Why do I find it much more likely that this guy stole the idea from a patent application on his desk which belonged to a recently deceased individual? The idea that he, a patent lawyer, came up with something himself which contributes to society directly completely spoils the suspension of disbelief.
You didn't even read the article, did you? This was a hardhack.
Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.
Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.
The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory.
It also amuses me that TFS makes the point of blaming "proprietary" solutions. Exactly how would this attack have been prevented by using open source?
Protected Mode is the "sandbox" feature present in IE7 and IE8. It uses UAC that's in both Vista and 7 to run in an even more limited fashion, but not in XP. If you've got UAC disabled, you're not running Protected Mode and you're vulnerable. There are other ways which Protected Mode can be disabled.
For quite awhile I was getting 10 and 15 points, but after burning some karma defending things the SlashDot hivemind dislikes, I'm back to getting only 5. I'm glad. Now I don't feel like I'm wasting so many points all the time as even now I usually have 1-2 expire.
Yes, it only deserves a rating of Moderate. It's not remote and requires local user intervention. This is pretty much the definition of a moderate vulnerability.
Well, look at the vulnerability. It's in the Virtual DOS Machine. That means you have to get 16-bit code onto the system and then make Windows execute it. So, in order to exploit the vulnerability, you've already got to have local access. No wonder Microsoft is dragging their feet. It's only exploitable in cases where you can already gain access to the system. If you're not logged on, I don't see any way to exploit this. It's not like you could even put 16-bit code in a buffer overrun and expect the kernel to execute it. It's got to be run through the NT Virtual Dos Machine or Windows-on-Windows, or it's not executable code.
I'm sure someone will correct me if I'm wrong, but AFAIK there's no possible way to remotely exploit this (outside of another vulnerability). It's a Moderate vulnerability at best.
Why? Each application on a machine is that many more potential vulnerabilities which need to be managed for risks. If users are allowed to install applications that aren't managed by IT, they cannot guarantee the security of the network or the integrity of the systems. Google Chrome may have privacy issues which make it unacceptable for use, for example. Plus, it automatically updates, which may or may not cause problems of it's own (if it breaks, consumes too much network bandwidth, etc.).
This was kind of the reason the user/admin dichotomy was created. It's pretty basic stuff. Chrome makes it easy for users to ignore IT policy by ignoring the conventions for Windows programs.
Corporate IT departments don't want to deploy Firefox, Chrome, or Safari because they can't be centrally managed. There is no equivalent to the IEAK. Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory. Additionally, adding Firefox means you've also got to support that in addition to IE. Switching away from IE doesn't mean you can stop supporting it; it's a core OS component.
Yeah, that answer is really going to spur adoption of Firefox in the corporate world. Now -- in addition to deploying and supporting an additional web browser -- you're asking them to learn how to package it and test the package, too. You're simply reinforcing the "FOSS is only free if your time has no value" argument.
If you go into Options and turn off storage of History then the performance issue all but disappears. A good idea for a thumb drive, but doesn't make much sense if you're mapping profiles over a network.
Madden '07 sold 2 million copies the first week it was available. Microsoft claimed to have logged 228 years worth of game time played on their servers in the same time frame.
Knowing how to calculate the nth digit of Pi itself is slightly retarded.
The observable universe is about 50 billion light years across, which is about 4.27 * 10^26 meters. If we take a ring of atoms each roughly 1 Angstrom (10^-10 meters) apart with a diameter the size of the observable universe and want to determine the circumference of the resulting circle, then knowing Pi to 40 or so places is sufficient that the error caused by the atoms themselves is greater than that introduced by using an approximate value for Pi. Knowing Pi to 40 or so places is sufficient that you can calculate the difference in circumferences of the inner diameter of the ring and outer diameter of the ring.
Knowing Pi to 40 places is basically sufficient for describing our entire universe and anything you could put into it. We've known the first 35 for four hundred years, and we've never needed that much information to describe our universe.
I haven't researched it, but I'd be willing to bet that the additions added to NTFS since Windows XP (volume shadow copies among other things) may not be supported by the Linux drivers. Not a huge problem, but something to keep in mind.
I think it's more likely we'll see tort reform, which will probably make it so that only the most wealthy individuals and corporations can risk a lawsuit. Small companies like i4i will then no longer have options. If we're lucky, the tort reform will also affect patent and copyright trolls, but I'm pretty sure whatever they do to fix it will probably increase the durability of IP overall and generally punish everyone else.
If they can somehow ensure that the identity of the bank's customers will not be released or revealed, then I have no problem with the books being opened.
Use in a commercial product more or less necessitates distribution, which is exactly the kind of "use" the GPL applies to and exactly the kind of "use" these companies have done.
If Imeem is bankrupt, it may not be legal for them to sell assets without compensating or making good on their debts. Any monies that result from the sale of Imeem assets should go towards the debt.
Slashdot Mirror
Why do I find it much more likely that this guy stole the idea from a patent application on his desk which belonged to a recently deceased individual? The idea that he, a patent lawyer, came up with something himself which contributes to society directly completely spoils the suspension of disbelief.
You must be a software developer. While technically fulfilling what was asked for, you managed to satisfy none of the goals of the request.
It's a quote. I'd cite it in the .sig but /. truncates it.
http://en.wikipedia.org/wiki/H%C3%A9lder_C%C3%A2mara
You didn't even read the article, did you? This was a hardhack.
It also amuses me that TFS makes the point of blaming "proprietary" solutions. Exactly how would this attack have been prevented by using open source?
Protected Mode is the "sandbox" feature present in IE7 and IE8. It uses UAC that's in both Vista and 7 to run in an even more limited fashion, but not in XP. If you've got UAC disabled, you're not running Protected Mode and you're vulnerable. There are other ways which Protected Mode can be disabled.
It's best to check out the blog entry on the MSRC and the Knowledge Base article.
We now return to your regularly scheduled Microsoft bashing and Linux referrals already in progress.
For quite awhile I was getting 10 and 15 points, but after burning some karma defending things the SlashDot hivemind dislikes, I'm back to getting only 5. I'm glad. Now I don't feel like I'm wasting so many points all the time as even now I usually have 1-2 expire.
Yes, it only deserves a rating of Moderate. It's not remote and requires local user intervention. This is pretty much the definition of a moderate vulnerability.
The industry appears to agree with me:
http://secunia.com/advisories/38265/
http://www.vupen.com/english/advisories/2010/0179
Well, look at the vulnerability. It's in the Virtual DOS Machine. That means you have to get 16-bit code onto the system and then make Windows execute it. So, in order to exploit the vulnerability, you've already got to have local access. No wonder Microsoft is dragging their feet. It's only exploitable in cases where you can already gain access to the system. If you're not logged on, I don't see any way to exploit this. It's not like you could even put 16-bit code in a buffer overrun and expect the kernel to execute it. It's got to be run through the NT Virtual Dos Machine or Windows-on-Windows, or it's not executable code.
I'm sure someone will correct me if I'm wrong, but AFAIK there's no possible way to remotely exploit this (outside of another vulnerability). It's a Moderate vulnerability at best.
Why? Each application on a machine is that many more potential vulnerabilities which need to be managed for risks. If users are allowed to install applications that aren't managed by IT, they cannot guarantee the security of the network or the integrity of the systems. Google Chrome may have privacy issues which make it unacceptable for use, for example. Plus, it automatically updates, which may or may not cause problems of it's own (if it breaks, consumes too much network bandwidth, etc.).
This was kind of the reason the user/admin dichotomy was created. It's pretty basic stuff. Chrome makes it easy for users to ignore IT policy by ignoring the conventions for Windows programs.
How is this a troll? What he said is true.
Corporate IT departments don't want to deploy Firefox, Chrome, or Safari because they can't be centrally managed. There is no equivalent to the IEAK. Chrome is particularly loathed by IT departments because you can download it, install it, and run it as a user because the program only installs to the user's application directory. Additionally, adding Firefox means you've also got to support that in addition to IE. Switching away from IE doesn't mean you can stop supporting it; it's a core OS component.
Hey, the best thing about that movie was Lea Thompson, and she didn't need any special effects at all!
Yeah, if it's one thing that George Lucas has proven, it's that good special effects don't make a good movie.
Just like amazing graphics don't make a good game.
Yeah, that answer is really going to spur adoption of Firefox in the corporate world. Now -- in addition to deploying and supporting an additional web browser -- you're asking them to learn how to package it and test the package, too. You're simply reinforcing the "FOSS is only free if your time has no value" argument.
You've obviously never worked in business IT.
There are entire websites devoted to business apps behaving badly.
If you go into Options and turn off storage of History then the performance issue all but disappears. A good idea for a thumb drive, but doesn't make much sense if you're mapping profiles over a network.
No, but that combination would make for an awfully good weapon.
Well, at least you can be a door-to-door window salesman. That's more than most sociology graduates.
Madden '07 sold 2 million copies the first week it was available. Microsoft claimed to have logged 228 years worth of game time played on their servers in the same time frame.
Knowing how to calculate the nth digit of Pi itself is slightly retarded.
The observable universe is about 50 billion light years across, which is about 4.27 * 10^26 meters. If we take a ring of atoms each roughly 1 Angstrom (10^-10 meters) apart with a diameter the size of the observable universe and want to determine the circumference of the resulting circle, then knowing Pi to 40 or so places is sufficient that the error caused by the atoms themselves is greater than that introduced by using an approximate value for Pi. Knowing Pi to 40 or so places is sufficient that you can calculate the difference in circumferences of the inner diameter of the ring and outer diameter of the ring.
Knowing Pi to 40 places is basically sufficient for describing our entire universe and anything you could put into it. We've known the first 35 for four hundred years, and we've never needed that much information to describe our universe.
No, that would be heresy.
I haven't researched it, but I'd be willing to bet that the additions added to NTFS since Windows XP (volume shadow copies among other things) may not be supported by the Linux drivers. Not a huge problem, but something to keep in mind.
I think it's more likely we'll see tort reform, which will probably make it so that only the most wealthy individuals and corporations can risk a lawsuit. Small companies like i4i will then no longer have options. If we're lucky, the tort reform will also affect patent and copyright trolls, but I'm pretty sure whatever they do to fix it will probably increase the durability of IP overall and generally punish everyone else.
If they can somehow ensure that the identity of the bank's customers will not be released or revealed, then I have no problem with the books being opened.
Use in a commercial product more or less necessitates distribution, which is exactly the kind of "use" the GPL applies to and exactly the kind of "use" these companies have done.
If Imeem is bankrupt, it may not be legal for them to sell assets without compensating or making good on their debts. Any monies that result from the sale of Imeem assets should go towards the debt.