No offence, but did you notice earlier in our discussion that 6 of the vulnerabilities detected in Windows OS's since Vista's launch also hit XP (and in some cases other OS's as well...). Let's detail them, shall we...
SA27134, Microsoft Windows RPC Authentication Denial of Service, affects Vista, XP and 2003 Server.
SA27112, Microsoft Windows NNTP Response Handling Buffer Overflow, affects Vista, XP, 2003 Server *and* 2000, *and* is marked Highly Critical *and* is exploitable from remote.
SA26409, Microsoft Windows Vector Markup Language Buffer Overflow, affects Vista, XP, 2003 Server *and* 2000, *and* is marked Highly Critical *and* is exploitable from remote.
SA25639, Microsoft Outlook Express and Windows Mail Multiple Vulnerabilities, affects Vista, XP, 2003 Server, *and* is marked Highly Critical *and* is exploitable from remote.
SA24659, Microsoft Windows Animated Cursor Buffer Overflow Vulnerability, affects Vista, XP, 2003 Server *and* 2000, *and* is marked Extremely Critical *and* is exploitable from remote. Most importantly, how can a sophisticated code review *and* better security practices *and* a rewrite, miss an extremely dangerous remote exploit in *animated cursors*, hardly a massively important part of the OS??
SA24245, Microsoft Windows Directory Monitoring Information Disclosure Weakness, affects Vista, XP, 2003 Server *and* 2000, to be fair this really isn't all that critical, but has been left unpatched across all OS's.
Now when someone confirms that this issue does not affect Vista and can prove it I'll believe it, for now I'd be unhappy to comment one way or another, especially given that this flaw was initially reported to not affect XP either, and especially given the issues listed above. Oh, and in addition, since it is apparently being patched for XP and 2000, I guess it is *still* not a reason to upgrade, not that I have to worry about this vulnerability one way or the other, especially as its presence in Vista has not been confirmed/denied, it doesn't seem to have any real exploit potential *yet* and will be patched soon (apparently).
Re:How can ... on Spying On Tor · Score: 2, Insightful
Well the way I normally test to make sure a key is from who it claims to be from is to ask, or more likely because they have told me in advance using a medium that can be trusted (i.e. by phone, or any other communications method that you trust, for me to communicate with you securely getting in touch using the emails listed on /. would probably be sufficient because it's not like you know who I am anyway, as long as you are talking to the person you expect to talk to it matters very little who I really am).
It is perfectly possible to fake almost any element of an email, from faking the sender, the headers, up to and including the creation and registration of encryption keys with PKI servers that have nothing to do with the person the email claims to be from (as far as an email address can claim anything). However, this is where the trust element of PKI comes in. If I sign up with a commercial supplier of PKI related products then that supplier may well carry out a number of checks to ensure that I am who I say I am, if I use a random and badly configured server on the net, it will work just as well but will not have the same level of trust. Most importantly it would then be up to you to decide if you trust my PKI provider to identify me correctly.
However disregarding the positive identification of a sender to some degree, you can get round most of the problems by using a little common sense, if you received an email from me now, encrypted and signed, all you would know is that someone had sent you an email, claiming to be me. If I call you first and tell you I am about to email you something encrypted, you can be 99.99% certain that it's from me (you still don't know for sure who I am, but you know the email came from the person claiming to have sent it). More importantly we only need to go through that once, after all if I signed the message you know who I am and can now use my public key to send me encrypted communications and you can verify that my key doesn't change between mails (unless I tell you it will be) just as I can do for you. The only remaining risk is me losing my private key, but that's what revocation is for. The big thing with PKI and mail is less to do with positively identifying someone, and everything to do with knowing it is the same person sending the mail (however you verify their identity in the first instance) or being able to ensure that only the holder of a specific private key is able to read an email you send (a key that only they have, and one they never have to share).
You decide to trust the public key and the identity of the person you are communicating with, if you blindly trust an email because it's signed and it turns out it's someone else then that's tough, it would be the same as assuming the mails from NatWest and Barclays Bank I get about my account being closed unless I update my security data are valid and responding. Emails, Signatures, Keys, Passports, Letters etc.. are only valid for identification to a certain level, a level defined by the trust of the person relying on them of the system used to procure them, and the certainty they purport to provide with regard to identification.
Sorry, this post isn't all that clear and I think I rambled.
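The key-continuity idea in the comment above (verify a correspondent's key once over a trusted channel, then check that it does not change between mails unless announced, with revocation for a lost key), as an added Python example that is not part of the original post. The class, method names, status strings and sample keys are hypothetical, and it assumes each message's signature has already been verified against the key presented with it.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of the raw public key bytes."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class KeyContinuityStore:
    """Tracks which key each correspondent was verified with (hypothetical helper)."""
    pins: dict = field(default_factory=dict)       # sender -> pinned fingerprint
    announced: dict = field(default_factory=dict)  # sender -> fingerprint of announced next key
    revoked: set = field(default_factory=set)      # fingerprints known to be revoked

    def verify_out_of_band(self, sender: str, public_key: bytes) -> None:
        # Called once, after the key was confirmed over a trusted channel
        # (the "call you first" step in the comment).
        self.pins[sender] = fingerprint(public_key)

    def announce_rotation(self, sender: str, new_public_key: bytes) -> None:
        # The correspondent told us, in a message we already trust, that the key will change.
        if sender not in self.pins:
            raise ValueError("cannot announce a rotation for an unverified sender")
        self.announced[sender] = fingerprint(new_public_key)

    def revoke(self, public_key: bytes) -> None:
        # The private key was lost or stolen: never accept this key again.
        self.revoked.add(fingerprint(public_key))

    def check(self, sender: str, public_key: bytes) -> str:
        """Classify the key presented with a correctly signed message."""
        fp = fingerprint(public_key)
        if fp in self.revoked:
            return "revoked"
        pinned = self.pins.get(sender)
        if pinned is None:
            # A valid signature only proves that *someone* holds this key.
            return "unverified"
        if fp == pinned:
            return "same-sender"
        if self.announced.get(sender) == fp:
            # Expected change: move the pin to the new key.
            self.pins[sender] = fp
            del self.announced[sender]
            return "rotated"
        # Unannounced change: treat as a possible impersonation until re-verified.
        return "key-changed"


# Constructed sample keys (placeholders, not real key material).
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"
KEY_FAKE = b"constructed-public-key-from-someone-else"
SENDER = "correspondent@example.org"


def demo() -> list:
    store = KeyContinuityStore()
    results = [store.check(SENDER, KEY_A)]        # first mail, nothing verified yet
    store.verify_out_of_band(SENDER, KEY_A)       # phone call confirms the key
    results.append(store.check(SENDER, KEY_A))    # later mail, same key
    results.append(store.check(SENDER, KEY_FAKE)) # forged sender with a different key
    store.announce_rotation(SENDER, KEY_B)
    results.append(store.check(SENDER, KEY_B))    # announced change is accepted
    store.revoke(KEY_B)
    results.append(store.check(SENDER, KEY_B))    # revoked key is rejected
    return results


if __name__ == "__main__":
    print(demo())
```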
FFS, I pointed out that the security improvements are insufficient to justify business upgrades from XP, I never asked you to explain why Vista is more secure, I'm more than capable of determining the merits of the various technologies involved, I am saying that you are *wrong* to suggest that Vista's enhanced security is enough to justify upgrades given the level of security already available to business *and* the mass of other issues that must be addressed to upgrade.
Do you agree with that yet or are you still convinced that Vista's security advances alone trump all other potential negatives for businesses? IMHO there is no compelling justification to upgrade to Vista, the negatives outweigh the positives at this point, the enhanced security does *not* change that balance.
Yes, migration will probably happen over time, but that is why there is no immediate adoption of Vista, there is no killer feature and the hardware requirements are more onerous.
I did some 2000 (and even Win98) to XP upgrades in 2003 where the hardware, though older was still capable of running XP within a corporate environment quite well, this is likely not going to be possible with Vista, because the minimum specs are much higher than what I see on a normal corporate desktop (and I'm not assuming that business users will want Aero, 512Mb RAM seems about the norm at the moment (with 256 still common) and importantly low end and low capacity HDD's and processors (After all it's much cheaper to pick up new clients with minimum specs)).
Interestingly, I also doubt that the migration will be piecemeal like it could be from 2000 to XP, an environment where either client could co-exist peacefully and without issue, I have it on moderately decent authority* that dropping a Vista box in as a straight replacement for an XP box and not making any changes in other areas (AD primarily, whether group policy or user profiles and scripts etc..) is not possible, whilst in a 2000 to XP transition it was (XP being fully backward compatible but without too many fundamental changes, you simply didn't get some of XP's other benefits with regard to group policy etc..)
* Corporate IT departments are fairly resistant to change so this may be somewhat related to that rather than the issue at hand
It's people like you who make IT in the workplace such a nightmare for your customers,
I mean granted you probably provide a reliable, secure, stable, scalable, well maintained, fit for purpose, fast, resilient, redundant and nicely cabled IT infrastructure, that meets the businesses needs, is well documented and complies with all policies and any legislation relating to it, but what is that when compared to the ability of your users to use whatever OS they happen to think is shiny?
All that saying no to your customers when they ask for the latest upgrades achieves is an easy life and a well functioning IT department, hardly worth the stigma your customers must suffer from being behind the times in terms of technology.
Damn you sir*,
* and well done if your position is backed by senior management and applied to them as well...
Why would a business want to buy additional hardware for this upgrade? They wouldn't need to if they didn't upgrade.
If a business has thousands of desktops from a few years ago, say 1.8Ghz CPU, 512Mb RAM, 40Gb hard disk etc... a bog standard corporate desktop, it's not cheap to replace all that kit in one go with something vista will run on, it's much easier (and more cost efficient) to upgrade as stuff breaks and then at some distant point in the future upgrade to vista because all your equipment is capable of running it and it fits in with the other infrastructure life cycles that you are working within.
I wish people would think about the difference between IT in business and at home, I can go and buy a £500 PC get it home and have it work in an hour or so, a business may need to do this for many hundreds of machines at tens of sites without excessive down time for the installation etc.., with relevant training for staff, both technical and end users. Every change has an impact and needs to have a pre-defined benefit, switching from XP to vista isn't going to justify spending a massive amount of money on hardware, training, licenses, down time and all the other bits surrounding a major change without any real benefit.
Because you claim that security alone is a sufficient reason for businesses to upgrade to Vista. Clearly it's not, there are too many other factors, spelled out repeatedly in my previous posts, and that is without considering other alternatives.
Are you misunderstanding on purpose or is this concept simply too complex?
Vista vs XP, Vista is more secure. Vista vs XP in a corporate environment with all the additional security systems and procedures already present, Vista is *not* significantly more secure than XP.
Since Vista requires a large investment in terms of hardware, licensing, training and time for migration, the significance of any minor security improvement is reduced.
Would a haulage operator re-purchase all of his vehicles because a new one was 25%* less likely to be stolen? Would he do so if the new vehicle required twice as much fuel to go twice as far, needed months of roll out planning time, different licenses for the drivers and didn't work with some of the ancillary equipment that was already in place?
What if 10 vehicles of his 30 vehicle fleet were stolen each year? Then he probably would. What if 1 vehicle of his 250 vehicle fleet were stolen each year? Then he would not.
Security is important, it is probably one of the *most* important elements when looking at IT systems, mainly because a single failure can destroy a company and because there are so many potential issues, but IT security is *not* just about the OS, and it's not the only factor. Get it through your head that the increased security in vista is not sufficient at this time to be a significant reason to buy.
Oh and thanks for the personal attack, I see that if you are incapable of making an argument you feel an insult is sufficient, I suggest that politics may be a good career choice at some point.
*25% being an arbitrary figure 50% or 150% works just as well.
You'd be right if anyone touted a single benefit as a reason to migrate, Security has been hailed as a major benefit of Linux, BSD, MacOS etc.. and quite rightly so, many of the benefits you see with Vista are already present in those systems. Now in addition to the security element, there are also benefits in terms of cost, hardware requirements, stability & reliability and a raft of others that depend on the organisation making the decision. Sure there are issues with retraining and compatibility, but they don't need to come with added expense in terms of hardware and licensing. In short moving from Windows to a Non-Windows environment has short term and long term benefits in more areas than simply upgrading to Vista at this time, keeping XP is probably an even better option if that's what's already present, as long as updates are not halted and as long as software continues to work with XP.
Any postal employee with a sufficient lack of gruntles
Is that any postal employee with a lack of scruples, or any disgruntled postal employee? I assume that as disgruntled means malcontent a lack of gruntle would be a lack of contentment, but plural? If you combine scruples and gruntles we could have scruntles or even gruples. Both seem to work, I'm sure employers would prefer employees with scruntles over ungrupulous ones. It made me giggle anyway.
For the home user Vista has many potential attractions, not least of which is that it will likely arrive on a new PC bought, not because vista is available but because a new computer is required. For business the thought of having to replace a huge number of machines, make changes to various other IT systems, solve any incompatibilities, deal with driver issues, retrain staff and then end up with an IT system that may or may not be more secure than the current one (as you said measures have already been taken) and one that will in all honesty probably deliver little or no productivity benefits, is simply repugnant. This is even more so the case since there are other OS's with similar or better levels of security that run very well on older hardware and are considerably cheaper to acquire and potentially cheaper to maintain, sure they have similar issues with regard to training and compatibility, but if you are throwing out everything else anyway, why not go in favour of something that will at least save you money in terms of licensing and hardware requirements (obviously this approach is not suitable for all, but then for those that it is not suitable for, Vista is also not suitable).
I have been having this very discussion with trifish as a part of another story.
Trifish would argue that the security benefits alone are sufficient to justify businesses to upgrade. Personally I would say that Vista may be attractive to new businesses* but not ones with an existing investment in XP or 2000, not because the security is lacking, it is an improvement over XP (especially on x64 hardware) but with all the other issues it's just not justifiable.
Vista may become viable as hardware becomes cheaper or if there is a sufficiently large threat to XP that is left unpatched but does not affect Vista.
* (but they should be looking at the alternatives regardless, see what my company tries to do..)
Good job it's me who runs a company and not you then.
I have not said vista is less secure than XP, what I said is that it is not a big enough reason to migrate, this whole thread is in response to the following:
Why in the @#$%! should we pay a boatload of money to slash our workers' productivity?
Easy one: Significantly improved security.
Now it's not hard to understand, the security improvements in vista are *not* as significant as claimed, especially if you are not running x64 based hardware. The upgrade in terms of security gained compared to capital investment and ongoing costs is not justifiable for most companies (i.e. those with pre-existing Windows 2000/XP Environments). This is not an anti Vista position, I cannot think of a better Microsoft Operating system to be used with the latest hardware, but the reality of the situation is that Vista has a huge number of negative aspects for the business user, and these are not balanced by the improved security.
Let's agree to disagree, you seem to be missing the point anyway so that path would seem to be an honourable one.
You listed a load of technologies, I pointed out what I thought of them 2 of them didn't seem to bring any benefit, one (the user privileges element) will have a massive impact on the home user, but much less on the corporate. I pointed out that with regards to KPP there are issues that devalue its impact and I stated that ASLR was a good preventative mechanism but not a show stopper. None of that is untrue nor is it factually incorrect as far as I am aware, if you know better then do tell. At the moment all you are doing is complaining that I do not agree with you and suggesting that somehow that is trollish behaviour.
It boils down to a simple statement.
The security improvements in Windows Vista, when compared to Windows XP are not sufficient to justify upgrading in most instances as there are many other obstacles that hinder Vista adoption in a corporate environment.
As I indicated Vista may be more secure than XP, but given all the other issues that surround Vista, the amount of improvement is not sufficient to warrant upgrading. This is what I believe to be true, it is neither offensive, factually inaccurate (given the evidence with regard to corporate adoption of Windows Vista to date) nor is it propaganda aimed for or against one group or another. Quite simply unless you can come up with some compelling argument other than "Microsoft state that vista is more secure and there have been less patches, therefore it must be a valuable upgrade for corporates" you aren't going to get very far, trying to shift the argument by making me out to be something I am not simply suggests that there is no other argument to be made.
Further I will repeat it because it is worth repeating, the number of vulnerabilities detected in a program is not the be all and end all of categorising how secure something is, and as such how valuable extra or different levels of security are.
By your logic,
IE7 is less secure than IE6 (IE7 has had more vulnerabilities detected than IE6, 15 vs 13, both with 4 unpatched), so business should be using IE6.
Office 2000, 2003 and 2007 are all as secure as one another (as they all list the same issues since 08/05/2007), so business can use any of those.
2000 server is more secure than 2003 server (21 vs 28 vulnerabilities with 2000 server leaving 1 unpatched and 2003 leaving 2 unpatched), so business should be using 2000 server instead of 2k3.
Oh as for the Vista vs XP vulnerabilities, it's 12 vs 26 vulnerabilities, with 1 and 2 unpatched for Vista then XP respectively. Of those 6 (SA27134, SA27112, SA26409, SA25639, SA24659, SA24245) affected both XP and Vista, and 6 were purely Vista issues, so I'm not sure if that is good or bad, or if it indicates that the re-write of vista, or the changes in policies are less useful than they could be from a security standpoint.
Can you see why there is more to it? A machine on a home user's desk with a hard disk full of random software and no real attempt at security will be less secure than one sat in an office maintained by IT staff. So given that business users have the resources to add additional security, decent policies and management practices to the layers of security that already surround XP, given that they have IT staff to handle and monitor what is going on, and given that they have already paid to do so, do you think that the security benefits of Vista compared to XP are still significant enough for a *business* to switch?
First off, let's address the personal attack, if you think that disagreeing with you and explaining why is trolling then I'm not sure why I am having this discussion with you as you clearly won't re-evaluate your position regardless of what I say. I would suggest that describing any of the posts I have made in this thread as trollish is both unfair and inaccurate, further if you look at my historical posts I doubt you will be able to find any other trollish behaviour.
Secondly, we are not discussing what features have been added to mitigate security threats to a platform we are discussing the benefits of replacing XP clients used in business with Vista on the basis of security enhancements in Vista. I am not suggesting that Vista is less secure than XP, or even on a par with XP, I am saying that it does not present a great improvement over a current, fully patched XP client.
Taking your points in your other post,
1) Code layout randomization
2) Users don't run as administrators by default (this is impossible to achieve from the usability point of view).
3) Kernel patch protection
4) Managed code
5) Code rewritten from scratch while being constantly subject to unprecedented security audits (something you can't achieve with XP, unless you want them to rewrite it)
6) Etc., etc.
1) Code layout randomisation, presumably you mean Address Space Layout Randomisation, this is a benefit, it should prevent any attack that expects to be able to overwrite specific code when a buffer overrun occurs, it is of some limited use (and has been around in other OS's for some time). Hopefully it will prevent the use of some of the nastier privilege escalation methods we have seen in the past.
2) In a corporate environment users haven't (or at least should not have) been logging in as administrators in the past on XP, if they currently do then it is likely that this is for some specific and probably ill thought out reason, or as a result of poorly written 3rd party software which may or may not be true under Vista. Remember that in a corporate environment the end user should never see a UAC prompt, at most they might see a "this action has been disabled by your system administrator") after all business machines have fairly well known purposes, the users requirements should be available to the user, most other elements of the OS should be restricted. In short this re-implements what IT departments already do with XP. As for it not being possible to achieve, it is possible to achieve, and has been and is being achieved on a regular basis by corporate IT departments all over the globe, including those I have worked with. The biggest problem I have faced in this area is that management prefer to have their users have administrative access as it means they can make changes and install software / drivers ad hoc, independently of IT as and when it is deemed as necessary, not a good thing, but something that needs to be addressed. Nice to see that it has been addressed but frankly it is something that with a certain amount of work is attainable (and importantly that work has now been done by those using XP).
3) Kernel Patch protection is only present on x64 systems (AFAIK, correct me if I'm wrong though). However this technology would be a great leap forward in preventing a whole array of attacks, especially resident long term and close to non-detectable attacks, something that business is rightly worried about. However KPP has I believe been bypassed a number of times, moreover I believe that there are still at least 2 methods of dropping untrusted code into the kernel (I'm not sure if they are seen in any in the wild malware, but they are apparently usable to add additional fs support to Vista.) So potentially a good thing, once it is sorted out. Again hardly a compelling reason to switch to Vista.
4 and 5) I don't see either of these as beneficial, mainly because managed code and rewritten code mean very little in and of t
if OS A has 10 vulnerabilities that are exploitable remotely and give root access to the exploited system whilst OS B has 50 vulnerabilities that are only exploitable from the machine and possibly only to the unprivileged account of the process that the exploit runs under then I'd sure as hell not pick OS A.
And the point is that n months after release for XP is October 2001 + n for Vista is January 2007 + n, there have been advances in all sorts of areas since 2001, and guess what, some of these technologies have been incorporated into XP since release.
As a business customer I don't care how Vista now compares with XP at XP's release date, I care about how Vista compares to XP *now*, fully patched.
What's so hard to understand? For Vista, Security was touted as a big selling point, mainly because MS have historically been slow to address it and now people are concerned about it, however the improvement is only incremental over XP and it comes with many other issues, not least of which are cost and hardware requirements, but also interoperability and concerns over DRM, WGA, virtualisation, Upgrade paths and Licensing. So once again, The supposed benefits in terms of Security are not sufficient (clearly so based on business uptake) to get companies to upgrade because they do not provide sufficient benefit to overcome the negatives.
When the first n-month periods after initial release of each OS are compared, the number of vulnerabilities and exploits found in Vista is significantly lower than it was in Windows XP. We also know why that is (Microsoft finally hired security professionals and imposed rigorous internal pre-release and in-development security audits).
1) What study?
2) According to the statement above, they compared the vulnerabilities detected in corresponding periods after release.
3) The number of vulnerabilities does not equal number of actual exploits, although if you look at the criticality of the vulnerabilities and the time it takes to patch, you get some idea about the company selling the OS, not the OS itself.
4) You don't need to, and generally cannot compare figures to get a valid idea of security there are too many other factors involved.
Can you point to a single instance where a business using XP in a well managed environment would have seen significant issues related to security that a business running Vista would not? Or even a vulnerability in XP that has been in an un-patched state at some point since the release of Vista that is sufficiently significant to justify an upgrade (so one that didn't also affect Vista)? Remember that what we are talking about is a reason sufficiently compelling to business to make an upgrade worth while, a real world benefit.
I agree that a fresh install of XP in its 25 October 2001 incarnation probably wouldn't stand up against Vista at its release date, but businesses are unlikely to be comparing un-patched Vista vs un-patched XP. Vista patched vs XP patched, in a corporate environment, where usually AV is installed and maintained, there is a nice firewall to protect internal clients, there may even be an IDS to spot anything that was missed and other MS technologies are being used to 'lock down' the computers to ensure security the difference between Vista and XP is going to be non existent, well except that there is poor driver support for Vista, it may require other infrastructure changes, it costs more in hardware terms, it may require user training and oh it appears to be encumbered by restrictive technologies that bring no benefit whatsoever to a business.
The use of respective comparable after-release periods doesn't seem all that sensible as threat assessments go, mainly because the situation changes rapidly and systems are patched for threats as they appear, it should be more sensible to compare platforms as they are at a given point in time (i.e. compare XP vs Vista vs Debian as from Today, and then comparing them all only when they are functionally similar, i.e. comparing a base Debian install (with nothing other than the base) with XP would be unfair). In fact if you compare vulnerabilities reported in the first 10 months of release for both vista and XP using data from SANS, it would appear that Vista has 15 (1 un-patched) and XP had 0 in the same comparative period the first noted being after the 10 month period (starting 26.10.2001).
The one thing about all the Sony Kit I have ever owned is that the screens are lovely, my Clie had a gorgeous screen for reading text, the phone is a SE with a fantastic screen (resolution and colour vibrancy) and the various Vaios I looked at and then didn't buy all had lovely displays too. How can an apparently evil company have such good sense when it comes to the part of the device most important to the user?
I have a PDA running Linux (recently replacing a different PDA). It has a 4" SVGA screen which means that everything is nice and crisp, including images and colours (although frankly as I use it mainly as a book reader the colour element isn't really all that important.) With wifi on and the back light most of the way up to full it lasts about 6 hours, with the backlight down to a sensible level and wifi off it lasts closer to 16 hours, and I can carry a couple of batteries easily enough (this is with a new HP battery, and they are not expensive). Now add to that 2Gb of storage on a CF card and a few 512Mb SD cards (I use them as removable media and the CF as semi-permanent storage) and I can carry a vast number of e-books, as well as some music and videos (a couple of transcoded DVD's for example).
Now this setup isn't what I would use if I was sat in the living room of an evening and decided to read a book, mainly because in my living room I have space and decent light and no one else to bother me, I can turn the stereo on and read for however many hours without any issue, and most importantly my books are all close by, but if I am travelling anywhere its what I take. I get through a decent size novel in probably eight hours, so a long flight, or a long train journey, plus any hotel time or waiting time would usually mean carrying a couple of paperbacks (or buying them on the go) and probably an mp3 player. Now I can carry everything in one pocket, with the added bonus of the PDA looking like a phone rather than a laptop, and thereby less likely to be too attractive to thieves or airport security.
Now what would make me really happy is the ability to buy a book and then somehow receive a reduced price ebook with it (say £! extra) in a format that I can reduce to either html or preferably plain text, but maybe that will be something that I will have to wait for. I should also add that some way of getting newspapers in an ebook friendly format would also be nice, I'd pay if they emailed me a copy each day, (it's not like the content isn't available online already).
Anyway, I guess my point is that I love a book, but the important part is being able to read when I want to, an ebook reading PDA does that for me (together with real books for when I am at home). Saying that I still wouldn't spend £200 on one (more likely to be £400 if the usual $=£ conversion for UK/US prices is observed) especially since it is a single use device, and by the looks of it it's uglier and larger than my new PDA, which is just about as big as I would care to carry anyway.
Pretty much no one gets to elect whoever they want, but they do seem to have a choice both in terms of political party, policy and ideology when they do vote, the point I suppose is that if you are comparing nations I don't think that Iran comes below Pakistan in terms of democratic choice, yet one is demonised and one is not (quite the opposite, the last few weeks being the exception). The major difference seems to be receptiveness to US/EU foreign policy.
Iran is in a really unstable part of the world with two of its neighbours massively destabilised and quite potentially hostile (Iran's relationship with Iraq has never been rosy) yet it seems to have one of the more democratic systems in the region (At least up until the invasions of Iraq and Afghanistan). I'm not suggesting that Iran is a beacon of light, but it definitely doesn't seem to be the source of all evil either. The few Iranians that I have met, mostly students, seem to be fairly political, and will quite happily discuss their various ideas, they have all been fairly nationalistic (in the same way the US seems to be, i.e. proud to be Iranian and anti-interference) one of them was a dyed in the wool Marxist. So like I said, since there appears to be an active political system, with some real choices and since there are regular and apparently free elections, I can't quite see why Iran is seen as a dictatorship (especially whilst Pakistan is seen as a democracy).
For Pyongyang and Riyadh I agree, but with regards Iran I'm not sure, there isn't a hell of a lot of evidence to suggest that their elections are anything other than "free and fair", I mean, granted they have recently not voted for whoever the US and to a lesser extent the EU have wanted in charge, but that is hardly surprising, they also seem to have a huge amount of rhetoric and propaganda to sit through in relation to political candidates but that isn't exactly very different to a western democracy either.
It is interesting that the 2000 elections were hailed by the 'west' (I hate that term but it seems to work) as a "Victory for people power" on the basis that they elected reformers, then the 2005 election when Ahmadinejad was finally elected was a fairly close run thing, it's funny, the amount of people that assume Ahmadinejad won with 99% or similar (à la most of the world's people's republics or other dictatorships) when the reality is much different. Also as I understand it Iran has many political parties, of all stripes (even some communists) and these generally form blocks, rather than having any one group dominate, as such I would assume it is much more of a balancing act to stay on in politics in Iran than in the US.
Anyway, I doubt that I would want to live in Iran, but I am beginning to think that there is an awful lot of unwarranted FUD being spread around that really isn't fair, lumping Iran in with N Korea for one is probably a little over the top. The problem with Iran is that it *is* a republic of sorts and it *is* a democracy of a certain kind, although it would seem that most official documents list it as a theocracy, I would say that any country where the government and various oversight groups (including the one that deals with the succession of the "supreme leader") are popularly elected is a democracy of sorts, and sure as hell can't be deemed a dictatorship. It just doesn't seem to fit into the US's world view that a country can be opposed to US foreign policy and have real support from its local population in doing so, even a country that has historically been very badly treated by both the US and the UK.
Oh and there may be factual errors in this, mainly as I haven't had time to check it, but AFAIK it should be close enough for the point to stand.
No offence, but did you notice earlier in our discussion that 6 of the vulnerabilities detected in Windows OS's since Vista's launch also hit XP (and in some cases other OS's as well...). Let's detail them shall we...
SA27134, Microsoft Windows RPC Authentication Denial of Service, affects Vista, XP and 2003 Server.
SA27112, Microsoft Windows NNTP Response Handling Buffer Overflow, affects Vista, XP, 2003 Server *and* 2000, *and* is marked Highly Critical *and* is exploitable from remote.
SA26409, Microsoft Windows Vector Markup Language Buffer Overflow, affects Vista, XP, 2003 Server *and* 2000, *and* is marked Highly Critical *and* is exploitable from remote.
SA25639, Microsoft Outlook Express and Windows Mail Multiple Vulnerabilities, affects Vista, XP, 2003 Server, *and* is marked Highly Critical *and* is exploitable from remote.
SA24659, Microsoft Windows Animated Cursor Buffer Overflow Vulnerability, affects Vista, XP, 2003 Server *and* 2000, *and* is marked Extremely Critical *and* is exploitable from remote. Most importantly, how can a sophisticated code review *and* better security practices *and* a rewrite, miss an extremely dangerous remote exploit in *animated cursors*, hardly a massively important part of the OS??
SA24245, Microsoft Windows Directory Monitoring Information Disclosure Weakness, affects Vista, XP, 2003 Server *and* 2000, to be fair this really isn't all that critical, but has been left unpatched across all OS's.
Now when someone confirms that this issue does not affect Vista and can prove it I'll believe it, for now I'd be unhappy to comment one way or another, especially given that this flaw was initially reported to not affect XP either, and especially given the issues listed above. Oh, and in addition, since it is apparently being patched for XP and 2000, I guess it is *still* not a reason to upgrade, not that I have to worry about this vulnerability one way or the other, especially as its presence in Vista has not been confirmed/denied, it doesn't seem to have any real exploit potential *yet* and will be patched soon (apparently).
Well the way I normally test to make sure a key is from who it claims to be from is to ask, or more likely because they have told me in advance using a medium that can be trusted (i.e. by phone, or any other communications method that you trust, for me to communicate with you securely getting in touch using the emails listed on /. would probably be sufficient because it's not like you know who I am anyway, as long as you are talking to the person you expect to talk to it matters very little who I really am).
It is perfectly possible to fake almost any element of an email, from faking the sender, the headers, up to and including the creation and registration of encryption keys with PKI servers that have nothing to do with the person the email claims to be from (as far as an email address can claim anything). However, this is where the trust element of PKI comes in. If I sign up with a commercial supplier of PKI related products then that supplier may well carry out a number of checks to ensure that I am who I say I am, if I use a random and badly configured server on the net, it will work just as well but will not have the same level of trust. Most importantly it would then be up to you to decide if you trust my PKI provider to identify me correctly.
However disregarding the positive identification of a sender to some degree, you can get round most of the problems by using a little common sense, if you received an email from me now, encrypted and signed, all you would know is that someone had sent you an email, claiming to be me. If I call you first and tell you I am about to email you something encrypted, you can be 99.99% certain that it's from me (you still don't know for sure who I am, but you know the email came from the person claiming to have sent it). More importantly we only need to go through that once, after all if I signed the message you know who I am and can now use my public key to send me encrypted communications and you can verify that my key doesn't change between mails (unless I tell you it will be) just as I can do for you. The only remaining risk is me losing my private key, but that's what revocation is for. The big thing with PKI and mail is less to do with positively identifying someone, and everything to do with knowing it is the same person sending the mail (however you verify their identity in the first instance) or being able to ensure that only the holder of a specific private key is able to read an email you send (a key that only they have, and one they never have to share).
You decide to trust the public key and the identity of the person you are communicating with, if you blindly trust an email because it's signed and it turns out it's someone else then that's tough, it would be the same as assuming the mails from NatWest and Barclays Bank I get about my account being closed unless I update my security data are valid and responding. Emails, Signatures, Keys, Passports, Letters etc. are only valid for identification to a certain level, a level defined by the trust of the person relying on them of the system used to procure them, and the certainty they purport to provide with regard to identification.
Sorry, this post isn't all that clear and I think I rambled.
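The trust model described in this post (confirm a key once over a channel you already trust, then rely on the key staying the same between mails, with revocation for a lost key) can be sketched as a small key-continuity check. This is an added example, not code from the post; the class and function names, the address and the key bytes are constructed for illustration, and it assumes the mail client has already verified the signature and hands over the public key that verified it.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    UNVERIFIED = "unverified"    # first sight of this sender: confirm out of band
    SAME_SENDER = "same-sender"  # key matches the one confirmed earlier
    KEY_CHANGED = "key-changed"  # different key, no announcement: treat as suspect
    REVOKED = "revoked"          # key was reported lost or compromised


def fingerprint(public_key: bytes) -> str:
    """Digest of the key material, short enough to read out over the phone."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class KeyContinuityStore:
    pinned: dict = field(default_factory=dict)     # address -> confirmed fingerprint
    announced: dict = field(default_factory=dict)  # address -> announced next fingerprint
    revoked: set = field(default_factory=set)      # fingerprints never to trust again

    def confirm_out_of_band(self, address, public_key, spoken_fingerprint):
        """Pin a key only if the fingerprint heard on a trusted channel matches."""
        heard = spoken_fingerprint.replace(" ", "").lower()
        if fingerprint(public_key) != heard:
            return False
        self.pinned[address] = fingerprint(public_key)
        return True

    def announce_rotation(self, address, current_key, new_key):
        """Accept a key change only when the currently pinned key vouches for it."""
        if self.check(address, current_key) is not Verdict.SAME_SENDER:
            return False
        self.announced[address] = fingerprint(new_key)
        return True

    def revoke(self, public_key):
        """Record that the holder has lost control of this key."""
        self.revoked.add(fingerprint(public_key))

    def check(self, address, public_key):
        """Classify the key that verified the signature on an incoming mail."""
        fp = fingerprint(public_key)
        if fp in self.revoked:
            return Verdict.REVOKED
        if address not in self.pinned:
            return Verdict.UNVERIFIED
        if self.pinned[address] == fp:
            return Verdict.SAME_SENDER
        if self.announced.get(address) == fp:
            # The sender told us in advance that the key would change.
            self.pinned[address] = fp
            del self.announced[address]
            return Verdict.SAME_SENDER
        return Verdict.KEY_CHANGED


def demo():
    """Walk one correspondent through the lifecycle using constructed key bytes."""
    store = KeyContinuityStore()
    addr = "alice@example.org"                      # constructed address
    alice_key = b"constructed-public-key-alice-1"   # constructed sample keys
    alice_new = b"constructed-public-key-alice-2"
    forged = b"constructed-public-key-impostor"

    seen = [store.check(addr, alice_key)]           # signed mail, sender never confirmed
    store.confirm_out_of_band(addr, alice_key, fingerprint(alice_key))  # the phone call
    seen.append(store.check(addr, alice_key))       # later mail, same key
    seen.append(store.check(addr, forged))          # signed mail, but a different key
    store.announce_rotation(addr, alice_key, alice_new)
    seen.append(store.check(addr, alice_new))       # announced change is accepted
    store.revoke(alice_key)
    seen.append(store.check(addr, alice_key))       # old key after revocation
    return seen


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```

A validly signed mail from a key that was never confirmed gets `UNVERIFIED`, not trust, which is the "someone claiming to be me" case in the post.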
FFS, I pointed out that the security improvements are insufficient to justify business upgrades from XP, I never asked you to explain why Vista is more secure, I'm more than capable of determining the merits of the various technologies involved, I am saying that you are *wrong* to suggest that Vista's enhanced security is enough to justify upgrades given the level of security already available to business *and* the mass of other issues that must be addressed to upgrade.
Do you agree with that yet or are you still convinced that Vista's security advances alone trump all other potential negatives for businesses? IMHO there is no compelling justification to upgrade to Vista, the negatives outweigh the positives at this point, the enhanced security does *not* change that balance.
Yes, migration will probably happen over time, but that is why there is no immediate adoption of Vista, there is no killer feature and the hardware requirements are more onerous.
I did some 2000 (and even Win98) to XP upgrades in 2003 where the hardware, though older was still capable of running XP within a corporate environment quite well, this is likely not going to be possible with Vista, because the minimum specs are much higher than what I see on a normal corporate desktop (and I'm not assuming that business users will want Aero, 512Mb RAM seems about the norm at the moment (with 256 still common) and importantly low end and low capacity HDD's and processors (After all it's much cheaper to pick up new clients with minimum specs)).
Interestingly, I also doubt that the migration will be piecemeal like it could be from 2000 to XP, an environment where either client could co-exist peacefully and without issue, I have it on moderately decent authority* that dropping a Vista box in as a straight replacement for an XP box and not making any changes in other areas (AD primarily, whether group policy or user profiles and scripts etc.) is not possible, whilst in a 2000 to XP transition it was (XP being fully backward compatible but without too many fundamental changes, you simply didn't get some of XP's other benefits with regard to group policy etc.)
* Corporate IT departments are fairly resistant to change so this may be somewhat related to that rather than the issue at hand
It's people like you who make IT in the workplace such a nightmare for your customers,
I mean granted you probably provide a reliable, secure, stable, scalable, well maintained, fit for purpose, fast, resilient, redundant and nicely cabled IT infrastructure, that meets the business's needs, is well documented and complies with all policies and any legislation relating to it, but what is that when compared to the ability of your users to use whatever OS they happen to think is shiny?
All that saying no to your customers when they ask for the latest upgrades achieves is an easy life and a well functioning IT department, hardly worth the stigma your customers must suffer from being behind the times in terms of technology.
Damn you sir*,
* and well done if your position is backed by senior management and applied to them as well...
Why would a business want to buy additional hardware for this upgrade? They wouldn't need to if they didn't upgrade.
If a business has thousands of desktops from a few years ago, say 1.8Ghz CPU, 512Mb RAM, 40Gb hard disk etc... a bog standard corporate desktop, it's not cheap to replace all that kit in one go with something vista will run on, it's much easier (and more cost efficient) to upgrade as stuff breaks and then at some distant point in the future upgrade to vista because all your equipment is capable of running it and it fits in with the other infrastructure life cycles that you are working within.
I wish people would think about the difference between IT in business and at home, I can go and buy a £500 PC get it home and have it work in an hour or so, a business may need to do this for many hundreds of machines at tens of sites without excessive down time for the installation etc.., with relevant training for staff, both technical and end users. Every change has an impact and needs to have a pre-defined benefit, switching from XP to vista isn't going to justify spending a massive amount of money on hardware, training, licenses, down time and all the other bits surrounding a major change without any real benefit.
I suppose that could be a side effect of use for some people, didn't work for me tho...
Because you claim that security alone is a sufficient reason for businesses to upgrade to Vista. Clearly it's not, there are too many other factors, spelled out repeatedly in my previous posts, and that is without considering other alternatives.
Are you misunderstanding on purpose or is this concept simply too complex?
Vista vs XP, Vista is more secure.
Vista vs XP in a corporate environment with all the additional security systems and procedures already present, Vista is *not* significantly more secure than XP.
Since Vista requires a large investment in terms of hardware, licensing, training and time for migration, the significance of any minor security improvement is reduced.
Would a haulage operator re-purchase all of his vehicles because a new one was 25%* less likely to be stolen? Would he do so if the new vehicle required twice as much fuel to go twice as far, needed months of roll out planning time, different licenses for the drivers and didn't work with some of the ancillary equipment that was already in place?
What if 10 vehicles of his 30 vehicle fleet were stolen each year? Then he probably would.
What if 1 vehicle of his 250 vehicle fleet were stolen each year? Then he would not.
Security is important, it is probably one of the *most* important elements when looking at IT systems, mainly because a single failure can destroy a company and because there are so many potential issues, but IT security is *not* just about the OS, and it's not the only factor. Get it through your head that the increased security in vista is not sufficient at this time to be a significant reason to buy.
Oh and thanks for the personal attack, I see that if you are incapable of making an argument you feel an insult is sufficient, I suggest that politics may be a good career choice at some point.
*25% being an arbitrary figure 50% or 150% works just as well.
You'd be right if anyone touted a single benefit as a reason to migrate, Security has been hailed as a major benefit of Linux, BSD, MacOS etc. and quite rightly so, many of the benefits you see with Vista are already present in those systems. Now in addition to the security element, there are also benefits in terms of cost, hardware requirements, stability & reliability and a raft of others that depend on the organisation making the decision. Sure there are issues with retraining and compatibility, but they don't need to come with added expense in terms of hardware and licensing. In short moving from Windows to a Non-Windows environment has short term and long term benefits in more areas than simply upgrading to Vista at this time, keeping XP is probably an even better option if that's what's already present, as long as updates are not halted and as long as software continues to work with XP.
If you combine scruples and gruntles we could have scruntles or even gruples. Both seem to work, I'm sure employers would prefer employees with scruntles over ungrupulous ones.
It made me giggle anyway.
100% correct (take a look at this thread.).
For the home user Vista has many potential attractions, not least of which is that it will likely arrive on a new PC bought, not because vista is available but because a new computer is required. For business the thought of having to replace a huge number of machines, make changes to various other IT systems, solve any incompatibilities, deal with driver issues, retrain staff and then end up with an IT system that may or may not be more secure than the current one (as you said measures have already been taken) and one that will in all honesty probably deliver little or no productivity benefits, is simply repugnant. This is even more so the case since there are other OS's with similar or better levels of security that run very well on older hardware and are considerably cheaper to acquire and potentially cheaper to maintain, sure they have similar issues with regard to training and compatibility, but if you are throwing out everything else anyway, why not go in favour of something that will at least save you money in terms of licensing and hardware requirements (obviously this approach is not suitable for all, but then for those that it is not suitable for, Vista is also not suitable).
I have been having this very discussion with trifish as a part of another story.
Trifish would argue that the security benefits alone are sufficient to justify businesses to upgrade. Personally I would say that Vista may be attractive to new businesses* but not ones with an existing investment in XP or 2000, not because the security is lacking, it is an improvement over XP (especially on x64 hardware) but with all the other issues it's just not justifiable.
Vista may become viable as hardware becomes cheaper or if there is a sufficiently large threat to XP that is left unpatched but does not affect Vista.
* (but they should be looking at the alternatives regardless, see what my company tries to do..)
I have not said vista is less secure than XP, what I said is that it is not a big enough reason to migrate, this whole thread is in response to the following: Why in the @#$%! should we pay a boatload of money to slash our workers' productivity? Easy one: Significantly improved security. Now it's not hard to understand, the security improvements in vista are *not* as significant as claimed, especially if you are not running x64 based hardware. The upgrade in terms of security gained compared to capital investment and ongoing costs is not justifiable for most companies (i.e. those with pre-existing Windows 2000/XP Environments). This is not an anti Vista position, I cannot think of a better Microsoft Operating system to be used with the latest hardware, but the reality of the situation is that Vista has a huge number of negative aspects for the business user, and these are not balanced by the improved security.
Let's agree to disagree, you seem to be missing the point anyway so that path would seem to be an honourable one.
I'd be happy with SP5 ;)
(Did anyone else have issues applying SP4 by the way? It was apt to fail on G2 HP Servers. Never got to the bottom of why...)
Maybe you could explain where I am wrong then?
You listed a load of technologies, I pointed out what I thought of them, 2 of them didn't seem to bring any benefit, one (the user privileges element) will have a massive impact on the home user, but much less on the corporate. I pointed out that with regards to KPP there are issues that devalue its impact and I stated that ASLR was a good preventative mechanism but not a show stopper. None of that is untrue nor is it factually incorrect as far as I am aware, if you know better then do tell. At the moment all you are doing is complaining that I do not agree with you and suggesting that somehow that is trollish behaviour.
It boils down to a simple statement.
The security improvements in windows Vista, when compared to Windows XP are not sufficient to justify upgrading in most instances as there are many other obstacles that hinder Vista adoption in a corporate environment.
As I indicated Vista may be more secure than XP, but given all the other issues that surround Vista, the amount of improvement is not sufficient to warrant upgrading. This is what I believe to be true, it is neither offensive, factually inaccurate (given the evidence with regard to corporate adoption of Windows Vista to date) nor is it propaganda aimed for or against one group or another. Quite simply unless you can come up with some compelling argument other than "Microsoft state that vista is more secure and there have been less patches, therefore it must be a valuable upgrade for corporates" you aren't going to get very far, trying to shift the argument by making me out to be something I am not simply suggests that there is no other argument to be made.
Further I will repeat it because it is worth repeating, the number of vulnerabilities detected in a program is not the be all and end all of categorising how secure something is, and as such how valuable extra or different levels of security are.
By your logic,
IE7 is less secure than IE6 (IE7 has had more vulnerabilities detected than IE6, 15 vs 13, both with 4 unpatched), so business should be using IE6.
Office 2000, 2003 and 2007 are all as secure as one another (as they all list the same issues since 08/05/2007), so business can use any of those.
2000 server is more secure than 2003 server (21 vs 28 vulnerabilities with 2000 server leaving 1 unpatched and 2003 leaving 2 unpatched), so business should be using 2000 server instead of 2k3.
Oh as for the Vista vs XP vulnerabilities, it's 12 vs 26 vulnerabilities, with 1 and 2 unpatched for Vista then XP respectively. Of those 6 (SA27134, SA27112, SA26409, SA25639, SA24659, SA24245) affected both XP and Vista, and 6 were purely Vista issues, so I'm not sure if that is good or bad, or if it indicates that the re-write of vista, or the changes in policies are less useful than they could be from a security standpoint.
Can you see why there is more to it? A machine on a home user's desk with a hard disk full of random software and no real attempt at security will be less secure than one sat in an office maintained by IT staff. So given that business users have the resources to add additional security, decent policies and management practices to the layers of security that already surround XP, given that they have IT staff to handle and monitor what is going on, and given that they have already paid to do so, do you think that the security benefits of Vista compared to XP are still significant enough for a *business* to switch?
Maybe he should post it again and people will get it.
First off, let's address the personal attack, if you think that disagreeing with you and explaining why is trolling then I'm not sure why I am having this discussion with you as you clearly won't re-evaluate your position regardless of what I say. I would suggest that describing any of the posts I have made in this thread as trollish is both unfair and inaccurate, further if you look at my historical posts I doubt you will be able to find any other trollish behaviour.
Secondly, we are not discussing what features have been added to mitigate security threats to a platform we are discussing the benefits of replacing XP clients used in business with Vista on the basis of security enhancements in Vista. I am not suggesting that Vista is less secure than XP, or even on a par with XP, I am saying that it does not present a great improvement over a current, fully patched XP client.
Taking your points in your other post,
1) Code layout randomization
2) Users don't run as administrators by default (this is impossible to achieve from the usability point of view).
3) Kernel patch protection
4) Managed code
5) Code rewritten from scratch while being constantly subject to unprecedented security audits (something you can't achieve with XP, unless you want them to rewrite it)
6) Etc., etc.
1) Code layout randomisation, presumably you mean Address Space Layout Randomisation, this is a benefit, it should prevent any attack that expects to be able to overwrite specific code when a buffer overrun occurs, it is of some limited use (and has been around in other OS's for some time). Hopefully it will prevent the use of some of the nastier privilege escalation methods we have seen in the past.
2) In a corporate environment users haven't (or at least should not have) been logging in as administrators in the past on XP, if they currently do then it is likely that this is for some specific and probably ill thought out reason, or as a result of poorly written 3rd party software which may or may not be true under Vista. Remember that in a corporate environment the end user should never see a UAC prompt, at most they might see a "this action has been disabled by your system administrator" after all business machines have fairly well known purposes, the user's requirements should be available to the user, most other elements of the OS should be restricted. In short this re-implements what IT departments already do with XP. As for it not being possible to achieve, it is possible to achieve, and has been and is being achieved on a regular basis by corporate IT departments all over the globe, including those I have worked with. The biggest problem I have faced in this area is that management prefer to have their users have administrative access as it means they can make changes and install software / drivers ad hoc, independently of IT as and when it is deemed as necessary, not a good thing, but something that needs to be addressed. Nice to see that it has been addressed but frankly it is something that with a certain amount of work is attainable (and importantly that work has now been done by those using XP).
3) Kernel Patch protection is only present on x64 systems (AFAIK, correct me if I'm wrong though). However this technology would be a great leap forward in preventing a whole array of attacks, especially resident long term and close to non-detectable attacks, something that business is rightly worried about. However KPP has I believe been bypassed a number of times, moreover I believe that there are still at least 2 methods of dropping untrusted code into the kernel (I'm not sure if they are seen in any in the wild malware, but they are apparently usable to add additional fs support to Vista.) So potentially a good thing, once it is sorted out. Again hardly a compelling reason to switch to Vista.
4 and 5) I don't see either of these as beneficial, mainly because managed code and rewritten code mean very little in and of t
Erm, no,
if OS A has 10 vulnerabilities that are exploitable remotely and give root access to the exploited system whilst OS B has 50 vulnerabilities that are only exploitable from the machine and possibly only to the unprivileged account of the process that the exploit runs under then I'd sure as hell not pick OS A.
And the point is that n months after release for XP is October 2001 + n, for Vista is January 2007 + n, there have been advances in all sorts of areas since 2001, and guess what, some of these technologies have been incorporated into XP since release.
As a business customer I don't care how Vista now compares with XP at XP's release date, I care about how Vista compares to XP *now*, fully patched.
What's so hard to understand? For Vista, Security was touted as a big selling point, mainly because MS have historically been slow to address it and now people are concerned about it, however the improvement is only incremental over XP and it comes with many other issues, not least of which are cost and hardware requirements, but also interoperability and concerns over DRM, WGA, virtualisation, Upgrade paths and Licensing. So once again, The supposed benefits in terms of Security are not sufficient (clearly so based on business uptake) to get companies to upgrade because they do not provide sufficient benefit to overcome the negatives.
2) According to the statement above, they compared the vulnerabilities detected in corresponding periods after release.
3) The number of vulnerabilities does not equal number of actual exploits, although if you look at the criticality of the vulnerabilities and the time it takes to patch, you get some idea about the company selling the OS, not the OS itself.
4) You don't need to, and generally cannot compare figures to get a valid idea of security there are too many other factors involved.
Can you point to a single instance where a business using XP in a well managed environment would have seen significant issues related to security that a business running Vista would not? Or even a vulnerability in XP that has been in an un-patched state at some point since the release of Vista that is sufficiently significant to justify an upgrade (so one that didn't also affect Vista)? Remember that what we are talking about is a reason sufficiently compelling to business to make an upgrade worth while, a real world benefit.
Hmm, Really?
I agree that a fresh install of XP in its 25 October 2001 incarnation probably wouldn't stand up against Vista at its release date, but businesses are unlikely to be comparing un-patched Vista vs un-patched XP. Vista patched vs XP patched, in a corporate environment, where usually AV is installed and maintained, there is a nice firewall to protect internal clients, there may even be an IDS to spot anything that was missed and other MS technologies are being used to 'lock down' the computers to ensure security the difference between Vista and XP is going to be non existent, well except that there is poor driver support for Vista, it may require other infrastructure changes, it costs more in hardware terms, it may require user training and oh it appears to be encumbered by restrictive technologies that bring no benefit whatsoever to a business.
The use of respective comparable after-release periods doesn't seem all that sensible as threat assessments go, mainly because the situation changes rapidly and systems are patched for threats as they appear, it should be more sensible to compare platforms as they are at a given point in time (i.e. compare XP vs Vista vs Debian as from Today, and then comparing them all only when they are functionally similar, i.e. comparing a base Debian install (with nothing other than the base) with XP would be unfair). In fact if you compare vulnerabilities reported in the first 10 months of release for both vista and XP using data from SANS, it would appear that Vista has 15 (1 un-patched) and XP had 0 in the same comparative period the first noted being after the 10 month period (starting 26.10.2001).
So no, You don't have a major reason to upgrade.
The one thing about all the Sony Kit I have ever owned is that the screens are lovely, my Clie had a gorgeous screen for reading text, the phone is a SE with a fantastic screen (resolution and colour vibrancy) and the various Vaios I looked at and then didn't buy all had lovely displays too. How can an apparently evil company have such good sense when it comes to the part of the device most important to the user?
I have a PDA running Linux (recently replacing a different PDA). It has a 4" SVGA screen which means that everything is nice and crisp, including images and colours (although frankly as I use it mainly as a book reader the colour element isn't really all that important.) With wifi on and the back light most of the way up to full it lasts about 6 hours, with the backlight down to a sensible level and wifi off it lasts closer to 16 hours, and I can carry a couple of batteries easily enough (this is with a new HP battery, and they are not expensive). Now add to that 2Gb of storage on a CF card and a few 512Mb SD cards (I use them as removable media and the CF as semi-permanent storage) and I can carry a vast number of e-books, as well as some music and videos (a couple of transcoded DVD's for example).
Now this setup isn't what I would use if I was sat in the living room of an evening and decided to read a book, mainly because in my living room I have space and decent light and no one else to bother me, I can turn the stereo on and read for however many hours without any issue, and most importantly my books are all close by, but if I am travelling anywhere its what I take. I get through a decent size novel in probably eight hours, so a long flight, or a long train journey, plus any hotel time or waiting time would usually mean carrying a couple of paperbacks (or buying them on the go) and probably an mp3 player. Now I can carry everything in one pocket, with the added bonus of the PDA looking like a phone rather than a laptop, and thereby less likely to be too attractive to thieves or airport security.
Now what would make me really happy is the ability to buy a book and then somehow receive a reduced price ebook with it (say £! extra) in a format that I can reduce to either html or preferably plain text, but maybe that will be something that I will have to wait for. I should also add that some way of getting newspapers in an ebook friendly format would also be nice, I'd pay if they emailed me a copy each day, (it's not like the content isn't available online already).
Anyway, I guess my point is that I love a book, but the important part is being able to read when I want to, an ebook reading PDA does that for me (together with real books for when I am at home). Saying that I still wouldn't spend £200 on one (more likely to be £400 if the usual $=£ conversion for UK/US prices is observed) especially since it is a single use device, and by the looks of it it's uglier and larger than my new PDA, which is just about as big as I would care to carry anyway.
Pretty much no one gets to elect whoever they want, but they do seem to have a choice both in terms of political party, policy and ideology when they do vote, the point I suppose is that if you are comparing nations I don't think that Iran comes below Pakistan in terms of democratic choice, yet one is demonised and one is not (quite the opposite, the last few weeks being the exception). The major difference seems to be receptiveness to US/EU foreign policy.
Iran is in a really unstable part of the world with two of its neighbours massively destabilised and quite potentially hostile (Iran's relationship with Iraq has never been rosy) yet it seems to have one of the more democratic systems in the region (at least up until the invasions of Iraq and Afghanistan). I'm not suggesting that Iran is a beacon of light, but it definitely doesn't seem to be the source of all evil either. The few Iranians that I have met, mostly students, seem to be fairly political, and will quite happily discuss their various ideas, they have all been fairly nationalistic (in the same way the US seems to be, i.e. proud to be Iranian and anti-interference) one of them was a dyed in the wool Marxist. So like I said, since there appears to be an active political system, with some real choices and since there are regular and apparently free elections, I can't quite see why Iran is seen as a dictatorship (especially whilst Pakistan is seen as a democracy).
For Pyongyang and Riyadh I agree, but with regards Iran I'm not sure, there isn't a hell of a lot of evidence to suggest that their elections are anything other than "free and fair", I mean, granted they have recently not voted for whoever the US and to a lesser extent the EU have wanted in charge, but that is hardly surprising, they also seem to have a huge amount of rhetoric and propaganda to sit through in relation to political candidates but that isn't exactly very different to a western democracy either.
It is interesting that the 2000 elections were hailed by the 'west' (I hate that term but it seems to work) as a "Victory for people power" on the basis that they elected reformers, then the 2005 election when Ahmadinejad was finally elected was a fairly close run thing, it's funny, the amount of people that assume Ahmadinejad won with 99% or similar (à la most of the world's people's republics or other dictatorships) when the reality is much different. Also as I understand it Iran has many political parties, of all stripes (even some communists) and these generally form blocks, rather than having any one group dominate, as such I would assume it is much more of a balancing act to stay on in politics in Iran than in the US.
Anyway, I doubt that I would want to live in Iran, but I am beginning to think that there is an awful lot of unwarranted FUD being spread around that really isn't fair, lumping Iran in with N Korea for one is probably a little over the top. The problem with Iran is that it *is* a republic of sorts and it *is* a democracy of a certain kind, although it would seem that most official documents list it as a theocracy, I would say that any country where the government and various oversight groups (including the one that deals with the succession of the "supreme leader") are popularly elected is a democracy of sorts, and sure as hell can't be deemed a dictatorship. It just doesn't seem to fit into the US's world view that a country can be opposed to US foreign policy and have real support from its local population in doing so, even a country that has historically been very badly treated by both the US and the UK.
Oh and there may be factual errors in this, mainly as I haven't had time to check it, but AFAIK it should be close enough for the point to stand.