


Microsoft Announces Windows 10

benjymouse Re:Catching up with Fedora (359 comments)

Doesn't seem to have a real shell yet. Bash, csh, tcsh, I don't care. Windows is a gaming OS unless it can put productivity back. Otherwise it's OS X or Linux...

PowerShell beats anything *sh on consistency, terseness, expressiveness, risk management, integration, remoting, job control, interactive assistance.

And it is not as dangerous :-)

2 hours ago

Apple Faces Large Penalties In EU Tax Probe

benjymouse Re:Finally (120 comments)

You, like most here, completely misunderstood what's going on. QTFA: "While the companies themselves aren't under investigation, their input is being sought because they would be required to return any unpaid taxes."

I repeat: Apple is not under investigation, they will not be fined. The worst that can happen to them is be required to pay taxes saved. It's only Ireland who is in trouble (and the other countries under investigation).

Thanks. I stand corrected :-)


Apple Faces Large Penalties In EU Tax Probe

benjymouse Re:Finally (120 comments)

But if the Irish laws supported Apple what's the legal basis for trying to claim back taxes?

I believe that the claim is that *both* Apple and the Irish government colluded to bypass Irish laws (derived from EU directives). In that case the Irish government is also going to be in trouble, treaty-wise.

I have a feeling that we'll soon see a pattern where Microsoft, Apple, Google and more did get illegal tax breaks by moving European HQs to Ireland. If it can be demonstrated that they colluded to keep the arrangement secret (to avoid EU Commission inquiries) and that Apple et al thus should have known they did not comply with EU law, they could - and should - be in trouble.

Apple has a big coffer - so naturally that is where the EU Commission will look first. I doubt that there is political will to risk the stability of the Irish economy by forcing fines on Ireland.

Ireland is a leech, just like Luxembourg, Switzerland, Liechtenstein, the Channel Islands etc.


Bash To Require Further Patching, As More Shellshock Holes Found

benjymouse Re:Nothing to do with language (322 comments)

Second of all, whether the programming language is bad or not is totally not relevant.

On the contrary, it is deeply relevant. As long as you manipulate simple values you can do so pretty safely, even with a single-type (text) language like bash. But the second you also represent code as a value, you are setting yourself up for security problems.

This goes deeper than bash: All of the POSIX-like shells were always dangerous in the way file names and other parameters were passed to commands. Miss a proper quoting and you set yourself up for injection through a simple filename (one with a few unusual characters).

Admittedly, bash has taken it a bit further and wanted a way to allow passing functions to subshells. Again, it was a way to mitigate an inherent limitation with *sh shells: The way every command on a pipeline was executed in its own process and thus could not leverage functions and other constructs from the ultimate parent shell.

But the real problem is lack of strong types. As I said above, strong types are not terribly important (but can still help) as long as you manipulate simple values. But when those values can include executable content, knowing what type a passed parameter is supposed to be (string or code?) becomes a security feature.

In PowerShell you have advanced scripting where functions can be invoked from nested scopes. But in PowerShell, script blocks are a separate type. Nowhere will a function or cmdlet just execute a string, except for the cmdlet called Invoke-Expression which is roughly equivalent to bash eval. You have to ask for it to interpret a string as code. bash also has an eval function, but parameters passed to utilities such as find can also execute text!
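
An added example (not part of the comment above) of the quoting point: the same hostile file name is harmless when it is passed as an argument and becomes code the moment a script splices it into a command string that an interpreter then parses. The fixture directory and the file name `a;touch INJECTED` are constructed for the demo; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not code from the original page. Constructed fixture: a
# directory with an ordinary file and one whose NAME carries shell
# metacharacters. Nothing about the name is executable until a script
# interpolates it into a command string and hands that string to sh -c.
set -u

make_fixture() {
  dir=$(mktemp -d)
  : > "$dir/report.txt"
  : > "$dir/a;touch INJECTED"      # hostile file name (constructed)
  printf '%s\n' "$dir"
}

# VULNERABLE: $f is interpolated into code; sh -c then re-parses that code.
# For the hostile name the child actually runs:
#   printf 'processing %s\n' a;touch INJECTED
vulnerable_process() {
  ( cd "$1" || exit 1
    for f in *; do
      sh -c "printf 'processing %s\n' $f" >/dev/null 2>&1
    done )
}

# SAFE: the command text is a fixed single-quoted string; the file name
# travels as its own argv entry ("$1") and is only ever data, never parsed.
safe_process() {
  ( cd "$1" || exit 1
    for f in *; do
      sh -c 'printf "processing %s\n" "$1"' sh "$f" >/dev/null 2>&1
    done )
}

# Returns 0 when the injected command's side effect is present.
was_injected() {
  [ -e "$1/INJECTED" ]
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  d=$(make_fixture); vulnerable_process "$d"
  if was_injected "$d"; then echo "string interpolation: INJECTED was created"; fi
  d=$(make_fixture); safe_process "$d"
  if ! was_injected "$d"; then echo "argument passing: no INJECTED file"; fi
fi
```

Run with `RUN_DEMO=1 sh example.sh`. The same rule applies to `find`: prefer `-exec cmd {} +` over building a `sh -c "... {}"` string, and put `--` before file arguments to utilities like `rm` so a name beginning with `-` cannot be read as an option.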


Bash To Require Further Patching, As More Shellshock Holes Found

benjymouse Re:Soon to be patched (322 comments)

What makes you think Windows doesn't have problems like this?

They did. But it is a long time since the last vulnerability on this scale. Following the embarrassing Nimda and Code Red (and many vulnerabilities in IIS), Microsoft started its "security push". The central part of that is the Secure Development Lifecycle (SDL) which is a collection of processes, methodologies, tooling, mandatory education, guidance and mandatory threat modelling, reviews and auditing.

The difference is that being open source third parties can review the code and find problems. There is no way to keep them secret and from the public.

That's all fine and dandy. Only, these bugs (the original Shellshock and these later) have existed for 22+ years! During all that time, nobody (we hope) "reviewed the code and found problems". So, if there were any third parties looking at the source, they failed miserably (or sold exploit information on the black market).

Look, there have been bugs found in old MS code as well. A few years back there was a vulnerability in the old DOS emulation code.

It is time to let the myth of the many eyes die. The community is not going to help you by reviewing code unless you *pay* them to do so. It is the most boring discipline of developing code, and nobody does it out of interest.

A company like Microsoft can *pay* people to review and audit code. A big part of SDL is exactly those supporting roles and checks/gates. The open source community must wake up and set up foundations OpenSSL style and start asking those who reap the biggest benefits for some funding.

Also, fixes were pushed out within hours of notification.

Do you really want to go there, given the incomplete patches and host of related problems which could have been found had the maintainers taken more time?

Part of SDL in Microsoft is exactly a process where, when a vulnerability has been reported, they must take time to analyze if there are related or similar vulnerabilities, what impact a patch could have. On top of that they have a gigantic test farm where they test for compatibility with a huge number of popular software applications.

Essentially, what Microsoft does *internally* and prior to releasing information on the bug, is now what for bash takes place *externally* (external security researchers) and *after* the vulnerability info was released.

Look at it this way. BASH has had this problem evidently for years and there haven't been any exploits. It was discovered by researchers analyzing the code. In an MSoft world, where nobody has access to the code but MSoft, the public finds out about security holes after they have been exploited.

No no no no. This bash problem was discovered by someone trying to see if you could pass a lambda (an anonymous function) from a bash shell instance to a subshell. He then noticed some weirdness and investigated.

After the bug has become known, security "researchers" homed in on the bash interpreter. Still from *the outside* (i.e. NOT looking at the source code), more vulnerabilities were found (see Tavis Ormandy's tweets).

The easiest way to find these bugs remains to just play around with bash and try to throw it off with weird syntax. And that is how these bugs are being found.

There is absolutely no evidence that having open source code makes the product more or less secure. To be honest, only the most obvious bugs are ever found by inspecting the code - which tend to be the same class of bugs that would be found with just some cursory testing.

No, the quality of the code is impacted by the quality assurance processes that surround the development process, such as testing, threat modelling, security audits, tooling, guidance etc.


Bash To Require Further Patching, As More Shellshock Holes Found

benjymouse Re:Call it what you will (322 comments)

There's nothing in the CGI specification that requires or suggests that there needs to be any kind of intermediary in handling the requests aside from the web server. The environment is a perfectly legitimate way of passing data, and if the web server calls the CGI safely (i.e. pipe()/fork()/exec()) there's no reason for a transient interpreter like bash to get involved.

The BIG problem here is that environment variables are inherited by default by any child processes. A semi-persistent mechanism is being used (by CGI) to pass what should have been transient data.

The passed values from CGI to the command processor are intended ONLY for the command processor. This is a specification vulnerability almost on par with PHP register_globals: If you know that a certain sub-process *also* uses environment variables to pass parameters, you can poison those environment variables from the web context.

PHP register_globals was bad exactly because of this: Sometimes a script would assume that a variable having no value (e.g. "CURRENT_USER") meant that the user had not logged on; and conversely that a value meant that the user had indeed authenticated. Presto: Inject "CURRENT_USER" as a request parameter and PHP would register a global variable which would cause the test to believe that you were logged on.

The CGI way is very, very similar: Environment variables are indeed "global" and it is very difficult for the immediate receiving processor to check whether extra variables have been set (as it itself could inherit variables from its parent process).

The wrong mechanism (a semi-persistent environment) is being used to transfer what should have been transient data. That is a vulnerability in the spec.
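
An added example (not part of the comment above) of the inheritance problem: a toy CGI gateway exports a request header as `HTTP_USER_AGENT`, exactly as the CGI spec requires, and runs a handler; the handler spawns a grandchild that reads its configuration from the environment. The header value, gateway and handler functions are all constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the original page. The "gateway" does what a
# CGI web server does: request headers become HTTP_* environment variables
# before the handler starts. Because the environment is inherited by default,
# anything the handler spawns sees the attacker-chosen value as well, even
# though it was only ever meant for the handler.
set -u

# Constructed request header; attacker-controlled in a real deployment.
UA_FROM_REQUEST='Mozilla/5.0 (attacker-chosen; trailing data)'

# The CGI gateway: export the header as the spec requires, run the handler.
cgi_gateway() {               # $1 = handler function name
  HTTP_USER_AGENT=$UA_FROM_REQUEST
  export HTTP_USER_AGENT
  "$1"
}

# Naive handler: the grandchild (a separate sh process standing in for any
# utility that reads settings from its environment) inherits everything.
handler_naive() {
  sh -c 'printf "%s" "${HTTP_USER_AGENT:-<unset>}"'
}

# Hardened handler: the grandchild starts from an empty environment and gets
# only an explicit allow-list, so request data cannot reach it this way.
handler_scrubbed() {
  env -i PATH="$PATH" LANG=C \
    sh -c 'printf "%s" "${HTTP_USER_AGENT:-<unset>}"'
}

# Run a handler under the gateway in a subshell (so the export does not leak
# into the caller) and return what the grandchild observed.
observe() {
  ( cgi_gateway "$1" )
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  printf 'naive handler, grandchild sees:    %s\n' "$(observe handler_naive)"
  printf 'scrubbed handler, grandchild sees: %s\n' "$(observe handler_scrubbed)"
fi
```

Shellshock itself was bash importing a function definition from any variable whose value began with `() {`; patched versions of bash only import from specially named variables. The inheritance problem the comment describes survives that fix: any descendant that reads a setting from the environment (a `Proxy:` request header becomes `HTTP_PROXY`, which some HTTP client libraries honour as their proxy setting) is reachable from the request unless the handler starts subprocesses with an allow-listed environment as above.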


Bash To Require Further Patching, As More Shellshock Holes Found

benjymouse Call it what you will (322 comments)

The fact is that bash allows external entities to poison environment variables ahead of invocation, causing unintended behavior in bash when it is launched as a child process.

You are correct that this is not a remote exploit by itself. Only with CGI does it become remote. It is a code injection vulnerability that when used with CGI becomes a remotely exploitable vulnerability.

This is not a "blended" attack that combines with a CGI vulnerability. There is no vulnerability in CGI; it works as specified (you could say that there is a design vulnerability in CGI - and I would agree about that).


Bash To Require Further Patching, As More Shellshock Holes Found

benjymouse Is the bash parser a lost cause? (322 comments)

Seems to me that there are multiple indications that the parser is quirky, ad-hoc and error-prone. Parser construction is an old discipline. Was the bash parser created by people without the proper training, and has later maintenance ignored code because it was too weird?


Outlining Thin Linux

benjymouse Re:Maybe read the thread (221 comments)

Citation needed. I have never seen anyone declaring Windows Server 2012 the best ever OS because of the CLI.

With respect, the above poster is replying to someone that appears to be asserting that. I suggest reading other posts higher up in the thread before wasting time writing such long replies that miss the point.

With respect, the GP of my post never asserted that. For reference this is the entire post:

We used to run linux in the server room because it was lean and easy to admin. Windows was slow, mousy, and dependencies were hellish.

Now we run Windows Server 2012 with no GUI, virtualized, and admin with powershell. We've ripped out tens of thousands of dollars of Red Hat; windows is cheaper.

Basically there aren't any linux server distros that are like Red Hat used to be before the Fedora fiasco. It seems like Red Hat today is doing a bad job of trying to be a GUI laptop distro running on server hardware. And they are letting mature stuff like PADL's LDAP modules go to seed while shipping raw, buggy stuff like SSSD, instead of maintaining the old stuff until the new is reliable enough for real world use.

There is no assertion of "all those Windows sysadmin flunkies are declaring Server 2012 is the bestest ever because you can run in headless with a CLI" in that quote, is there?

There is a certain bias towards Server 2012, but no claim of it being the best ever server OS. Much less a claim that others think it is the best ever server OS.

I suggest reading other posts higher up in the thread before writing a short post that you cannot even get right.

about a week ago

Outlining Thin Linux

benjymouse Re:Yes, just like that. (221 comments)

Windows sysadmins amaze. For fifteen years I listened to them rattle on about how the GUI in Windows NT and its descendants was absolutely necessary, that it opened up servers to people who couldn't or wouldn't learn how to work from a CLI.

You are inventing a demographic that we cannot verify, then you are ascribing a position to "them" which you then proceed to ridicule because of the alleged hypocritical 180. The very definition of a strawman: Create it, pretend it is real, "kill" it.

So a few server distros put the head on their installs, worked like mad dogs to build GUI and web-based management systems like Webmin, and now suddenly all those Windows sysadmin flunkies are declaring Server 2012 is the bestest ever because you can run in headless with a CLI.

Am I getting this right: Are you seriously saying that the (alleged) argument from the Windows camp was what forced server distros [to] put the head on their installs? Seriously?

and now suddenly all those Windows sysadmin flunkies are declaring Server 2012 is the bestest ever because you can run in headless with a CLI

Citation needed. I have never seen anyone declaring Windows Server 2012 the best ever OS because of the CLI.

What you may have overlooked is the fact that Windows Server from very early on had policies. Policies even existed before AD. In Unix/Linux we scripted everything, often hoping that the scripts would perform the same on every server.
During all that time some 80% of what we scripted could be expressed declaratively and more robustly using policies. Policies could ensure that application packages (MSIs or EXEs) were installed (or uninstalled), that security permissions were set up correctly, could create, rename or delete accounts, files, registry entries etc.
Very little could not be expressed using declarative policies - and they could even be set to use scripts.

For the parts of remote administering that were too cumbersome to create policies for, there was always scripting. Yes, Windows scripting (.bat, .vbs and the like) used to kinda suck compared to Unix/Linux - but it *was* there.

Yes, Windows always had the GUI option - even if you did not use it. That kinda sucked for the big deployments - not so much for the smaller ones where the GUI could sometimes be an efficient way to troubleshoot a misbehaving server.

Listen you fucking asshole. *nix has been running CLI longer than most people posting here have been alive.

I am sorry that I have to be the one to break this to you, but: *nix did not invent the CLI. Indeed, every OS that came before Unix, *all* of them, had the CLI as the main shell.

Generations of system administrators have lived and fucking died while Windows was forcing a clunky GUI toolset that you couldn't fucking script properly, and that you ended up having to go to REGEDIT and a bazillion GPO entries to fine tune.

Seems like you had trouble with the declarative way of thinking. To me, GPOs made perfect sense. It was declarative in a way that 'nix did not have until Chef and Puppet arrived. With GPOs you could describe which application packages had to be installed on which group of machines, both servers and desktops.
Move the machine to another org unit or group and group policy would ensure that applications were uninstalled and new ones installed to match the new provisioning. I guess you never got that.

Oh no, but Windows is so fucking cutting edge because in the last seven or eight years has developed a fucking shell that you can properly fucking script (even if the scripting language in question is a verbose and unbelievably slow executing piece of shit that is in almost every way the exact opposite of the elegance of *nix).

I assume that you are talking about PowerShell. Initially I just want to point out that you could indeed script Windows long before PowerShell. VBScript *was* kinda verbose - but you *could* get the job done. More importantly - to enable scripting, Windows Management Instrumentation (WMI) was developed during the VBScript era.
WMI is a much better interface to system management than strange, clunky file-mapped /dev, /proc and other contraptions. WMI is an object oriented API to systems management that enables remote management. Yes - you can invoke WMI objects from remote - opening the prospect that you do not need a GUI and not even a shell nor an editor at the local machine to properly administer it.

Back to PowerShell:
You are correct that during the last seven/eight years Microsoft has quickly evolved a new shell. PowerShell has taken the idea of pipes and improved it, creating pipes of objects. Objects can be complex, and thus in one stroke solved a decades old problem with text pipes: How to represent complex structures in a common way.
Another problem solved was how the Unix pipeline always required reparsing and formatting between the tools. These are all well known traits of PowerShell at this time.

But here's the kicker: PowerShell aims are much, much higher than becoming just a CLI shell: From the start, PowerShell was designed as a hostable engine - an engine that you could build into your application to run in-process and manipulate your applications in-process objects because your application runs PowerShell as an in-memory engine.
Why is that significant? Because it allows you to build rich GUIs (web or native) that use PowerShell as the logic layer. The Exchange Admin interface was the first to leverage this. At this time virtually all the admin GUIs in Server 2012R2 use this approach. The idea is that this way you will always have the scripting interface - because you build that first. This way the GUI never gets to do more than what can be achieved through scripting.
Bash or other *sh shells on Unix will never be able to do that in the same way. The *sh shells always run in a separate process and communication between an admin interface and the shell has to serialize to text (or byte) streams back and forth, which apart from being unbelievably cumbersome is dangerous security-wise (think injection attacks).

That is why Unix fanboys are all up in arms about PowerShell: While PowerShell would never make as much sense on *nix (*nix'es do not have a common object model for the entire system and APIs like Windows does); PowerShell by virtue of how it integrates on Windows nevertheless exposes the inherent limitations of *sh shells.

And that was even before PowerShell achieved workflows functionality and Desired State Configuration. Workflow allows Windows admins to create resilient scripts that can branch out and execute on multiple nodes and survive system restarts and pick up and continue after interruption. Desired State Configuration is "declarative scripting" where the PowerShell scripting engine figures out what steps/scripts are necessary to bring a node into the described state.
The kicker: A "node" can be a Windows machine or any other equipment that conforms to WBEM/CIM industry standards. Many of these will be network equipment running Linux or a BSD. Being controlled by PowerShell DSC.

Well congrat-u-fuck-ulations Mr. "We paid a bazillion dollars to Redmond in licensing fees so we could have a scriptable CLI-based OS in our data center". I bet you even think you did an amazing thing.

You sound like a bitter old man?

Fucking Windows admins. Arrogance, stupidity and a total lack of knowledge of their own fucking operating systems incredibly dubious history as a Server OS.

A very angry, bitter old man. Why all the anger?

Meanwhile, in the time it takes you to type out the name of a Powershell scriptlet and its arguments to import a CSV and puke it out as a SQL script, I can write the code in awk or Perl in a bash wrapper.

PowerShell will beat you any day of the week. Perl in a bash wrapper? WTF?

But hey, I must be stupid and you must the be the super fucking genius

I am not the GP. I don't think you are stupid. You seem, well, passionate. Your passion may be clouding your judgement and when challenged you seem to become aggressive rather than considering whether the challenge could have merit and whether there could be some learning opportunities. While you may not be stupid, refusing to learn and digging into a hole could - over time - make you appear as stupid because of the accumulated ignorance that comes with being stuck in a hole.

about a week ago

'Reactive' Development Turns 2.0

benjymouse Re:Reactive is an extension of event driven (101 comments)

Certainly cool, but most of the credit goes to C# supporting LINQ & lambda functions.

The point is, that when you view events as

public event EventHandler StockQuote;

you cannot use the LINQ goodness to compose events. Once you make the switch and view events as sequences where the items have not appeared yet, you enable the likes of LINQ and list comprehensions.

Mind you, these IObservable LINQ operators look like the IEnumerable counterparts - but they are all implemented quite differently. There is a beautiful duality between the two which enable us programmers to think about events the same way we think about collections.

Besides, if the so-called Reactive "movement" thinks nobody has been writing private event buffers & message lists for the past few decades then they're mistaken.

I'm with you. I'm certainly not part of any "movement" - I do not think every programming problem needs to be attacked from a "reactive" point of view. But I can recognize a good idea when I see one, and Reactive Extensions is one such good idea. And I am already aware of several places I should have used RX and LINQ instead of building complex finite state machine logic.

Another cool idea that I think this "movement" is embracing, is async. That has much more profound consequences for how we program and has been a real eye-opener. When I can program with async all the way down through multiple tiers, to the business logic that calls external services or queries the database, a whole bunch of problems suddenly go away: I no longer have to balance how many threads should serve the website, the app servers against how "idle" the threads are when waiting for a query to return or waiting for an external service to respond. When a request "waits" it yields the thread to the server so that it can be used for other requests. Once the answer arrives from the database or service, a thread is allocated to continue the request processing. The outcome is that all threads tend to become cpu bound - never idle. Which scales much, much better.

However, I still question that this is (or needs to become) a movement. It's a discipline - or rather 2 related disciplines - that a good programmer should have in his/her toolbox.

about a week ago

'Reactive' Development Turns 2.0

benjymouse Reactive is an extension of event driven (101 comments)

As far as I can tell, this person (or persons) has discovered something that has a name already: Event-driven programming. It's been around for a very long time. It has many of the benefits of naive multi-threaded coding without the warts. But it introduces warts of its own, with event orderings being the big one.

What Erik Meijer discovered was that an event can be viewed as a sequence. Each occurrence of the event is an "item" of the sequence. That's why he wrote an article called "Your mouse is a database": The mouse is a sequence of multiple event types such as moves, buttons etc.

Once you start to view (and represent) events as "push" sequences interesting things start to happen: Suddenly you can *compose* events in the same way you compose collections/sequences.

Erik Meijer wrote the Reactive Extensions for .NET which does exactly that. Using LINQ you can transform, aggregate, group, partition, project/map, filter etc events.

Consider, for instance, stock market ticker values: Clearly you can see those as events: Each deal/offer is an event. Multiple events are a stream/sequence. Now imagine you want to know each time a symbol has "peaked" - i.e. each time 3 consecutive values for any symbol have the maximum as the middle value. With Reactive Extensions and LINQ you would write:

var peaks = stockQuotes.GroupBy(sq => sq.Symbol).SelectMany(g => g.Buffer(3, 1).Where(IsPeak));

where IsPeak is defined as:

bool IsPeak(IList<Quote> b) {
        // Buffer(3, 1) can emit a shorter trailing buffer when the source completes,
        // so guard the count before indexing.
        return b.Count == 3 && b[0].Rate < b[1].Rate && b[1].Rate > b[2].Rate;
}

1. stockQuotes is the IObservable stream of quotes.
2. GroupBy creates a new stream of multiple streams. Each time a new symbol is encountered, a new group will be added (appear in the stream); if the symbol has already been encountered the quote is added to the end of the stream for the symbol.
3. Buffer creates "sliding" buffers (increments of 1), each with 3 items.
4. Where filters the IObservable so that only "peaks" are let through.
5. SelectMany "flattens" multiple streams into a single stream again, i.e. creates a single stream of quotes regardless of their symbol (group)

Now, this is an IObservable stream with no subscribers (observers) yet. This also means that there is no subscription at stockQuotes. But as soon as you register a subscription like this:


It starts to invoke the Peaked method with peaks consisting of lists with exactly 3 items each. And this will go on and on.

Now imagine how you would write something like that using events and event handlers? It will probably take 10 times more code and be less readable than the above. (Yes, I know that it is not entirely straightforward if you are not used to RX and LINQ).

about a week ago

Microsoft Kills Off Its Trustworthy Computing Group

benjymouse TPM also handy for measured boot (99 comments)

During boot, Windows will write log entries to the TPM. Every time a module or driver is loaded, the signature, hash code etc. is written to the TPM.

When the OS is up and running a client can request the TPM to issue the collected log entries, digitally signed with a key residing in the TPM. The boot log is then sent to a "health certificate" server. The health certificate server can inspect the log (after verifying its authenticity through the signature) to see if any untrusted or known malicious software was loaded during the startup process. If everything checks out OK, it can then issue a "Health certificate".

Other devices on the corporate/private net can be instructed to quarantine servers until they can present a valid Health certificate. I.e. the TPM can play a central role in preventing malicious software from propagating on internal networks: If a server suddenly loads more drivers than expected, loads non-whitelisted drivers or directly blacklisted drivers, nobody wants to talk to it.

about two weeks ago

Apple Locks iPhone 6/6+ NFC To Apple Pay Only

benjymouse Re:WTF (335 comments)

Do Apple have the majority of the market in smartphones and exert an undue influence on that market? Nope, they're not even the biggest player in that market. Not at all the same as Microsoft having 95% of the desktop market and Google having over 70% of the internet search market and using their market position to keep out competitors. I don't like what Apple do but if people don't like Apple's behaviour there are half a dozen other manufacturers happy to take their money instead.

In the EU you do not need to have the majority of a market to run afoul of the Commission. If you have a dominant market position and use it to unduly lock out competitors you'll get in trouble. As you should.

This reeks like Apple want to establish their own payment system as the de facto standard. And they are prepared to use their significant market share to do it. That could (and should) get them into trouble.

about two weeks ago

Apple Outrages Users By Automatically Installing U2's Album On Their Devices

benjymouse Re:Simple (610 comments)

I've had Steam put promotional stuff in my library automatically on a couple of occasions.

Yes, but it doesn't download it to your computer automatically.

No, Steam is actually worse: I play CIV5 on occasion. It was purchased on Steam, but I start from the shortcut I asked it to create. Nevertheless, Steam creates a pop-under ad that I have to close *every* time I play the game.

The point is not that I could probably easily find the shortcut to the *real* game (and not the Steam launcher). The point is lack of respect. I already bought the game. As far as I am concerned that is a completed transaction. I have NOT asked for promotional offers.

about two weeks ago

Microsoft Paid NFL $400 Million To Use Surface, But Announcers Call Them iPads

benjymouse Re:$400 million (405 comments)

Yeah, I noticed after posting the comment that the summary was completely wrong.
But in my defence; how could I have known that a summary on Slashdot would be completely wrong?

Yes. My bad. I am sorry.

It wasn't you who pulled it out of thin air. I can see how it was implied by the submitter.

Damn. One could get the impression that submitters/editors sensationalize just to get page-clicks.

about three weeks ago

Microsoft Paid NFL $400 Million To Use Surface, But Announcers Call Them iPads

benjymouse Re:$400 million (405 comments)

Just to have the NFL officially use your brand of tablet.

What gave you that idea? Did you just pull it out of thin air?

It covers more than that. Read the MS press release on the deal:

The agreement provides Microsoft with the rights to create exclusive interactive experiences through products such as Xbox One and Surface, transforming the way fans will experience the NFL in the years to come. The NFL on Xbox will provide fans with an all-new viewing experience through innovations around Skype and Xbox SmartGlass; an all-new, innovative fantasy football solution allowing fans to view players and live competition side by side on a single TV screen; and a personalized NFL destination featuring information about the players, teams and games fans care about most. Xbox also retains the exclusive rights to extend these interactive experiences to tablets, enabling fans to use Xbox SmartGlass technology to enhance game day.

So, basically also the license to use NFL content on XBox and tablets (I see no mention of live content - but it could be buried in the "xbox experience")

No advertising seconds, no "official phone", "official supplier" or anything, just "official tablet".

Wrong. From the press release (see above):

As part of the partnership, Surface by Microsoft branding will appear on NFL sidelines in unique ways, including on the hoods of the official on-field NFL instant replay stations. As part of the relationship, Microsoft will be granted the following designations:

  Xbox remains “The Official Game Console of the NFL” and will also become “The Official Interactive Video Entertainment Console.”

  Microsoft is “The Official Sideline Technology Sponsor of the NFL.”

  Surface by Microsoft and Windows are “The Official Tablet and PC Operating System of the NFL.”

about three weeks ago

Microsoft Paid NFL $400 Million To Use Surface, But Announcers Call Them iPads

benjymouse Yes it is a lot of money (405 comments)

It is not just for "product placement", though.

From Microsoft's press release on the deal:

The agreement provides Microsoft with the rights to create exclusive interactive experiences through products such as Xbox One and Surface, transforming the way fans will experience the NFL in the years to come. The NFL on Xbox will provide fans with an all-new viewing experience through innovations around Skype and Xbox SmartGlass; an all-new, innovative fantasy football solution allowing fans to view players and live competition side by side on a single TV screen; and a personalized NFL destination featuring information about the players, teams and games fans care about most. Xbox also retains the exclusive rights to extend these interactive experiences to tablets, enabling fans to use Xbox SmartGlass technology to enhance game day.

So MS has also licensed the rights to use the NFL brand, clips etc. (could be 3D instant replay on the xbox, streaming over Skype?).

And exclusive rights for tablets. Could be a driver for Surface uptake.

And also this:

As part of the partnership, Surface by Microsoft branding will appear on NFL sidelines in unique ways, including on the hoods of the official on-field NFL instant replay stations. As part of the relationship, Microsoft will be granted the following designations:

The instant review stations are in view during some of the most tense situations of a game, with a lot of attention. Surely, that is worth money.

400.000.000 is a lot of money. I have no idea if it is too expensive or not. But it does cover more than the right to equip the sidelines with tablets.

about three weeks ago

Akamai Warns: Linux Systems Infiltrated and Controlled In a DDoS Botnet

benjymouse Re:must me false (230 comments)

You do understand that it takes ROOT to set the SUID bit on a file right?

You do understand what the SUID bit does when the file is owned by ROOT, right? When you run such a file, you elevate to root just to change the password. That is *vastly* more power than you need, and it is a serious danger: Just a simple bug like a buffer overflow can cause total system compromise when it allows the attacker to execute as root.

This is why you will find all SUID programs set to read only and owned by an administrative user (such as root). It is why you instruct your sysadmin staff to NEVER SUID anything w/o good reason and permission, and it is also why you scan systems for SUID binaries and scripts regularly so you can find and remove such nonsense as SUID security holes.

Yes, it is because of the inherent danger in SUID root utilities. Now imagine a security model that does not need anything like SUID.

And if you find any unexplained SUID stuff on your box, you pull the plug on everything and start looking for where the break in happened because you've been compromised and your whole network is suspect.

Yes, but how do you audit the "explained" SUID stuff? How does a security auditor really know what a user can do, which resources (files, etc.) a specific user can access, when he is allowed execute access to SUID utilities like sudo, passwd and the like? He may think he knows what the utility does by its name, but how does he know *what else* it can do?

What do you think of a security model where you will have to compile all utilities from audited sources, with audited compilers, to make sure that users cannot access resources they are not supposed to?

See, that's the difference between a security model that protects resources and one that tries to restrict access to utilities that can manipulate every resource on the system: You cannot effectively audit such a system.

about three weeks ago
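The periodic SUID scan the comment describes (find setuid/setgid files, keep a reviewed baseline, flag anything unexplained) as an added example; this is not code from the thread. It assumes GNU find (for `-printf`) and a caller-supplied baseline file path.

```shell
#!/bin/sh
# Added example: baseline-diff audit of setuid/setgid files.
# Assumes GNU findutils; the scan root and baseline path are caller-supplied.
LC_ALL=C
export LC_ALL

# Print every setuid or setgid regular file under $1 as "mode owner:group path",
# sorted, so two scans can be compared line by line.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%M %u:%g %p\n' 2>/dev/null | sort
}

# Compare the current scan of $1 against the baseline file $2.
# First run: record the (reviewed) set as the baseline and return 0.
# Later runs: return 0 when nothing changed, 1 when a setuid/setgid file was
# added, removed, or changed mode/ownership (the offending lines are printed).
audit_suid() {
    root=$1
    baseline=$2
    current=$(mktemp)
    list_suid "$root" > "$current"
    if [ ! -f "$baseline" ]; then
        cp "$current" "$baseline"
        rm -f "$current"
        return 0
    fi
    # comm needs identically sorted inputs; list_suid sorts under LC_ALL=C.
    added=$(comm -13 "$baseline" "$current")    # only in current scan
    removed=$(comm -23 "$baseline" "$current")  # only in baseline
    rm -f "$current"
    if [ -z "$added" ] && [ -z "$removed" ]; then
        return 0
    fi
    [ -n "$added" ] && printf 'NEW or CHANGED (review before trusting):\n%s\n' "$added"
    [ -n "$removed" ] && printf 'GONE since baseline:\n%s\n' "$removed"
    return 1
}
```

Run it from cron against `/` with a baseline kept outside the scanned tree; a non-zero exit is the signal to go and look.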

Akamai Warns: Linux Systems Infiltrated and Controlled In a DDoS Botnet

benjymouse Re:Hmmm (230 comments)

But we are talking ONE issue now which has long been known and easily avoided.

No, we are talking an issue that is the result of an inadequate security model that is incapable of securing anything but files.

Windows NT was designed with access control in place for files, devices, mailslots, pipes (named and anonymous), jobs, processes, threads, events, keyed events, event pairs, mutexes, semaphores, shared memory sections, I/O completion ports, LPC ports, waitable timers, access tokens, volumes, window stations, desktops, network shares, services, registry keys, printers, Active Directory objects, and so on. Yes, Active Directory objects are in that list, because the model was designed to be extensible.

We are talking you claiming that an operating system which cannot even pass the Orange Book requirements without severe redesign by NSA is more secure out of the box than an operating system which has met those requirements from day 1.

Ever wonder why they picked the [CTL][ALT][DEL] key sequence in Windows NT? Think about it... Windows has the same kinds of issues, you just don't want to think about it.

The secure attention sequence is guaranteed to be non-hookable by software on the box. The reason for that is added security (that Linux lacks), not a remediation of lacking isolation. Yes, Windows has had similar (but far from as severe) problems with shatter attacks. And there's learning for you in how it was handled:

After UAC was introduced with Windows Vista it was made illegal for lower-integrity processes to send messages to (or hook the keyboard etc. of) higher-integrity processes - even if they were running as the same user. Combined with the fact that IE ran as low-integrity, it was made exceedingly difficult for an attacker to hook the keyboard or remote control other windows, even if he compromised the IE process.

However, trojan malware that users were tricked into installing as normal-integrity processes could still hook the keyboard. With Windows 7 Microsoft added to the protection: No longer can an equal-level (integrity level) process hook another process' window or keyboard. To accommodate accessibility tools which frequently need to do that, Microsoft allowed a slightly *higher* integrity level *if* and only if a certain manifest requires it and the file has been digitally signed.

The point of this is that both enhancements were achieved through the already extensible security model. Integrity levels were simply assigned SIDs. If the low-integrity SID is in your process token you are a low-integrity process.

You can *never* extend the simplistic Linux security model like this. It is forever limited to user identities. A process under Linux does not have a token - it has an effective user. It was designed with the faulty assumption that a process in all aspects could represent the user who started it. Proper tokens recognize that processes may have fewer rights, or even more rights than the user who launched it.

You have uttered unbased claims through this entire thread. Now it's time to tell the world how - specifically - the Linux model is inherently more secure than the Windows model.

about three weeks ago



VLC threatens Secunia with legal action in row over vulnerability report

benjymouse benjymouse writes  |  about a year ago

benjymouse (756774) writes "Following a blog post by security company Secunia, VideoLAN (vendor of the popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled More lies from Secunia. It seems that Secunia and Jean-Baptiste Kempf have different views on whether a serious vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to "unpatched". Secunia claimed that they had a PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)."

Pwn2Own 2009: Safari, IE8 and Firefox all pwned!

benjymouse benjymouse writes  |  more than 5 years ago

benjymouse (756774) writes "In a matter of seconds, Charlie Miller, last year's winner of the PWN2OWN contest, did it again at CanSecWest and successfully exploited a fully patched Safari running on a Mac. He came prepared, directed the operator of the browser to browse to a rigged website and it was all over.

He took the $10.000 first prize and the macbook home with him.

Last year he was quoted as saying "Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in QuickTime.".

As I wrote this submission news came in that all of IE8, Safari (again) and Firefox were pwned by a researcher going by the name "Nils". So far only Chrome remains standing.

These were all drive-by exploits against fully patched browsers, not 3rd party plugins. Be careful out there."

Vista Capable lawsuit loses class action status

benjymouse benjymouse writes  |  more than 5 years ago

benjymouse (756774) writes "In a big setback for plaintiffs, a federal judge has stripped the class-action status from the Vista Capable suit against Microsoft.

Computerworld writes

The consumers who brought the original lawsuit, and those who followed as members of the class action, will be free to continue their cases, but they will have to do it individually, not as a group, Pechman said. "Approximately one year ago, this Court certified a class in this matter and allowed Plaintiffs 'to further develop their price inflation theory'," Pechman said. "It is now apparent that class treatment is no longer appropriate."

"Dr. Leffler did not attempt any regression analysis, much less an econometric analysis of the impact of 'Vista Capable' on demand," Pechman said. "It is ... critical to Plaintiffs' theory of proof to isolate Microsoft's purportedly deceptive efforts to increase demand from promotions OEMs had in the run up to the holiday season."

Presumably the lawyers for plaintiffs were expecting a good chunk of the potential damages. This will make it much more costly and risky to retrieve such damages. Will this effectively spell the end of the suits, or will the lawyers press on? IANAL so I wouldn't know whether they can appeal this ruling or not."


Microsoft urges Windows users to shun Safari

benjymouse benjymouse writes  |  more than 6 years ago

benjymouse (756774) writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to "restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple". This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Basically, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem.

The MS bulletin speaks of a possible "blended" attack. This is obviously recognizing that having the desktop carpet bombed with executable files does not imply that they can be executed. However, once the files are on the desktop all an attacker needs to do is to find some social engineering attack vector or a way to launch one or more of the files through some other vulnerability. At the very least it does not take much imagination to come up with scenarios where this vulnerability can be used by spammers or skiddies out to annoy users.

It is unprecedented for Microsoft to recommend Windows users to abstain from using a mainstream software product, especially a competing product. Could it be that Microsoft's security response team have grown sensitive over Apple TV ads ridiculing Windows users over security while at the same time Apple software products, especially Quicktime, and now Safari, threaten the security of those very same users? Surely the "Apple software updater" push of Safari hasn't exactly earned them points in Redmond. Surely MSRT realizes that this may be controversial. Is this a "stab" back at Apple and/or a way to shine light on Apple's own security problems?"

Netcraft: Microsoft IIS may soon overtake Apache

benjymouse benjymouse writes  |  more than 7 years ago

benjymouse (756774) writes "From the latest Netcraft web server survey:
In the August 2007 survey we received responses from 127,961,479 sites, an increase of 2.3 million sites from last month. Microsoft continues to increase its web server market share, adding 2.6 million sites this month as Apache loses 991K hostnames. As a result, Windows improves its market share by 1.4% to 34.2%, while Apache slips by 1.7% to 48.4%. Microsoft's recent gains raise the prospect that Windows may soon challenge Apache's leadership position."


benjymouse has no journal entries.
