Sure. If it's a randomly stolen item then it is pretty unlikely that anyone would use this data. The point I was trying to make was that the security on the system is bad (from what I have read). This makes the phone a nice weak point for targeted attacks; "I don't like my coworker/boss/networkadmin" sort of attacks.
If my device was stolen, I'd be more worried about the immediate disclosure of my password, as it could be used to get my private key and someone could pretend they were me, or get into my home computer over ssh where they'd have access to my entire photo collection and data like my MSN details. The device should encrypt all sensitive data based on a password given at startup by default, and only keep the decrypted passwords in memory -- they should never touch the disk. I've not got one of these devices so I can't say if that happens or not, but the point is, that should happen. The master password should not be stored anywhere on the system, in a weakly encrypted form or not.
Remote Keyboard should be encrypted regardless of whether there's a password prompt or not using SSL. Theoretically there's no way for a man in the middle unless someone cracks the authority key, so you know if your keystrokes are appearing on the device and there hasn't been an invalid certificate error, then no one is listening.
The ActiveSync vulnerability is just terrible practice. Someone across the room could be sitting watching for the person to plug in their mobile device (not hard to imagine in an office environment) and then be the first to spawn a password prompt. Not sure how hard it'd be to implement something that then also sends the password to the device so it's not even noticed that the password has been stolen.
Protects you from a great deal of spyware and viruses which have been known previously to propagate through security holes in Internet Explorer, perhaps by one of the many exploits to make a foreign site "trusted" (I was hit by one or two in my IE days -- despite my strict conditioning to say "no" to every ActiveX popup). Or there are some viruses that only install through ActiveX.
So it does give you a degree of protection. Remember, even running anti-virus, anti-adware and a good firewall doesn't preclude you from viruses and spyware, just makes it more difficult, as does running a less exploited browser*.
* I refrain from saying Firefox is more secure as there's no way to show that, but it's definitely exploited less on malicious websites, be it because of the smaller marketshare or otherwise.
Well, considering that a higher proportion of the users of OSS will contribute fixes and bug reports than the equivalent for proprietary software, it doesn't matter as much if fewer of the main programming team are always available. Also, companies that are worried can fix security threats internally and submit the changes back. I'm not a major OSS developer but I've contributed many bug reports to GNOME and some to the Linux kernel, and they've all been fixed. I have submitted some usability improvements in patch form too, which can't be done with proprietary stuff. Sure I'm only one person, but if you get even a tiny proportion of the users of a popular piece of software willing to get messy with the code, then it's a positive thing.
The problem I find with most proprietary apps isn't the development model as such, but there's rarely a clear place to forward suggestions and bug reports. For Microsoft software you get the crasher bug reporting with their "Send error report" thing, but there are far more types of bug that you can submit to bugzilla on most projects (Crasher, usability, suggestion, glitch, etc.). I have seen some Microsoft projects with places to send reports and suggestions, as I have other proprietary stuff, it's just that it's usually much less polished if it exists at all.
I agree. If you look at any operating system (or indeed similar software) you'll see they 'share' ideas and copy each other. Usually the newer implementation has some improvements over the system they were based on. For example Linux and friends tend to have features in command line before the competitors have it in an easy to use GUI, then once that happens there usually tends to be an OSS GUI developed.
I'm sure that compiz for Xgl will take on some of the ideas from Apple's implementation of virtual desktops, just as Apple and Microsoft with its powertoy took that idea from previous systems. This is what competition brings, and I'm glad that Microsoft are finally feeling the need to start pushing themselves again.
If you look at Linux for example, which had USB 2.0, bluetooth, etc. support before Windows and OS X, does that mean Windows and OS X implementing it should be called copying? I don't think anyone's ever said that, but Paul seems to think that Microsoft having a "pretty" RSS feed viewer is in some way stolen.
Paul makes some other silly points in this article too, such as saying Microsoft has done more than Apple in the last 6 years by stating that there have been loads of Windows editions released, despite it being Apple's policy to have only one version of OS X targeted for non-server use.
"If I have seen farther, it is by standing on the shoulders of giants." -- Isaac Newton
To support them at the time the kernel is loaded they still need to be enabled in the .config (CONFIG_CRAMFS). Initramfs afaik is always used in the kernel since it contains the code for finding the root partition. Modification of this needs to be done at compile time and so can be a bit difficult for most times where an initrd would be simple.
Just like anything else that is supported at boot, it is actually compiled into the kernel.. in theory it could contain loadable modules too but I think that would be a real pain to set up. If CONFIG_CRAMFS was a module, for example, you'd need to use an initrd to load it if your root filesystem was of type cramfs.
Except that you can buy a Windows system and install Linux to it usually, and it will usually still be cheaper due to Dell being larger and producing more PCs.
Well, you need to have support compiled into the kernel to be able to mount the root filesystem before you can actually load the modules. If IDE Hard drive, ext3 and whatever is compiled into the kernel and it can mount / and load everything else from /lib/modules/... but I'm guessing that Debian therefore has SATA support compiled as loadable modules.
The reason an initrd works is because it's the bootloader's responsibility to load the initrd, and one would hope that the bootloader has support for the hard drive it's running from.
It is indeed a problem, but have you tried using a kernel of the same version/.config (4k vs 8k stacks etc) but just force loading the module? *Usually* distro-specific patches don't change the ABI so you might be able to just load it if you get it to ignore the magic.
Seriously though, I hope this goes the way that Blender did. If SGI could agree to give OpenGL to a non-profit organisation for a fixed amount, the non-profit organisation could appeal to the opensource community (and companies like RedHat, Novell) for donations.
Where does one find these heroine pimps?
A story: Once I was playing a song in my head as I do regularly then the person next to me started humming it. It wasn't a popular song or a song that was on the radio in the morning or anything (some indie gothic metal stuff).
I said "Um was I singing out loud or something?"
"Er... no"
"Well you've started humming the same song I was thinking of"
I thought that it was a funny coincidence and carried on working. Later in the day I heard someone who was in my ICT class playing the same song through their headphones. I asked them if they had been playing it in ICT and they said yes. They had been sitting at the other side of the class from me playing music through their headphones. I can't prove that this stimulated both me and my friend to start humming/thinking of the song, but I think it's pretty likely that this was the case.
The relevance being, maybe you and your daughter pick up something subconsciously and don't notice. I didn't hear that song playing even after I grew suspicious -- I probably just heard a few of the higher pitched tones from the headphones which provoked my brain to remember that song. I've heard many times of people who will do things like get up just before their microwave beeps, and don't realise how they do it but they just do. There's usually something like a click just before it stops that they've never noticed consciously but I assume their subconscious has associated this click with the microwave stopping.
I thought this was exactly what the passive RFID chips do, except that RFID chips tend not to have this large a memory (though is there a technical reason why that's the case?)
Good point. Though for a highly skilled officer/sergeant/commander or whatever they're called, there'd probably be a place for him in higher management, whether they save his mobility or not.
They may have added the cracklib module into the PAM authentication chain making anyone with an insecure password unable to log in.
Depends who it is. If it's someone high up with lots of experience then I guess they're more likely to do this to them because the overall cost of finding and training someone to their level might far, far exceed the cost of fixing them back together. If it's just a low level soldier then they probably won't. There obviously are going to be people who go "A human life is a human life, whether it's had 40 years training or just joined the army" (including me) but it doesn't mean they'll listen.
Firefox simply shouldn't have been allowed to change network settings, much less seemingly occasionally mess up the network driver. More likely is that Firefox was using a particular API in a way that hadn't been implemented properly by your network card's driver and it was getting confused. Firefox is not doing something on purpose and to be able to do what you're suggesting it'd done would have required specific use of win32 API functions which I don't believe Firefox even has anywhere in its code.
On my system, if firefox were to try and change any network settings it'd be given an error:
tux ~ $ /sbin/ifconfig eth0 192.168.0.1
SIOCSIFADDR: Permission denied
If the networking goes down (as it has done before when using Firefox) I know there's something else at fault. Upgrading the network driver fixed any previous problems I had.
With a bit of planning you can do side by side installs of all those without chroots or even different prefixes I believe (easier on some distros of Linux than on others). Through chroots/jails/prefixes/virtualisation this can be made simpler but there are drawbacks to every method.
The mysql migrations were a pain in the ass but I managed to get mysql3 and mysql5 side by side during the period of migration.
You know, if you're running some fully Xen compatible OS like Linux then it's likely that Xen would be the better option in terms of speed and system resources. It supports VMotion like things too I believe.
Anyone who says quantum theory is a fact needs their head examined ;) but seriously, you can go for one of the more "normal" feeling interpretations of QM that doesn't require you to believe the cat is both dead and alive.
And also, since they coexist, will it provide any tangible advantages to users? Is it really something that could have just been added in to an existing version of Windows?
ALSA is a fantastic audio API but when programs running at the same time on the same system use OSS, the software mixing doesn't work unless you're lucky and pull off the alsaconf stuff properly, and the audio generally runs slower and laggier (more xruns and stuff).
And there are plenty of OSS applications still around, even though it's been deprecated for years and ALSA is easier to work with. Lots of code would have been hard to update to ALSA so the developers never bothered. If in Windows there's a choice between a Vista-only API (especially since Vista is a paid upgrade, not a free one like Linux) and a 2k, XP, Vista API which they already have an entire codebase around... are many companies going to put resources into doing two different drivers until at least 2009?
This "article" (i.e. blog post) doesn't even mention what browser(s) this affects or how it works. What program is at fault here.. wmplayer? Or is this little dialog box *after* pressing yes to some shady ActiveX thing.
How about using a dialog box where it shows the user some image or something they set up but only programs with the appropriate permission are allowed to display it. Couple it with "Do not enter your administration password when you do not see this image" or whatever and we're *hopefully* on the right path.