Slashdot Mirror


User: RobertM1968

RobertM1968's activity in the archive.

Stories: 0
Comments: 2,135

Comments · 2,135

  1. Re:Oh boy... on Microsoft's Security Development Process Under CC License · · Score: 1

    This will be my last post in the thread because *I* clearly don't know what you're talking about and refuse to realize that.

    Point is, they just fixed one that they think may bypass privileges.

    Citation please.

    Since Vista's release (again, remember I didn't mention ones being in existence at this moment) - Some recent, some not:
    http://www.scmagazineus.com/hot-or-not-local-privilege-escalation-vulnerabilities/article/34794/
    http://digg.com/news/technology/Vista_Exploit_Surfaces_on_Russian_Hacker_Site
    http://xforce.iss.net/xforce/xfdb/60679
    http://www.neowin.net/news/microsoft-warns-of-critical-unpatched-windows-shell-vulnerability
    - (Sophos, even though MS downplayed it, claims "that the flaw bypasses all Windows 7 security mechanisms, including UAC, and doesn't require administrative privilege to run. In a blog posting, Sophos researchers demonstrate the flaw on Windows 7, which becomes infected with a rootkit as a result." - wow, seems I mentioned something like this in an earlier post).

    http://mspatchwatch.com/microsoft/microsoft-windows-sfnlogonnotify-local-privilege-escalation-vulnerability-ms10-048/

    http://www.iss.net/security_center/reference/vuln/win-ms10kb2160329-update.htm
    - I wonder what "specially-crafted application" means... maybe a "specially-crafted" .NET "application"?

    I could go on for days.

    Explain why .NET ClickOnce and other .NET exploits still infect machines that are locked down (up until Aug 10th supposedly).

    Citation please.

    Or perhaps, the malware authors will simply choose one of the other numerous attack vectors created by .NET's security holes. As has happened for almost the last 10 years with .NET and ActiveX.

    They might. And maybe you could give a citation of a currently unpatched privilege escalation attack vector.

    I never said there was a current one. I said, we were promised that all such vulnerabilities were fixed with the patch this summer (the one in response to the hell they got for the .NET plugin surreptitiously being installed in Firefox). I said that such a claim was ridiculous, since they've never managed to fix ALL vulnerabilities in the past. I said such a claim was more ridiculous considering the slew of .NET patches SINCE THEN to fix vulnerabilities, that by their statement, shouldn't exist.

    So, if a rootkit drops a piece of malware (hmmm, maybe named svchost or smss?) into a "secure" folder

    If a standard user has write access to a "secure folder" it isn't very secure, is it? Oh, and the name of the file doesn't really matter.

    You don't understand the difference between a rootkit and a standard user? Really?

    You don't realize that PRE-BOOT things (just like "non-disk-boot" things) don't care about system privileges or such?

    As for the "non-disk-boot" things (trying to keep it simple for you), I refer to things like a Windows Bootable Environment such as BartPE or WinPE, which CAN read such files. I only bring it up because you seem to think that the operating system's protection of those folders is some magical thing, when in reality, things like BartPE, or a pre-boot process, can in fact access those folders. Heck, there are tools designed specifically for that purpose, that run on reboot and clear those folders of unwanted things before the OS enables its "security" of them.

    maybe in the System Volume Information folder?

    Administrator and/or SYSTEM rights are required to even read from that folder, let alone write to it.

    See above.

    does it matter that the account of the next per

  2. Re:Oh boy... on Microsoft's Security Development Process Under CC License · · Score: 1

    Nice try... I never said an escalation exploit is needed or not needed. My premise was IF it was needed, it could still happen.

    Point is, they just fixed one that they think may bypass privileges. Point was, it wasn't the first time. Point is, they have claimed more than once to fix this - and then another piece of malware proves them wrong, and a new patch is released and they claim "ooh, really, we fixed it this time" and another piece of malware comes out.

    Explain why .NET ClickOnce and other .NET exploits still infect machines that are locked down (up until Aug 10th supposedly). And then tell me you think that this time, the issue is really fixed.

    Or perhaps, the malware authors will simply choose one of the other numerous attack vectors created by .NET's security holes. As has happened for almost the last 10 years with .NET and ActiveX.

    So, if a rootkit drops a piece of malware (hmmm, maybe named svchost or smss?) into a "secure" folder (hmmm... maybe in the System Volume Information folder?) and registers it as a service under the System account, does it matter that the account of the next person who logs in is a limited user account? Somehow I don't think so. BTW, without going into technical details, this exploit and piece of malware I describe is real, and very recent. Infection vector? .NET. Mitigated? Supposedly in a recent security update. Similar to others in the past? Yes. Similar to some recent ones that are making headway? Sadly.

    Which one? Look it up. It's a beast to remove for those who don't know what they are doing. For instance, killing the fake svchost or smss services will cause Windows to reboot because it thinks they are vital system services. Removing them does nothing (they will reappear at next boot - or sooner if other pieces of the malware are still present).

  3. Re:Oh boy... on Microsoft's Security Development Process Under CC License · · Score: 1

    That's odd. I thought there were hundreds of fixes (and near a dozen large patches) for the .NET framework due to a plethora of vulnerabilities. Well, I know that's the case. The list is daunting. I thought that the most recent one was just this month (3 fixes for exploit vectors).

    And I thought that Java implementations could not escalate privileges on a fully secured machine that a user was not using as an admin without explicit permission(s) being given. And I know that various .NET "technologies" allow bypassing that stuff, such as ClickOnce (or "DontEvenNeedToClick,JustVisit_aBadSite" as it should really be named).

  4. Re:Oh boy... on Microsoft's Security Development Process Under CC License · · Score: 1, Redundant

    No, it does not. A standard user infection that utilizes privilege escalation (exploits), then becomes the same as one installed when an admin was logged in. There have been numerous.

    Here's an example of one escalation - and NOT a big (or prominent) one, that was only partially fixed.

    http://en.wikipedia.org/wiki/Shatter_attack

    There are bigger and worse ones. Now perhaps my statements make more sense.

  5. Re:Oh boy... on Microsoft's Security Development Process Under CC License · · Score: 1, Interesting

    Wow, not just did you ignore most of the text in the advisory, but you don't know anything about how malware works either, do you? Gee, adding things to the startup folder/registry means it might take what... two boots? to fully infect a machine with a piece of malware that has then gained full privileges? I've watched (on both Windows 7 and Vista) malware initiate itself using svchost and smss to, with admin privileges, install themselves with the same privileges. All it took, on a locked down machine, was a couple reboots. So yeah, kernel mode drivers and full access may be worse, but in the end, it doesn't matter. The end results are the same.

  6. Re:Oh boy, you really don't know much about .NET on Microsoft's Security Development Process Under CC License · · Score: 1

    and nor about SteadyState.

    .NET is actually a security success-story. Compared to similar (i.e. Java), .NET has experienced almost an order of magnitude fewer vulnerabilities, especially if you consider the severity of the vulns.

    .NET (using 2.0): http://secunia.com/advisories/product/6456/

    Java (JRE 1.5 which is contemporary): http://secunia.com/advisories/product/4228/

    ------

    SteadyState makes a virtual harddisk. In essence it is itself a "rootkit" in that it uses copy-on-write and reads/writes the changed block from/to a log file. When rebooting it simply deletes the logfile and the disk is back to the original state. I would like to see the rootkit which can survive that...

    Wouldn't the answer to that last statement be ANY real rootkit? Just curious. Isn't infecting the MBR the way that rootkits bypass such protections? Wouldn't some rootkits then also be able to hose SteadyState's ability to revert the file system back to previous state? Aren't the file system and MBR two different things, even though they work in conjunction?

    Just curious, hence the questions instead of statements.

    Also, it's a bit disingenuous to simply pick one version of .NET, as systems come with all of them installed and in use from at least 1.1 upwards. Also, it's a bit irrelevant to look at the advisories for .NET as opposed to the numerous hotfixes (hundreds) and multiple large patches (near a dozen) to fix known, in the wild, exploits. Then one should probably factor in the length of time it took for these fixes to come out... and then consider (in the context of this conversation, thus regarding privilege escalation) which, on a properly locked down system can escalate (with NO user interaction and NO user prompts) its privileges to infect a locked down, limited rights system - I think the answer to that one is .NET - what do you think?

  7. Re:That Microsoft Icon On Slashdot on Microsoft's Security Development Process Under CC License · · Score: 1

    A MUCH more appropriate icon would be Ballmer in a jester hat with an "I heart Apple!" T-Shirt, since he seems bound and determined to try to be Steve Jobs. And THAT would fit with the current situation at MSFT much more than the old Gates Borg, since without Gates it is like the Borg being led by Reno 911.

    Well, you've got my vote for that!!!! :-)

  8. Re:Oh boy... on Microsoft's Security Development Process Under CC License · · Score: 1, Informative

    ...unless a serious rootkit gets installed with whatever piece of malware infected your machine while you were using it

    A user without administrative access cannot install a rootkit.

    Incorrect (at least as I was discussing). The *user* doesn't have to install it, the escalated malware (via .NET or other methods) does. There are a bunch of escalation exploits available via .NET and especially its ClickOnce crapnology. But they've been fixed!!! For almost TEN years, that promise has been made repeatedly. The June announcement went way too far in claiming that all such issues were permanently and properly fixed - as opposed to the more truthful statement that they should have used indicating that a patch for the specific exploit was released (and leaving it at that).

    Sadly, .NET is still broken. The exploits still affect all versions of the OS. The exploits still don't need the user to have admin rights. The exploits still bypass security measures on a locked down machine.

    It sounds like you're talking about a local privilege escalation exploit, and those are usually patched pretty quickly.

    No... those are sometimes patched quickly, sometimes not (like the .NET exploit noted in June that took months to improperly patch).

    If you are referring to the hotfixes they release that hope to mitigate the circumstance until a real (though usually not fully fixed - at least in the case of .NET) patch is released, well, I don't count those, since, as I noted, they generally don't really fix the hole.

    Do you have any examples or sources to back up that claim?

    Yeah, as I indicated, it's called "Windows Updates" - check it out sometime! You can go right into your (XP) "Add/Remove Programs" or (Vista upwards) "Programs and Features" and enable viewing of all updates, and check the last few weeks - then check the associated Microsoft pages which will tell you exactly what I posted in Microsoft's own words.

    Use Google if you really want to learn more. In the meantime, with your lack of knowledge, and lack of interest/willingness to do the very simple check on a Windows machine that's up to date to verify my claims, don't assume/claim they are wrong.

    But to give you a head start, here's ONE of the various CRITICAL updates (this one from this month):
    We Never Really Fixed the .NET issue

    This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in convincing a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing the page, as could be the case in a Web hosting scenario.

    This security update is rated Critical for all affected releases of Microsoft .NET Framework for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2; Microsoft Silverlight 2; and Microsoft Silverlight 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

    Even users with "fe

  9. Re:Oh boy... on Microsoft's Security Development Process Under CC License · · Score: 1

    As I wrote it, xAMP was to stand for "(anything)AMP" (where x is any operating system, such as Linux, AIX, OS/2, eComStation, and (ugh) Windows and so on).

    Coulda just written AMP I guess, but figured people would understand xAMP with less brain effort than they would simply AMP - and it was easier than writing "LAMP/WAMP/OAMP (or WAMP or AMP2)", etc.

  10. Who Cares? Anyone read what the MS SDL is? on Microsoft's Security Development Process Under CC License · · Score: 1

    I know that RTA is not commonplace, so I guess I don't expect many to go even further and go to the MS SDL page, and then go even further to the "What is the Microsoft Security Development Lifecycle (SDL)?" page, but I was bored, so I did.

    What is the Microsoft Security Development Lifecycle (SDL)?

    The Microsoft SDL is a security assurance process that is focused on software development. It is a collection of mandatory security activities, grouped by the phases of the traditional software development life cycle (SDLC). Many of these security activities would provide some degree of security benefit if implemented on a standalone basis.

    Ooooh, wow!!!! Microsoft is open sourcing a list of methods that developers should follow to ensure security of their applications!!!! Wow!!!

    In other words, (at least from their "What is") this isn't about code. This isn't about APIs. This is about methodology to write secure software.

    Think about this... isn't this:
    (1) The type of stuff programmers should be taught in college, or self learn from reputable places?
    (2) Something Microsoft's track record proves they have limited or no knowledge about?
    (3) Something somewhat irrelevant to the Linux and Open Source world?
    (4) Something that is more likely simply a publicity stunt? (look how many people think this has to do with actual APIs and such)

    So, whoop-de-do!!!! One could already learn this stuff from better sources, implement it in better ways, and gain more knowledge from other companies who are quicker with security updates and better at designing programs with security in mind.

    Perhaps developers that use Microsoft's development tools, and Microsoft's frameworks MAY gain some advantage from this, but even that advantage is limited by what security holes there are in those frameworks (.NET and so on) and Windows as a whole.

  11. Re:That Microsoft Icon On Slashdot on Microsoft's Security Development Process Under CC License · · Score: 1

    Isn't it long past time it be updated and possibly the correct one be used?

    Bill Gates hasn't worked at Microsoft in years, and really has almost no involvement with the company any longer.

    It would be like using the Edsel to represent Ford, or still using the New Coke logo.

    It no longer serves its purpose, and says more about slashdot than Microsoft these days.

    I disagree. The Edsel is dead and gone. The legacy Gates has left us is definitely very alive and prevalent. There is the big difference. Unless .NET and ActiveX are entirely killed and Windows is honestly rewritten from the ground up, and the damage that Microsoft has done to competitors is reversed, then Gates' legacy - especially as related to things like this topic, is alive, well and still in control of most of the PC related marketplace. Credit where credit is due thus indicates it should be his logo used.

    lseltzer wrote this little bit of nonsense:

    Mod this coward up. AFAIK there are no other icons on /. that are designed to denigrate the subject.

    lseltzer, you do realize it's hardly denigration if it's true, don't you? The whole EEE principle. That's not myth. It's fact. It's proven fact. It's been proven in numerous courts of law. It's been proven via internal memos and emails from Gates and others. The image clearly indicates the concept of Embrace, Extend, Extinguish.

    Perhaps when Microsoft actually (and truly) changes their tune and drops such behavior, then it's time to change the image - but in the meantime, these are principles that Microsoft, due to Gates' direction, have embraced (no pun intended) since their earliest days. Thus, his legacy, his actions, their continuing actions based off the direction he set. Very appropriate image, if you ask me. Let me know if they change direction, and I'll gladly change my mind about whether the image is appropriate.

  12. Re:Oh boy... on Microsoft's Security Development Process Under CC License · · Score: -1, Troll

    I think it's simpler than that.

    Windows can be very heavily locked down so end-users can literally do nothing more than that which is explicitly made available to them. Heck, with something like SteadyState, it can even roll back any changes with a simple reboot...

    ...unless a serious rootkit gets installed with whatever piece of malware infected your machine while you were using it, locked down or otherwise, due to exploiting the numerous .NET security holes that are still not patched. In which case, your machine will possibly be still as nicely infected after your reboot.

    Sadly, .NET is still broken. The exploits still affect all versions of the OS. The exploits still don't need the user to have admin rights. The exploits still bypass security measures on a locked down machine.

    Sadly, though I may get modded troll for this, it is true. The last time (covered in June's article on .NET and Microsoft's snuck in Firefox plugin) that Microsoft promised this exploit was fixed, I boldly claimed that, just like the 6 other MAJOR attempts, and hundreds of minor attempts to fix it, Microsoft was making an incorrect statement (their marketing team was either brain dead or lying, in claiming that the vulnerabilities were fully patched forever). Sadly, there are people who still believe those statements. Sadly, there are those of us who actually check what the Windows updates are that are being installed, and have noticed numerous attempts to re-fix the same vulnerability that Microsoft previously promised was fixed. As a matter of fact, the most recent attempt was in the last two weeks, via multiple patches.

    And sadly, of the infected machines that come into our shop, far more than half of them have a rootkit component that comes with the malware, and the vast majority of them get installed via the .NET exploits.

    THUS, not being very familiar with the current state of SteadyState, how does it handle removing rootkits on a reboot to a previous state? If it can actually do that, (not if it CLAIMS it can do that, but if it REALLY can do that), then I will have to renew my interest in it.

  13. Re:Oh boy... on Microsoft's Security Development Process Under CC License · · Score: 2, Informative

    ...I think their problems are on multiple fronts:

    Overly complex code
    Lax permission requirements,
    Too many admins (still default on workstation installs)
    Poorly written apps that in turn requires them to bend the rules or to provide workarounds.

    You forgot a few very very important ones:

    - Way too much legacy code that was not written with network security in mind

    - Way too many technologies, that by their design and the functions they provide, can never be made secure (ActiveX, .NET Click Once and more)

    - NO interest in removing "core components" that compromise the security of Windows systems (.NET and ActiveX) as (1) too many of their clients use it and (2) (the really important one) those technologies are Microsoft's bread and butter in the server marketplace and the only thing that differentiates them from other implementations. With the ease of use of .NET and ActiveX, it allows a larger IT entry point and provides a support model that xAMP does not have (and while that does not make the choice better, we all know there are numerous "admins" and "developers" who do not deserve their titles - but the Microsoft products and "technologies" give them an entry point into those fields that other technologies (PHP for instance) do not - all with Microsoft's support behind them).

    I had great hopes for their VirtualPC bit and was hoping they would take a more Apple-centric approach, allowing them to just start with a fresh slate while virtualizing old OS compatibility. It appears that was a wasted hope however...

    C'mon, you really didn't, did you? I don't know anyone in the IT or support industry who thought that or even had any real hopes for that to happen. The day they bought Connectix, we in the OS/2 world knew that the OS/2 version would be killed, followed by the MacOSX version (I even made such posts on the OS/2 World Forum when the announcement of the acquisition was made public), followed by any version Microsoft deemed as detrimental to their server and high end client OS sales. Of course, their promises of the exact opposite behavior notwithstanding, that is exactly what happened. Maybe because we're part of the OS/2 Community and have seen it happen to a far greater extent, it made it easier to see the writing on the wall. So, I can't blame anyone for that. I suspect that MacOSX users may have seen that writing as well, especially after the broken promises on fully feature compatible versions of Office, updated versions of IE and so on.

    Fact is, as some of us speculated, due to issues they've had and never fully resolved with backwards compatibility, we were quite sure that Microsoft's biggest intent was to grab the Connectix stuff to use it as a compatibility layer, while at the same time, preventing people from using other operating systems as the host OS. And thus, the current (Vista onwards) WoW implementation was born. This too was finally admitted to by Microsoft when they touted the better backwards compatibility Vista would provide due to their acquisition.

    I'm not saying that's a bad thing... I'm saying I don't know any IT Professional who thought of any of those situations differently or didn't understand the reasoning behind it, or what the outcome would be. I suspect that you too saw where things would go. I guess the only difference is you decided to hope, while my colleagues and I knew it wasn't worth hoping.

  14. Re:If they exist they can be used on Full-Body Scanners Deployed In Street-Roving Vans · · Score: 1

    The only question is: How do these scanners work, and How can we make them unable to see into our vehicles and other private places ?

    Is there a material we can apply to the walls in our house and the windows + frames of our vehicles to negate the utility of these scanners against our possessions?

    Yes, I think they call it lead. Sadly, I hear it's pretty toxic, pretty high mass and thus pretty heavy. :-)

  15. Re:Ok, honestly? on Full-Body Scanners Deployed In Street-Roving Vans · · Score: 1

    Say I was one of these terrorists everybody is so worried about.

    All you need is a Van (or a car, van is better), a Fertilizer bomb (easy to manufacture) you could add bags of nails around the bomb to increase fragmentation and a nice, public place with a lot of people.

    ...

    If one wanted to kill people there is nothing stopping him/her.

    Ah, so what you are saying is this technology won't do anything to stop scenarios like yours? Then why do you seem to be arguing for its need?

  16. Re:Why should I worry? on GPS Tracking Without a Warrant Declared Legal · · Score: 2, Informative

    How far till we are 'chipped' at birth?

    It is somewhat unnerving when evil things mentioned in books and old TV shows become reality.

    Get with the times! First it was pets, then it was humans. For now, it's not mandatory, but rich parents can indeed chip their kids "at birth" (sometime afterwards, but close enough) - or each other, or themselves or whatever. There was a company trying to pass a law making it legal for companies to be able to require their employees to be chipped (RFID supposedly, but nearly as bad).

    Search Google for human GPS chip if you don't believe me.

    Here's a few to get you started:

    (2003) GPS Implant Makes Debut
    Chip Implants Already Here

    There was an article on /. a while back, and there are links you will find in your Google search to larger publications.

  17. Star Trek on Touchless Gesture User Interfaces · · Score: 1

    Wow, just like Star Trek TOS!!!

    Oh, I know... most of you (except hard core Trekkies, or someone like me who helps make the stuff) miss the reference. Watch "Where No Man Has Gone Before" and you will see them using gesture based computing. Sadly, the concept didn't make it beyond the second pilot (probably because it was too ahead of its time and would not be a recognizable input method, unlike the even greater quantity of buttons used in the 2nd episode onwards to replace gesture computing).

    Yet another piece of Trek technology making it into today's world. :-)

  18. Re:who cares on Scott Adams On the Difficulty of Building a 'Green' Home · · Score: 1

    So am I. I'm hoping that the efforts in distributed DC power being used in some server farms will be the trials and stepping stones needed for such - that or the existing efforts being used for various low voltage halogen lighting and low voltage outdoor lighting. One can hope....

  19. Re:who cares on Scott Adams On the Difficulty of Building a 'Green' Home · · Score: 1

    Thanks for the ego trip. The guy obviously talked to a lot of people, some of them surely more knowledgeable than you are. The problem, as he mentions, is that people don't agree on what is a good idea. You seem to be giving questionable advice just like he was given. Don't use the wattage of refrigerator to determine the energy use. That's the power consumed when it's on. The 200W fridges are unlikely to be energy efficient because they have to run constantly to keep up (if they do keep up). Insulation matters too. Look at rated kWh per year. The rates are published.

    Let's point out again just how unknowledgeable you are and how unwarranted your +1 mod is.

    Fridges using dielectric units for part of their cooling (or temperature maintenance) use smaller compressors for the "hard cooling" - savings in money.

    A fridge using 200W needs to be running 6 times as long as one using 1200W to use the same power. At an average of 6 hours a day, that means running nonstop all day - PLUS an impossible extra TWELVE hours a day, making a day 36 hours - at 200W. Even if one's fridge runs 4 hours compared to a 200W fridge running 24, you aren't factoring in a lot of other things. Surely you see the absurdity of that. If not, let me help you out. Much of the run time will be during peak hours. Of the 6 hours the standard fridge is running, 4 may be billed at peak rates. Do the math. Even at 24 hours a day, the 200W fridge is *cheaper* to run unless there is very little difference in power cost during peak and non-peak times.

    Now, take that same 200W fridge in your new (as discussed in the article) installation, and vent off the heat elsewhere. Net heat gain, used however you want. Decrease in cooling needed, as the area the fridge is recessed into is no longer over 100 degrees.

    Put all of those together, and a variety of other techniques used, and voilà! The end result is... well... you're wrong! I'd go into more detail, but I don't see the reason. Obviously, one looks at the kWh/yr rating. I have. You on the other hand simply speculated, based on your presumption that you had to be right even without first hand experience or knowledge. But others have already pointed out better fridges sold elsewhere with lower ratings (kWh/Yr) than the inefficient ones sold in most stores here.

  20. Re:What a coincidence on RIAA President Says Copyright Law "Isn't Working" · · Score: 1

    The DMCA (section 512f I *think*) covers that, and other sections of it and other copyright law. I am hoping Google pursues such avenues and counter-sues Viacom and puts them in its place. The penalties for such are pretty severe (well, maybe not for a Viacom or Sony, but large in respect to what we'd think is a large fine or monetary damages award).

  21. Re:who cares on Scott Adams On the Difficulty of Building a 'Green' Home · · Score: 1

    Bingo! A similar "Energy Star" GE in this country uses 60kWh more per year.

  22. Re:who cares on Scott Adams On the Difficulty of Building a 'Green' Home · · Score: 1

    Thanks for the ego trip.

    Sorry I gave you an ego trip. I surely don't have one.

    The guy obviously talked to a lot of people, some of them surely more knowledgeable than you are.

    Or apparently not. As I said, I've done this stuff... the people (err... and magazines) he talked to apparently don't have much experience.

    The problem, as he mentions, is that people don't agree on what is a good idea.

    They sure do in my part of the country. Thicker walls (very easy in a new installation) at least twice the thickness of standard ones, and, oh, I dunno... talking to the electric company to find out what the proper grid tie-in system should be, properly installing the solar assembly, ensuring it meets the rebate requirements... really, should I go on?

    You seem to be giving questionable advice just like he was given.

    Don't use the wattage of refrigerator to determine the energy use. That's the power consumed when it's on. The 200W fridges are unlikely to be energy efficient because they have to run constantly to keep up (if they do keep up).

    Ah... I love the use of the word "unlikely" - which simply means you are speculating on something you (unlike me) have no knowledge of.

    Insulation matters too. Look at rated kWh per year. The rates are published.

    Of course it does. We've done existing installations where we've doubled wall thickness (wow, a whopping 7" less room space), we've re-insulated existing installations in walls almost two feet thick (older ballon-construction style homes) with proper blown in insulation (eco friendly and otherwise) and it's made a massive difference.

    Now, mistakes we have made... LEDs come to mind. LEDs in and of themselves are great, BUT, they are a new technology. They do NOT play well with electronic dimmers. We bought 30 of them. The ones on any variety of electronic dimmer had a decreased output in a few months (down to about 50% and still dropping, albeit slower). The ones on switches, on the other hand, are just as bright now (over a year later) as the day they were installed.

    But here's the thing... I don't blame that on anyone else. Getting and using them in such ways was rather a new thing when we first bought them over a year ago (or even when we first installed them a year ago). We should have waited perhaps. Now, we don't have that problem as we don't use them on new electronic dimmers. But the rest... insulation, truly energy efficient appliances, solar, grid-tie in systems, heating, cooling, zone control valves for heating and cooling, and so on... those are NOT new. Neither is blown in insulation (eco friendly or otherwise), neither are thicker walls - especially in NEW construction like his. Neither are pretty eco-friendly houses.

    He's picked areas to complain about that anyone with a brain and construction experience knows how to do properly, eco friendly or otherwise.

    THAT is my complaint.

  23. Re:who cares on Scott Adams On the Difficulty of Building a 'Green' Home · · Score: 5, Informative

    Yes, a guy who actually has DONE it is probably far less informed than random people on the internet quoting numbers.

    PS. Ever own a house? Sure, my double-pane windows rock ... the casings, on the other hand, leak like a sieve.

    Actually, he was less informed. Take that from someone who has done all sorts of construction. The fact that he has missteps and made bad choices does not mean it's not doable, nor does it mean it's not economically feasible. As some for instances, there are various utility companies who will not pay money for power generated. You still get a bill for what you use though. Oh, wait, that's not legal. Yep! Ask BGE why, they tell you that though it is the law that they have to buy power from you, that there is no law yet that tells them how they are supposed to do it. Until then, they aren't paying anyone (at least not as of the last time I checked - by now, enough people may have made a stink to force them to follow the law). Our friend just had an installation done that cost him $6000 after rebates (because it was done right), and we've started on ours. Much of the time, he's selling back to the electric company (which our current one, fortunately, does properly buy power back and credit you for it).

    Take the insulation... there are tons of new insulation, lab tested, R value and all, all eco-friendly - oops, guess he simply made a bad choice there too. Take the solar. Oddly, most people who install them get enough rebates that the system can be paid for in 5 years... not 15. Of course, if one does it wrong, there are a lot less rebates (or none). The system has to be able to generate a certain amount of electricity during each season - if not (because you stuck it under trees, in the shade, or facing the wrong direction), then you aren't eligible for a lot of (or any) rebates. Take his other suggestions (stone walls... btw, they work great on the outside too... no reason to have a living room with a stone wall), thick slab foundation, and so on... duh! Sounds like he forgot those and realized them as an "ooops, here's what you should consider which would have made things better for us had we considered it"

    Should I go on? Also, green homes do not need to be ugly. Wanna know how you can cut costs? Get good appliances. And no, I don't mean the top of the line "crap" sold at your local appliance store (Sears, Home Depot, Lowes, wherever). They make full size refrigerators that use 200W - NOT 1200W. Similar (electricity) savings can be found on other appliances as well. Ensure you have entirely LED or CFL lighting. Once you are done, during spring and summer, how much electricity is it to run a house? Let's see... 200-300W for the fridge, 20 lights at 3W is another 60W, plus the incidentals. During summer, use cooling from a heat/cooling pump (pumps coolant into a ground chamber, comes out at 55 degrees or so... in other words, ideal to drop the house temperature to something nice - or to something cool with AC using a LOT less electricity). In the winter, the same can be done to "warm" the water before it's used to heat the house. Things like floor heating, when not needed, can simply be a flow valve away from being removed from the loop - and since the lines are filled with "antifreeze" (a chemical like it), no worries about it freezing and busting a pipe (c'mon, this flow valve idea is common sense - people use stuff like that all the time for lawn sprinklers that have multi-zones, for ponds and fish pools and more). As for the lawn, one can use runoff, if one builds a cistern or some other containment. People are already doing that, and collecting enough in most areas like his, to water a full lawn, and have water extra for toilets, and an overflow for when it gets too full.

    Well, I could keep going on and on. Honestly, he made mistakes (BIG ones), read the wrong magazines/websites, and is complaining (whining?) about it now.

  24. Re:Its possible on Belgian ISP Claims One Customer Downloads 2.7TB · · Score: 1

    You'll only need 8 Mb/sec to get that 2.7 TB over a 30 day period. If I fully utilized my (Danish connection) I could get more than double of that. Koreans and Japanese would get 20 times. I suspect both UL and DL are included.

    We regularly hit that, and though the "download" traffic isn't actually initiated on our end (it's actually uploads to our server), I am sure it's still measured the same way. The post production work for Star Trek Phase 2 eats a LOT of bandwidth in both directions. The website on the other hand is only 1/4 to 1/2 a terabyte (outgoing - and of course roughly 1/10th incoming).

    Fortunately, we've got a business account, and no traffic throttles or such. Dreading the day when/if more US ISPs decide to start metering again.

  25. Re:A fool and his money... on Calling Shenanigans On Super SATA's Claimed Audio Qualities · · Score: 1

    It's very common to sell the same product both branded and unbranded. Not everyone can afford the branded product, and selling it cheap and unbranded to those customers is better than not selling it at all.

    Yes, I am aware of that, but as this thread was discussing, it does prove that the cables are not worth the exorbitant amount they were being sold for. The branding of the exact same cable does not increase its performance.