at the top of the page (which doesn't seem to actually *do* anything in Firefox when I click on it).
* Yahoo has masses of crap that I, once again, do not care about. I don't need to look at a newspaper thirty times a day (which is what Yahoo's front page seems to be trying to imitate). I do need to search for things thirty times a day. Actually, this single point amazes me. Google is stomping all the other people out there. Everyone else knows that portals were a stupid idea and flopped. *Why* is it that nobody (well, there are a few, like Teoma) is willing to just realize that people want simple and fast (and having powerful, unobtrusive features is frosting, if it can be managed), and not to look at a silly newspaper-like page each day?
* Yahoo has loads of ads embedded throughout the page, not clearly delinated from the rest of the text.
* Yahoo renders incorrectly in Firefox -- the "Advanced, My Web, Answers" text covers up part of the "Yahoo Search!" button and lap off the bottom of the blue box surrounding the "Search the Web" field.
* Yahoo has a lot of services, but they attempt to throw all of them at you. Compare Google's approach -- put only the very commonly used features on the main page, and stuff all the rest on a secondary page, with a brief description that anyone can understand. I'm *far* more likely to try out Google's other features over time after skimming their descriptions than I am to try to click on all of the 500 links on Yahoo's main page to try to find interesting features -- "Yahoo 360 degrees"? What on earth *is* it? Why would I blow my time figuring out what services I might be interested in using when Yahoo can't be bothered to even present them reasonably?
Now let's look at Google's main page.
* There isn't a single ad (if I do a search, I will see ads clearly labelled as such).
* There is a *single*, small image. Google provides more humor and information with this image than most media I read do throughout their entire bodies. They still probably haven't fully exploited that one image. Imagine how unbelivably wasteful of user attention span those competing sites are -- they have images galore, but most of them do nothing to actually aid the user.
* Google makes it easy to use all their primary services from the main page, using just six links, and a seventh for services that aren't used as much. Two other precious links are expended providing a way for people to easily find their other products. One more link is used to provide an *excellent*, easy-to-navigate help system (
Actually, that "Randomized" idea is interesting...I realize that "newest first" by default means that users start out seeing a lower caliber of comment.
Maybe a weighted randomization, where heavily modded posts are more likely to come up up top. If you think about it, maintaining a chronological order of root-level posts doesn't seem to really provide much of a benefit.
Well, personally I thought the definition of a "professional" was "someone who gets paid for their work." Doesn't matter if your paid to sit on a toilet and poop. If you get paid for it, you're a professional pooper!
The word "professional" has two separate meanings. One means "someone who does something for money". A whore is a professional, in this sense. The other is "someone who has a businesslike manner in the workplace".
Slashdot Mirror
It is nice to have access to things that you wouldn't before the internet.
Location doesn't really matter for a lot of professions any more -- software development being among them. I had a former boss who liked to talk about a particular project in which three people were in Europe, one in Asia, and two in North America.
I hear a lot of griping about outsourcing, but not about the benefits granted by that same technology. You not longer have to live in Manhattan to get a high-paying job -- you can do that same job while living in Podunk, Kansas, and have a fraction of the living expenses
It's silly to commute an hour each way for a job. That's two hours a day wasted, when you could be working remotely -- and who wants to work ten hours a day for the same pay instead of eight? It's not as if your employer derives any benefit from you sitting in a car for a chunk of each day.
Working on embedded systems I'm used to checking every malloc(). It is fairly easy to do, but you need to design your application to handle out of memory situations gracefully. That is not as easy depending on what you are trying to do.
Yes, but on an embedded system, you almost always have an init phase where you allocate all the memory that you need at startup, and so you have an init() function or similar that either fails or succeeds at startup containing checked mallocs. Then you have *one* cleanup path. You only guarantee that your application handles up to N resources used of each type at runtime (100 connections, 30 open files, whatever).
Checking malloc in the middle of your code is essentially an obsolete practice for real-world systems -- it's essentially impossible to cleanly back out of all failures, and nobody is going to test all possible failure conditions. The fact that Linux uses an OOM killer and overcommits by default is just a recognition of this fact.
I know this goes against what some people learn, but let me ask those people who carefully check every failure:
* Do you actually test each bit of cleanup and error-recovery code? I mean, are you using a malloc()/free() wrapper that causes *every* path to be invoked? Otherwise, you're just bloating your application with masses of untested code.
* Are you certain that you can't run out of stack space, not just heap space? Particularly if you're using C++ and local objects, I'm pretty dubious that you're so sure. Do you really know, for certain, how much space a random STL object uses?
Systems these days have so much memory and virtual memory that running out of memory is almost *always* a bug. It's a pretty safe bet that the allocation that causes your app to run out of memory is the culprit. Even if Linux didn't have an OOM killer, I'd feel safe in almost all circumstances just wrapping malloc() with an abort() on failure.
Some applications might be fed huge workloads inadvertently. Those are better off adding checks specifically for those workloads. For example, if you load a huge image in the GIMP, you'll get a warning based on the size before the GIMP attempts to do memory allocation, not after the failure happens.
Dupes generate a great deal of enjoyment among Slashdot readers, as they get to happily call "dupe"!
He is important on popular media (ZDNet) and he is taken serious by non geek computer users, that is a huge power.
Expressing security bugs accurately and correctly is often someone at odds with making a good media story. It sounds like Gibson is quite good at the latter.
AFAIK, the Wine people probably know about a lot of things in Wine that aren't securely designed. Doing secure software design is hard even for simple software, and when someone else has already done the design and you're worried about trying to make (often broken) code written to their design work under your system, it's not so obvious.
That being said, I'm not saying that I couldn't see them raising it, but it's not as if they were proposing designs and some guy was pointing out security holes in the designs, either.
The idea was that it isn't Microsoft -- as you said, Microsoft has no reason to stuff a back door into the software. However, Microsoft has an awful lot of employees, and one of *them* might have thought that it would be fun to secretly introduce a back door.
Remember Apple engineers introducing Easter eggs that the company didn't know about? Same idea.
I think that it's safe to say that this really is just a bad design that never got examined by someone involved with securing software, and not an intentional hole, though.
will they use all my searches for "doj lawyer-raping" against me? it's really just a fantasy ... i don't mean to do anything illegal and if any doj lawyers get wrongfully imprisoned and raped over and over and over and over and over and over, well, just remember that the innocent have nothing to fear
I remember "spook.el" for emacs. I can already see a similar firefox plugin, to mask your searches in noise...
And if your child searches 'breast" ... and finds a sweet pair of titties ... it's your own damn fault for not monitoring their internet usage, not Google's.
Why is it that humanity once, when we were sitting around nude in caves, had the maturity to see breasts, but no longer does?
You generally don't dig in your heels until they come calling for personally identifiable information. Then you call in the lawyers and fight the good fight. Google isn't doing this to be noble, they are doing this to protect trade secrets.
So what? This is not a federal issue. This is a partisian issue, where one side wants to support some laws that they're pushing through. They should not be able to obtain data for this reason. I sure as hell don't want to start even the slightest precedent of Google searchers being available to the federal government without a damned good reason. Wanting to make lobbying easier to re-establish censorship laws does not qualify, in my book.
Well, now we know that Yahoo will turn over the private contents of what their users do at the drop of a hat, and without any criminal case involved at all. If you were still considering using Yahoo, they've certainly made it easier to find a search engine.
My dad doesn't know about minor technical differences between different search engines, but he gets irritated enough already with how much companies know about going on, and knowing that Yahoo doesn't give a damn about their privacy policy does matter to him.
I have a strong belief that a great deal of the sexual crimes commited in this country is due to repressed sexual urges. A teen age boy is told he's not supposed to masterbait, it's shameful. He becomes ashamed of who he is, and it happens for so long that he needs to shame other people to have sexual release. Maybe that comes out as child molestation or rape, who knows?
We *know* that sexual suppression screws people up. Freud was on top of that.
I'm sure you can do valuable data mining on searches that people do; I doubt that Google would delete these.
Many worms or trojans make outbound connections to download additional exploit tools. They could make those connections using TFTP outbound through the common DNS port (udp 53). If those connections are restricted IT doesn't have to worry about that being an attack vector.
They could also get data in many ways that you aren't going to block -- heck, if your web browser can get to the Internet, they can just examine the settings or piggyback the web browser.
I can understand trying to keep malware from getting on a machine in the first place, but trying to keep it from downloading additional data once it's there is a lost cause.
With more and more internet users behind NAT routers, networked malware is now instead of running on a machine and listening, is running on a machine and making an outbound connection to some remote host. If you don't have egress filtering, your firewall may as well not exist.
I will grant that I think about this less; in the Unix world, security problems are slightly different. However, I have discussed this with some rather notable gentlemen who are more oriented around Windows security, and their opinion is different. They suggest that it is not really possible to keep information from filtering *out*, if software on your machine wants to send data out. There are just too many ways to sneak bits across the wire, and they cannot all be blocked in the real world. Their take is that the only reasonable way to stop malware is to keep it from gaining a foothold on the computer in the first place, rather than trying to keep it from then communicating once it is there.
Actually, to some extent, this is exactly what you just said (though about NAT, not about firewalls) -- security administrators tried using NAT to lock down their networks, and discovered that malware simply adapts to deal with it, and now there is a big functionality hole that makes it difficult for people to write and use legitimate network applications.
Highly restrictive blocking, as implemented today at a corporate level, is *only* useful in that people that do so may differ from the majority, that they have an "oddball" configuration. That's where the practical security benefits that they're claiming comes from, not from the fact that their blocks cannot be walked around by anyone who tries to do so. If I can write malware that, on 90% of the machines out there, can just open a TCP connection to the outside world on an arbitrary port and send data, I'm probably going to do so, rather than making that worm take a clever approach of having to subvert Outlook or IE to send its data out.
The problem is that now a number of companies *do* only allow access out through a proxied connection, and now malware writers that want to target them need to hijack things like Outlook or DNS requests or whatever. The benefit is highly impermanent -- so there is no long-term security benefit, but there is a blow to functionality, in that features once present are now missing on these corporate networks (and doing things like ramming previously-working apps through HTTP tunnels simply degrades performance and increases complexity).
If you want to occasionally SSH to your home machine, run your sshd on port 443 and go via your company's web proxy (tools like PuTTY can use HTTP CONNECT to do ssh via a proxy on port 443). Be sure to ask your company if this is OK first though. That way they don't have to open port 22 to the world, and instead they have a logged, traceable connection.
Oh, I have. Had a meeting with our security admin and everything. He said "no go" and warned me that he monitors connections. Actually, he used to have a configuration in place that killed any outbound HTTP connections that lasted too long. That was infuriating to work around if you needed a Linux ISO or something similar. He finally got enough complaints to decide that that was a bad idea.
XP/2003 have file hard links and 2000 also supports directory simbolic links - I use one to 'alias' my 'home' folder at the root of the C: drive, and it works fine. Check out SysInternal's JUNCTION or XP's FSUTIL. Been doing that for years.
Hardlinks (IIRC, NTFS-only, though that's not much of a problem anymore) are not a replacement for symlinks.
Reparse points are not exactly symlinks.
If there was an electronic way to submit bug reports there would be so much crap that real bug reports would get lost in the pile of crap, which would be bad.
I'll admit that Microsoft has a harder task than the Linux folks, because most of Microsoft's users are less technically knowledgeable and less able to submit a good bug report.
However, you have to admit that most open source projects have publically-viewable and submittable-to bugtrackers, and that these projects continue to function. I was particularly pleased with one past experience with Red Hat's bugtracker, where a Red Hat engineer issued two updates to xorg for testing to me and another user and managed to fix a problem that we were running into within 48 hours of the bug report. Surely Microsoft can come up with *some* kind of karma-based or MVP-like system that allows people who can actually submit bug data worth a data to submit bug data?
Window's Defender add's another layer by catching events such as driver installation, service addition, homepage changes, etc, etc, and additionally prompts the user to allow or deny the action.
This sort of thing only helps if the user is (a) technically knowledgeable enough to understand and answer questions and (b) willing to click on lots of dialogs.
Some of these things should never have been allowed in the first place.
For example, home page modification. I can't think of any legitimate reason for an application other than IE to be setting IE's homepage, other than *maybe* the network administrator setting it for the first time. Why can this even be modified at all by other applications? It's wildly abused, clearly is an interesting thing for malware companies to modify, and provides little benefit.
I think that a good chunk of security problems at Microsoft come from either unwillingness of people to say "this feature is insecure, so it's going to be dropped" (or maybe the security people *did* say something like this and got overruled, I'm not sure).
Look, if I go out to, say, the apache developers and submit a patch to add a feature, the first thing that they're going to care about is whether or not it opens a security hole. It's not that they have a checklist that says "check for security holes", it's just what any open source project is going to do. There are no customers saying "we want feature X" (where feature X introduces problems).
Occasionally, I watch people browse the web with IE, and I wonder just why various things are allowed (and some of these, sadly enough, Firefox does as well). The very first thing I think of when I see a feature in a web browser is "How can this be exploited, and if it can be, why was it allowed in?" Why can websites change the mouse cursor, position, depth, and size of windows, and appearance of scroll bars? There is very little trusted information on the screen, and these are three sources of information that can no longer be trusted under IE. Why throw it away without a really good reason? What significant benefit that cannot be otherwise provided do these features provide?
Basically, nobody seems to have gotten to veto these features. I imagine that somewhere, a customer must have asked for these, so they went in.
I can understand that if you're trying to run a company, you know that a new feature is probably a lot more compelling than the lack of a feature (which avoids some currently-theoretical attack) to a customer. But there is also clearly long-term reputation value involved with simply saying "No, this has security implications, so it's not going in".
Going waaay back up to the top of my post, I want to address the other problem, the "lots of dialogs" issue.
Microsoft has a problem with confirmation dialogs. A large number of common operations cause confirmation dialogs to appear. This is very much not good. If a user has to click "OK" constantly to get his work done, he becomes very used to constantly clicking "OK" on any dialogs that come up -- after all it is unlikely that any given dialog has any useful information. It feels like some developer wrote a piece of software, and a UI guy said "Nope, can't do that -- the user might inadvertently break something." So instead of making it harder to accidently invoke the command in the first place or making it harder for the situation to arise, a common solution seems to be throwing a confirmation dialog up on the screen.
Take deletion of files in Windows Explorer. There was a UI mistake made by Microsoft -- they introduced a single-key combination that is highly destructive -- DEL deletes all selected files. Some UI guy presumably said "You can't do that, guys", and the developers took that ever-so-easy way out -- to slap a confirmation dialog on the screen. They could have made "Control-DEL" delete files, or done something else to make it harder to accidentally invoke the combination, but instead they made the action
I remember a Slashdot article about an incident CMU when a Windows-based Diebold ATM kiosk crashed, leaving the desktop available, and students started music playing on the kiosk using some media player on the system. That system was *definitely* not locked down.
Of course they won't. Firefox doesn't support a lot of proprietary things that lots of intranet applications depend on. Can Firefox run HTAs? Does Firefox support VBScript? If Microsoft were to drop Internet Explorer for Firefox, they'd be leaving a lot of customers high and dry, requiring them to rewrite applications before upgrading to Vista.
I think that the move to tie IE to the OS was sort of reactionary, and the rush to try to do so was the cause of a lot of the security problems today. Lots of problems came from overlap in responsibilities and rights of a file browser versus a web browser versus a remote application executor. I think that there's really three different sets of tasks, and should be clearly separated, and what each is allowed to do clearly defined.
I can understand that Microsoft wanted to provide some sort of mechanism to run intranet "applications", stuff that's more application-like than a typical webpage is. Maybe it was politically necessary to use an "open" environment like the Web at the time to do this, and to use Microsoft's web browser as a platform. I'm guessing that making a single application to browse files, the Web, and handle remote applications might have sounded simpler to a user.
Honestly, though, most intranet applications that target IE aren't portable to other web browsers anyway. I'd rather that there simply be a piece of software responsible for running "remote applications", and that this be separate from a web browser -- and that the web browser place very strict conditions on what it allows the remote world to do to a computer. Maybe opening new windows makes sense for a remote application, but is potentially abusable (and thus not acceptable behavior) for a web browser. Yes, in theory this may be what trusted domains were meant to do, but they don't seem to have eliminated everyone's problems.
I realized that I could become a cube code monkey, or expand and accept that the rules changed. CS undergrads would be better off knowing this lesson early than finding out one day they had been outsourced.
:-)
This does, of course, assume that the unique skills that you bring to the table outside of CS provide better value than those that can be found in, say, India.
And language isn't such a barrier anymore. I work with Europeans and Asians who speak English as a language other than their first on a daily basis, and English is pretty widespread these days.
I put in the long hours and hard work to really earn my degree, but many do not. Employers are not blind -- they realize that a lot of CS "grads" are total nitwits.
Your degree matters a lot for Job #1. After that, what matters is how much you've demonstrated that you can actually do.
What amazes me is that some people are willing to spend *vast* amounts of money to buy themselves a university education. They have purchased the right to listen to famous researchers reading off the contents of their textbooks to them. They've purchased the right to have those researchers made available to answer questions of any sort. Neither of these are *essential* to learning, but they're handy tools -- and damned expensive ones. Then these students to try to subvert the entire system by not doing any work or learning anything. They're going to get exactly one job with that (assuming that they can game the interview as well). After that, the world knows that they just aren't competent. There just isn't any alternative to learning material.
Do students really think that employers are really that stupid? That if they manage to get through one interview, that that an employer will never question the fact that these graduates just can't do their job?
If someone is cheating, it hurts their future badly -- they are going to have to compete in the future with the knowledge and skills that they are acquiring now. They have retained expensive people to help them learn. Why throw that away?
Professors are *not* the enemy -- they're there to do what they can to assist students in learning. Heck, they can't even ram an education down a student's throat -- the student needs to learn themselves. A professor can at best help a student acquire skills.
I think that many people see the phrase "cheating hurts only you" and write it off as propaganda to try to get people to conform. They think that they've found an easy path to success. It really is not. The harm that cheating causes the reputation of other students or the institution is not that great, but the harm that not knowing your subject material causes you is enormous.
One of the most knowledgeable technical people I know lacks even a high school degree (not that there's any form of inverse correlation with degree -- I know sharp PhDs too). That non-high-school-graduate, however, reads engineering texts constantly, designs digital circuits and reverse-engineers devices in his free time, along with spending volunteer time helping people design networks. I think that the most overriding factor in how solid someone is in their field is how *interested* they are in it. People that spend their own time tinkering away in their field get damned good at it, and all other factors kind of fade into the background.
That's one reason why, I think, that so many Linux folk are so technically competent. It has nothing to do with "knowing Linux" -- Linux is just another operating system. It's that a lot of people that use Linux are technology hobbyists, people who like pulling things apart and trying out new ideas and building new things. It's just that a lot of people who treat technology as not just a profession, but also a hobby, wind up here. Linux is the ham radio of today's generation, the magnet that attracts hobbyists. Open Source, too acts as such a trap for interested people -- it's not necessarily that the source being open magically makes people competent, but that the sorts of people that do volunteer open source work are usually the tinkerers I'm speaking of, and that these people tend to value being able to poke around at source code.
Google has a near monopoly (AFAIK), which allows it to extract (close to) the full consumer surplus for the ads it sells
Google has no monopoly in the traditional sense. They are the market leader, but don't control even as much of the search market as Microsoft does the desktop market. There is *very* little barrier to switching away from them, and there are a number of competitors. The only reason Google can keep making money from day to day is because they are consistently better than their competitors.
Look at MSN's main page and then Google's main page. MSN's page:
* Renders incorrectly in Firefox, with buttons lapping off the white main area.
* Is slower to load than Google
* Contains a huge amount of crap that I simply do not care about
* Contains numerous links that *nobody* would ever care about. Who needs a link to find microsoft.com? If they wanted to go to Microsoft, why would they go to msn.com and then look halfway down the page at the side?
* Has flashing, periodically changing images.
* Has ads embedded with the news, rather than clearly delineated, as Google does.
How about Yahoo: Let's take a look.
* Yahoo has a huge banner-sized ad for a Yahoo searchbar at the top of the page (which doesn't seem to actually *do* anything in Firefox when I click on it).
* Yahoo has masses of crap that I, once again, do not care about. I don't need to look at a newspaper thirty times a day (which is what Yahoo's front page seems to be trying to imitate). I do need to search for things thirty times a day. Actually, this single point amazes me. Google is stomping all the other people out there. Everyone else knows that portals were a stupid idea and flopped. *Why* is it that nobody (well, there are a few, like Teoma) is willing to just realize that people want simple and fast (and having powerful, unobtrusive features is frosting, if it can be managed), and not to look at a silly newspaper-like page each day?
* Yahoo has loads of ads embedded throughout the page, not clearly delinated from the rest of the text.
* Yahoo renders incorrectly in Firefox -- the "Advanced, My Web, Answers" text covers up part of the "Yahoo Search!" button and lap off the bottom of the blue box surrounding the "Search the Web" field.
* Yahoo has a lot of services, but they attempt to throw all of them at you. Compare Google's approach -- put only the very commonly used features on the main page, and stuff all the rest on a secondary page, with a brief description that anyone can understand. I'm *far* more likely to try out Google's other features over time after skimming their descriptions than I am to try to click on all of the 500 links on Yahoo's main page to try to find interesting features -- "Yahoo 360 degrees"? What on earth *is* it? Why would I blow my time figuring out what services I might be interested in using when Yahoo can't be bothered to even present them reasonably?
Now let's look at Google's main page.
* There isn't a single ad (if I do a search, I will see ads clearly labelled as such).
* There is a *single*, small image. Google provides more humor and information with this image than most media I read do throughout their entire bodies. They still probably haven't fully exploited that one image. Imagine how unbelivably wasteful of user attention span those competing sites are -- they have images galore, but most of them do nothing to actually aid the user.
* Google makes it easy to use all their primary services from the main page, using just six links, and a seventh for services that aren't used as much. Two other precious links are expended providing a way for people to easily find their other products. One more link is used to provide an *excellent*, easy-to-navigate help system (
Agreed, but would you say that Hemos' review is an unusual or a common occurence?
Actually, that "Randomized" idea is interesting...I realize that "newest first" by default means that users start out seeing a lower caliber of comment.
Maybe a weighted randomization, where heavily modded posts are more likely to come up up top. If you think about it, maintaining a chronological order of root-level posts doesn't seem to really provide much of a benefit.
Well, personally I thought the definition of a "professional" was "someone who gets paid for their work." Doesn't matter if your paid to sit on a toilet and poop. If you get paid for it, you're a professional pooper!
The word "professional" has two separate meanings. One means "someone who does something for money". A whore is a professional, in this sense. The other is "someone who has a businesslike manner in the workplace".