With this new method they are able to push even more Commercials out the door and increase the amount of time people are watching their station/content. What does it matter if they are using one device versus another, at least they are watching!
My belief is that the danger is if the hackers get a chance for a man-in-the-middle attack they can do deep packet inspection of the SSL-wrapped authentication session and grab the key-fob one time pad, put that into their magic decoder ring database generated from the source algorithm and then guess the next sequence to be generated. They may have to snoop several sessions to guess the seed used inside the fob, but with today's cloud computing throughput it seems doable to me. Once they have the seed and the current timing from a session or two then they could generate their own values to authenticate their own session. Certainly not easy, but then Nation States will spare no expense to do what they think they need to do.
In security circles it is a well established fact that if someone gains physical access to a system then you can't trust its security. That is Sony's problem. Any purchaser of any gaming system HAS physical access, and nothing can prevent them from gaining access to the internals of the system, both electronic and software. Anybody that suggests that software can protect itself from a well determined hacker is just blowing smoke and is right on par with an old time snake oil salesman. Even if Sony embedded their super-duper-secrets inside of a magic IC chip, and sealed it, that chip can be opened and reverse engineered, altered and/or replaced. Don't believe it? Google for Flylogic Engineering and see how it's done. They have a great blog on their site if you are into chip level reverse engineering and security. My thing is software security, and I have yet to see something that can't be reversed.
I think I have you beat. I'm running 10.3.162.29, and according to their page their latest is 10.2.154.12, so I'm approximately 0.1.8.17 into the future development cycle. ;)
btw - I have a 64 bit plugin running under Firefox/Fedora.
Come on. What exactly does three minutes of down time have to do with changing your self esteem? Self esteem cannot be changed in three minutes (except for the very very very remote possibility of hitting the lottery). Does spending one's whole life sitting in front of FaceBook worrying about how other people perceive you work to raise your self esteem? Probably not. If you care about 'their thoughts about you' that much you *need* a boost of self esteem. Do you think that actually doing something with your life instead, like going to school to get a Doctorate degree, might do better? Or building a business?
Sitting there worrying about your friends' thoughts for three minutes is not going to make any permanent lifestyle changes. Doing something can. These people were simply 'not doing anything' for three minutes, except for the ones fiddling with their FaceBook. At least they were doing something rather than nothing. Self esteem takes a dive when you feel useless, and at least these FaceBook individuals had something to keep them from feeling bored. What the study was measuring was boredom, not self esteem.
As long as you trust the source of the LiveCD and it is on non-rewritable media, this is the best solution. The only vector left for the malware writers would be to store their malware in Flash memory in the GPU, NIC, or system chip sets in order to survive a reboot. If nothing is persistent on that machine then the malware has no place to hide. Each time the LiveCD comes up clean despite the state of the possibly infected 'normal' boot disk. Just don't surf the web prior to doing your banking and you will be reasonably safe.
It seems to me that this is finally a pretty good reason for having a feature enabled like call forwarding. Send the bloody message back to the handler instead.
</humor>
Quite frankly this has a darker story. The handler can't trust the person to push their own button, so the handler does it remotely without the person's consent. That would imply that a number of people have failed to do what they have been psychologically coerced to believe is their duty, when it's not something they really wanted to do in the first place. Feelings of despair and insignificance are easily played upon by psychotic individuals.
Likely true. But then history has shown that when the Government is embarrassingly hacked on a wide scale basis, due to the lack of DNS security, they will be dragged kicking and clawing into the 21st century. Sooner or later some clueless congressman submits a bill that "fixes" the problem where the 'problem' is not even understood much less 'defined' adequately. In the meantime those doing business over the internet will have moved forward so that they can protect their profits from man-in-the-middle attacks once the customers start taking them to court with class action suits. Sadly, this means you have to get screwed and then complain before things actually get better.
After that things will start to progress as defined by this thing called 'common sense'. Everybody knows it needs doing, it's just that nobody wants to financially put the effort into DNSSEC or IPv6 until everyone else has done the hard work and they can simply sit back and flip some switch, or hire someone with years of experience with it that knows how to turn it on.
btw - If you use Firefox as a browser look into the "DNSSEC Validator" plugin and see just how many websites there are that you can really trust. Very few. Awareness is half the battle. Note the News story ITFA cannot be trusted, as it could be hosted in North Korea as a propaganda campaign and we wouldn't know unless you have a way to check that it really is from 'NetworkWorld'. NetworkWorld's web site is not secured with DNSSEC, so who can tell. Why should we even assume the story is true if by extension we can't trust who wrote it?
Intimidation is a two-edged sword. You can't expect to try to ruin someone's financial life and not expect some kind of retaliation in return. When things are completely out of balance you will see more of one than the other, and there are certainly more poor people being sued than those rich ones doing the suing. Those that are more inclined to file share for financial reasons have little to lose in the high stakes legal arena, and they are therefore much more prone to engaging in such anti-social behaviour. It's human nature to want to fight back, and if all you have is email and a phone then that is what you will use. They are after all emotionally compromised. If you are going to try and sue a Jane Doe, don't expect her to just sit back and take it. For these people sitting back and 'enjoying it' is never going to happen, even if they know they should not do what they are doing. The threat just justifies their cause in their own mind and makes them want to fight back even more, by file sharing more. Emotionally speaking, intimidation by threat is a losing move.
You're spot on. It was a laptop, and it was purchased with a work related discount, hence the affinity to Dell. I preferred a laptop for power efficiency reasons because I thought I would be running it 24x7. It was the one laptop I could find that had the specific processor in it that I was looking for, with up to 24 Gb of memory I required for my specific hardware virtualization requirements.
As for the build your own, been there, done that. It's great to have control over the parts going into your own system I admit, but it costs you more than buying one as a complete system. I would go either way, but as you suggested with a laptop things are different.
For what it's worth, the Dell laptop Nvidia GPU fried after only a couple of months use (similar to several I have had fail at work), which is why I opted for the much larger HP power hog. HP's are not immune to the latest Nvidia GPU 'class action suit' issue, but you get a lot more bang for the buck with a full desktop/tower system. I just made sure this one did not have *any* chance of having a "Nvidia Inside" logo.
Sorry, I'm not giving up my "geek card" just yet. ;)
How much "crap and trialware" does one get on an empty disk? HP, for all its faults, is one of the few machines which one can buy without the Microsoft tax/extortion-fee. I have had several HP's in the past and you are correct in that they can have their problems, but don't they all?
Funny, I thought that is what liveCD's and OS installation software was for?
Actually, I got so $%&&%$## off a year ago when I bought my last (as in never again) Dell and I was forced to purchase a 64 bit copy of Windoze just to get the amount of memory I wanted. Even though they knew I was going to wipe whatever they put on the disk drive as soon as it arrived I still had to pay the ransom/extortion fee. I never looked back. My next machine was an HP with twice the memory and a blank disk drive. Speak with your wallet, as that is the only language they truly understand.
A slight modification to your professor's theory here. Computer scientists don't write phone apps, programmers do. Programmers are an interrupt driven technology where management and marketing are the interrupt prioritization arbitrator, which is synthetically sensitive to the smell of money. Unfortunately the smell of money is also more addictive than coffee, so much so, that your brains soon melt and you soon have no common sense when it comes to proper Information Security practices. The usefulness of using an app to display a barcode is marginal at best considering the setup, configuration, separate billing cycle, and the time required to thumb-up your app to display it. Wouldn't a barcode glued to your wallet do just as well?
Besides that, it takes only 15 seconds (I've seen it done) for a professional to breach your phone once they have the right information, with no physical contact, and all your accounts would be on it to be exfiltrated in seconds after that. Maybe you might not be too afraid of someone getting a free cup of coffee by presenting your barcode instead of your own, but there will likely be other information stored on that phone which puts that 'professional' one step closer to owning all your bank accounts. My advice: don't put any banking information on your phone unless you want to live in the poor house. Trust me, you're going to see a lot of angry people being swindled based on what they thought was safely stored on their phone. It's going to be the next crime wave. Just watch.
My bet is the "Windows Live" service. Why? The one complaint I saw with anything significant to say was a person complaining that they had everything turned off *except* for their Facebook sync through 'Windows Live'. My bet, chances are that the Sync is pulling over all the images and bitmaps along with the web updates, and not pulling over just the delta changes to them. Perhaps it's a re-download service, not a true sync.
If At&T is the primary service then Windows Live is a third party to that service. Since Microsoft did not name themselves as the culprit, they are in fact an Unnamed service. And of course why would Microsoft want to piss off their own management, or worse, to let potential buyers know what the real problem is?
No, you simply don't understand. Charlie Sheen was *put here* to make you want to go to church and *believe* that there must be a better place. Unfortunately it sometimes works too well, and some people take the 'early exit plan' to get it all over with. One can only take so much Charlie in a life-time.
If I were an investor of Trend Micro I would have serious issues with his logic, or lack thereof.
1) If Closed source is more secure then why is he writing security software to "secure" it?
2) If Open Source is so much less secure then there must be a viable market to tap. All those CEOs who want to make *billeens and billeens of dollars* for the greedy investors please speak now. <sound of crickets>
The reality check is that Open Source is doing just fine in keeping up with the problem of software vulnerabilities leading to the likes of massive bot-nets which have become the bane of our society. By Chang's own definition of "secure" he is targeting the wrong market, yet the market he is targeting is the one with all the problems in need of being fixed, but he has done nothing to change that. His own products have done nothing to "secure" even the most "secure" systems out there. He should be removed from being CEO as he has proven that he is both ineffective as a corporate officer, and he has proven that he doesn't even understand the market that he should be marketing to. In either case he is a poor excuse for a CEO of a publicly traded company.
While you can't prove a negative you can certainly find causation for all the spook stories your friends are telling you about. Don't go looking for what isn't there, because you won't find it. Instead, take notes of their stories' "sensations". There are likely reasons for their not-so-convincing stories, and you can find them. Then search their house as an investigative Engineer, and find the cause of the boards creaking in the middle of the night, such as the thermal contraction of the house as the night cools it. The banging is likely the heating system warming up and expanding the pipes pushing on the fittings. If they say they "get chills" in the middle of the night then find the drafty cracks where they need to caulk and insulate. You can use a FLIR camera for most of those issues.
No to bullets. There is way too much chance of the pilot hitting the throttle to Mach 1.5+ and flying through their own cloud of < Mach 1 bullets they just fired. Any manoeuvring will be to aim their missiles at the opponent they just visually saw out the side, or to dodge the Mach 3.5+ missiles coming their way that the onboard electronic countermeasures can't deal with at that speed.
Really, the defendants are guilty of "comparing related information" using a computer system. If data is not related then exactly what is the point of comparing it? If the patent was about how to compare Apples to Oranges then perhaps there might be something to it, but this patent fails all reasonable tests for validity. Mr Allen better be ready to pay all court costs for all the defendants' legal fees, and there will be many.
You are partially right with your statement to "address the economic issues". The problem it seems is that there are LOTS of companies that will pay good money to sell their products, and there are lots of spammers willing to take that money and perform their services with an "any means necessary" attitude. It's the company which is financing the operation, with no regard to "how" that message is delivered, that is the elemental problem. The product company must be visible in order to do business, which not only makes them the source of the financing, but also makes them an easy target for enforcement. They don't hide behind bot-nets either. The problem? The laws are not holding them responsible! We need to change the laws to make them accountable for their financing 'a crime'.
I will contrast this with an analogy. Hit men do not go around killing people just for fun (well not usually). Somebody first finances their operation. It's the person that puts up the $1.3M for the hit that is the one you want. Just because he didn't say how the target should be taken out is not an indemnification for financing the hit under US law.
This situation should be no different. If the product company does not say to advertise by "legally accepted practices" then they should be accountable for their actions. If they are doing legitimate business in the US then they are bound by US laws and the courts thereof. If they do say that they had a contract with the spammer, then they can feel free to take the spammer to court to recoup their own financial losses after their own case is over. They of course DO know who they paid and how to locate them. Other companies will then demand to have a say in how their own ad-message is delivered. Once the word gets out that paying a "spammer" will shut your business down then the source of money financing the spam will dry up. No money, no spam. Simple economics. We are just going after the wrong people. The people paying for the spam are the low hanging fruit, the easiest to track down, and the easiest to modify their behaviour.
there isn't an "add exception" button in the error or anything
I think you just hit on the most major feature that MS left out. What is needed is a balance of usability and enforcement. One needs enough enforcement so that the developer will hear about the issues and have the incentive to correct them, but not so much that the user is prevented from getting the application to work properly. Wouldn't it be great if MS used a click through message to both correct the problem and to also notify the developer? I like that MS is now collecting information on application crashes for quality purposes, and this would be just an extension of that to help everyone improve both quality and overall stability.
Re:net zero; +1 MS -1 for MS (on New IE Zero Day; Score: 1)
DEP and ASLR both cause problems with lots of poorly written software
Exactly! When MS came out with NT, and protected mode Win32, a lot of programmers had to straighten up and fly by MS's new rules, and things improved greatly. They are still bad, but much improved. The problem is MS is not trying to get them to fix their own problems and therefore MS suffers an image problem that needn't be. If MS said, "this is the way things are, you have X months to make it work under the new rules" then the third parties will put in the effort. Not until. Don't expect them to fix anything that doesn't put money in their pocket unless they have to. They have to. The platform would be greatly improved as a whole, and much more stable. Yes, the developers will complain, but in the long run *everyone* looks better.
I have been there. I have fought the issues with management before. They need a shove in the right direction, and Microsoft is the only company that can do it. Anyway, making it the system default but with the option of turning it off 'per application' would be a much improved situation with just enough incentive to those companies to fix their own issues. If they have to answer the phone to tell you to flip a switch they will certainly take the time to fix it, or die of embarrassment in the eye of public relations. If you fix your product you sell more copies. Quality does count.
Re:net zero; +1 MS -1 for MS (on New IE Zero Day; Score: 1)
I understand that mentality completely! About 20 (?) yrs ago I was working for a company using Windows 3.xx and they had big problems with software bugs trashing customer databases. I asked why they didn't run with NT, or at least with the protected mode turned on, and their reply was it broke too many things. Well, Duh! There are bugs in there that you won't find unless you do.
I came in one weekend and turned it on on my workstation and debugged everything I knew how to run (I was the new kid on the block in that shop), and by the time I left things were much more stable. After the next software release the phones stopped ringing off the wall and the sr tech actually had time to think for a change. His next conclusion, after thinking, was to run everything in protected mode and they never disregarded my advice after that. The product was much more stable and had fewer problems in the field, all because one person took the initiative to fix it rather than complaining that it would break.
Sometimes you have to stop running and realize it's time to hop on the bike, because it takes longer to push it along than to ride it the way it is meant to be used.
How long would it take for the engineers to throw the switch during their normal development cycle? Not long. They just need to do it and get the job done as they stumble across the problems during the general course of the day. Just do it.
Re:Can someone please explain to me... (on New IE Zero Day; Score: 1)
Generally speaking, the malicious site sends malformed network packets that are read into the browser and overlays memory that it was not supposed to use, then when that function returns it trips over the modified memory and winds up executing the injected code. If done correctly the malicious site will then gain access to the machine through the side effects of that code execution, and game over. The code will likely download a binary and configure it to be persistent, and coming from inside the machine it is generally permitted to bypass any local firewall due to a stupid 'default allow' rule. Dumb.
There are MANY ways to do this, but it's tricky to get the injected code just right for each possible target system. Microsoft makes a good target, because there are so many machines configured exactly the same way, and Microsoft makes it too easy by not coding things in a secure manner to begin with.
net zero; +1 MS -1 for MS (on New IE Zero Day; Score: 5, Informative)
Microsoft blundered again. No big surprise. They left off the /DYNAMICBASE randomization switch when compiling mscorie.dll. Dumb, oversight, or is it on purpose? (-1 score)
Well the (+1 score) is that they have called for using the "Enhanced Mitigation Experience Toolkit" (EMET) tool to mitigate the problem. The bigger question is why is EMET not a part of the OS proper? If the EMET tool is capable of solving this problem then why the &83$$@# didn't they force an install of EMET to solve all the Adobe issues? Why are they NOT stepping forward to fix all the third party application security issues?
Now I have several questions, like why is this not part of the OS? Why is it not a default where these can be turned off on a case by case basis? Have untrusted browser plugins? And why isn't Flash/Acrobat/Shockwave forced to run under it? Admittedly Acrobat-X (sandboxed version of Acrobat) is a step in the right direction, but wouldn't it be better to have all applications turned on by default?
With this new method they are able to push even more Commercials out the door and increase the amount of time people are watching their station/content. What does it matter if they are using one device verses another, at least they are watching!
My belief the danger is if the hackers get a chance for a man-in-the-middle attack they can do deep packet inspection of the SSL wrapped authentication session and grab the key-fob one time pad, put that into their magic decoder ring database generated from the source algorithm and then guess the next sequence to be generated. They may have to snoop several sessions to guess the seed used inside the fob, but with today's cloud computing throughput it seems doable to me. Once they have the seed and the current timing from a session or two then they could generate their own values to authenticate their own session. Certainly not easy, but then Nation States will spare no expense to do what they think they need to do.
In security circles it is a well established fact that if someone gains physical access to a system then you can't trust its security. That is Sony's problem. Any purchaser of any gaming system HAS physical access, and nothing can prevent them from gaining access to the internals of the system, both electronic and software. Anybody that suggest that software can protect itself from a well determined hacker is just blowing smoke and is right on par with an old time snake oil salesman. Even if Sony embedded their super-duper-secrets inside of a magic IC chip, and sealed it, that chip can be opened and reverse engineered, altered and or replaced. Don't believe it? Google for Flylogic Engineering and see how its done. They have a great blog on their site if you are into chip level reverse engineering and security. My thing is software security, and I have yet to see something that can't be reversed.
btw - I have a 64 bit plugin running under Firefox/Fedora.
Sitting there worrying about your friends thoughts for three minutes is not going to make any permanent life style changes. Doing something can. These people were simply 'not doing anything' for three minutes, except for the ones fiddling with their FaceBook. At least they were doing something rather than nothing. Self esteem takes a dive when you feel useless, and at least these FaceBook individuals had something to keep them from feeling bored. What the study was measuring was boredom, not self esteem.
As long as you trust the source of the LiveCD and it is on non-rewritable media, this is the best solution. The only vector left for the malware writers would be to store their malware in Flash memory in the GPU, NIC, or system chip sets in order to survive a reboot. If nothing is persistent on that machine then the malware has no place to hide. Each time the LiveCD comes up clean despite the state of the possibly infected 'normal' boot disk. Just don't surf the web prior to doing your banking and you will be reasonably safe.
</humor>
Quite frankly this has a darker story. The handler can't trust the person to push their own button, so the handler does it remotely without the persons consent. That would imply that a number of people have failed to do what they have been psychologically coerced to believe what their duty, when its not something they really wanted to do in the first place. Feelings of despair and insignificance are easily played upon by psychotic individuals.
After that things will start to progress as defined by this thing called 'common sense'. Everybody knows it needs doing, its just that nobody wants to financially put the effort into DNSSEC or IPv6 until everyone else has done the hard work and they can simply sit back and flip some switch, or hire someone with years of experience with it that knows how to turn it on.
btw - If you use Firefox as a browser look into the "DNSSEC Validator" plugin and see just how many websites there are that you can really trust. Very few. Awareness is half the battle. Note the News story ITFA can not be trusted, as it could be hosted in North Korea as a propaganda campaign and we wouldn't know unless you have a way to check that it really is from 'NetworkWorld'. NetworkWorld's web site in not secured with DNSSEC, so who can tell. Why should we even assume the story is true if by extension we can't trust who wrote it?
Intimidation is a two edged sword. You can't expect to try to ruin someone's financial life and not expect some kind of retaliation in return. When things are completely out of balance you will see more of one than the other, and there are certainly more poor people being sued than those rich ones doing the suing. Those that are more inclined to file share for financial reasons have little to loose in the high stakes legal arena, and they are therefore much more prone to engaging in such anti-social behaviour. Its human nature to want to fight back, and if all you have is email and a phone then that is what you will use. They are after all emotionally compromised. If you are going to try and sue a Jane Doe, don't expect her to just sit back and take it. For these people sitting back and 'enjoying it' is never going to happen, even if they know they should not do what they are doing. The threat just justifies their cause in their own mind and makes them want to fight back even more, by file sharing more. Emotionally speaking, intimidation by threat is a loosing move.
As for the build your own, been there, done that. Its great to have control over the parts going into your own system I admit, but it costs you more than buying one as a complete system. I would go either way, but as you suggested with a laptop things are different.
For what its worth, the Dell laptop Nvidea GPU fried after only a couple of months use (similar to several I have had fail at work), which is why I opted for the much larger HP power hog. HP's are not immune to the latest Nvidea GPU 'class action suit' issue, but you get a lot more bang for the buck with a full desktop/tower system. I just made sure this one did not have *any* chance of having a "Nvidea Inside" logo.
Sorry, I'm not giving up my "geek card" just yet. ;)
How much "crap and trialware" does one get on an empty disk? HP, for all its faults, is one of the few machines which one can buy without the Microsoft tax/extortion-fee. I have had several HP's in the past and you are correct in that they can have their problems, but don't they all?
Funny, I thought that is what liveCD's and OS installation software was for?
Actually, I got so $%&&%$## off a year ago when I bought my last (as in never again) Dell and I was forced to purchase a 64 bit copy of Windoze just to get the amount of memory I wanted. Even though they knew I was going to wipe whatever they put on the disk drive as soon as it arrived I still had to pay the ransom/extortion fee. I never looked back. My next machine was an HP with twice the memory and a blank disk drive. Speak with your wallet, as that is the only language they truly understand.
Besides that, it takes only 15 seconds (i've seen it done) for a professional to breach your phone once they have the right information, with not physical contact, and all your accounts would be on it to be exfiltrated in seconds after that. Maybe you might not be too afraid of someone getting a free cup of coffee by presenting your barcode instead of your own, but there will likely be other information stored on that phone which puts that 'professional' one step closer to owning all your bank accounts. My advise, Don't put any banking information on your phone unless you want to live in the poor house. Trust me, your going to see a lot of angry people being swindled based on what they thought was safely stored on their phone. Its going to be the next crime wave. Just watch.
If At&T is the primary service then Windows Live is a third party to that service. Since Microsoft did not name themselves as the culprit, they are in fact an Unnamed service. And of course why would Microsoft want to piss off their own their own management, or worse, to let potential buyers know what the real problem is?
</humor>
1) If Closed source is more secure then why is he writing security software to "secure" it?
2) If Open Source is so much less secure then there must be a viable market to tap. All those CEO's who want to make *billeens and billeens of dollars* for the greedy investors please speak now. <sound of crickets>
The reality check is that Open Source is doing just fine in keeping up with the problem of software vulnerabilities leading to the likes of massive bot-nets which have become the bane of our society. By Chang's own definition of "secure" he is targeting the wrong market, yet the market he is targeting is the one with all the problems in need of being fixed, but he has done nothing to change that. His own products have done nothing to "secure" even the most "secure" systems out there. He should be removed from being CEO as he has proven that he is both ineffective as a corporate officer, and he has proven that he doesn't even understand the market that he should be marketing to. In either case he is a poor excuse for a CEO of a publicly traded company.
While you can't prove a negative you can certainly find causation for all the spook stories your friends are telling you about. Don't go looking for what isn't there, because you won't find it. Instead, take notes of their stories "sensations". There are likely reasons for their not-so-convincing stories, and you can find them. Then search their house as an investigative Engineer, and find the cause of the boards creaking in the middle of the night, such as the thermal contraction of the house as the night cools it. The banging is likely the heating system warming up and expanding the pipes pushing on the fittings. If they say they "get chills" in the middle of the night then find the drafty cracks where they need to caulk and insulate. You can use a FLIR camera for most of those issues.
No to bullets. There is way too much chance of the pilot hitting the throttle to Mach 1.5+ and flying through their own cloud of < Mach 1 bullets they just fired. Any manoeuvring will be to aim their missiles at the opponent they just visually saw out the side, or to dodge the Mach 3.5+ missiles coming their way that the on-board electronic counter measures can't deal with at that speed.
Really, the defendants are guilty of "comparing related information" using a computer system. If data is not related then exactly what is the point of comparing it? If the patent was about how to compare Apples to Oranges then perhaps there might be something to it, but this patent fails all reasonable tests for validity. Mr Allen better be ready to pay all court costs for all the defendants' legal fees, and there will be many.
I will contrast this with an analogy. Hit men do not go around killing people just for fun (well not usually). Somebody first finances their operation. It's the person that puts up the $1.3M for the hit that is the one you want. Just because he didn't say how the target should be taken out is not an indemnification for financing the hit under US law.
This situation should be no different. If the product company does not say to advertise by "legally accepted practices" then they should be accountable for their actions. If they are doing legitimate business in the US then they are bound by US laws and the courts thereof. If they do say that they had a contract with the spammer, then they can feel free to take the spammer to court to recoup their own financial losses after their own case is over. They of course DO know who they paid and how to locate them. Other companies will then demand to have a say in how their own ad-message is delivered. Once the word gets out that paying a "spammer" will shut your business down then the source of money financing the spam will dry up. No money, no spam. Simple economics. We are just going after the wrong people. The people paying for the spam are the low hanging fruit, the easiest to track down, and the easiest to modify their behaviour.
I think you just hit on the most major feature that MS left out. What is needed is a balance of usability and enforcement. One needs enough enforcement so that the developer will hear about the issues and have the incentive to correct them, but not so much that the user is prevented from getting the application to work properly. Wouldn't it be great if MS used a click through message to both correct the problem and to also notify the developer? I like that MS is now collecting information on application crashes for quality purposes, and this would be just an extension of that to help everyone improve both quality and overall stability.
Exactly! When MS came out with NT, and protected mode Win32, a lot of programmers had to straighten up and fly by MS's new rules, and things improved greatly. They are still bad, but much improved. The problem is MS is not trying to get them to fix their own problems and therefore MS suffers an image problem that needn't be. If MS said, "this is the way things are, you have X months to make it work under the new rules" then the third parties will put in the effort. Not until. Don't expect them to fix anything that doesn't put money in their pocket unless they have to. They have to. The platform would be greatly improved as a whole, and much more stable. Yes, the developers will complain, but in the long run *everyone* looks better.
I have been there. I have fought the issues with management before. They need a shove in the right direction, and Microsoft is the only company that can do it. Anyway, making it the system default but with the option of turning it off 'per application' would be a much improved situation with just enough incentive to those companies to fix their own issues. If they have to answer the phone to tell you to flip a switch they will certainly take the time to fix it, or die of embarrassment in the eye of public relations. If you fix your product you sell more copies. Quality does count.
I came in one weekend and turned it on on my workstation and debugged everything I knew how to run (I was the new kid on the block in that shop), and by the time I left things were much more stable. After the next software release the phones stopped ringing off the wall and the sr tech actually had time to think for a change. His next conclusion, after thinking, was to run everything in protected mode and they never disregarded my advice after that. The product was much more stable and had fewer problems in the field, all because one person took the initiative to fix it rather than complaining that it would break.
Sometimes you have to stop running and realize it's time to hop on the bike, because it takes longer to push it along than to ride it the way it is meant to be used.
How long would it take for the engineers to throw the switch during their normal development cycle? Not long. They just need to do it and get the job done as they stumble across the problems during the general course of the day. Just do it.
There are MANY ways to do this, but it's tricky to get the injected code just right for each possible target system. Microsoft makes a good target, because there are so many machines configured exactly the same way, and Microsoft makes it too easy by not coding things in a secure manner to begin with.
Well the (+1 score) is that they have called for using the “The Enhanced Mitigation Experience Toolkit” (EMET) tool to mitigate the problem. The bigger question is why is EMET not a part of the OS proper? If the EMET tool is capable of solving this problem then why the &83$$@# didn't they force an install of EMET to solve all the Adobe issues? Why are they NOT stepping forward to fix all the third party application security issues?
What security features can you add with EMET?
Dynamic Data Execution Prevention (DEP)
Structured Exception Handler Overwrite Protection (SEHOP)
Heap Spray Allocation
Null Page Allocation
Export Address Table Access Filtering
Mandatory Address Space Layout Randomization (ASLR)
Now I have several questions, like why is this not part of the OS? Why is it not a default where these can be turned off on a case by case basis? Have untrusted browser plugins? And why isn't Flash/Acrobat/Shockwave forced to run under it? Admittedly Acrobat-X (sandboxed version of Acrobat) is a step in the right direction, but wouldn't it be better to have all applications turned on by default?
The Enhanced Mitigation Experience Toolkit 2.0 is Now Available
http://tinyurl.com/28znulg
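The comment above argues that DEP and ASLR should be on for every application rather than left to each vendor. Whether a given Windows binary has opted in is recorded in the PE optional header's DllCharacteristics word, and the following added example (mine, not from the commenter or from EMET) parses that word. The PE images it inspects are constructed in the script, not real programs; it reports only the image's own opt-in bits, since an OS-wide mitigation such as EMET's mandatory ASLR or DEP can still be applied to an image that lacks them.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits, as defined in the PE/COFF spec
DYNAMIC_BASE = 0x0040  # image is relocatable, so the loader can apply ASLR
NX_COMPAT    = 0x0100  # image is compatible with DEP (no-execute data pages)
NO_SEH       = 0x0400  # image registers no structured exception handlers


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, or raise ValueError."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]       # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip the signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional headers
    return struct.unpack_from("<H", pe, opt + 70)[0]


def mitigation_optins(pe: bytes) -> dict:
    """Report which of the page's mitigations the image itself opts into."""
    flags = dll_characteristics(pe)
    return {
        "DEP": bool(flags & NX_COMPAT),
        "ASLR": bool(flags & DYNAMIC_BASE),
        "NO_SEH": bool(flags & NO_SEH),
    }


def fake_pe(dll_chars: int, magic: int = 0x20B) -> bytes:
    """Constructed minimal PE header (not a runnable program) carrying the given flags."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header follows the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


HARDENED = fake_pe(NX_COMPAT | DYNAMIC_BASE)  # what a vendor should ship
LEGACY = fake_pe(0)                           # the third-party case the comment complains about

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, mitigation_optins(image))
```

To check a real file, pass `open(path, "rb").read()` to `mitigation_optins`.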