Good for you, and I mean that sincerely. I use Linux myself.
I don't know that it was really fair of Microsoft to continue selling Windows XP for so long without making it painfully clear to buyers that it was so close to losing all support. Microsoft really got stuck in a tough place. Vista really needed a bit more polish, and third-party developers weren't ready for Vista, which made its problems much worse. Following the issues with Vista, people demanded that Microsoft continue to support XP and keep it available. I don't express unreasonable hatred for Microsoft, but they did cause a lot of their own problems. They had a lot of help, though. Hopefully, Microsoft has learned some valuable lessons. They lost my individual business a long time ago, but they are still relevant and they can stay relevant if they keep working to improve.
I'm not defending Microsoft, and when I say "more recent operating system", that includes recent versions of Linux and other operating systems. My points about the importance of staying current are certainly valid.
So much of what you have said is catastrophically wrong. Security updates are a proactive defense and easily one of the most important things you can do to protect your system. This includes operating system updates and updates for all of the software installed on the system. Anti-malware products, egress firewalls and other such security products are retroactive defenses. They cannot make up for operating system vulnerabilities. They should be considered the last line of defense, not the first.
Additionally, an aged operating system is not "weathered" into a superior condition. That isn't how software development works. Newer products do indeed contain new code that can introduce new vulnerabilities, but they also contain old code that has been improved and code written with improved tools and techniques to avoid old and known problems. The small, often back-ported patches released as security updates will never bring an old code base up to an optimal condition. Security updates have not added the improved privilege separation, stack protection or various other security improvements present in Windows 7 to Windows XP, and they never will.
You are correct that many security products are bloated, and in some cases they do more harm than good. It is important to stick with security products that fit your needs, have up-to-date protection and in general do the job they are advertised to do without introducing more trouble than they prevent.
An '88 year model would have mirrors, signal lights, safety belts, an emergency braking system, and the ability to travel at highway speeds. In essence, it has the features necessary to keep it from being an unreasonable hazard to others on the highway should you choose to drive it there. A key word in that sentence is "unreasonable". At what point does a lack of the current security/safety features constitute an unreasonable risk to your peers? In my opinion, that point for computer operating systems is when the operating system vendor discontinues supplying security patches. For cars, I think that point is where there is a significant, measurable increase in the likelihood the vehicle will be involved in an accident as a result of the missing updates.
We typically haven't gone to great lengths to force people to replace older, more dangerous vehicles. It usually isn't necessary. By the same token, no extraordinary measures are being taken to force people to upgrade from Windows XP. Microsoft is not going to try to shut down computers running XP, nor will they try to force an upgrade. They will push newer versions at every opportunity, just as vehicle makers and sellers do. Operating systems don't generally have parts that have to be replaced like tires and wipers, and you can continue using XP and all of the things you currently have on it. My argument is that if you want to continue operating on the same highway as the rest of us, you need to upgrade before you become a danger. If you fail to do so, it is my opinion that anyone else harmed as a result should be able to hold you liable for your part, just as you could be held responsible for driving a vehicle without signal lights and causing a collision as a result.
Your car doesn't hold 5 years of email history, and nor does your shirt. If the hard drive in your old computer dies, you may lose files you want to keep, such as your email history. If you aren't staying up with changing platforms, then it will become increasingly difficult to keep your things safe and usable on current technology. If you still had your email on a Windows 98 machine, your computer started to fail and you wanted to switch to a computer running Windows 7, you might find it quite a challenge to get that mail moved over. You'd also have a lot of other major changes to deal with. It will typically be easier to stay current than to make the leaps and bounds across more than a decade of changes.
That very much depends upon how you define "safe enough". There are known, unpatched vulnerabilities in Windows XP. See Secunia's advisory database for examples. Furthermore, XP's defensive capabilities are outdated. I'm certainly not arguing that newer platforms are invulnerable, but they benefit from technologies and practices that have been created or honed over the last decade. At an even lower level than DEP, ASLR and the like, Windows 7 does a far better job of handling privilege separation, which goes a long way in mitigating risk from vulnerabilities. I personally prefer Linux, but I know better than to advocate switching to everyone. Windows Vista and Windows 7 still represent marked improvements over Windows XP, even now while the patches for XP are still coming.
I'm sure there will be plenty of posts here about how XP still works, how it fits the needs of some people, etc.
Even if you had a working Ford Model T, you couldn't safely use it on today's highways. Running Windows XP on today's Internet is far more dangerous, both for the operator and for everyone else, than running a more recent operating system. It will become far more hazardous after the patches stop flowing. There is a shrinking window for people to make the transition before the patches stop, and everyone still using XP would do well to take advantage of that window before it disappears.
Face the facts. The malware problem today is the result of large, highly-profitable, highly-competitive criminal empires. These programs are written by hired developers working in a business infrastructure, not random script kiddies locked away in their parents' basements. The developers creating this malware are typically doing so on Windows systems, though much of the delivery infrastructure does run on other platforms. It has nothing to do with ideology, vendettas, social failures or platform choices. It's all about the money.
Malicious authors would love that - another angle for them to take advantage of. Anyone with a clue isn't going to trust a polite virus unless they've been told to expect it, and by the time they've been told this polite virus is friendly, the malicious authors will already be using polite messages to get users clicking where they want them to.
An arms race against an opponent that knows no boundaries is typically futile.
It would be extremely difficult to develop a virus that could effectively spread and eliminate other infections without stooping to the same low levels as the malicious developers, at which point the friendly virus isn't so friendly anymore.
Sophos is right that such a counter-attack launched on a managed network with security-aware personnel capable of removing the malicious infections and performing a proper investigation is only going to complicate matters.
...when I see a company developing robotic exoskeletons for humans run by a CEO named Bender. This development could cover both "embrace" and "extend". I think we all know what comes next.
Windows Phone 7 is actually the only current phone with no known exploits. Both Android and iPhone have exploits (even though users usually label them as rooting their phones, but essentially it's the same).
TFTFY
If new tokens are not issued, I'm sure the community will start looking for, and will find, such exploits.
Unfortunately, it seems the court's decision with regard to the retroactive immunity is correct. The legal basis to challenge the new law simply does not exist. The blame should rest on Congress for passing such a law.
"It could probably be shown by facts and figures that there is no distinctively native American criminal class except Congress." - Mark Twain
Different tools for different goals.
When you need to recreate the functionality of an existing application in a new application, as would be the case if you wanted to create a Facebook competitor, you may want the source code of the existing application.
When you want to integrate your new application with one that already exists, as would be the case if you are creating a complementary or dependent project, you want SDKs/APIs.
Developers do frequently use the APIs published for toolkits (jQuery, for example) and often load those toolkits from a third-party hosting service (like Google's, for example). This does create a dependency that would need to be updated if the hosting service made an incompatible change or discontinued their service, and that is something that developers need to keep in mind.
When developers tie into the APIs of platforms like Facebook and Twitter, it would usually do them no good to have access to the source code, as they are usually trying to tie into those existing platforms to connect with their user bases. If the developer chooses to make their application dependent upon a third-party API, that is a strategic decision and the commitment is theirs to make. It makes sense if the purpose of the application is dependent upon the third-party platform.
As for published APIs interfering with open source development, I think it is possible that developers may choose to use proprietary products with published APIs rather than implement an open source solution. An example might be a developer choosing to use Google Charts rather than integrating gnuplot into their project. This might have some impact on the momentum of some open source projects, but the examples given in the summary are way off. A developer choosing to use an API published by Facebook for Facebook integration is not taking anything away from open source software.
Yeah... you killed it.
That's the way it used to be. You must be new here.
I am offended by all pictures containing mirrors. I demand that all social networks immediately terminate all profiles featuring photographs with mirrors in them! Or displaying their captive animals they call "pets" (how abusive!) Or holding alcohol - don't they have any respect for the alcoholics they're teasing?! Then there are those photos of people grappling others. They call it hugging and try to make it look all chummy, but I can see their unbridled violence! While they're at it, they can get rid of all of those profiles with pictures of people baring their teeth - there are so many of those! There are also many profiles with pictures that are straining to look at - out of focus, poorly lit or colored, or otherwise difficult to look at. It is so very offensive for people to post such pictures. I'm sure if they remove all of these offending profiles, the social networks would be better, happier places!
Oh, that's simple: it's all a joke... a really bad joke.
...with blackjack and hookers. In fact, forget the farming and cities!
I thought the first rule of a climate crisis was to not talk about the climate crisis. At least that's the impression I get.
I refer (in jest) to patenting the methods of parsing the hash table, not to the practice of parsing the hash table (which could be seen as an obvious necessity of handling POST data.) This is all just pedantry, however. My point was simply to make fun of the popular issue of software patents by pointing to a potential benefit that would have actually been a cure worse than the disease.
...that is, they must implement a new collision resolution strategy that avoids the problem described in the advisory.
There are also other ways of mitigating this problem in web servers without addressing the root problem.
They don't necessarily have to replace a hash function. They have to implement collision resolution.
That's also giving Microsoft too much credit. They were informed of the vulnerability ("responsible disclosure") last month.
That the DDoS exists is yesterday's news (never mind that it didn't make the Slashdot front page.) The point of this post is that Microsoft is issuing an out-of-band update. A security-aware and in-touch admin should have already learned of the n.runs advisory yesterday. If they were really on top of things, they may have been aware of the potential danger as far back as 2003.
See, everyone here complains that patents are always causing trouble, forcing each developer to do something a little differently to avoid infringing on another patent. If the techniques used for parsing the hash tables had been patented, forcing each server developer to come up with their own unique implementation that didn't mimic the techniques of the others, then this whole situation might only have impacted one or two server technologies. Now, all of these different server technologies using similar implementations are all affected by this single type of attack. With all of the diversity that patents enforce, they could have prevented a single attack like this from affecting so many implementations at once!
[/sarcasm]