You're letting your hatred of MS blind you to the likely, and perfectly reasonable, response they would take. You're then using it to justify condemning them here. If Google started blocking Microsoft's ads, I'm sure that Microsoft would just use something like IE's Tracking Protection feature - essentially a built-in ad-blocker - to ignore all requests for AdWords/AdSense, DoubleClick, and all other Google ad revenue streams they could find. Microsoft has a traditional business model based on selling things to customers; the revenue they derive from ads hosted on their sites is trivial compared to what Google stands to lose.
I doubt they'll throw the first punch in that war, but if Google were to block Microsoft ads, the perfectly logical response for Microsoft to take in response would hurt Google far more than it would hurt MS!
No actually, legally speaking they do not have that right. You may feel that they deserve to be compensated, but they are distributing the video files. Legally, I have a right to *not* watch the ads they would like to serve along with the videos, and they have a right to not serve me the videos if they don't want to, but they have no right to force me to watch ads as compensation for receiving the video files that they provide freely in response to an HTTP GET request.
It's exactly the same as the reason why ad-blockers are completely legal, but sites are also legally allowed to not display their web page if they detect you using an ad blocker. Nothing, however, gives them a right to require that I view their ads. There is no right to make an auxiliary income stream (advertising) off of something that you give away for free (stuff hosted publicly on the web).
Incorrect; that's not how copyright works. Microsoft isn't [re]distributing anything except an app they wrote themselves. The actual video content is still being distributed by YouTube; it's just being rendered through a client that Microsoft wrote. They cannot (legally, under copyright law) dictate what you do with the content once it is distributed to you, so long as you aren't making copies. Things like "copied into RAM for purposes of being rendered to a display" already have special exemptions, so there's really no legitimacy to the claim that by default MS has no right to use the content.
To adapt your own analogy to the real world, despite what the Windows installer for Pidgin will display to you, the GPL is not a EULA. Open source (which is a copyright thing) licenses do not, and can not, regulate what you use the software for so long as you aren't sending it to anybody else. To use a different analogy, provided I'm not plagiarizing it (claiming that it's my own content), I can legally deep link any publicly hosted content that I want to, at least as far as copyright law goes; if the provider of the content doesn't like that, the onus is on them to not distribute it in that manner.
Microsoft's app is just grabbing the video stream - same as, for example, what you would get if you used the HTML5 mode - and displaying it. Displaying it requires downloading it to *somewhere*, saving that to a temp file is logical (allows the user to seek back, for example), and saving that temp file to a persistent file is trivial.
On the website, YouTube overlays ads on the video window or plays an ad video before the requested one or whatever they're doing these days. Those aren't in the raw video streams that MS is using. To do that in an app either requires screen scraping the actual site to find the ad layers, which is a labor-intensive, error-prone, non-future-proof, and inefficient way to go about it... or they can just display the video files that YouTube happily serves to anybody who asks.
"URL to an encrypted site" (https://slashdot.org) != "encrypted URL". Don't confuse them. There is absolutely nothing at all wrong with going to a random HTTPS site.
I rather strongly suspect that it's the Skype client, rather than the Microsoft-run servers, that is extracting those URLs from messages and sending them to MS for testing. In other words, MS isn't decrypting your traffic at all (except for the obvious necessary decryption by the Skype client when you receive a message). This might be incorrect, though. In any case, it's definitely a concern - whatever the source of the URLs, URLs in your messages are being sent somewhere without you knowing - but it's relatively mild compared to full-text scanning.
Taste, texture, and have the nutritional characteristics of beef? Not without engineering them well past anything you could properly call a soybean anymore...
Yep. "0-day" is just security talk for "newly discovered" and tends to get a bit overused. Nonetheless, it's a useful and sometimes very interesting categorization. A lot of the famous worms of the past were not 0-days, but actually exploited vulnerabilities which had been known (and mitigated) weeks or months prior to the worm's release into the wild. People don't always patch in a manner that can even vaguely be called timely. I wish I could say they'd learned their lesson already, but I still see outdated web servers, SSH servers, database servers, etc. all the time.
"crashes applications" is the least of what you can do with %n. In fact, heavy misuse of the other format string specifiers is usually enough to crash the program; just keep reading strings (or doubles, or whatever) until you wander into unallocated memory and trigger a Read AV / segfault.
No, %n is what you do when you want arbitrary code execution in the vulnerable process. Format string vulnerabilities are as serious as buffer overflows, and as stupid (as in, no excuse for having them) as using gets() (which is itself guaranteed unsafe).
Calling printf() with an un-sanitized user supplied format string is an exploitable security vulnerability
I don't usually say this, but FTFY. There are only three limits on the security impact of a program that passes a user-supplied format string to a .*[print|scan]f function:
1) What privileges the program runs as. If it's not sandboxed, it can probably run rampant over your user profile. If it runs as Admin/root, that's seriously bad news.
2) What privileges are required to specify that format string. If it can only be done by a local user, and the program only runs as local user, you're mostly OK (and that's the case here). If the source of the format string is external, such as a message from another user in a game, you're in serious trouble.
3) Exploit mitigations in use. The MS Visual C/C++ runtime (MSVCRT.DLL) disables the %n format specifier by default, because using %n and a reasonably long format string, you can write pretty much arbitrary values into memory (one unaligned byte at a time). DEP and ASLR help, but due to the way that printf can be used to extract pointers as well as use them, it can be used to leak info needed for bypassing ASLR.
Format string vulns are a serious threat. Fortunately, they're also dead trivial to avoid: DON'T EVER PROVIDE A USER-CONTROLLED FORMAT STRING. If for some reason it is ever absolutely necessary to do this (I can't think of a single situation fitting this bill; anybody care to fill me in?) you can ensure the string has no un-escaped % characters, but that's a terrible way to go about it.
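The fix the comments above describe, as an added illustration (not code from the original posts or from any program discussed in the thread): the untrusted text is passed only as a `%s` argument to a constant format string, beside a checker for the "no un-escaped % characters" fallback the poster mentions. The vulnerable pattern is shown only as a comment; `SAMPLE_UNTRUSTED` is a constructed input and the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: a message from an untrusted source that happens to
 * contain conversion specifiers. Only the hardened path below touches it. */
static const char SAMPLE_UNTRUSTED[] = "hello %x %x %n";

/*
 * The vulnerable pattern the thread is about (kept as a comment so this file
 * compiles without -Wformat-security warnings):
 *
 *     void log_message_unsafe(const char *msg) { printf(msg); }
 *
 * Here msg itself is the format string, so every '%' in it is interpreted
 * by printf, including %n.
 */

/* Hardened form: the format string is a literal and the untrusted text is
 * only ever a %s argument, so nothing inside it is interpreted. Returns the
 * number of bytes written to out (excluding the NUL), or -1 if the message
 * did not fit, so truncation is never silent. */
int render_message_safe(char *out, size_t outsz, const char *untrusted)
{
    int n = snprintf(out, outsz, "%s", untrusted);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Counts '%' characters that printf would treat as conversion specifiers:
 * every '%' not immediately followed by another '%'. This implements the
 * "ensure the string has no un-escaped % characters" fallback from the
 * thread; it is a detection aid for auditing, not a replacement for
 * render_message_safe. */
size_t count_unescaped_percent(const char *s)
{
    size_t count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {   /* "%%" is a literal percent sign */
            i++;
            continue;
        }
        count++;
    }
    return count;
}

/* 1 if the string could be used as a format string under the escaping rule
 * (no active specifiers), 0 otherwise. */
int is_safe_as_format(const char *s)
{
    return count_unescaped_percent(s) == 0;
}

int main(void)
{
    char buf[64];
    int written = render_message_safe(buf, sizeof buf, SAMPLE_UNTRUSTED);
    printf("rendered %d bytes: %s\n", written, buf);
    printf("active specifiers in input: %zu\n",
           count_unescaped_percent(SAMPLE_UNTRUSTED));
    printf("safe as a format string: %s\n",
           is_safe_as_format(SAMPLE_UNTRUSTED) ? "yes" : "no");
    return 0;
}
```

Modern compilers will flag the commented-out pattern with `-Wformat-security` (GCC and Clang both support it), which is the cheapest way to find these in an existing code base; the hardened `"%s"` form is what the warning wants you to write.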
With that said, how do you propose they block it? Filter by user-agent string? Assuming Microsoft isn't already spoofing that, this approach will work right up until they add such spoofing. Where are you going to go next?
FYI, that was only one version of the device. The second-gen models were able to handle leap days fine. The first-gen failed at that because their clock code was developed by Toshiba, who also manufactured the hardware, and apparently Toshiba can't code their way out of a wet paper bag.
No tl;dr this time, since I'm addressing you directly:
Your first question is ambiguous, and I suspect whichever way I answered you'd twist my answer against me. Therefore I will answer the two non-ambiguous, non-red-herring variants separately: Q) Do you really think that everybody who purchases a movie (or a ticket for a movie) with Tom Cruise in it is in favor of the so-called Church of Scientology? A) No, of course not. Most people are stupid about their purchases and/or incapable of actually voting with their wallet.
Q) Do you really think that everybody who purchases a movie (or a ticket for a movie) with Tom Cruise in it is financially supporting Scientology whether they intend to or not? A) Yes; I hopefully don't have to explain the extremely simple chain of logic that leads to this conclusion.
For your second point, why is your reading comprehension so bad? Nobody is trying to silence Card. If that was my goal, I could do so in a number of ways much more effective and permanent than denying him a bit of royalty payment. We - those who are boycotting his works in response to his association with the NOM - are trying to reduce his influence on the political process to that which any other citizen could exert. Given that his basic living expenses are well taken care of, those royalty payments are going directly to support a cause that I consider outright evil (and most certainly contrary to the ideals of this country). You seem to be in favor of freedom from a state religion; well, I'm in favor of freedom from a state sexual orientation.
You claim that purchasing decisions should be based [solely] on the product/service being sold. Does this mean that you would consider there no difference between shopping at two PC stores which offer identical machines for identical prices when one store advertised publicly "10% of our gross revenue goes to Al Qaeda" and the other advertised "10% of our gross revenue goes to cancer research"? Because that's a perfectly valid marketing technique (assuming truth in advertising, of course). What if the terrorist-supporting store had more knowledgeable employees and got newly released parts sooner, and was a block closer to your house to boot?
On account of the likelihood of you failing to grasp my point *again*, allow me to indulge in a little hyperbole myself (you seem to enjoy employing it; if the roughly 50% of the US population that supports gay marriage all joined the boycott against OSC, he would *merely* make a very comfortable living - well above average for an American novelist, incidentally - rather than being a fantastically successful one, so cut it with the "denying him a livelihood" bullshit). Please consider the following scenario: Suppose there was a very popular author, and you discovered that once his basic lifestyle needs were met - which happened very quickly - he would secretly hire a child prostitute* every time he received enough additional royalty payments. Would you continue buying his books, knowing they funded his twisted perversion? If so, you are a sick and twisted waste of oxygen. If not, you are basing your purchasing decisions on something other than "quality of service/product".
* This is a somewhat more evil act than lobbying (bribing, effectively) the federal government to mandate nationwide discrimination against a harmless minority group, but not hugely so; at least one poor girl is getting paid, rather than millions of people being denied the many legal (including tax) benefits of marriage.
Also, since you failed to address it before, I'll ask again: what part of "free speech" and "have a debate" and "open society" requires (or even permits) that one side should be able to throw their money (rather than their arguments) at the problem of getting enough votes? In what you seem to think would be an ideal American society - and one that I'd personally love to see, as well - lobbying groups like the NOM wouldn't exist. That's not free speech; that's very highly paid speech, and if you can't pay just as much for your own lobbyists, the government will ignore you. How do you reconcile supporting or even justifying the actions of somebody like that with your arguments about "how a free and open society is supposed to operate"?
Everybody dies. Can you legally reproduce, provided that it can be considered murder?
This is an unusually stupid question. Dead on Earth is just as dead as in space or on Mars. Similarly, assuming the project succeeds, you'll be alive on Mars for some period of time ranging from the instant after arrival to the remainder of your natural life, inclusive.
I don't care if a bunch of crazies* want to exclude other crazies** from their personal asylum. I do care when the crazies try to enforce their asylum's rules on the rest of the country. Look up the National Organization for Marriage, why it exists, what it does, who financially supports it, and its board of directors.
Then consider whether you're a dupe, a troll, or an apologist of homophobia and bigotry for suggesting that people are primarily objecting to an article Card once wrote...
* Religious people in general, but Mormons in particular here if that makes it easier for you to consider the argument. ** Again, religious people (not gay people).
You're arguing the immorality of receiving something (the art in Card's case, a beer in the bartender example, good service in the barista example) without paying for it. That's a perfectly reasonable position to take, although in the case of art it's an interesting one; some artists would rather that the art be enjoyed without pay than that a potential observer of the art skip it entirely (I have no idea what Card's views on the matter are).
Once again, though, it has nothing to do with your earlier post. Your excerpt from Janis Ian, and your commentary below it, express the value of art as distinct from the value of the artist. If you believe that so strongly, shouldn't you be calling for people to see the movie even if they aren't willing to pay Card for the privilege?
For the record, I don't care for the view that it's OK to pirate content you don't want to pay for, regardless of the reason. I'll probably just do without, though (maybe borrow if at some point). Maybe if Card wants his art to be appreciated by people, he should consider not being a hate-mongering douchebag trying to force institutionalized discrimination against a minority group into our nation's legal system, though...
Also, you apparently completely missed it (on account of having clicked "Submit" as it stands) but your analogy with the barista is bullshit. I'm not boycotting Card because I don't like how he dresses or because he's Mormon or because he (presumably) eats meat or because I can't prove he doesn't murder little children and then mail their ashes to the parents. None of those things (including the inability to disprove something that I have no evidence in support of either) harm anybody to any meaningful degree. Using your celebrity status and wealth to push for government-enforced discrimination? That hurts people. I wouldn't tip somebody who did that either, no matter how politely they served me!
"what you are effectively saying is that you are trying to do is to force someone to change their beliefs or lose their job... remember that by doing so you are going against those ideals of free speech and belief that the US was founded on" Logically inconsistent. This is what passes for +5 these days?
TL;DR: It's not his personal beliefs that we're objecting to, it's his attempts to force them on the nation as a whole. That's directly counter to the ideals of the USA, incidentally.
First of all, none of the people I've met who have stated their goal of avoiding giving Card money have said it was because they don't agree with his beliefs, it's because they don't agree with how he spends his money. It's more akin to not giving money to a wino who spends every cent he acquires on turning himself into a human-shaped puddle of urine and rags in an alley. That said, there are almost certainly some who would nonetheless boycott his works even if he announced that henceforth he would have nothing to do with, nor provide any funding to, the National Organization for Marriage or any similar group, yet stood by the beliefs he had expressed, so that's a relatively weak point.
On to "force somebody" in particular: if a street preacher or televangelist shouts at me about sin and hellfire and damnation for anybody who doesn't donate to his particular church, and I choose not to donate, would you claim I am attempting to "force somebody to change their beliefs"? Not at all! I don't care whether his beliefs change, but I'm not going to pay him after he shouts them in my face and attempts to indoctrinate me in beliefs that are contrary to my own. People whose beliefs are in line with his will take care of him, or perhaps not, but it's not my job to ensure he has a job!
Of course, that's really the crux of the issue: "forcing" somebody to do something by voting with your wallet. Hypothetically, if OSC gets blacklisted by all major publishing houses and all bookstores refuse to carry his works - an extremely absurd hypothetical, but that's pretty much what it would take for an author to "lose his job" - he can still self-publish and start his own distribution system. Nobody is stopping him from authoring books. The decision of whether that's worth doing when nobody will buy them is on him, but nobody is forcing him not to.
Oh, and while we're discussing "forcing somebody...[to] lose their job", bear in mind that people lose jobs as a consequence of actions which are unappreciated by their employers (and for an author, one's "employers" are really "the people who purchase your books") all the time. If somebody breaks into a house and steals a TV, they can be fired for that. "Thief" is not an employment-discrimination-protected category of person. Nor is "homophobe". Incidentally, in many states, "homosexual" is, though that's not really relevant here. That brings us to the "ideals of free speech and belief" part of your post. Exactly which ideal upon which the US was founded indicates that we should financially support people who use their wealth to push for institutionalized discrimination against a minority population, again? Card is allowed to talk all he wants. The government isn't going to shut him up (unless he starts threatening violence against people). Any citizen who tries to shut him up will be committing a crime, and be prosecuted for it. Nobody has to give him a podium, though. The podium Card uses is the money he receives in return for his writing. Why do you imply that he is entitled to that podium? "All men are created equal" certainly doesn't suggest that just because one person writes good science fiction, that person's opinion on civil rights should be given more weight than those of a pauper in the streets! I could also turn your argument right back on you: a boycott is a form of speech. Why should Card be permitted to preach hate and prejudice, and the rest of us not permitted to tell him that we refuse to support his position? As for "... and belief", that's really the crown on the
Remember where the term "Speaker for the Dead" comes from (in-universe), though. Ender himself, anonymously, wrote The Hive Queen (also The Hegemon, though that's not relevant here) to tell the story from the perspective of the buggers, and that story is the one that the vast majority of the human universe read. Not an explanation of how the military treated him - if anything, that was covered up - and not the story of how humanity never had any other chance. Ender's goal was to give the Buggers a voice, to make humanity sympathetic toward them. If he was to succeed in that, it was necessary that the one human who ordered the entire species wiped out be considered a monster. Sure, he could have (and it probably would have been more justified) pinned that on Graff, or on Mazer Rackham, or on any number of other people who put him in the position to unknowingly give that order... but that would have distracted from the story, and they didn't have the insight into the alien race that he did, anyhow. He made himself the scapegoat, accepting responsibility for what he did without knowing the consequences, because it made the story better, and thus furthered the goal of "speaking for the dead".
As a sort of side note, a little over a hundred years ago, Americans who managed to kill an unusually large number of "Indians", or to hold out against them in desperate combat, were regarded as heroes. Today, they are still sometimes seen as legends, but also sometimes as monsters or at least murderers. From a time when "wiping them out" was perceived as a laudable goal, to a time when there is a sort of nationwide shame for what we did, in a mere century. That's without anything even remotely close to the impact of The Hive Queen (as described in Card's fiction), and without an actual, literal [g|x]enocide. Imagine how it will be viewed after another 400 centuries...
The likelihood that new Lookout users will encounter malware or spyware is heavily dependent on their geography and behavior, varying from 0.20 percent in Japan to 0.40 percent in the US and as high as 34.7 percent in Russia
Almost 35% will "encounter" malware in a given year. What percentage of those end up infected, I'm not sure - that would require more investigation into what "Lookout" is and how it works - but the subtitle of the article indicates that "encounter" means infection. Then there's the many devices that will already be infected. 40% doesn't sound high in that light.
I wasn't even trying to defeat AVs, mind you - just messing with polymorphic code because the concept sounds cool. That said, defeating heuristics is a *lot* harder - which is why any self-respecting AV scanner uses them. There's lots of techniques, of course - things like self-decrypting code, for example, where any given instance of the actual malicious code (on disk) bears no resemblance to any other one because they use random keys and/or IVs - but there still has to be a decryptor that bootstraps the process, and that can be heuristically identified. I'm waiting to see somebody write malware that lives inside a variety of completely innocuous codebases via ROP gadgets, where the payload executes by "exploiting" a vulnerability in the malicious program and using ROP to generate a completely different instruction sequence out of all that benign code. You still have the bootstrap problem, though; the ROP stack needs to be loaded and traversed, and that means some heuristically-detectable portion of the malware.
On the other hand, you have to be careful about false positives as well when using heuristics. A number of legitimate programs, such as Skype, use self-decrypting code. The more broad a net you use to catch malware, the more non-malicious programs you'll inadvertently block. "File has the Execute permission set" is a (taken to extremes) example of a heuristic for detecting Trojans, for example... but a 100% true positive rate isn't that impressive when you also get a 100% false negative rate!
Ahahahaha, that's a good one. I lived on a sailboat cruising tropical islands. The US - even Hawaii, which I came through on the way back from Tahiti once - is downright prudish compared to that lifestyle. Sure, holding a steady relationship wasn't really an option, but almost anything else was - not much chasing needed. As for professional success, I keep that off my profile but it's not hard to figure out who I am if you really want to. "Lack of professional success" indeed!
But sure, call me arrogant for pointing out that I also knew how to code from a relatively young age (or whatever the hell you felt was arrogant about my prior post), my good Anonymous Coward. I'm sorry you both were and still are too immature to get over your bitterness at those who have had a good life.
A lot of the world does not heavily use the Play market and prefers to use alternatives. Studies have estimated that around 40% of Android devices in Russia are infected, for example, mostly due to installing apps from third-party sources.
Do you have WP7 Root Tools installed on your Trophy? If so, at least three different exploits were used: the ZIP path traversal that made the interop-unlock "app" work (all the work was actually done by the installer), the Connection Setup hack that achieved interop-unlock by hijacking the network database using some debug code to inject a script that modified the registry, and the exploit that Root Tools itself used in the HTC drivers to gain arbitrary code execution in the kernel.
Just because Heathclif74 was not, so far as anybody knows, embedding any malware in his software doesn't mean he couldn't have been, or one of the many other authors posting their work on XDA-Devs and WPCentral.
Not talking about ChevronWP7 or anything like it. The actual homebrew stuff for WP7 wasn't well publicized, partially because a lot of it was flying under the MS radar so far as possible, but it existed. The best-known "root" program is called WP7 Root Tools (http://www.wp7roottools.com) and exploits various firmware bugs in HTC, LG, and Samsung firmware (and possibly others) for WP7 to gain near-complete control over the OS, disable many of the "security" restrictions (such as the prohibitions on third-party non-"app" executables), give full access to the filesystem, registry, and certificate store, and allow running any other app as TCB (WP7's equivalent of "root" or "Admin"). Other apps before it, including things like TouchXplorer and Advanced Config, took less complete control but nonetheless had permission to do any number of nasty things had that been the intention of the developers. Additionally, once the later versions of Root Tools (with the "elevate other apps" feature) came out, a considerable number of homebrew apps that needed such permissions immediately sprung up, providing a perfectly good avenue for somebody to slip in a Trojan app. Indeed, it was a considerable concern.
The point about requiring manual sideloading is valid (in fact, installing WP7 Root Tools would have been a lot easier if Microsoft would have signed it and put it in the store, since otherwise it could be difficult to install on some devices after Mango introduced the interop-lock). However, I fail to see the important difference between installing an app you think is safe because it's on the store, and an app you think is safe because it comes out of the developer community that has been adding such cool features to your phone. Either way, it's a manual action on your part to install the app, and most people aren't going to decompile it and examine it for malicious code even if they had the know-how to do so. As for whether Trojans in general constitute "real" malware, that's all that the Android apps in question are, or the malicious iOS apps for jailbroken phones, or similar.
To address your little analogy, social engineering is one of the best ways to bypass security there is; the weakest link in computer security usually sits between the user's ears. Also, your analogy seriously falls flat on its face when you consider that it wasn't supposed to be *possible* to "[log] in as a local administrator" on WP7. A seriously locked-down system wouldn't allow your scenario either.
Then there's the minor, but really easy, attacks which were possible against WP7 without requiring firmware access or bypassing interop-lock or any such thing. For example, the XAP files that would let you access other device or operator marketplaces could just have easily crippled your phone's marketplace functionality, overwritten your personal documents, broken your installed apps, and other things. Those were just carefully crafted ZIP archives with a .XAP extension and some XML files to make the installer recognize them; the same attack was actually possible using .ZIP files as well and wouldn't have been that hard to socially engineer somebody to try, or could have been bundled into an otherwise-legit XAP on the store.
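The ZIP path traversal mentioned in these comments is an installer-side bug: an archive entry named so that it resolves outside the extraction directory. As an added illustration (not WP7's installer code, nor anything from Root Tools or XDA), here is the check an extractor should apply to every entry name before touching the filesystem; the manifest entries are constructed samples and the function names are mine. It rejects absolute paths, drive letters, backslash separators (which Windows treats as separators even though the ZIP format only defines "/"), and any ".." component.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Constructed sample manifest: entry names as they might appear in the
 * central directory of a package. Three are benign, four are traversal or
 * absolute-path attempts. */
static const char *const SAMPLE_ENTRIES[] = {
    "WMAppManifest.xml",
    "Assets/icon.png",
    "./content/readme.txt",
    "../../Windows/System32/payload.dll",
    "\\..\\My Documents\\notes.txt",
    "C:\\Windows\\x.dll",
    "a/../../b",
};
#define SAMPLE_ENTRY_COUNT (sizeof SAMPLE_ENTRIES / sizeof SAMPLE_ENTRIES[0])

/* Returns true only if extracting this name beneath a chosen directory can
 * never land outside it. Conservative by design: anything ambiguous fails. */
bool zip_entry_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    /* Absolute paths, in either separator style. */
    if (name[0] == '/' || name[0] == '\\')
        return false;
    /* Drive-letter prefix such as "C:". */
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return false;
    /* Backslashes are separators on Windows; rather than normalise them,
     * refuse the entry so the component walk below sees every boundary. */
    if (strchr(name, '\\') != NULL)
        return false;

    /* Walk the '/'-separated components and reject any ".." segment. */
    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return true;
}

/* Applies the check to a whole manifest and returns how many entries an
 * extractor would have to refuse. */
size_t count_unsafe_entries(const char *const *names, size_t n)
{
    size_t unsafe = 0;
    for (size_t i = 0; i < n; i++)
        if (!zip_entry_name_is_safe(names[i]))
            unsafe++;
    return unsafe;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_ENTRY_COUNT; i++)
        printf("%-40s %s\n", SAMPLE_ENTRIES[i],
               zip_entry_name_is_safe(SAMPLE_ENTRIES[i]) ? "ok" : "REJECT");
    printf("%zu of %zu entries rejected\n",
           count_unsafe_entries(SAMPLE_ENTRIES, SAMPLE_ENTRY_COUNT),
           (size_t)SAMPLE_ENTRY_COUNT);
    return 0;
}
```

The check is on the name alone; a real extractor should additionally resolve the final path and confirm it still has the destination directory as a prefix, since symlinked directories created by earlier entries can defeat a purely lexical test.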
Oh, hardly even then. I wrote my first polymorphic program when I was 16, and I was late to the game for that. Making a completely trivial change to the binary - have a meaningless 32-bit constant that you add (modulo 0xFFFFFFFF) with the current time in milliseconds on each run, for example - will completely bypass typical types of checksum/hash checks unless you want to store 4 billion signatures. Slightly more complex signature schemes are nonetheless equally easy to defeat. Filename checks are even easier to defeat; there's lots of ways to indicate the next file to run which can use dynamic file names. It's a game of cat and mouse, but the cats are too dumb to do anything but watch known mouseholes, while the mice can make new holes whenever they please and it only takes a mouse getting out once for the cats to lose the game.
It was possible on WP7, at least in the earlier patch versions. I'm not aware of any malware anybody actually created, but there were a few known vulns in most devices that could be exploited for elevation of privilege. They were routinely used for beneficial homebrew software, though.
On WP8... well, there's no malware known to exist for it yet, but there's nothing much in the way of homebrew either. Microsoft locked the OS up so tightly that it's somewhat limited in terms of actual usability and very limited for extensibility.
You're letting your hatred of MS blind you to the likely, and perfectly reasonable, response they would take. You're then using it to justify condemning them here. If Google started blocking Microsoft's ads, I'm sure that Microsoft would just use something like IE's Tracking Protection feature - essentially a built-in ad-blocker - to ignore all requests for AdWords/AdSense, DoubleClick, and all other Google ad revenue streams they could find. Microsoft has a traditional business model based on selling things to customers; the revenue they derive from ads hosted on their sites is trivial compared to what Google stands to lose.
I doubt they'll throw the first punch in that war, but if Google were to block Microsoft ads, the perfectly logical response for Microsoft to take in response would hurt Google far more than it would hurt MS!
No actually, legally speaking they do not have that right. You may feel that the deserve to be compensated, but they are distributing the video files. Legally, I have a right to *not* watch the ads they would like to serve along with the videos, and they have a right to not serve me the videos if they don't want to, but they have no right to force me to watch ads as compensation for receiving the video files that they provide freely in response to an HTTP GET request.
It's exactly the same as the reason why ad-blockers are completely legal, but sites are also legally allowed to not display their web page if they detect you using an ad blocker. Nothing, however, gives them a right to require that I view their ads. There is no right to make an auxiliary income stream (advertising) off of something that you give away for free (stuff hosted publicly on the web).
Incorrect; that's not how copyright works. Microsoft isn't [re]distributing anything except an app they wrote themselves. The actual video content is still being distributed by YouTube; it's just being rendered through a client that Microsoft wrote. They cannot (legally, under copyright law) dictate what you do with the content once it is distributed to you, so long as you aren't making copies. Things like "copied into RAM for purposes of being rendered to a display" already have special exemptions, so there's really no legitimacy to the claim that by default MS has no right to use the content.
To adapt your own analogy to the real world, despite what the Windows installer for Pidgin will display to you, the GPL is not a EULA. Open source (which is copyright thing) licenses do not, and can not, regulate what you use the software for so long as you aren't sending it to anybody else. To use a different analogy, provided I'm not plagiarizing it (claiming that it's my own content), I can legally deep link any publicly hosted content that I want to, at least as far as copyright law goes; if the provider of the content doesn't like that, the onus is on them to not distribute it in that manner.
Microsoft's app is just grabbing the video stream - same as, for example, what you would get if you used the HTML5 mode - and displaying it. Displaying it requires downloading it to *somewhere*, saving that to a temp file is logical (allows the user to seek back, for example), and saving that temp file to a persistent file is trivial.
On the website, YouTube overlays ads on the video window or plays an ad video before the requested one or whatever they're doing these days. Those aren't in the raw video streams that MS is using. To do that in an app either requires screen scraping the actual site to find the ad layers, which is a labor-intensive, error-prone, non-future-proof, and inefficient way to go about it... or they can just display the video files that YouTube happily serves to anybody who asks.
"URL to an encrypted site" (https://slashdot.org) != "encrypted URL". Don't confuse them. There is absolutely nothing at all wrong with going to a random HTTPS site.
I rather strongly suspect that it's the Skype client, rather than the Microsoft-run servers, that is extracting those URLs from messages and sending them to MS for testing. In other words, MS isn't decrypting your traffic at all (except for the obvious necessary decryption by the Skype client when you receive a message). This might be incorrect, though. In any case, it's definitely a concern - whatever the source of the URLs, URLs in your messages are being sent somewhere without you knowing - but it's relatively mild compared to full-text scanning.
Taste, texture, and have the nutritional characteristics of beef? Not without engineering them well past anything you could properly call a soybean anymore...
Yep. "0-day" is just security talk for "newly discovered" and tends to get a bit overused. Nonetheless, it's a useful and sometimes very interesting categorization. A lot of the famous worms of the past were not 0-days, but actually exploited vulnerabilities which had been known (and mitigated) weeks or months prior to the worm's release into the wild. People don't always patch in a manner that can even vaguely be called timely. I wish I could say they'd learned their lesson already, but I still see outdated web servers, SSH servers, database servers, etc. all the time.
"crashes applications" is the least of what you can do with %n. In fact, heavy misuse of the other format string specifiers is usually enough to crash the program; just keep reading strings (or doubles, or whatever) until you wander into unallocated memory and trigger a Read AV / segfault.
No, %n is what you do when you want arbitrary code execution in the vulnerable process. Format string vulnerabilities are as serious as buffer overflows, and as stupid (as in, no excuse for having them) as using gets() (which is itself guaranteed unsafe).
I don't usually say this, but FTFY. There are only three limits on the security impact of a program that passes a user-supplied format string to a .*[print|scan]f function:
1) What privileges the program runs as. If it's not sandboxed, it can probably run rampant over your user profile. If it runs as Admin/root, that's seriously bad news.
2) What privileges are required to specify that format string. If it can only be done by a local user, and the program only runs as local user, you're mostly OK (and that's the case here). If the source of the format string is external, such as a message from another user in a game, you're in serious trouble.
3) Exploit mitigations in use. The MS Visual C/C++ runtime (MSVCRT.DLL) disables the %n format specifier by default, because using %n and a reasonably long format string, you can write pretty much arbitrary values into memory (one unaligned byte at a time). DEP and ASLR help, but due to the way that printf can be used to extract pointers as well as use them, it can be used to leak info needed for bypassing ASLR.
Format string vulns are a serious threat. Fortunately, they're also dead trivial to avoid: DON'T EVER PROVIDE A USER-CONTROLLED FORMAT STRING. If for some reason it is ever absolutely necessary to do this (I can't think of a single situation fitting this bill; anybody care to fill me in?) you can ensure the string has no un-escaped % characters, but that's a terrible way to go about it.
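As an added illustration of the three points above (not code from the original post), the following C shows the proper fix (a constant format, with user text passed only as an argument), an audit helper that walks a candidate format string the way printf does and reports whether it contains a %n write conversion, and the "escape every %" fallback the poster calls a terrible way to go about it. All function names are mine, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* Result of scanning a candidate format string (hypothetical helper). */
struct fmt_scan {
    int conversions;   /* number of conversion specifiers, excluding "%%" */
    bool has_n;        /* true if a %n (write-to-memory) conversion appears */
    bool dangling;     /* true if the string ends in an incomplete "%..." */
};

/* Walks the string as printf would: after '%', skip flags, width,
 * precision and length modifier, then look at the conversion character.
 * Useful when auditing data that is about to be (mis)used as a format. */
static struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, false, false};
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                          /* "%%" is a literal percent */
        if (*p == '\0') { r.dangling = true; break; }
        while (*p && strchr("-+ #0", *p)) p++;                    /* flags */
        while (*p == '*' || isdigit((unsigned char)*p)) p++;      /* width */
        if (*p == '.') {                                          /* precision */
            p++;
            while (*p == '*' || isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;                  /* length */
        if (*p == '\0') { r.dangling = true; break; }
        r.conversions++;
        if (*p == 'n')
            r.has_n = true;                    /* %n writes to a pointer argument */
    }
    return r;
}

/* The right fix: the format is a compile-time constant, so user text is
 * only ever data. "%n" inside user_text is copied, never interpreted.
 * Returns what snprintf returns (length the full line would need). */
static int format_line_fixed(char *out, size_t outlen, const char *user_text)
{
    return snprintf(out, outlen, "[user] %s", user_text);
}

/* The escaping fallback: doubles every '%' so the result is safe to pass
 * as a format string. Returns bytes written (excluding the NUL), or -1 if
 * the output buffer is too small. Prefer format_line_fixed over this. */
static int escape_percent(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return -1;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (n + need >= outlen)
            return -1;                         /* keep room for the NUL */
        out[n++] = *in;
        if (*in == '%')
            out[n++] = '%';
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample: text a remote user might send in a chat message. */
    const char *hostile = "hi %s%s%s %n";
    struct fmt_scan r = scan_format(hostile);
    char line[64], escaped[64];

    printf("conversions=%d has_n=%d dangling=%d\n", r.conversions, r.has_n, r.dangling);
    format_line_fixed(line, sizeof line, hostile);
    puts(line);                                /* printed verbatim, %n inert */
    escape_percent(hostile, escaped, sizeof escaped);
    puts(escaped);
    return 0;
}
```

With GCC/Clang, `-Wformat -Wformat-security` flags a non-literal format string with no arguments at compile time, which catches the pattern before an audit like scan_format is ever needed.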
This is Windows Phone 8, not Win8.
With that said, how do you propose they block it? Filter by user-agent string? Assuming Microsoft isn't already spoofing that, this approach will work right up until they add such spoofing. Where are you going to go next?
FYI, that was only one version of the device. The second-gen models were able to handle leap days fine. The first-gen failed at that because their clock code was developed by Toshiba, who also manufactured the hardware, and apparently Toshiba can't code their way out of a wet paper bag.
No tl;dr this time, since I'm addressing you directly:
Your first question is ambiguous, and I suspect whichever way I answered you'd twist my answer against me. Therefore I will answer the two non-ambiguous, non-red-herring variants separately:
Q) Do you really think that everybody who purchases a movie (or a ticket for a movie) with Tom Cruise in it is in favor of the so-called Church of Scientology?
A) No, of course not. Most people are stupid about their purchases and/or incapable of actually voting with their wallet.
Q) Do you really think that everybody who purchases a movie (or a ticket for a movie) with Tom Cruise in it is financially supporting Scientology whether they intend to or not?
A) Yes; I hopefully don't have to explain the extremely simple chain of logic that leads to this conclusion.
For your second point, why is your reading comprehension so bad? Nobody is trying to silence Card. If that was my goal, I could do so in a number of ways much more effective and permanent than denying him a bit of royalty payment. We - those who are boycotting his works in response to his association with the NOM - are trying to reduce his influence on the political process to that which any other citizen could exert. Given that his basic living expenses are well taken care of, those royalty payments are going directly to support a cause that I consider outright evil (and most certainly contrary to the ideals of this country). You seem to be in favor of freedom from a state religion; well, I'm in favor of freedom from a state sexual orientation.
You claim that purchasing decisions should be based [solely] on the product/service being sold. Does this mean that you would consider there no difference between shopping at two PC stores which offer identical machines for identical prices when one store advertised publicly "10% of our gross revenue goes to Al Qaeda" and the other advertised "10% of our gross revenue goes to cancer research"? Because that's a perfectly valid marketing technique (assuming truth in advertising, of course). What if the terrorist-supporting store had more knowledgeable employees and got newly released parts sooner, and was a block closer to your house to boot?
On account of the likelihood of you failing to grasp my point *again*, allow me to indulge in a little hyperbole myself (you seem to enjoy employing it; if the roughly 50% of the US population that supports gay marriage all joined the boycott against OSC, he would *merely* make a very comfortable living - well above average for an American novelist, incidentally - rather than being a fantastically successful one, so cut it with the "denying him a livelihood" bullshit). Please consider the following scenario:
Suppose there was a very popular author, and you discovered that once his basic lifestyle needs were met - which happened very quickly - he would secretly hire a child prostitute* every time he received enough additional royalty payments. Would you continue buying his books, knowing they funded his twisted perversion? If so, you are a sick and twisted waste of oxygen. If not, you are basing your purchasing decisions on something other than "quality of service/product".
* This is a somewhat more evil act than lobbying (bribing, effectively) the federal government to mandate nationwide discrimination against a harmless minority group, but not hugely so; at least one poor girl is getting paid, rather than millions of people being denied the many legal (including tax) benefits of marriage.
Also, since you failed to address it before, I'll ask again: what part of "free speech" and "have a debate" and "open society" requires (or even permits) that one side should be able to throw their money (rather than their arguments) at the problem of getting enough votes? In what you seem to think would be an ideal American society - and one that I'd personally love to see, as well - lobbying groups like the NOM wouldn't exist. That's not free speech; that's very highly paid speech, and if you can't pay just as much for your own lobbyists, the government will ignore you. How do you reconcile supporting or even justifying the actions of somebody like that with your arguments about "how a free and open society is supposed to operate"?
Everybody dies. Can you legally reproduce, provided that it can be considered murder?
This is an unusually stupid question. Dead on Earth is just as dead as in space or on Mars. Similarly, assuming the project succeeds, you'll be alive on Mars for some period of time ranging from the instant after arrival to the remainder of your natural life, inclusive.
I don't care if a bunch of crazies* want to exclude other crazies** from their personal asylum.
I do care when the crazies try to enforce their asylum's rules on the rest of the country.
Look up the National Organization for Marriage, why it exists, what it does, who financially supports it, and its board of directors.
Then consider whether you're a dupe, a troll, or an apologist of homophobia and bigotry for suggesting that people are primarily objecting to an article Card once wrote...
* Religious people in general, but Mormons in particular here if that makes it easier for you to consider the argument.
** Again, religious people (not gay people).
You're arguing the immorality of receiving something (the art in Card's case, a beer in the bartender example, good service in the barista example) without paying for it. That's a perfectly reasonable position to take, although in the case of art it's an interesting one; some artists would rather that the art be enjoyed without pay than that a potential observer of the art skip it entirely (I have no idea what Card's views on the matter are).
Once again, though, it has nothing to do with your earlier post. Your excerpt from Janis Ian, and your commentary below it, express the value of art as distinct from the value of the artist. If you believe that so strongly, shouldn't you be calling for people to see the movie even if they aren't willing to pay Card for the privilege?
For the record, I don't care for the view that it's OK to pirate content you don't want to pay for, regardless of the reason. I'll probably just do without, though (maybe borrow it at some point). Maybe if Card wants his art to be appreciated by people, he should consider not being a hate-mongering douchebag trying to force institutionalized discrimination against a minority group into our nation's legal system, though...
Also, you apparently completely missed it (on account of having clicked "Submit" as it stands) but your analogy with the barista is bullshit. I'm not boycotting Card because I don't like how he dresses or because he's Mormon or because he (presumably) eats meat or because I can't prove he doesn't murder little children and then mail their ashes to the parents. None of those things (including the inability to disprove something that I have no evidence in support of either) harm anybody to any meaningful degree. Using your celebrity status and wealth to push for government-enforced discrimination? That hurts people. I wouldn't tip somebody who did that either, no matter how politely they served me!
"what you are effectively saying is that you are trying to do is to force someone to change their beliefs or lose their job... remember that by doing so you are going against those ideals of free speech and belief that the US was founded on"
Logically inconsistent. This is what passes for +5 these days?
TL;DR: It's not his personal beliefs that we're objecting to, it's his attempts to force them on the nation as a whole. That's directly counter to the ideals of the USA, incidentally.
First of all, none of the people I've met who have stated their goal of avoiding giving Card money have said it was because they don't agree with his beliefs, it's because they don't agree with how he spends his money. It's more akin to not giving money to a wino who spends every cent he acquires on turning himself into a human-shaped puddle of urine and rags in an alley. That said, there are almost certainly some who would nonetheless boycott his works even if he announced that henceforth he would have nothing to do with, nor provide any funding to, the National Organization for Marriage or any similar group, yet stood by the beliefs he had expressed, so that's a relatively weak point.
On to "force somebody" in particular: if a street preacher or televangelist shouts at me about sin and hellfire and damnation for anybody who doesn't donate to his particular church, and I choose not to donate, would you claim I am attempting to "force somebody to change their beliefs"? Not at all! I don't care whether his beliefs change, but I'm not going to pay him after he shouts them in my face and attempts to indoctrinate me in beliefs that are contrary to my own. People whose beliefs are in line with his will take care of him, or perhaps not, but it's not my job to ensure he has a job!
Of course, that's really the crux of the issue: "forcing" somebody to do something by voting with your wallet. Hypothetically, if OSC gets blacklisted by all major publishing houses and all bookstores refuse to carry his works - an extremely absurd hypothetical, but that's pretty much what it would take for an author to "lose his job" - he can still self-publish and start his own distribution system. Nobody is stopping him from authoring books. The decision of whether that's worth doing when nobody will buy them is on him, but nobody is forcing him not to.
Oh, and while we're discussing "forcing somebody...[to] lose their job", bear in mind that people lose jobs as a consequence of actions which are unappreciated by their employers (and for an author, one's "employers" are really "the people who purchase your books") all the time. If somebody breaks into a house and steals a TV, they can be fired for that. "Thief" is not an employment-discrimination-protected category of person. Nor is "homophobe". Incidentally, in many states, "homosexual" is, though that's not really relevant here.
That brings us to the "ideals of free speech and belief" part of your post. Exactly which ideal upon which the US was founded indicates that we should financially support people who use their wealth to push for institutionalized discrimination against a minority population, again?
Card is allowed to talk all he wants. The government isn't going to shut him up (unless he starts threatening violence against people). Any citizen who tries to shut him up will be committing a crime, and be prosecuted for it. Nobody has to give him a podium, though. The podium Card uses is the money he receives in return for his writing. Why do you imply that he is entitled to that podium? "All men are created equal" certainly doesn't suggest that just because one person writes good science fiction, that person's opinion on civil rights should be given more weight than those of a pauper in the streets!
I could also turn your argument right back on you: a boycott is a form of speech. Why should Card be permitted to preach hate and prejudice, and the rest of us not permitted to tell him that we refuse to support his position?
As for "... and belief", that's really the crown on the
Remember where the term "Speaker for the Dead" comes from (in-universe), though. Ender himself, anonymously, wrote The Hive Queen (also The Hegemon, though that's not relevant here) to tell the story from the perspective of the buggers, and that story is the one that the vast majority of the human universe read. Not an explanation of how the military treated him - if anything, that was covered up - and not the story of how humanity never had any other chance. Ender's goal was to give the Buggers a voice, to make humanity sympathetic toward them. If he was to succeed in that, it was necessary that the one human who ordered the entire species wiped out be considered a monster. Sure, he could have (and it probably would have been more justified) pinned that on Graff, or on Mazer Rackham, or on any number of other people who put him in the position to unknowingly give that order... but that would have distracted from the story, and they didn't have the insight into the alien race that he did, anyhow. He made himself the scapegoat, accepting responsibility for what he did without knowing the consequences, because it made the story better, and thus furthered the goal of "speaking for the dead".
As a sort of side note, a little over a hundred years ago, Americans who managed to kill an unusually large number of "Indians", or to hold out against them in desperate combat, were regarded as heroes. Today, they are still sometimes seen as legends, but also sometimes as monsters or at least murderers. From a time when "wiping them out" was perceived as a laudable goal, to a time when there is a sort of nationwide shame for what we did, in a mere century. That's without anything even remotely close to the impact of The Hive Queen (as described in Card's fiction), and without an actual, literal [g|x]enocide. Imagine how it will be viewed after another 400 centuries...
I didn't find the article positing that number in my first 10 seconds of searching, but I did find this: http://www.esecurityplanet.com/mobile-security/lookout-predicts-18-million-android-malware-infections-by-end-of-2013.html .
Almost 35% will "encounter" malware in a given year. What percentage of those end up infected, I'm not sure - that would require more investigation into what "Lookout" is and how it works - but the subtitle of the article indicates that "encounter" means infection. Then there's the many devices that will already be infected. 40% doesn't sound high in that light.
I wasn't even trying to defeat AVs, mind you - just messing with polymorphic code because the concept sounds cool. That said, defeating heuristics is a *lot* harder - which is why any self-respecting AV scanner uses them. There's lots of techniques, of course - things like self-decrypting code, for example, where any given instance of the actual malicious code (on disk) bears no resemblance to any other one because they use random keys and/or IVs - but there still has to be a decryptor that bootstraps the process, and that can be heuristically identified. I'm waiting to see somebody write malware that lives inside a variety of completely innocuous codebases via ROP gadgets, where the payload executes by "exploiting" a vulnerability in the malicious program and using ROP to generate a completely different instruction sequence out of all that benign code. You still have the bootstrap problem, though; the ROP stack needs to be loaded and traversed, and that means some heuristically-detectable portion of the malware.
On the other hand, you have to be careful about false positives as well when using heuristics. A number of legitimate programs, such as Skype, use self-decrypting code. The more broad a net you use to catch malware, the more non-malicious programs you'll inadvertently block. "File has the Execute permission set" is a (taken to extremes) example of a heuristic for detecting Trojans, for example... but a 100% true positive rate isn't that impressive when you also get a 100% false negative rate!
Ahahahaha, that's a good one. I lived on a sailboat cruising tropical islands. The US - even Hawaii, which I came through on the way back from Tahiti once - is downright prudish compared to that lifestyle. Sure, holding a steady relationship wasn't really an option, but almost anything else was - not much chasing needed. As for professional success, I keep that off my profile but it's not hard to figure out who I am if you really want to. "Lack of professional success" indeed!
But sure, call me arrogant for pointing out that I also knew how to code from a relatively young age (or whatever the hell you felt was arrogant about my prior post), my good Anonymous Coward. I'm sorry you both were and still are too immature to get over your bitterness at those who have had a good life.
A lot of the world does not heavily use the Play market and prefers to use alternatives. Studies have estimated that around 40% of Android devices in Russia are infected, for example, mostly due to installing apps from third-party sources.
Do you have WP7 Root Tools installed on your Trophy? If so, at least three different exploits were used: the ZIP path traversal that made the interop-unlock "app" work (all the work was actually done by the installer), the Connection Setup hack that achieved interop-unlock by hijacking the network database using some debug code to inject a script that modified the registry, and the exploit that Root Tools itself used in the HTC drivers to gain arbitrary code execution in the kernel.
Just because Heathclif74 was not, so far as anybody knows, embedding any malware in his software doesn't mean he couldn't have been, or one of the many other authors posting their work on XDA-Devs and WPCentral.
Not talking about ChevronWP7 or anything like it. The actual homebrew stuff for WP7 wasn't well publicized, partially because a lot of it was flying under the MS radar so far as possible, but it existed. The best-known "root" program is called WP7 Root Tools (http://www.wp7roottools.com) and exploits various firmware bugs in HTC, LG, and Samsung firmware (and possibly others) for WP7 to gain near-complete control over the OS, disable many of the "security" restrictions (such as the prohibitions on third-party non-"app" executables), give full access to the filesystem, registry, and certificate store, and allow running any other app as TCB (WP7's equivalent of "root" or "Admin"). Other apps before it, including things like TouchXplorer and Advanced Config, took less complete control but nonetheless had permission to do any number of nasty things had that been the intention of the developers. Additionally, once the later versions of Root Tools (with the "elevate other apps" feature) came out, a considerable number of homebrew apps that needed such permissions immediately sprung up, providing a perfectly good avenue for somebody to slip in a Trojan app. Indeed, it was a considerable concern.
The point about requiring manual sideloading is valid (in fact, installing WP7 Root Tools would have been a lot easier if Microsoft would have signed it and put it in the store, since otherwise it could be difficult to install on some devices after Mango introduced the interop-lock). However, I fail to see the important difference between installing an app you think is safe because it's on the store, and an app you think is safe because it comes out of the developer community that has been adding such cool features to your phone. Either way, it's a manual action on your part to install the app, and most people aren't going to decompile it and examine it for malicious code even if they had the know-how to do so. As for whether Trojans in general constitute "real" malware, that's all that the Android apps in question are, or the malicious iOS apps for jailbroken phones, or similar.
To address your little analogy, social engineering is one of the best ways to bypass security there is; the weakest link in computer security usually sits between the user's ears. Also, your analogy seriously falls flat on its face when you consider that it wasn't supposed to be *possible* to "[log] in as a local administrator" on WP7. A seriously locked-down system wouldn't allow your scenario either.
Then there's the minor, but really easy, attacks which were possible against WP7 without requiring firmware access or bypassing interop-lock or any such thing. For example, the XAP files that would let you access other device or operator marketplaces could just have easily crippled your phone's marketplace functionality, overwritten your personal documents, broken your installed apps, and other things. Those were just carefully crafted ZIP archives with a .XAP extension and some XML files to make the installer recognize them; the same attack was actually possible using .ZIP files as well and wouldn't have been that hard to socially engineer somebody to try, or could have been bundled into an otherwise-legit XAP on the store.
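The crafted-archive attacks described in this post (and the ZIP path traversal mentioned earlier in the thread) all depend on an installer trusting the file names inside the archive. As an added example that is not code from the original post or from any WP7 installer, here is the entry-name check an archive extractor should apply before joining a name onto its extraction root; the function name and the sample entry names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <ctype.h>

/* Hypothetical check: true only if the archive entry name stays inside the
 * extraction directory once joined to it. Rejects absolute paths (both
 * separator styles), Windows drive letters, any ".." component, and empty
 * components ("a//b"). A trailing separator (directory entry) is allowed. */
static bool zip_entry_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (name[0] == '/' || name[0] == '\\')
        return false;                                  /* absolute path */
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return false;                                  /* "C:..." drive path */

    const char *p = name;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 0)
            return false;                              /* empty component */
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return false;                              /* parent traversal */
        if (*p)
            p++;                                       /* skip the separator */
    }
    return true;
}

/* Counts how many of the given entry names would be rejected; an extractor
 * would abort on the first one rather than extract the remainder. */
static int count_rejected_entries(const char *const *names, int n)
{
    int rejected = 0;
    for (int i = 0; i < n; i++)
        if (!zip_entry_name_is_safe(names[i]))
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed sample of entry names an installer might read from a
     * package; the last three are the traversal and absolute-path cases. */
    const char *const entries[] = {
        "WMAppManifest.xml",
        "Assets/icon.png",
        "Content/",
        "../../Windows/settings.xml",
        "\\Windows\\system.dat",
        "C:\\Data\\document.txt",
    };
    int n = (int)(sizeof entries / sizeof entries[0]);
    for (int i = 0; i < n; i++)
        printf("%-32s %s\n", entries[i],
               zip_entry_name_is_safe(entries[i]) ? "ok" : "REJECT");
    printf("%d of %d entries rejected\n", count_rejected_entries(entries, n), n);
    return 0;
}
```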
Oh, hardly even then. I wrote my first polymorphic program when I was 16, and I was late to the game for that. Making a completely trivial change to the binary - have a meaningless 32-bit constant that you add (modulo 0xFFFFFFFF) with the current time in milliseconds on each run, for example - will completely bypass typical types of checksum/hash checks unless you want to store 4 billion signatures. Slightly more complex signature schemes are nonetheless equally easy to defeat. Filename checks are even easier to defeat; there's lots of ways to indicate the next file to run which can use dynamic file names. It's a game of cat and mouse, but the cats are too dumb to do anything but watch known mouseholes, while the mice can make new holes whenever they please and it only takes a mouse getting out once for the cats to lose the game.
It was possible on WP7, at least in the earlier patch versions. I'm not aware of any malware anybody actually created, but there were a few known vulns in most devices that could be exploited for elevation of privilege. They were routinely used for beneficial homebrew software, though.
On WP8... well, there's no malware known to exist for it yet, but there's nothing much in the way of homebrew either. Microsoft locked the OS up so tightly that it's somewhat limited in terms of actual usability and very limited for extensibility.