I can't agree. Even if you can satisfy the consumers who always have to have the latest (even if they don't really need those high-end specs), and even if you can satiate the gamers (who do use those high-end specs), the technical computing folk will continue to drive for more compute power.
Meanwhile, thinner transistor gate structures, etc., will also improve power efficiency--already the leading cost in many datacenters.
No link to whatever de Raadt may have posted. Moglen should be direct, or STFU. I don't have the time or patience for 'hint and innuendo' games.
Slashdot 'Editors' (better described as gatekeepers) have outdone themselves on this one. I don't have a degree in journalism, but don't real editors:
a) work with authors (anyone even *heard* of this on Slashdot?) re: verbiage
b) fact-check (a truly laughable concept on Slashdot)
Slashdot has managed to maintain itself as something of a community voice. Given the above, I think it's mostly a matter of history, momentum, and the community not having come up with something rational to replace it.
But never mistake Slashdot for anything but a venue delivering eyeballs to advertisers. Probably on the 'impression' business model, I might add, as I doubt the 'click-through' model is working for them. Perhaps they can get a premium impression rate because they have a large audience. I dunno.
But possible journalist metrics, which might include editorial competence and integrity? Yeah, right. They're a pack of idiots. Don't get too caught up in anything here. It's all about eyeballs and advertisers, and posters are just part of the product.
Plus, few people are going to call Google on how lame Google Moon was/is. For people that want to index all the world's knowledge, this thing is shallow. I'm sure there must be good databases of lunar images and other data, just as there is for asteroids, various biology databases, etc.
From there, you can go off into discussions about the Deep Web, the Semantic Web, etc. IMHO, Google is a *long* way from that stated goal, which is something fundamentally impossible (how do you deal with literally innumerable database schema?), and they're just trotting it out as PR.
In some ways, Google's failures are a Good Thing, vis-a-vis privacy, as this is also a company with *another* stated goal of wanting to know all about you. But they can garner mondo press (given how lame our press is) along the lines of, "Wow, Google now does Outer Space".
Perhaps you're operating in an e-commerce environment or something, and are falling into the classic over-focus trap. Real-time isn't required to do tremendous damage. Research John Walker, for example. Beyond that, my sig sums it up.
"What do you think is in the kernel ? (This discussion is rapidly exceeding the scope of comparing IE on Windows to its counterparts on other platforms - unless you think IE is in the kernel.)"
No, I'm talking about things like the GDI kernel data structures. A vulnerability there was reported in last year's Month of Kernel Bugs, and it turns out that it had been reported two years earlier, and was still unpatched.
"Perhaps you don't realise pretty much the biggest reason Windows 9x even existed *at all* was to deal with legacy hardware and software.... "None of either" ? Do the ~15 years of PC usage preceding Windows 95 - and the significant investment by users in hardware and software during that time - not exist in your world ?"
I think you're arguing for the sake of arguing. Certainly this is a strawman. At the beginning of that ~15 year period, you'd find personal machines like the Commodore PET. At the ~10 year point, my personal machine ran CP/M on a 4 MHz Z80A, with 64K RAM, and the only way I could talk to another system was over a 300 bps modem. WTF does ~15 years have to do with Windows backward compatibility? Though they're better at this than, say, Linux (which had a truly horrible ABI situation for a long time), Microsoft has broken backwards compatibility several times.
Once again, I have to reiterate that I was speaking quite simply of the folly of introducing a single-user machine to the Internet.
"They did. Windows NT. Users weren't really interested at the time because most of their software and hardware was unsupported and it needed a relatively powerful machine to run (another price you pay)."
So buy the expensive product or be exposed to risks you probably didn't know about in the cheaper product? Perhaps it was impossible to add multiuser to Win95 and still maintain the ability to run Win 3.1 apps. Certainly it would have been difficult, but I've never heard that it was even attempted. You're making a reasonable argument here, but (largely because of Microsoft's business practice record) I'm not convinced.
"You mean extending it in a way the protocol and RFCs allowed for ? How would that argue against Windows being meaningfully more complex than its functionally-equivalent contemporaries ?"
The purpose of the RFCs is interoperability. The MIT Kerberos team developed something quite useful, gave it away, and got an RFC out there to make it easier for others to implement, all in the name of interoperability, and helping the computing world. Microsoft took that product, and intentionally broke interoperability. *That* is illegal use of monopoly power, IMO. After a huge firestorm of bad press, they made the spec available if you'd run an .exe that forced you to agree that it was a trade secret, making it essentially unusable. Yet more hilarity ensues, and yet more bad PR.
That's a sweet bit of revisionist history you're working on there, but I doubt many people who've been in this game for long are buying what you're selling.
"You'll need to be more specific." (related to my "subtly different APIs" remark)
I'm not up for chasing down the references. Let's leave that one as an exercise for the reader. Anyone who wants to Google for Microsoft API weirdness, or undocumented APIs (cause of yet more legal problems in both the US DoJ and European Commission cases) shouldn't have much trouble.
"What's in the equivalent Linux documentation ? (Although given that SELinux-capable distros didn't start showing up until 4 - 5 years later, the comparison is hardly going to be fair.)"
There wasn't much there in the way of Linux docs on the NSA site at the time, and they didn't release SELinux for another year. You could run SELinux in 2001, if you had to. Not "4-5 years later." See the press release at http://www.nsa.gov/releases/relea00027.cfm, dated 2 January 2001. I wouldn't have done it without a driving need, but I know people who had the ne
You might have mentioned this in your original post. I would still have had my doubts, having been on the admin side and heard some of the whiniest BS imaginable (you. would. be. amazed.), and in my experience few companies make it impossible for employees to do their jobs. But I probably wouldn't have sniped at you.
If something's necessary (as in, you can make a *business case* for it), you should be able to get a fixed IP number on your LAN, and the firewall punched out to that address. Or possibly there should be a machine somewhere that's not on the LAN, and is allowed to see 'around' the firewall.
Both of those approaches have potential downsides for the company, and how the company mitigates that risk will vary a lot. Their solution probably won't be as easy for you to live with as the easiest (for you) situation, where you can do anything from your desktop. But the solution should be workable.
If this truly is one of those comparatively unusual cases where a company has actually made it impossible for an employee to perform the work they're being paid for, and won't fix the problem after being made aware of its exact nature, then you have only two options: find another position within the company, or leave.
You might try making the business case first, though. Some managers are pleasantly astonished (with good reason) when employees take this approach.
I'm on the bubble over that. I saw plenty of references to an 80% miss rate in '05, but most seemed to be referring to an abstract of a vendor presentation to be made at a conference, which struck me as poor journalism. http://conference.auscert.org.au/conf2005/abstracts.php
But the general manager at AusCERT seemed to be saying the same thing in 5/06:
-----
The survey, which was published at the start of this year's AusCERT 2006 conference on the Gold Coast, is further evidence that malware writers are targeting their attacks and testing their code to ensure it is undetectable by antivirus products before it is distributed.
According to the survey, 98 percent of respondents have deployed an antivirus application and yet 45 percent reported being infected by a virus or worm.
Graham Ingram, general manager of AusCERT, said that cybercriminals are making a "concerted effort" to defeat antivirus technology -- and they are being successful.
http://www.zdnet.com.au/news/security/soa/Antivirus-software-is-being-defeated-/0,130061744,139257227,00.htm
-----
So why would I be on the bubble, instead of completely agreeing with you? Well, I hear the argument that since people can't be trained to not click on unverified attachments, security suites are at least *something*. In the back of my mind is the thought that if people didn't believe in these ratty security nets, perhaps they *would* change their behavior.
Another factor may lie in how corporations mitigate risk through insurance. Being able to check the AV box when seeking insurance might keep a policy affordable.
No myth. You can't do this with a 30-06 or 7.62mm NATO round, but .50 BMG is a different story. 2,250 meters (7381 ft, 1 mi = 5280 ft) was done in Vietnam, by Marine GySgt Carlos Hathcock. .50 BMG, fired from an M2 w/ Unertl scope. http://en.wikipedia.org/wiki/Carlos_Hathcock
I could personally ring your bell at 1000 meters (better than half a mile) with a 7.62 NATO round, using a rifle that's just a few feet along the hall. I did the equivalent (on a range) a couple of weeks ago. I'm fully aware of the differences between a range and the real thing. I'm a vet.
Being an intellectual is fine, but it's best tempered with some real-world experience. It might prevent you from being correct about some things (it really is difficult to fire something into the sun) and erroneously expanding that into opinions about things you clearly know nothing about. Such as carrying a rifle, and meaning to use it.
Read that link above, and maybe you'll understand why your comment got my vet ass in the air. I suspect that my ass was in the mud while yours was in grammar school.
OK, you're having an experience. Zoom around in this thread, and you'll find plenty of folk with opinions from the opposite side of the fence. I've worked both sides, and my results have been mixed, but generally favorable toward IT. Like groups everywhere, there are good ones and bad ones.
But, be advised that something like a simple DNS change (2 minute job) can actually take *forever*, depending upon policy. I once worked at a place with a trouble ticket system, and a managerial policy that allowed no deviations. Anything prioritized below the current level never happened. If your DNS change was Pri 3, it would never happen.
When I was new at the job, that sort of thing used to annoy me, and I'd take a few minutes out of lunch to fix whatever. Within a week, word had spread that I was a soft touch, and I had *no* lunch. When I started turning people away (at this point I couldn't even eat a sandwich in peace), I was the goat. My more experienced colleagues had been laughing all the while, as they knew exactly where it would lead.
The mess was eventually sorted by new management that wasn't quite so interested in slashing IT costs to the bone. We even got to buy some new servers which weren't pegged at all times, and a dependable backup system. It didn't turn into heaven on earth, but it turned into something workable. The average workweek even dropped from 60 hrs to 50 hrs, which was a big deal, as everyone was salaried. We never could get even partial payment for beeper hours, though. And there were a lot of those.
Bottom line is that there will always be anecdotal horror stories on either side of this fence. You can work for the best company in the world, but if the couple of management layers above you suck, the job will suck.
And which of those apps do you actually require to do what they pay you to do? Given serious security weaknesses that could cause your admins' lives to suck, in terms of unplanned recovery overtime, etc., you want sympathy because you can't wank with youtube? I bet your admins friggin' love you. Hint--the world does not owe you a living.
If, after that, you still feel all beat on and downtrodden, you might consider careers involving paper hats--though even there, coworkers probably won't appreciate your willingness to cause them grief in order to make your screwing off more pleasurable. It's a human nature thing, and you'll find it hard to avoid.
>GNOME, KDE and OS X have all implemented the same component architecture as Windows [and IE].
None of these have stuffed so much into the kernel. They *can't*. They're userland. Win, OTOH, was GUI from Square 1, and has all sorts of things in the kernel.
>>I'm well aware that 9x were single-user. That's what I'd just *said*. That's what I was *complaining* about. You don't point a machine with no concept of privilege separation at public networks, unless you don't mind your users paying the price.
>Or you don't have a choice because there's no other way to deliver the users' other [more] important requirements. Like, say, legacy hardware and software support.
We were talking about the days when Microsoft first discovered TCP/IP networking, and the business rags were talking about their rapid turnaround. Neither legacy software nor software support concerns apply, as there were none of either.
Both of these apply *now*, as I don't doubt that there are people getting bitten by running more modern variants as admin, just to get old games, etc. to play. There was a large hue and cry about that, when Microsoft finally began to get the security message, and some apps, games, etc., would no longer run. At one point, Microsoft had a rather lengthy list on their site. If they'd done proper multiuser/privilege separation back in the Win95 time frame, they'd have saved themselves and their users a lot of grief.
>Other platforms with equivalent functionality have equivalent levels of complexity.
I doubt that would be the case. The only way to know would be to do a complete call analysis across Win, OSX, KDE, and Gnome, which I very much doubt anyone, save NSA, has done.
Points that argue against it would include:
a) Microsoft's 'embrace, extend, extinguish' approach to open standards, as in what they did with Kerberos.
b) Much anecdotal evidence on mailing lists, etc., about subtly different APIs.
c) My personal experience when faced with attempting to secure a Win2K system, and finding an NSA doc with 20+ pages of registry edits *alone*. I doubt it's become less complex in the meantime.
Some added complexity is probably justifiable, as they do have real backward compatibility issues to contend with. But that was a bit much.
Maybe just variance. Until somebody has some statistics, I wouldn't read too much into it. Given that somebody has an issue, I'd guess that some stats will be forthcoming, if there really is a problem.
What? Who brought 64-bit instructions to x86, when Intel and HP were trying to drive everyone to high-dollar (and at the time miserably performing) Itanium for 64-bit? Who brought out an architecture that would let you plug FPGAs, etc., into CPU slots?
IMHO, AMD is lagging in semiconductor manufacturing processes. Their geometries are larger, etc. I doubt that they get the yields that Intel does, and that counts against them in price wars. But developing new fab processes costs a lot of money, and Intel has always had a huge financial edge. There's no conceivable way that AMD isn't doing their best with the resources they have available on this front, as it has a direct impact on the bottom line. Hence their history of fabrication R&D agreements with IBM.
BTW, I've worked for both companies (but some years ago) and did process engineering work for Intel. I have at least some clue, which is more than the A/C parent poster has.
"AMD's culture of minimal R&D/innovation" is completely unjustified bullshit.
It's difficult to answer your question, because you haven't RTFA, which talks about primarily CPU v primarily disk workloads, power consumption at idle, etc.
Overall, data center power consumption is a big deal. It's one of the main reasons that some corporations are after virtualization. It's one of the main reasons that Google is locating a datacenter in the Columbia Gorge. http://www.iht.com/articles/2006/06/13/business/search.php
While you were 'hazarding to guess', and 'imagining' and thinking various things 'may be', you probably could have RTFA. At that point, the need to ask the question may have been obviated. If not, you would have been able to better frame the question, and possibly gotten an answer that actually *supplied you with useful information*.
Discussions are enriched when participants actually know what's being discussed. When a participant *doesn't* know what's actually being discussed, you're mostly adding entropy.
Not all do. For instance, I run Kmail (and before the flames begin, yes, I realize that most readers can't). You have to explicitly check boxes in the configuration system to allow HTML, and/or allow external references to be loaded. The warning is right there, not buried in a dialog box many would click through:
WARNING: Allowing HTML in email may increase the risk that your system will be compromised by present and anticipated security exploits. More about HTML mails... More about external references...
The two 'more' items are links for more information.
Another box, related to MDN responses, does basically the same thing, and has the following warning:
WARNING: Unconditionally returning confirmations undermines your privacy. More...
Again, nothing in click-through dialog boxes. That was such an obviously better way to code that I adopted it as soon as I saw it. Better to have at least a brief warning and a link right there.
I'm hoping it's easier to configure Outlook this way now. In Outlook 2K, you really had to look for the settings. But even this is a teaching issue. Example: a guy I know is 100% Windows. His development shop has all the Microsoft certifications, etc. They do mostly VB apps. He complained at one point that I wasn't reading his mail, because he wasn't getting an auto-response. He couldn't imagine an environment where people didn't use that 'feature'. I actually had to take some time out and explain that it was a privacy issue (What gives you the right to know what I'm doing on my system, in a non-business environment?) and that it was wildly inaccurate anyway, as some mail systems will open a mail if you select it even if you're only dragging to another folder, while some require a double click. Or you might open it but be called away, etc.
I've known this guy forever, and he's actually pretty smart. Always did well in school, has a degree in nuclear engineering, etc. We most definitely are *not* talking IQ equal to shoe size. There's some sort of mind-set issue in play that is very difficult to get a handle on.
Parent 100% correct. Though it's easy to see how people can be misled, as even some of the security sites are calling it a worm. http://www.secureworks.com/research/threats/view.html?threat=storm-worm gives you some information on how it operates (as of 2/07, and the names of the executables you had to click on to infect yourself have probably changed since then)
How this got so large is a pretty sad commentary. First off, it's proof that people will still click on attachments without verifying whether they're legitimate. I'm not convinced that any amount of training will ever stop this behavior. It hasn't worked over the *last* ten years, at any rate. Second, several virus scanners would have detected it, if they'd been kept updated. Thirdly, I've seen this running from within a couple of corporate LANs, which implies that even corporations don't always keep anti-virus software up to date, or monitor for P2P traffic, which IMO should very seldom be allowed on a corporate network.
It's not clear to me who "they" are. It *is* clear to me that what you suggest is illegal.
If it were made legal for some government agency to remotely exploit a system that they had decided was doing something that they didn't approve of, that power, like so many others, would soon be abused. Be careful what you wish for.
There's also the issue that this problem is international in scope. Should country foo be able to legally plant a virus on a system in country bar?
In any such system, response time would certainly be an issue, as would forged IP addresses.
"Which presumably explains why every other major platform went on to do exactly the same thing, I assume, because all those developers are stupid as well ?"
I haven't called anyone stupid. And "every other platforms" hasn't done the same thing. Without exception, they have remained far less monolithic than Windows.
"The nature of Windows 9x means that whether or not IE was "integrated" has no bearing on the security principles you're talking about."
I'm well aware that 9x were single-user. That's what I'd just *said*. That's what I was *complaining* about. You don't point a machine with no concept of privilege separation at public networks, unless you don't mind your users paying the price.
"Every complex system is a "maze of interdependencies". That's the price you pay for a system based on modular, reusable components."
Complexity can be minimized. In secure systems, complexity *must* be minimized.
I can agree with much of that, from the standpoint of a desktop machine. But even in its original desktop context, it certainly faces a far more hostile environment that it did ten years ago. But now Windows has evolved into something much more. It's likely the most common server in the world, though that's hard to judge. Security is more important now than it was in '95.
I have to reiterate something you're apparently not buying. Complexity is the enemy of security. This is a secure systems design maxim. Taint analysis is a tool, not a maxim.
If something isn't present, it cannot be attacked. There is inherently less taint analysis (which is not a trivial thing) to be performed. I prefer modular systems which allow a minimal OS (scheduler, memory manager, I/O, etc.) capable of running a given workload, and being maintained with simple tools. Such a system does not need a Web browser, etc. It doesn't even need a windowing system. This is a system with a minimal attack surface, ideal for server loads from a security standpoint. In addition, the system can be maintained without GUI overhead. If the system is running slowly, for instance, you don't add the memory and CPU overhead of a GUI while troubleshooting.
I'm not advocating deploying such systems as desktops, but as a solid base upon which to build desktops, and much else. This morning, I was on a tiny little box (about 1x5x7 inches, Geode CPU, three Ethernet ports, power consumption maybe 4-5 Watts), adding code at the command line. Flexibility is a Good Thing.
I'm not bashing Windows. I know a few people who work in small business (and I mean *small*) who've never used anything else, and are too busy keeping the business afloat to think about what, to them, are irrelevant questions regarding OS aesthetics. Given their circumstances, they're entirely correct. People should run whatever they want to run. My only issue with Microsoft lies with their business practices.
"...not that it was a technically bad thing to do."
It's a *fundamentally* bad thing to do. It led to an awful lot of remote code execution exploits. It was originally done in Win95 days--before Windows had any notion of being a multiuser system. There was no privilege separation, so if IE was exploited, no system file, etc., was safe. I don't believe for a moment that Microsoft wasn't aware of this. I think they simply didn't care about their users.
It's *still* a bad idea. In fact, it's a fundamentally poor practice in secure systems design. The resulting system is too monolithic--it's a maze of interdependencies. That leads to security, patching, etc., issues. You may want to Google around a bit.
You're just full of fun ideas. It turns out that you must have a minimum of five sections and four 'authors'. The 'author' label is probably a bug, and should be 'editors'. I'm not a subscriber. YMMV.
So I couldn't create a sucking vortex of CSS, and will have to look for another means of destroying the world. After work tonight, I'll get right on it.
But it should be tons of fun to watch the in-band key OTP crypto 'solution providers' (mostly share-ware folk) furiously generate press releases.
http://www.zdnet.com.au/news/security/soa/Antivirus-software-is-being-defeated-/0,130061744,139257227,00.htm
-----
So, how about something more up to date?
Friday, April 13, 2007
Storm Worm Blast Still Evades Antivirus
http://blogs.pcworld.com/staffblog/archives/004102.html
So why would I be on the bubble, instead of completely agreeing with you? Well, I hear the argument that since people can't be trained to not click on unverified attachments, security suites are at least *something*. In the back of my mind is the thought that if people didn't believe in these ratty security nets, perhaps they *would* change their behavior.
Another factor may lie in how corporations mitigate risk through insurance. Being able to check the AV box when seeking insurance might keep a policy affordable.
"mythical sniper shots"
I forgot to call you a dick-head. Sorry about that.
"mythical sniper shots at 1 mile"
.50 BMG is a different story. 2,250 meters (7381 ft, 1 mi = 5280 ft) was done in Vietnam, by Marine GySgt Carlos Hathcock. .50 BMG, fired from an M2 w/ Unertl scope.
No myth. You can't do this with a 30-06 or 7.62mm NATO round, but
http://en.wikipedia.org/wiki/Carlos_Hathcock
I could personally ring your bell at 1000 meters (better than half a mile) with a 7.62 NATO round, using a rifle that's just a few feet along the hall. I did the equivalent (on a range) a couple of weeks ago. I'm fully aware of the differences between a range and the real thing. I'm a vet.
Being an intellectual is fine, but it's best tempered with some real-world experience. It might prevent you from being correct about some things (it really is difficult to fire something into the sun) and erroneously expanding that into opinions about things you clearly know nothing about. Such as carrying a rifle, and meaning to use it.
Read that link above, and maybe you'll understand why your comment got my vet ass in the air. I suspect that my ass was in the mud while yours was in grammar school.
OK, you're having an experience. Zoom around in this thread, and you'll find plenty of folk with opinions from the opposite side of the fence. I've worked both sides, and my results have been mixed, but generally favorable toward IT. Like groups everywhere, there are good ones and bad ones.
But, be advised that something like a simple DNS change (2 minute job) can actually take *forever*, depending upon policy. I once worked at a place with a trouble ticket system, and a managerial policy that allowed no deviations. Anything prioritized below the current level never happened. If your DNS change was Pri 3, it would never happen.
When I was new at the job, that sort of thing used to annoy me, and I'd take a few minutes out of lunch to fix whatever. Within a week, word had spread that I was a soft touch, and I had *no* lunch. When I started turning people away (at this point I couldn't even eat a sandwich in peace), I was the goat. My more experienced colleagues had been laughing all the while, as they knew exactly where it would lead.
The mess was eventually sorted by new management that wasn't quite so interested in slashing IT costs to the bone. We even got to buy some new servers which weren't pegged at all times, and a dependable backup system. It didn't turn into heaven on earth, but it turned into something workable. The average workweek even dropped from 60 hrs to 50hrs, which was a big deal, as everyone was salaried. We never could get even partial payment for beeper hours, though. And there were a lot of those.
Bottom line is that there will always be anecdotal horror stories on either side of this fence. You can work for the best company in the world, but if the couple of management layers above you suck, the job will suck.
And which of those apps do you actually require to do what they pay you to do? Given serious security weaknesses that could cause your admins' lives to suck, in terms of unplanned recovery overtime, etc., you want sympathy because you can't wank with youtube? I bet your admins friggin' love you. Hint--the world does not owe you a living.
Google around for average time spent responding to a security incident. Go read something like
http://news.com.com/The+security+risk+in+Web+2.0/2100-1002_3-6099228.html
If, after that, you still feel all beat on and downtrodden, you might consider careers involving paper hats--though even there, coworkers probably won't appreciate your willingness to cause them grief in order to make your screwing off more pleasurable. It's a human nature thing, and you'll find it hard to avoid.
>GNOME, KDE and OS X have all implemented the same component architecture as Windows [and IE].
None of these have stuffed so much into the kernel. They *can't*. They're userland. Win, OTOH, was GUI from Square 1, and has all sorts of things in the kernel.
>>I'm well aware that 9x were single-user. That's what I'd just *said*. That's what I was *complaining* about. You don't point a machine with no concept of privilege separation at public networks, unless you don't mind your users paying the price.
>Or you don't have a choice because there's no other way to deliver the users' other [more] important requirements. Like, say, legacy hardware and software support.
We were talking about the days when Microsoft first discovered TCP/IP networking, and the business rags were talking about their rapid turnaround. Neither legacy software nor software support concerns apply, as there were none of either.
Both of these apply *now*, as I don't doubt that there are people getting bitten by running more modern variants as admin, just to get old games, etc. to play. There was a large hue and cry about that, when Microsoft finally began to get the security message, and some apps, games, etc., would no longer run. At one point, Microsoft had a rather lengthy list on their site. If they'd done proper multiuser/privilege separation back in the Win95 time frame, they'd have saved themselves and their users a lot of grief.
>Other platforms with equivalent functionality have equivalent levels of complexity.
I doubt that would be the case. The only way to know would be to do a complete call analysis across Win, OSX, KDE, and Gnome, which I very much doubt anyone, save NSA, has done.
Points that argue against it would include
a) Microsoft's 'embrace, extend, extinguish' approach to open standards would argue against it, as in what they did with Kerberos.
b) Much anecdotal evidence on mailing lists, etc, about subtly different APIs.
c) My personal experience when faced with attempting to secure a Win2K system, and finding an NSA doc with 20+ pages of registry edits *alone*. I doubt it's become less complex in the meantime.
Some added complexity is probably justifiable, as they do have real backward compatibility issues to contend with. But that was a bit much.
Maybe just variance. Until somebody has some statistics, I wouldn't read too much into it. Given that somebody has an issue, I'd guess that some stats will be forthcoming, if there really is a problem.
"AMD's culture of minimal R&D/innovation."
What? Who brought 64-bit instructions to x86, when Intel and HP were trying to drive everyone to high-dollar (and at the time miserably performing) Itanium for 64-bit? Who brought out an architecture that would let you plug FPGAs, etc., into CPU slots?
IMHO, AMD is lagging in semiconductor manufacturing processes. Their geometries are larger, etc. I doubt that they get the yields that Intel does, and that counts against them in price wars. But developing new fab processes costs a lot of money, and Intel has always had a huge financial edge. There's no conceivable way that AMD isn't doing their best with the resources they have available on this front, as it has a direct impact on the bottom line. Hence their history of fabrication R&D agreements with IBM.
BTW, I've worked for both companies (but some years ago) and did process engineering work for Intel. I have at least some clue, which is more than the A/C parent poster has.
"AMD's culture of minimal R&D/innovation" is completely unjustified bullshit.
It's difficult to answer your question, because you haven't RTFA, which talks about primarily CPU v primarily disk workloads, power consumption at idle, etc.
Overall, data center power consumption is a big deal. It's one of the main reasons that some corporations are after virtualization. It's one of the main reasons that Google is locating a datacenter in the Columbia Gorge.
http://www.iht.com/articles/2006/06/13/business/s
While you were 'hazarding to guess', and 'imagining' and thinking various things 'may be', you probably could have RTFA. At that point, the need to ask the question may have been obviated. If not, you would have been able to better frame the question, and possibly gotten an answer that actually *supplied you with useful information*.
Discussions are enriched when participants actually know what's being discussed. When a participant *doesn't* know what's actually being discussed, you're mostly adding entropy.
Not all do. For instance, I run Kmail (and before the flames begin, yes, I realize that most readers can't)
You have to explicitly check boxes in the configuration system to allow HTML, and/or allow external references to be loaded. The warning is right there, not buried in a dialog box many would click through:
WARNING: Allowing HTML in email may increase the risk that your system will be compromised by present and anticipated security exploits. More about HTML mails... More about external references...
The two 'more' items are links for more information.
Another box, related to MDNS responses does basically the same thing, and has the following warning:
WARNING: Unconditionally returning confirmations undermines your privacy. More...
Again, nothing in click-through dialog boxes. That was such an obviously better way to code that I adopted it as soon as I saw it. Better to have at least a brief warning and a link right there.
I'm hoping it's easier to configure Outlook this way now. In Outlook 2K, you really had to look for the settings. But even this is a teaching issue. Example: a guy I know is 100% Windows. His development shop has all the Microsoft certifications, etc. They do mostly VB apps. He complained at one point that I wasn't reading his mail, because he wasn't getting an auto-response. He couldn't imagine an environment where people didn't use that 'feature'. I actually had to take some time out and explain that it was a privacy issue (What gives you the right to know what I'm doing on my system, in a non-business environment?) and that it was wildly inaccurate anyway, as some mail systems will open a mail if you select it even if you're only dragging to another folder, while some require a double click. Or you might open it but be called away, etc.
I've known this guy forever, and he's actually pretty smart. Always did well in school, has a degree in nuclear engineering, etc. We most definitely are *not* talking IQ equal to shoe size. There's some sort of mind-set issue in play that is very difficult to get a handle on.
Parent 100% correct. Though it's easy to see how people can be misled, as even some of the security sites are calling it a worm. http://www.secureworks.com/research/threats/view.html?threat=storm-worm
gives you some information on how it operates (as of 2/07, and the names of the executables you had to click on to infect yourself have probably changed since then)
The original storm.worm (2001) attacked unpatched MS IIS servers, and actually was a worm.
http://www.securiteam.com/securitynews/5DP0B0K4KG
How this got so large is a pretty sad commentary. First off, it's proof that people will still click on attachments without verifying whether they're legitimate. I'm not convinced that any amount of training will ever stop this behavior. It hasn't worked over the *last* ten years, at any rate. Second, several virus scanners would have detected it, if they'd been kept updated. Thirdly, I've seen this running from within a couple of corporate LANs, which implies that even corporations don't always keep anti-virus software up to date, or monitor for P2P traffic, which IMO should very seldom be allowed on a corporate network.
Parent post is not a troll. I disagree with everything he says, as a moderator apparently did as well, but that doesn't make it a troll.
It's not clear to me who "they" are. It *is* clear to me that what you suggest is illegal.
If it were made legal for some government agency to remotely exploit a system that they had decided was doing something that they didn't approve of, that power, like so many others, would soon be abused. Be careful what you wish for.
There's also the issue that this problem is international in scope. Should country foo be able to legally plant a virus on a system in country bar?
In any such system, response time would certainly be an issue, as would forged IP addresses.
"Which presumably explains why every other major platform went on to do exactly the same thing, I assume, because all those developers are stupid as well ?" I haven't called anyone stupid. And "every other platforms" hasn't done the same thing. Without exception, they have remained far less monolithic than Windows.
"The nature of Windows 9x means that whether or not IE was "integrated" has no bearing on the security principles you're talking about."
I'm well aware that 9x were single-user. That's what I'd just *said*. That's what I was *complaining* about. You don't point a machine with no concept of privilege separation at public networks, unless you don't mind your users paying the price.
"Every complex system is a "maze of interdependencies". That's the price you pay for a system based on modular, reusable components." Complexity can be minimized. In secure systems, complexity *must* be minimized.
I can agree with much of that, from the standpoint of a desktop machine. But even in its original desktop context, it certainly faces a far more hostile environment than it did ten years ago. But now Windows has evolved into something much more. It's likely the most common server in the world, though that's hard to judge. Security is more important now than it was in '95.
I have to reiterate something you're apparently not buying. Complexity is the enemy of security. This is a secure systems design maxim. Taint analysis is a tool, not a maxim.
If something isn't present, it cannot be attacked. There is inherently less taint analysis (which is not a trivial thing) to be performed. I prefer modular systems which allow a minimal OS (scheduler, memory manager, I/O, etc.) capable of running a given workload, and being maintained with simple tools. Such a system does not need a Web browser, etc. It doesn't even need a windowing system. This is a system with a minimal attack surface, ideal for server loads from a security standpoint. In addition, the system can be maintained without GUI overhead. If the system is running slowly, for instance, you don't add the memory and CPU overhead of a GUI while troubleshooting.
I'm not advocating deploying such systems as desktops, but as a solid base upon which to build desktops, and much else. This morning, I was on a tiny little box (about 1x5x7 inches, Geode CPU, three Ethernet ports, power consumption maybe 4-5 Watts), adding code at the command line. Flexibility is a Good Thing.
I'm not bashing Windows. I know a few people who work in small business (and I mean *small*) who've never used anything else, and are too busy keeping the business afloat to think about what, to them, are irrelevant questions regarding OS aesthetics. Given their circumstances, they're entirely correct. People should run whatever they want to run. My only issue with Microsoft lies with their business practices.
"...not that it was a technically bad thing to do."
It's a *fundamentally* bad thing to do. It led to an awful lot of remote code execution exploits. It was originally done in Win95 days--before Windows had any notion of being a multiuser system. There was no privilege separation, so if IE was exploited, no system file, etc., was safe. I don't believe for a moment that Microsoft wasn't aware of this. I think they simply didn't care about their users.
It's *still* a bad idea. In fact, it's a fundamentally poor practice in secure systems design. The resulting system is too monolithic--it's a maze of interdependencies. That leads to security, patching, etc., issues. You may want to Google around a bit.
You're just full of fun ideas. It turns out that you must have a minimum of five sections and four 'authors'. The 'author' label is probably a bug, and should be 'editors'. I'm not a subscriber. YMMV.
So I couldn't create a sucking vortex of CSS, and will have to look for another means of destroying the world. After work tonight, I'll get right on it.
I'd forgotten you could do that! Thanks.