According to Symantec, Microsoft is withholding these APIs to give Vista's built-in AV software a leg up.
From the article:
Symantec privately alleges that Microsoft is withholding API information to delay its own Release to Manufacture versions of their software. If Microsoft ships Vista code to hardware vendors at the end of November, then Symantec and others must have their own Vista-ready security products ready to ship to their OEM hardware vendors at the same time. Without the APIs, that's impossible.
The most important issues concerned being locked out of the kernel by "PatchGuard" on 64-bit versions of Vista. Are the Avast, et. al., products you're describing designed for 64-bit platforms or 32-bit platforms? If you RTFA, you'll see that Symantec and McAfee are concerned about the future when all PCs are 64-bit and running Vista out-of-the-box.
My Apache server was hacked via this (or some similar) exploit. The attacker installed an IRC bot in/tmp. I didn't notice it for a while until I saw some suspicious entries in my logs. Of course, since Apache runs chrooted as an unprivileged user, there wasn't much else the attacker could do.
For now I solved the problem by creating a group with write privileges to/tmp that excludes the Apache user. Next time around I'll just give/tmp a separate partition with noexec enabled.
Um, because the US is not the center of the universe?
The "licensed in the US" argument is irrelevant. These items infringe the copyrights of legitimate rights holders in another country that's also a member of WIPO. International treaties signed by the US have the force of law in the US.
Wouldn't this be a good strategy to boost the Google page-rank score as well? Have the zombies run a little web server with pages of paid-for links, and links to all the others. Suddenly it looks like millions of webmasters have decided your customer's page is really important. Even better, this method doesn't leave those traffic spikes in the logs.
I'd target a zombie newsgroup like this one http://games.groups.yahoo.com/group/shuffleboard/. These groups have no active members and collect nothing but spam. Wouldn't be hard to hide a few commands in amongst the Viagra offers.
I've used this particular group to track spam trends. For instance, look at the spam boomlet in this group at the end of 2003 after the Sobig http://en.wikipedia.org/wiki/Sobig_worm worm did its damage.
I hear lots about "data retention" but few specifics about what's supposed to be retained.
When most of America was on dialup, law enforcement officials could request the login/logout records of an ISPs subscriber. In principle that's no different from asking for a log of phone calls made. But in both cases the content of those transactions was protected from official view. In an always-on world, what are they asking for now?
Do most major ISPs proxy web requests? If so, they certainly can identify that IP address x.x.x.x, assigned to customer Joe Blow, visited site www.terrorizeyourcountry.ir at a specific time and requested/how-to-build-a-dirty-bomb.html. How is that different from asking Blockbuster what movies I've rented or a public library what books I've checked out? These are matters on which there's a lot of legal precedent and settled law.
Perhaps some folks here with real experience working in ISPs could help us out here. What have you been asked to retain? DHCP logs? Web proxy logs? What else? (Note -- posting AC about this is probably a good idea.)
It's also the FBI agent's job to "support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same," as expressed in the Federal oath of office http://www.law.cornell.edu/uscode/html/uscode05/us c_sec_05_00003331----000-.html. In fact, that's his or her primary job. Too f-ing bad if these constitutional provisions make his or her job harder.
Perhaps not, but P2P sharing is still an infringing activity regardless of the legality of downloading since it involves both downloading and uploading. The act of uploading constitutes infringement because you are distributing a copyrighted work without the owner's permission.
Of course you could avoid this problem by setting your upload speed to zero, but then if everyone does that, there won't be anything available to download.
As someone pushing 60 myself, I generally agree with your remarks, but I don't think it's all about the politicians. (If anything, we need older people to work in these areas because they're likely to have more influence with the political elites.)
From where I sit, most "techies," especially the younger generation, have aligned themselves of late with political forces that are opposed to policies advocated by extremely powerful and wealthy organizations. Educating government officials about the virtues of open source, the application of fair-use principles to digital copyright issues, the value of open file formats, and the like, won't matter if their supporters can't wield any political muscle. As someone whose career has spanned academia, consulting and nonprofits, I'd love to spend the next decade working on moving these issues up the political agenda. That won't happen without organization, and while volunteerism can play a role here, money does matter.
If Schmidt thinks this is so important, maybe he should set up a foundation.
The FuzzyOCR plugin for spamassassin uses gocr to convert the image to text, then scores it based on the words it finds. This has helped a lot with gif spams, but there are still some that gocr can't seem to decode like this one: http://www.crystalmail.net/hgh.gif.
I especially liked the responses about the enthusiast and gaming markets. They all said how important these markets are to them. I suppose the smaller retailers might care about them because they can't compete with the Dells and HPs on price, but Dell? What proportion of the PCs that go out their door do you think are designed for gaming? I'd bet it's way under 10%. I'm sure few, if any, of their large corporate clients care about having machines designed to play Oblivion.
I would have loved to hear one of them say, "No, those markets aren't that important to us. We're concentrating on the business market." But, then, unlike most Slashdot readers, I don't think PC gaming's all that important either.
I wondered about the punctuation of this sentence in the article. There's quite a difference between:
"A whole lot. Less than we see on television every night."
and
"A whole lot less than we see on television every night."
The former version reinforces the "There's a lot of violence" sentence before it; the latter makes a comparison. I wonder what the judge really meant to say.
I'm really puzzled why anyone continues to accept mail with executable attachments of any kind.
When I first started fighting viruses and spam for my clients, the very first thing we did was block executable files at the mail server. This was in 1997 and required nothing more than a simple/etc/procmailrc file that scanned the message body for executable attachments.
Nowadays, of course, we have much more full-featured software like MailScanner to handle this. This isn't really rocket science, folks. 99+% of people in most organizations have no reason to receive an executable file; if they don't get them, they can't run them.
The new vector seems to be email with clickable links that redirect to an executable. One solution is obviously to install a browser like Firefox that won't run a downloaded file by default, but that still enables lusers to download the file to the desktop then run it. Our current solution for this problem is blocking executables with Squid. Push all web requests through the proxy transparently and block access to URLs ending in.exe, etc.
I really don't understand why policies like these aren't SOP at all organizations, especially organizations large and wealthy enough to have executives worth targeting with malware.
Technology indicates that pre recorded music should be much cheaper than what it is, yet you look on the shelves-and it isn't?
And the evidence for this statement is?
Economic theory tells us that looking at the price of goods says nothing about whether or not price-fixing is occurring. In a fully-competitive market, there will be one market-clearing price for equivalent goods, just as there would be in a market with conspiratorial price-fixing. So the fact that all popular music CDs sell for about the same price tells us nothing about how that price is determined.
I read mail in Thunderbird with images turned off. Unfortunately it's an all-or-nothing choice. A better solution would allow me to right-click a specific blocked image and let it through. That way I could see the images I want to see but still keep those little 1x1 gifs from phoning home.
one license for one computer isn't too far fetched
Sure it is. Whatever happened to the licensing schemes that said that you could have multiple installations of a software program as long as you only used one at a time. Borland software had this licensing scheme on products like Sidekick from the beginning. Locking an OS to a specific hardware platform may make life easier for Microsoft, but it doesn't seem fair to me. This whole adventure treats all MS's customers as potential pirates. I'd rather deal with a company that trusts me.
I've been puzzled by the comments suggesting that Spamhaus somehow chose a poor legal strategy when they moved jurisdiction to the Federal courts. For instance, in the otherwise excellent discussion of these issues at http://blogs.securiteam.com/index.php/archives/664, Prince argues that Spamhaus's successful petition to move the case to Federal court "inherently acknowledged the jurisdiction of the federal court."
Assuming that Spamhaus wishes to argue that both the US state and Federal courts lack jurisdiction, don't they have to argue the Federal part of this issue in Federal court? Certainly they couldn't argue in Illinois state court that the Federal courts have no jurisdiction; that argument would be irrelevant in the state court. Didn't they have to first move the case to Federal court before they could contest whether the Federal court had jurisdiction?
ICANN's accredited registrar for www.spamhaus.org, is hereby ordered to suspend or place a client hold on www.Spamhaus.org
Is this the actual text of the order? Isn't it possible to comply with this order simply by abolishing www.spamhaus.org and keeping the various other hostnames which are used for IP lookups? Obviously ICANN can't ban a specific hostname, but couldn't Spamhaus make a token contribution to compliance by taking down www.spamhaus.org?
Sometimes the best strategy is to comply with the letter of the law, especially if it's written by someone who doesn't really understand what he or she is talking about!
As I understand it, the original case revolved around whether 360 was slandered by being listed on the Spamhaus website. Why not just remove them from the website listing, but keep them in the reverse domains? I admit I haven't read the legal documents involved in this case, but it sounds to me like there's room here for some fancy lawyering.
Could they not have provided the same information for the proprietary programs they tested? Would the world have ended if we discovered that Word had 476 defects?
Hell, even the names of the proprietary programs they tested would have been an improvement. We're still left wondering if they're comparing Apache to some 20-year-old proprietary CAD program at Boeing where most of the bugs have already been hunted down. How is that relevant to business executives trying to assess the relative value of proprietary and open-source software for their companies?
Note that I'm intentionally begging the question of whether aggregate bug counts are a meaningful measure of software quality, which I'd dispute as well.
I'm especially sad to see articles like this, which is essentially a puff-piece for Coverity, get the imprimatur of a widely-read publication like BusinessWeek. This is the kind of article you can imagine some mid-level executive waving around when the discussion of open-source comes up at her firm. "See, open-source is buggy and you can't trust it. It says so right here in Business Week!"
Web services strike me as an industry with very low barriers to entry. It didn't take a NewsCorp to create a MySpace (or a Facebook, Yahoo, etc.). The technological requirements for a MySpace, as others have noted, aren't all that great, nor are the costs to provide the service. Given that MySpace appeals primarily to a rather fickle market, I can certainly imagine some new, "cooler" competitor displacing MySpace, ruling the roost for a while, then losing out to the next cool site.
What, if anything, does MySpace bring to the table? It's not an Amazon, whose real competitive advantage derived from its linking the Web to an impressive retail merchandising operation that deals in physical objects. It's not a Google, whose advantage derived from inventing an effective method for ranking Web pages and tying it to commercial advertising. For MySpace to succeed it has to rely on network effects to attract visitors, because ultimately it's nothing more than a big database and a lot of online storage.
I actually think the indie bands aspect of MySpace might play a more central role in the years ahead, once the "social networking" boomlet has passed. While I certainly foresee a future where the entertainment cartels play a much smaller role in marketing artists, someone will still have to provide the infrastructure to enable artists to sell their creations directly to their publics. Just as eBay provided that service to millions of individual buyers and sellers, perhaps MySpace will become the central interaction point of the new music industry.
The US government cares about maintaining the competitive position of American firms in foreign markets. This is hardly new. Intellectual property is one of the areas where the US maintains a positive balance-of-trade with the rest of the world. US policymakers have worked for years to develop international systems that protect American rightsholders around the world.
I don't think there's any conspiracy here to impose US DRM solutions on foreigners. There is a concern to ensure that US firms receive compensation for the use of their copyrighted works overseas. If DRM helps American rightsholders preserve their revenue streams, then US policymakers are going to support it.
1) Before the election it's quite common for Diebold representatives to come in and upgrade the software on the device. As the Princeton researchers show, if one of the machines to be upgraded is infected with something like their boot-loader virus plus a malware payload, it's easy to infect the memory card used by the representative. Then upgrading the rest of the machines transfers the virus and the malicious payload. This would happen well in advance of the seals being affixed.
Slashdot Mirror
According to Symantec, Microsoft is withholding these APIs to give Vista's built-in AV software a leg up.
From the article:
Symantec privately alleges that Microsoft is withholding API information to delay its own Release to Manufacture versions of their software. If Microsoft ships Vista code to hardware vendors at the end of November, then Symantec and others must have their own Vista-ready security products ready to ship to their OEM hardware vendors at the same time. Without the APIs, that's impossible.
The most important issues concerned being locked out of the kernel by "PatchGuard" on 64-bit versions of Vista. Are the Avast, et. al., products you're describing designed for 64-bit platforms or 32-bit platforms? If you RTFA, you'll see that Symantec and McAfee are concerned about the future when all PCs are 64-bit and running Vista out-of-the-box.
You mean like, for instance, this bug: http://security.itworld.com/4352/020620apache/pfin dex.html
/tmp. I didn't notice it for a while until I saw some suspicious entries in my logs. Of course, since Apache runs chrooted as an unprivileged user, there wasn't much else the attacker could do.
/tmp that excludes the Apache user. Next time around I'll just give /tmp a separate partition with noexec enabled.
My Apache server was hacked via this (or some similar) exploit. The attacker installed an IRC bot in
For now I solved the problem by creating a group with write privileges to
Um, because the US is not the center of the universe?
The "licensed in the US" argument is irrelevant. These items infringe the copyrights of legitimate rights holders in another country that's also a member of WIPO. International treaties signed by the US have the force of law in the US.
Wouldn't this be a good strategy to boost the Google page-rank score as well? Have the zombies run a little web server with pages of paid-for links, and links to all the others. Suddenly it looks like millions of webmasters have decided your customer's page is really important. Even better, this method doesn't leave those traffic spikes in the logs.
I'd target a zombie newsgroup like this one http://games.groups.yahoo.com/group/shuffleboard/. These groups have no active members and collect nothing but spam. Wouldn't be hard to hide a few commands in amongst the Viagra offers.
I've used this particular group to track spam trends. For instance, look at the spam boomlet in this group at the end of 2003 after the Sobig http://en.wikipedia.org/wiki/Sobig_worm worm did its damage.
I hear lots about "data retention" but few specifics about what's supposed to be retained.
/how-to-build-a-dirty-bomb.html. How is that different from asking Blockbuster what movies I've rented or a public library what books I've checked out? These are matters on which there's a lot of legal precedent and settled law.
When most of America was on dialup, law enforcement officials could request the login/logout records of an ISPs subscriber. In principle that's no different from asking for a log of phone calls made. But in both cases the content of those transactions was protected from official view. In an always-on world, what are they asking for now?
Do most major ISPs proxy web requests? If so, they certainly can identify that IP address x.x.x.x, assigned to customer Joe Blow, visited site www.terrorizeyourcountry.ir at a specific time and requested
Perhaps some folks here with real experience working in ISPs could help us out here. What have you been asked to retain? DHCP logs? Web proxy logs? What else? (Note -- posting AC about this is probably a good idea.)
It's also the FBI agent's job to "support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same," as expressed in the Federal oath of office http://www.law.cornell.edu/uscode/html/uscode05/us c_sec_05_00003331----000-.html. In fact, that's his or her primary job. Too f-ing bad if these constitutional provisions make his or her job harder.
Perhaps not, but P2P sharing is still an infringing activity regardless of the legality of downloading since it involves both downloading and uploading. The act of uploading constitutes infringement because you are distributing a copyrighted work without the owner's permission.
Of course you could avoid this problem by setting your upload speed to zero, but then if everyone does that, there won't be anything available to download.
As someone pushing 60 myself, I generally agree with your remarks, but I don't think it's all about the politicians. (If anything, we need older people to work in these areas because they're likely to have more influence with the political elites.)
From where I sit, most "techies," especially the younger generation, have aligned themselves of late with political forces that are opposed to policies advocated by extremely powerful and wealthy organizations. Educating government officials about the virtues of open source, the application of fair-use principles to digital copyright issues, the value of open file formats, and the like, won't matter if their supporters can't wield any political muscle. As someone whose career has spanned academia, consulting and nonprofits, I'd love to spend the next decade working on moving these issues up the political agenda. That won't happen without organization, and while volunteerism can play a role here, money does matter.
If Schmidt thinks this is so important, maybe he should set up a foundation.
The FuzzyOCR plugin for spamassassin uses gocr to convert the image to text, then scores it based on the words it finds. This has helped a lot with gif spams, but there are still some that gocr can't seem to decode like this one: http://www.crystalmail.net/hgh.gif.
I especially liked the responses about the enthusiast and gaming markets. They all said how important these markets are to them. I suppose the smaller retailers might care about them because they can't compete with the Dells and HPs on price, but Dell? What proportion of the PCs that go out their door do you think are designed for gaming? I'd bet it's way under 10%. I'm sure few, if any, of their large corporate clients care about having machines designed to play Oblivion.
I would have loved to hear one of them say, "No, those markets aren't that important to us. We're concentrating on the business market." But, then, unlike most Slashdot readers, I don't think PC gaming's all that important either.
I wondered about the punctuation of this sentence in the article. There's quite a difference between:
"A whole lot. Less than we see on television every night."
and
"A whole lot less than we see on television every night."
The former version reinforces the "There's a lot of violence" sentence before it; the latter makes a comparison. I wonder what the judge really meant to say.
I'm really puzzled why anyone continues to accept mail with executable attachments of any kind.
/etc/procmailrc file that scanned the message body for executable attachments.
.exe, etc.
When I first started fighting viruses and spam for my clients, the very first thing we did was block executable files at the mail server. This was in 1997 and required nothing more than a simple
Nowadays, of course, we have much more full-featured software like MailScanner to handle this. This isn't really rocket science, folks. 99+% of people in most organizations have no reason to receive an executable file; if they don't get them, they can't run them.
The new vector seems to be email with clickable links that redirect to an executable. One solution is obviously to install a browser like Firefox that won't run a downloaded file by default, but that still enables lusers to download the file to the desktop then run it. Our current solution for this problem is blocking executables with Squid. Push all web requests through the proxy transparently and block access to URLs ending in
I really don't understand why policies like these aren't SOP at all organizations, especially organizations large and wealthy enough to have executives worth targeting with malware.
I was intrigued by the "dismissed with prejudice" line. What precisely does that mean? That the RIAA cannot sue him again? Inquiring minds....
Technology indicates that pre recorded music should be much cheaper than what it is, yet you look on the shelves-and it isn't?
And the evidence for this statement is?
Economic theory tells us that looking at the price of goods says nothing about whether or not price-fixing is occurring. In a fully-competitive market, there will be one market-clearing price for equivalent goods, just as there would be in a market with conspiratorial price-fixing. So the fact that all popular music CDs sell for about the same price tells us nothing about how that price is determined.
There goes what's left of my karma, I'm sure.
1) I "disarm" IFRAMES at the server using MailScanner.
2) There's still the problem of images phoning home.
I don't really understand why you felt compelled to YELL.
I read mail in Thunderbird with images turned off. Unfortunately it's an all-or-nothing choice. A better solution would allow me to right-click a specific blocked image and let it through. That way I could see the images I want to see but still keep those little 1x1 gifs from phoning home.
one license for one computer isn't too far fetched
Sure it is. Whatever happened to the licensing schemes that said that you could have multiple installations of a software program as long as you only used one at a time. Borland software had this licensing scheme on products like Sidekick from the beginning. Locking an OS to a specific hardware platform may make life easier for Microsoft, but it doesn't seem fair to me. This whole adventure treats all MS's customers as potential pirates. I'd rather deal with a company that trusts me.
Thanks for the clarification.
4 , Prince argues that Spamhaus's successful petition to move the case to Federal court "inherently acknowledged the jurisdiction of the federal court."
I've been puzzled by the comments suggesting that Spamhaus somehow chose a poor legal strategy when they moved jurisdiction to the Federal courts. For instance, in the otherwise excellent discussion of these issues at http://blogs.securiteam.com/index.php/archives/66
Assuming that Spamhaus wishes to argue that both the US state and Federal courts lack jurisdiction, don't they have to argue the Federal part of this issue in Federal court? Certainly they couldn't argue in Illinois state court that the Federal courts have no jurisdiction; that argument would be irrelevant in the state court. Didn't they have to first move the case to Federal court before they could contest whether the Federal court had jurisdiction?
ICANN's accredited registrar for www.spamhaus.org, is hereby ordered to suspend or place a client hold on www.Spamhaus.org
Is this the actual text of the order? Isn't it possible to comply with this order simply by abolishing www.spamhaus.org and keeping the various other hostnames which are used for IP lookups? Obviously ICANN can't ban a specific hostname, but couldn't Spamhaus make a token contribution to compliance by taking down www.spamhaus.org?
Sometimes the best strategy is to comply with the letter of the law, especially if it's written by someone who doesn't really understand what he or she is talking about!
As I understand it, the original case revolved around whether 360 was slandered by being listed on the Spamhaus website. Why not just remove them from the website listing, but keep them in the reverse domains? I admit I haven't read the legal documents involved in this case, but it sounds to me like there's room here for some fancy lawyering.
Why, "of course"?
Could they not have provided the same information for the proprietary programs they tested? Would the world have ended if we discovered that Word had 476 defects?
Hell, even the names of the proprietary programs they tested would have been an improvement. We're still left wondering if they're comparing Apache to some 20-year-old proprietary CAD program at Boeing where most of the bugs have already been hunted down. How is that relevant to business executives trying to assess the relative value of proprietary and open-source software for their companies?
Note that I'm intentionally begging the question of whether aggregate bug counts are a meaningful measure of software quality, which I'd dispute as well.
I'm especially sad to see articles like this, which is essentially a puff-piece for Coverity, get the imprimatur of a widely-read publication like BusinessWeek. This is the kind of article you can imagine some mid-level executive waving around when the discussion of open-source comes up at her firm. "See, open-source is buggy and you can't trust it. It says so right here in Business Week!"
Web services strike me as an industry with very low barriers to entry. It didn't take a NewsCorp to create a MySpace (or a Facebook, Yahoo, etc.). The technological requirements for a MySpace, as others have noted, aren't all that great, nor are the costs to provide the service. Given that MySpace appeals primarily to a rather fickle market, I can certainly imagine some new, "cooler" competitor displacing MySpace, ruling the roost for a while, then losing out to the next cool site.
What, if anything, does MySpace bring to the table? It's not an Amazon, whose real competitive advantage derived from its linking the Web to an impressive retail merchandising operation that deals in physical objects. It's not a Google, whose advantage derived from inventing an effective method for ranking Web pages and tying it to commercial advertising. For MySpace to succeed it has to rely on network effects to attract visitors, because ultimately it's nothing more than a big database and a lot of online storage.
I actually think the indie bands aspect of MySpace might play a more central role in the years ahead, once the "social networking" boomlet has passed. While I certainly foresee a future where the entertainment cartels play a much smaller role in marketing artists, someone will still have to provide the infrastructure to enable artists to sell their creations directly to their publics. Just as eBay provided that service to millions of individual buyers and sellers, perhaps MySpace will become the central interaction point of the new music industry.
The US government cares about maintaining the competitive position of American firms in foreign markets. This is hardly new. Intellectual property is one of the areas where the US maintains a positive balance-of-trade with the rest of the world. US policymakers have worked for years to develop international systems that protect American rightsholders around the world.
"Foreign sales account for fifty percent of the revenues of the US record industry," according to this statement by an RIAA spokesperson before Congress. The figures for movies aren't very different; nearly half of all movie revenues come from countries outside the US and Canada.
I don't think there's any conspiracy here to impose US DRM solutions on foreigners. There is a concern to ensure that US firms receive compensation for the use of their copyrighted works overseas. If DRM helps American rightsholders preserve their revenue streams, then US policymakers are going to support it.
1) Before the election it's quite common for Diebold representatives to come in and upgrade the software on the device. As the Princeton researchers show, if one of the machines to be upgraded is infected with something like their boot-loader virus plus a malware payload, it's easy to infect the memory card used by the representative. Then upgrading the rest of the machines transfers the virus and the malicious payload. This would happen well in advance of the seals being affixed.
2) After reading Avi Rubin's blog entry about his experiences in Maryland, I wouldn't place too much faith in seals.