You also can't hide from a different installation of Windows that has the infected disk mounted.
In theory (assuming a sufficiently naive theory) that is true. In practice, all it takes is Explorer and something like a few WMF files. Heck, Explorer renders HTML for its thumbnail view, so it probably wouldn't be too hard for an attacker to find an exploitable bug somewhere in that code path.
Isn't ReiserFS GPL-licensed? Microsoft would probably have to license the code from Namesys (or release Windows under the GNU GPL -- fat chance!). I have no idea what they (Namesys) are charging.
If you read the announcement, you'll find that there are still bugs (at least that's the way I interpret it). However, they're bugs that Windows chkdsk will find and fix.
The next big step for the driver will be when it can mark the filesystem as "clean", so that chkdsk doesn't need to be loaded.
Please note that, this being a Slashdot post, I could be totally talking out of my ass here.
One nice thing is that Microsoft can't change things willy-nilly with NTFS as it could with, for example, the Word file format. The worst problem with NTFS write support is that a naive driver can cause data corruption. Once the free/open-source driver is sophisticated enough, there won't be much Microsoft will be able to do to exclude it, except by adding new optional features. There will come a point where anything that Microsoft does to break the free driver will also break older versions of its own drivers. Microsoft can't really afford to let that happen, since once thing businesses will not tolerate is a file system that arbitrarily loses data, especially since NTFS is currently viewed as being very stable in the Windows-using world.
Breaking filesystems is much more drastic than breaking network protocols. The only thing that Microsoft could do that would effectively deter users of the free driver is to make it (and any older version of Microsoft's own NTFS drivers) cause data corruption. Even Microsoft isn't stupid enough to do that.
Performance problems are a well-known fundamental problem with microkernel architectures that use user-mode processes.
It's a widely-believed myth, mainly due to the poor performance of bloated first-generation microkernels like Mach, although I suppose it probably also applies to Linux when Linux acts as a microkernel.
Google is your friend.
Just because Linus Torvalds thought something was impossible during the 1990s doesn't make it so, so I suggest you skip the infamous Linus vs. AST discussion from that time period.
The reality is that:
Microkernel architectures are hard to design. This is suspected as being the real reason why they are not very popular today.
Monolithic kernel architectures are prone to insecurities. There is just way too much privileged code, and too many failure scenarios.
Unlike Linus, some people are actually devoting much of their time to solving these problems. AST is one such person. See this page on the subject.
No, I haven't heard about the MD5 and SHA-1 "breaks". What I have heard about is the MD5 and SHA-1 _collision_ scenarios. That's vastly different from a break.
That's an odd statement to make. If you have an algorithm that is claimed to be a collision-resistant hash function, and you can find a collision in fewer operations than brute force, then the algorithm is broken.
Breaking a cipher doesn't necessarily mean nding a practical way for an eavesdropper to recover the plaintext from just the ciphertext. In academic cryptography, the rules are relaxed considerably. Breaking a cipher simply means finding a weakness in the cipher that can be exploited with a complexity less than brute-force. Never mind that brute-force might require 2^128 encryptions; an
attack requiring 2^110 encryptions would be considered a break. Breaks might also
require unrealistic amounts of known or chosen plaintext---2^56 blocks---or unrealistic amounts of storage: 2^80 . Simply put, a break can just be a "certicational
weakness": evidence that the cipher does not perform as advertised.
Successful cryptanalysis might mean showing a break against a reduced-round
variant of the cipher---8-round DES versus the full 16-round DES, for example
or a simplied variant of the cipher. Most breaks start out as cryptanalysis
against reduced-round variants, and are eventually (maybe years later) extended
to the full cipher. In fact, a break on a reduced-round version of a cipher is often
a publishable result.
If you read the literature, you'll find that Bruce is correct.
From the same author, here is the announcement of the SHA-1 break:
February 15, 2005 SHA-1 Broken
SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.
If you had searched Google for SHA-1 broken, you could have figured that out yourself. Please do some fact-checking next time.
Subtle difference: It killed it by patenting the encoding scheme for the records.
The fact is that it is illegal to use a large number of protocols, and software in general, in the U.S. because of patent law. The mechanisms by which the law does this are properly referred to as details, not differences.
Nice rhetoric, but you neglect the fact that "normal operations" on the Internet includes operating in an adversarial environment. There is no reason why Microsoft or anyone else should get special treatment regarding the public disclosure of vulnerabilities. As a competitor to Microsoft, if my computer is vulnerable to executing arbitrary code, I don't want to have to trust that Microsoft won't exploit that vulnerability to further its own ends, nor do I want to have to trust that Microsoft employees won't leak the information to malevolent third parties. Instead, I want to know now that my software is vulnerable, so that I can take the necessary precautions.
With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications?
Tough. The jackasses who have been peddling broken software for years, making phony claims about its "security", are the ones to blame.
News flash: The software was always vulnerable to these attacks. Blaming the guy who publishes exploits (with source code) is like blaming the auditors for disclosing your accounting fraud. Your books were cooked regardless of whether or not the auditors told anyone.
Actually, your response reflects much of what is wrong with the world.
If you're going to use qualifiers like "actually", could you provide, you know, evidence, or heck, even arguments? Rhetoric may make youand your buddies feel good, but it really isn't going to convince anyone who doesn't already agree with you, unless they're complete morons, in which case you probably don't care what they think anyway.
Slashdot Mirror
Microsoft tried with Sender-ID...
Hey, you just pulled that distinction out of your ass! That's not allowed!
The largest economic power in the world can't afford to build more prisons? Is there any data to support your claim of overcrowding?
IIRC, quantum entanglement can't be used to communicate information.
Why is that kind of behaviour tolerated in your prisons?
In theory (assuming a sufficiently naive theory) that is true. In practice, all it takes is Explorer and something like a few WMF files. Heck, Explorer renders HTML for its thumbnail view, so it probably wouldn't be too hard for an attacker to find an exploitable bug somewhere in that code path.
Crap. I used <blockquote> where I meant to use <p>.
'Preview'? On Slashdot? You must be joking, right?
The next big step for the driver will be when it can mark the filesystem as "clean", so that chkdsk doesn't need to be loaded.
Please note that, this being a Slashdot post, I could be totally talking out of my ass here.
ntfsresize doesn't work for you?
One nice thing is that Microsoft can't change things willy-nilly with NTFS as it could with, for example, the Word file format. The worst problem with NTFS write support is that a naive driver can cause data corruption. Once the free/open-source driver is sophisticated enough, there won't be much Microsoft will be able to do to exclude it, except by adding new optional features. There will come a point where anything that Microsoft does to break the free driver will also break older versions of its own drivers. Microsoft can't really afford to let that happen, since once thing businesses will not tolerate is a file system that arbitrarily loses data, especially since NTFS is currently viewed as being very stable in the Windows-using world.
Breaking filesystems is much more drastic than breaking network protocols. The only thing that Microsoft could do that would effectively deter users of the free driver is to make it (and any older version of Microsoft's own NTFS drivers) cause data corruption. Even Microsoft isn't stupid enough to do that.
It's a widely-believed myth, mainly due to the poor performance of bloated first-generation microkernels like Mach, although I suppose it probably also applies to Linux when Linux acts as a microkernel.
Just because Linus Torvalds thought something was impossible during the 1990s doesn't make it so, so I suggest you skip the infamous Linus vs. AST discussion from that time period.
The reality is that:
Unlike Linus, some people are actually devoting much of their time to solving these problems. AST is one such person. See this page on the subject.
That's an odd statement to make. If you have an algorithm that is claimed to be a collision-resistant hash function, and you can find a collision in fewer operations than brute force, then the algorithm is broken.
Quoting from Bruce Schneier's Self-study course in block cipher cryptanalysis:
If you read the literature, you'll find that Bruce is correct.
From the same author, here is the announcement of the SHA-1 break:
If you had searched Google for SHA-1 broken, you could have figured that out yourself. Please do some fact-checking next time.
The fact is that it is illegal to use a large number of protocols, and software in general, in the U.S. because of patent law. The mechanisms by which the law does this are properly referred to as details, not differences.
Nice rhetoric, but you neglect the fact that "normal operations" on the Internet includes operating in an adversarial environment. There is no reason why Microsoft or anyone else should get special treatment regarding the public disclosure of vulnerabilities. As a competitor to Microsoft, if my computer is vulnerable to executing arbitrary code, I don't want to have to trust that Microsoft won't exploit that vulnerability to further its own ends, nor do I want to have to trust that Microsoft employees won't leak the information to malevolent third parties. Instead, I want to know now that my software is vulnerable, so that I can take the necessary precautions.
Tough. The jackasses who have been peddling broken software for years, making phony claims about its "security", are the ones to blame.
News flash: The software was always vulnerable to these attacks. Blaming the guy who publishes exploits (with source code) is like blaming the auditors for disclosing your accounting fraud. Your books were cooked regardless of whether or not the auditors told anyone.
This is nothing less than a free speech issue.
Protocols are inventions, but it is very hard to claim that patented protocols would benefit the public or increase innovation.
Also, effectively, some protocols are patentable, at least in the US. Otherwise Microsoft wouldn't have been able to kill the IETF Sender-ID protocol.
Apparently you never heard of the MD5 and SHA-1 breaks.
+5, Insightful, WTF?
It's one thing to criticize the Chinese government, or even the Chinese people for tolerating the Chinese government, but what insight is shown here?
... switch to emacs! If you're running X, also switch to ratpoison. No mouse required!
I can't: I'm at work.
Because obviously intelligence is best rated on a one-dimensional scale.
If you're going to use qualifiers like "actually", could you provide, you know, evidence, or heck, even arguments? Rhetoric may make youand your buddies feel good, but it really isn't going to convince anyone who doesn't already agree with you, unless they're complete morons, in which case you probably don't care what they think anyway.
I'd be careful. Your "lawyer buddies" are probably already tired of your asking for free legal advice...
I'm not sure what you mean. There isn't such thing as a binding legal precedent, as the court is always free to change its mind.