Slashdot Mirror


User: cbhacking

cbhacking's activity in the archive.

Stories
0
Comments
4,314
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 4,314

  1. Re:Always. on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 1

    Thank you for pointing this out so clearly. It's sad to see sites that claim that since they actually send the credentials securely, they don't need to encrypt the whole login page. They totally don't get that if I have enough access to read their packets on the way to the server (which is what encrypting the credentials is supposed to prevent), I probably have enough access to inject or modify the login page (which, without encryption, is unpreventable and difficult to detect).

  2. Re:hipotesis on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 1

    A very nice explanation.

    I'd like to point out that the above attack is NOT purely hypothetical; my university's computer science security class included a project to implement a man-in-the-middle attack using a self-signed certificate that was indistinguishable from the valid cert - we retrieved the valid cert, and copied all the relevant details off it - except that it wasn't signed by a CA, and the public key it presented corresponded to our attack server's private key. We read everything that went over it in clear text, the real server never knew they were being spoofed because we re-encrypted the data using the server's cert, and the client got only a single pop-up warning (Firefox 3 complains much more bitterly than Firefox 2, which is what we used at the time).

    Now, our attack server was a proxy - the client had to configure their browser to use it. However, it would have been trivial to set this up as an apparent open-access router. Use either Linksys or, for example, a cafe's SSID, a wireless card that can be configured to act like an access point (most can, with the right driver), and another network card to connect your MITM attack box to the Net. Configure your computer to act as a router between the two connections, pipe all SSL traffic coming over the access point lookalike through the attack program, and kick back while you read (and log) everybody's encrypted traffic. It's really not hard.

    In other words, for all the problems with getting a CA-signed cert, from a user's perspective anything that doesn't have a trusted signature chain is just that - untrusted.

  3. Re:To wait or not to wait on OS X Snow Leopard Details · · Score: 1

    By default, the firewall allows all outgoing connections. It's possible to restrict them, however. It may need the higher editions - I'm not sure; I do my firewall configuration through the Management Console rather than the Control Panel, but I'm not sure that particular snapin is available in the lower editions.

  4. Irfanview as well on Wine 1.0 — Uncorked After 15 Years · · Score: 2, Informative
    Irfanview (http://irfanview.com) also advertises that it works under Wine. From the FAQ:

    Q: Can I use IrfanView on Linux?
    A: Yes. There is no native-Linux version of IrfanView. However, you can use IrfanView in conjunction with Linux programs like WINE, Windows Linux emulators and Linux-based virtual machines.

    It would be great to see more of this kind of thing.

    No, I'm not affiliated with Irfanview in any way other than being a long-time user.
  5. Re:API can be used in any language... on Microsoft Releases First Open XML SDK · · Score: 0

    Erm... leaving aside the trollish "barely" (have you done any .NET development? It works, and works well), calling .NET "platform dependent" is a bit excessive. Mono is quite mature yet still improving rapidly; I don't know if this API requires features Mono doesn't support yet but I guarantee they'll be supported soon. Aside from that, Wine now supports .NET (you can install .NET 2.0 from Microsoft - I think .NET 1.1 may even be included in the Wine installation).

  6. Re:To wait or not to wait on OS X Snow Leopard Details · · Score: 1
    Slightly OT, but it needs to be said.

    Say what you will about the problems you've had (not the ones you've heard of, please; there's enough FUD already), but suggesting that Vista was light on new features is absurd. A quick and very partial rundown:
    • New driver display model that moved most of it out to user-mode
    • Address space layout randomization
    • Full disc encryption via BitLocker
    • Transactional operations in NTFS
    • Volume shadow copies
    • Highly configurable bi-directional firewall
    • Built-in IPv6 and WiFi network stack
    • Program-by-program volume adjustment
    • Extensive power configuration tools
    • System-wide voice command capability
    • Repartitioning tool that supports growing and shrinking partitions even while mounted
    • The ability to easily run any command with elevated permissions (if you ran XP as a limited user, you know what I'm talking about. If you didn't, why the fsck don't you run Linux as root?)
    • Instant search
    • Integrated anti-spyware scanner
    • Windows Calendar


    Not to mention vast improvements to everything from Task Manager to Calculator (far more precise now, though the interface is unchanged). NT4 to XP probably introduced fewer serious features - low-level stuff (the real OS components), or user-space features (almost none of which I mentioned above) - than XP to Vista.
  7. Re:Vista solution? on Sneaky Blackmailing Virus That Encrypts Data · · Score: 2, Informative

    I was waiting for somebody to mention this. Shadow copies, also known as Previous Versions, is a great way to undo this kind of thing (at least long enough to take a backup before reformatting, unless you're 100% sure you can purge all the malware). It's worth mentioning that they are also on Windows Server 2003/2008.

    So, the answer is yes, but only for a limited time. The number of shadow copies that can be kept is determined by the "free" space on the drive. On the other hand, there's usually at least several revisions there, so if the folder isn't changed often you can probably find the old version. If the folder IS changed frequently, you'd probably notice right away.

    I say folder because if a file's name is changed (or a file is deleted), you need to recover it by going to the folder's shadow copy and restoring from there (you can restore the whole folder, but can also extract individual files). You can also rename the file and check for shadow copies under its original name.

    Finally, don't forget that the shadow copies can be deleted. It takes more than normal permissions - I don't think even normal Administrators can delete them directly, though if you have Administrator it's easy enough to get System - which means you would need to have approved a UAC prompt somewhere - but that's true of most software installation. That said, the actual attack (encrypting personal files) requires no special permissions at all - it would work even on a properly locked-down Linux or OS X box. IE under Protected Mode wouldn't have sufficient permissions, however.

  8. Re:Why is this modded flamebait? on Windows 7 Multitouch Demonstration · · Score: 1

    Having actually used a Microsoft Surface computer (used in the sense of played with, not did anything serious on), which has very nearly identical software (it uses an on-screen keyboard that this obviously doesn't need, but some of the programs - particularly the rippling pond - were lifted right from Surface), I don' see any reason the software couldn't be included. Surfaces are already being manufactured, and they use "a modified version of Windows Vista" so I don't see any particular reason those modifications couldn't be integrated into the mainstream Windows 7 distribution.

  9. Re:Hmmm on Windows 7 Won't Have Compact "MinWin" Kernel · · Score: 1

    MinWin was never a "promised feature" to begin with. It was based on the same codebase as windows 7 but was purely an internal product, not intended for production use. At least, not in the current/next generation - possibly future products, but even that is hardly something I'd call a promise.

  10. Re:..and will lose the rumored MinWin kernel. on Windows 7 Won't Have Compact "MinWin" Kernel · · Score: 1

    Classic, as it was called (I say was because it doesn't work on Intel Macs and is therefore essentially dead, I don't know whether it's still present in PPC Leopard) was nowhere near perfect - it was more backward compatible than, say, the XBox360... but far less so than Vista (I've had precisely one issue with backward compatibility in Vista and I've been using it for over two years including pre-releases) but apparently even that much incompatibility is unacceptable.

    Mind, I find the idea appealing. I've actually thought for some time now that they should switch to a managed code (.NET, in other words) runtime for next-to-everything and use either a compatibility layer a la Wine (or Classic) for legacy applications, or get full hardware acceleration working in VirtualPC or similar and include that (along with a Windows Legacy virtualized operating system based of the 6xxx kernel used in Vista and Server 2008) for running older programs. Yes, gamers and probably some other people would complain bitterly, but t could simultaneously solve a lot of security issues, clean up the API, and reduce backward-compatibility baggage in the main runtime environment.

  11. Re:hmmmmm Vista... powershell ... winfs..... etc on Windows 7 Won't Have Compact "MinWin" Kernel · · Score: 1
    I'll bite:

    And seeing how difficult it is to get software to run on Vista, it won't be long before Linux is more software-compatible as well.
    Just wondering: what have you tried to run on Vista that wouldn't? Seriously, name a program that doesn't fsck with the kernel in some horrible and undocumented way (antivirus, I'm looking at you) which won't even run in compatibility mode (which has been necessary for some software I use regularly since Windows 2000; I'm used to it and Vista will actually offer to set compatibility mode for you) and I'll be a bit surprised. Name one that isn't obsolete with a newer version that is better anyhow, and I'll actually be surprised. From ancient DOS programs to open-source stuff to games old or new, I've had no issues I couldn't work around easily enough (compatibility mode, or run as administrator/change a few file permissions), and most of those were fixed long ago to work out of the box.

    Linux has easily passed Windows in hardware compatibility.
    Erm... WTF? Tell that to my old Compaq's Broadcom WiFi that neither ndiswrapper nor the native driver can use. Let me know when I can both have hardware-accelerated graphics with nVidia and reliable suspend/hibernate and resume. I'm sure there's a way to make my touchpad work with a quarter the features it has on Windows (adjustable horizontal and vertical scroll regions, tap zones, variable sensitivity to motion and to tapping, etc.) and even add support for all the buttons on my external mouse, but I've yet to find it. The analog TV tuner isn't recognized AT ALL. I've never gotten an internal modem to work. An older MP3 player I had could be read but not written to by Linux.

    This is all on two computers, a 36-month-old Compaq laptop and a 18-month-old HP laptop (which I specifically bought with an eye to Linux compatibility - Intel WiFi, nVidia graphics since they were better supported back then). By comparison, in 28-odd months (including betas/RCs) I've encountered exactly one device that I could neither find a Vista driver for (discontinued product) or use an XP driver for by running the installer in compatibility mode (it was a WiFi card, and they changed the wireless network stack and apparently the NDIS - it could scan for stations but couldn't connect to them). Friends of mine have had a multitude of other issues.

    I'm thinking of getting some new hardware - a tablet, perhaps. How well does Linux handle those? Does the digitizer work? Will it auto-rotate the screen? How about thumbprint readers? Handwriting recognition (technically user-mode software as opposed to a driver, but still important for the hardware)?

    With no sarcasm at all, I'm actually looking forward to hearing back on the tablet issue - I was figuring it would be a Windows-only box but if Linux is practical on tablets I'll try and avoid the components that I know Linux doesn't handle well at present.
  12. Re:Not embrace and extend, but embrace and squeeze on Microsoft Office 2007 to Support ODF - But Not OOXML · · Score: 1

    There's an open-source plugin for Office 2007 ODF support already (search SourceForge for "odf converter"). It was sponsored by Microsoft and has been around since "Office 12" (as it was then called) was in beta. A fairly major update was released with the Office service pack. I've been using this plugin for well over a year now, and I can't say I've ever seen a glitch or "artifact" on either importing a file written in OO.o or KOffice, or on opening in one of those a document written in MS Office. It's certainly a LOT better than OO.o's handling of .DOC files.

  13. Re:Larger question on Microsoft Office 2007 to Support ODF - But Not OOXML · · Score: 1

    I might as well mention this here - Microsoft has already supported a ODF extension for Office 2007. Full import and export, and also a command-line batch converter. It's a SourceForge project with a very liberal license (search for odf-converter). Microsoft didn't develop it directly but sponsored (paid for) the development, and assisted with the OOXML side of things.

    Heavens people - this thing has been in existence since Office 2007 was still called Office 12 and in beta! Am I the ONLY one who has heard of it? Yes, native support will be nice - once upon a time it also had built-in PDF export but that was made an optional download after Adobe complained - but the capability is nothing new. It works, too; I use it for transferring files to Linux machines (or reading documents written on Linux) and it converts better than OO.o ever managed at reading MS Office formats.

  14. Re:Mono on Microsoft Launches WorldWide Telescope · · Score: 1

    Wine then, perhaps? I hear it's possible to install the .NET 2.0 framework in Wine now.

  15. Re:Intrest in astronomy on Microsoft Launches WorldWide Telescope · · Score: 1

    Does it work in Wine, by any chance (On OS X or Linux or other *nix)?

  16. Wine support? on Microsoft Launches WorldWide Telescope · · Score: 0, Redundant

    Apparently this is a desktop app, not a web app. Any idea if it works in Wine (or Mono, if it's managed code)? I'd try it myself but must run - it's worth a shot though.

  17. Re:Adobe is Poised to Lose It on Microsoft Prefers Flash To Silverlight · · Score: 2, Informative

    I'm actually surprised you're haing troubles with Flash and IE7 - I had the same issues, but with Firefox. It eventually got so bad I just stopped going to certain sites at all using Firefox, and since the IE8 beta came out I've been testing it heavily - while I won't claim it's un-crashable (though remarkably stable for an early beta) I've had no issues with Flash.

    Silverlight seems to work fine on both, though I've only run across a few sites that use it.

    As for Acrobat, are you talking the PDF creation tool or the reader? If it's the reader, try Foxit Reader from http://foxitsoftware.com/ . It loads much faster and doesn't require rebooting or anything ludicrous like that. Foxit also has PDF creation tools, but they aren't free downloads (they have trials available, however). I won't claim that Foxit and Adobe have perfect feature parity, but they're damn good and Foxit actually has a few nice features Adobe could stand to add.

  18. Laptop (GeForce Go) support? on NVIDIA GeForce To Quadro Software Mod · · Score: 1

    I doubt I would *need* to do so, but does this hack work on laptop nVidia cargs (their GeForce Go or Mobile series)?

    I already use a desktop driver with a modded INF file from http://laptopvideo2go.com/ (nVidia's drivers for their older - 7600 in my case - laptop cards are crap, especially on Vista), so I'm not afraid of installing a desktop driver on a laptop, but might this driver make demands of the card that the mobile versions are incapable of?

  19. Re:Yast is slow and resource hog on Linux Desktop Distro Shootout · · Score: 1

    I've never checked the memory usage Yast, but on my 2GB machine it never hits the swap space, so as far as I'm concerned it's fine.

    Also, 10.3 added a lot of caching to the package management, which amkes it start up WAY faster now (except on the first time after install). It keeps the repository status updated using background jobs.

    Finally, nobody ever said you had to use Yast for package management - I do, (and yes, it was a pain in 10.2, but honestly that was roughly a year ago - a long time in Linux) but there are other GUIs available as well as CLI tools (YUM and Zypper, which is similar but better). For most other things it's snappy and causes no problems if I try and open four or five modules at once, so I suspect the RAM usage isn't bad either.

  20. No mention of Yast on Linux Desktop Distro Shootout · · Score: 2, Insightful

    All jokes aside, I'd say the biggest screw-up in this article (from the personal perspective of a openSuse user) is no mention, whatsoever, of Suse's truly fantastic configuration tool Yast. There's a lot of good stuff in Suse, but I'd go so far as to say Yast is *the* reason I use it. Everything from server configuration to driver management to partition/mounting management to package management to X configuration all in one place, with excellent help tools and generally fully as much control as one could get by editing the config files manually (some of them, like the bootloader config, actually allow this - with helpful information and comments). Add the ability to run it in a console using a very well-done ncurses interface, and you have the perfect tool for administration via SSH or fixing an xorg.conf SNAFU.

    What is really odd is that considerable mention was made of a few other distros' config tools, and while I can't claim to have used all of the reviewed distros, I would state that Yast blows away the config tools of, for example, SimplyMEPIS (which was promoted largely on the basis of such tools, and which I'll admit are good - but hardly as comprehensive or permitting so much control).

  21. Re:Actually, some things make sense on Stephen Hawking Thinks Aliens Likely · · Score: 1

    One quick comment with regard to the eyes: Water is very nearly opaque to EM radiation at nearly all frequencies outside of visible light. While it's possible to conceive of a species evolving in such a way that the ability to see through water is less of a survival trait than the ability to see radiation of a frequency that is fairly effectively blocked by a bit of rain (even with a powerful, highly directed source - which evolving creatures are unlikely to have), but I can't imagine one on any planet remotely like Earth.

  22. Re:5-year release cycle on Ballmer Calls Vista 'A Work In Progress' · · Score: 1

    Erm... exactly how much have you *used* Windows since NT4? I'm only responding because this is at +5; it makes no sense if you think a bit.

    First, NT has been ported to a LOT more than x64. The Itanium port is the only one still active, as far as I know, but there were many others.

    A handful of major upgrades or additions between NT versions:

    Proper process cleanup - a crashed process no longerleaks *any* resources. This was one of XP's big features over 2000. NT4 might have survived a process crash but you had to restart shortly thereafter to do much else.

    System restore - in XP it worked reasonably as long as the restore files didn't get corrupted, but in Vista it's fantastic - a real life-saver if something screws up (in 2+ years, I've had to use it twice, once on a beta version. Both times fixed the problem in under 15 minutes.)

    User data / OS data separation. "Documents and Settings" is a bloody stupid folder name (mostly due to its length and the presence of spaces, it actually describes its purpose reasonably well) but it's better than storing user profiles under C:\Windows (or WINNT or whatever). Vista renamed Docume~1 to Users, which is far more reasonable.

    Running processes as another user/permission level. It's been long enough since NT 4 that I can't remember if it had the "Run as..." option, but even if it did that's a poor substitute for the basic premise behind UAC. Linux was designed from the ground up to be a multi-user OS that was normally run as a limited user. NT was designed to have the CAPABILITY to do so, but based on my experience running XP as a limited user, it simply sucks. The question of WHICH things require UAC escalation is a valid one (though change a few security settings and it's much less of an issue), the suggestion that the ability for such user-friendly privilege escalation is not a majorly useful feature is absurd.

    The firewall could have been a service pack, I suppose (XP actually had a firewall pre-SP2; it just wasn't very user friendly), though it would have been a big one. Data Execute Protection (marking stack and heap data non-executable) probably would have been a rather major patch. Ditto for Address Space Layout Randomization.

    Voice recognition (if you've got a good mic and Vista it works quite well in a quiet area). Tablet features, including handwriting recognition. Also, Media Center. Maybe they should have been completely separate products, but they were certainly major features/improvements over the original OS for those who use them.

    I'm going to stop now, before I get the urge to post AC and sign Summer Glau

  23. Re:biased bullshit on Eee Is 1st Windows Laptop To Support Multi-Touch · · Score: 1

    Erm... what hardware actually requires a driver CD anymore? I haven't seen one in about 3 years. Even back then, it was standard that the CD was optional - it might enable some additional functionality (though it was more likely to simply eat system resources for no real advantage) but everything needed was either built into Windows or downloaded automatically. These days, ANY driver (and the software to use any special features) is available online, in my experience.

    Anything that requires Vista hasn't a snowball's chance in hell of running on Linux either (at this point). Of course, thus far damn little hardware actually requires Vista anyhow. At the driver level, XP and Vista are generally compatible, at least insofar as most XP drivers working fine on Vista (and yes, I've used it for 2+ years across a wide variety of hardware). Special cases like the developer intentionally crippling the driver if it detects a particular OS don't count.

  24. Re:Where's the patent??? on Eee Is 1st Windows Laptop To Support Multi-Touch · · Score: 1

    I've actually used a Surface computer. Granted, it was on MS Campus, but in a more-or-less public location (i.e. no card-key access needed). It was in a fairly limited demo mode, but it was functional, with very smooth multi-touch.

    I asked about it, and was told that they are actually being built and shipped, and that some businesses are already starting to deploy them. I haven't *seen* one yet, but this was only a few weeks ago, and I haven't visited any hotels (apparently the most interested customer thus far) since then.

  25. Re:Something is Fishy on Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins · · Score: 1

    You completely misunderstood. There literally is no "ElevationPolicy" key. I found that substring in the data field of a couple of values, mostly involving backed-up data, but none of them directly involved Flash anyhow.

    I'll search for that GUID, but I doubt it will help. As I said, IE8 seems to have shifted things around a lot.