

Comments

The New 'One Microsoft' Is Finally Poised For the Future

benjymouse Re:Trolling? (270 comments)

Microsoft SHOULD have taken MVC design to its next logical level, and built upon .net instead of throwing it all away in the blighted name of Metro... common model and controller code across all Windows platforms, with different views for desktop, tablet, and maybe mobile devices whose displays are too small to treat like a tablet. They could have compiled the code to CLR, then had the installer itself compile it to native code optimized for the local platform. But no... they just *had* to ruin a good thing, and try to ram touch down everybody's throats.

This does not make sense to me at all. While I agree that's the way they should have taken (IMHO using MVVM instead of MVC), it is almost exactly the way they took. They didn't have all the ducks in row at the first iteration, but it was the plan all the way. They said so at the time.

You did not believe the FUD about Microsoft abandoning .NET did you? .NET is very, very much in the game. At /Build// Microsoft just announced Universal Apps.

MSDN has documentation

With universal apps you build one app for phone, tablets and laptops/desktops. The same app can share views and viewmodels (MVVM) across the form factors, or they can have completely different view/viewmodels. A view/viewmodel can also "adapt" to the form factor - showing only primary and essential information on phones, more on tablets and include secondary/tertiary information on desktops.

When deployed, the universal apps are deployed as IL/CLR code. When a device installs an app, the cloud service will perform the compilation and serve a native app to the device, compiled for the architecture, memory requirements and core count. The delivery system will only serve resources used by the specific device, i.e. even if the universal app is distributed with extensive resources for desktop users, the package that is downloaded to a phone will strip those resources.

Metro was never mutually exclusive with .NET. Microsoft made plenty of blunders both with their messaging on Metro as well as the initial Dr. Jekyll-and-Hyde two-personality Windows 8. But they have been consistent on their messaging on .NET and apps.

4 days ago

The New 'One Microsoft' Is Finally Poised For the Future

benjymouse I call BS (270 comments)

The links have long disappeared due to DMCA takedowns.....

No they haven't. You just do not want slashdot readers to read them, because they do not say what you claim.

http://www.internetnews.com/de...

Quote from that article:

One technology enthusiast at Web site kuro5shin noted many of the hacks (additions) to the code base included some colorful comments and creative use of adjectives in noting programming changes.

In this case, the reviewer concluded the code was generally "excellent." But he also noted the many additions to the Windows code to be almost universally compatible with previous Windows versions. And third-party software has "clearly come at a cost, both in developer-sweat and the elegance (and hence stability and maintainability) of the code."

GP is correct, those who took a look at it indeed came away with the impression that it was quite pristine.

You, OTOH, are just lying.

4 days ago

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

benjymouse Re:ASLR anyone? hype? (303 comments)

I've actually wondered about this too. Read overruns will crash a program just as badly as write overruns; Read AV in Windows [NT], Segmentation Fault in *nix (General Protection Fault in legacy Windows), etc. reading memory will tell you enough about the layout of memory to cherry-pick addresses pretty well, and probably to determine the ASLR mask, but you're still going to have the issue of what, within the heap, is allocated. You could probably do OK by starting from the stack (which is in a predictable enough location) and working from there, I guess?

ASLR was invented as a mitigation of "return oriented programming" which was itself a way to get around DEP/NX. As such, ASLR targets executable memory, making the memory addresses of candidate executable code fragments hard to guess. ASLR does not randomize data segments - there's no need since the original intent was to make executable locations hard to guess. Non-executable locations were not the problem ASLR tried to solve.

And in this case it would not matter at all if the location was randomized, since this bug is an unbounded offset to a memory location. The attacker does not need to know the actual memory location, he just needs to specify a too large or too small offset to read adjacent memory. Yes, going too far could trigger a segfault, but the attacker will have dumped all memory until then. So what? The attacker can just continue the attack once the service restarts.

The point is: The attacker does not need to know anything about the memory layout. The server already allows him to offset from a pointer to a known valid location.

about a week ago

Apple: Dumb As a Patent Trolling Fox On iPhone Prior Art?

benjymouse Re:The Slide-to-Unlock Claim, for reference (408 comments)

As mentioned in a different reply, I see non-continuous movement: slider at the left side; slider in the middle; slider at the right side. Three images, replaced in succession, as I said.

clearly demonstrates the intent to create an appearance of an animated continuous movement. The technology at the time did not allow for the same smoothness as today. But even today you can argue that the movement is *still* not continuous - it is just that Apple has "invented" smaller and more steps.

Let it go: The video is clearly prior art for state change. It is presented as a general way to change state on an electronic device with a touchscreen.

What Apple has is
      1) Apple "re-invented" the state change for a handheld device
      2) The Apple state change is "unlock" - a specific example of a state change

For 1: it is trivial to demonstrate that such a state change on a handheld device would derive automatically from the technological advances that shrink devices to the point where the touch screen can be handheld.

For 2: It is interesting if the *specific* (unlock) state change is not covered by the broader state change mechanism demonstrated in the video.

about a week ago

Apple: Dumb As a Patent Trolling Fox On iPhone Prior Art?

benjymouse Re:The Slide-to-Unlock Claim, for reference (408 comments)

Compare (original)

A method of unlocking a hand-held electronic device, the device including a touch-sensitive display, the method comprising:
detecting a contact with the touch-sensitive display at a first predefined location corresponding to an unlock image;
continuously moving the unlock image on the touch-sensitive display in accordance with movement of the contact while continuous contact with the touch screen is maintained, wherein the unlock image is a graphical, interactive user-interface object with which a user interacts in order to unlock the device; and
unlocking the hand-held electronic device if the moving the unlock image on the touch-sensitive display results in movement of the unlock image from the first predefined location to a predefined unlock region on the touch-sensitive display.

with

A method of (changing state of) an () electronic device, the device including a touch-sensitive display, the method comprising:
detecting a contact with the touch-sensitive display at a first predefined location corresponding to a (state) image;
continuously moving the (state) image on the touch-sensitive display in accordance with movement of the contact while continuous contact with the touch screen is maintained, wherein the (state) image is a graphical, interactive user-interface object with which a user interacts in order to (change state of) the device; and
(changing the state of) the () electronic device if the moving the (state) image on the touch-sensitive display results in movement of the (state) image from the first predefined location to a predefined unlock region on the touch-sensitive display.

The latter accurately describes what happens in the Microsoft video demonstration. All I did was to substitute (state) for "unlock", (change state of) for "unlocking". I also removed "handheld".

So what we have is that Apple is using the general application of switches with graphical representation to perform a specific function (unlock) rather than the general (changing state) and Apple applying it to handheld devices.

Everyone can recognize unlocking as a specific example of a state change. Your "invention" does not become more original because you narrow the scope to which it is applied.

Same goes for handheld. It was done on an electronic device with a touch screen. When the technology advances and allows the electronic device to be carried around it does not make the same idea new again.

about a week ago

.NET Native Compilation Preview Released

benjymouse Re:What about number-crunching performance? (217 comments)

I skimmed over the links, but I probably just missed it. So apps take 60% less time to start, and they use 15% less memory. What about run-time performance? How much faster are they when executing?

During runtime, .NET already runs compiled. This saves on the JIT compiler.

However, they also announced (later session at /Build//) that the new compilers (including the JITs) will take advantage of SIMD. For some application types this can allegedly lead to serious (like in 60%) performance gains. Games were mentioned.

about two weeks ago

.NET Native Compilation Preview Released

benjymouse Re:Only benefits smaller devices (217 comments)

The raw speed of the code might actually diminish since the .net runtime could have optimized it better for the specific environment (CPU model, available RAM, phase of the moon, etc).

MS announced that developers still need to pass hints to the compiler on what architecture, CPU core count, available memory etc. to compile for. You can (cross) compile to multiple architectures.

This technology is already at work when deploying apps for Windows Phone 8: Developers pass IL code to the store, native compilation is performed per device type in the cloud (CPU architecture, OS version, memory, ...) and the binary is passed to the device.

about two weeks ago

.NET Native Compilation Preview Released

benjymouse Re:Translator? (217 comments)

Correct me if I am mistaken, but I'm pretty sure that if they are using the backend they are skipping the lexing and parsing steps and going straight to the generation of the intermediate representation. That would mean that there is no generated C++ code to see.

That is precisely what they announced. No correction needed. They use that C++ backend to emit code for specific processor architectures (and core counts) and do global optimizations.

about two weeks ago

Microsoft: Start Menu Returns, Windows Free For Small Device OEMs, Cortana Beta

benjymouse Re:What about 2012R2??? (387 comments)

Martian feels threatened by PowerShell. So he is spreading FUD.

PowerShell is an amazing shell. As a shell, its core is even simpler and more consistent than any of the *sh shells. Yet, it is based on object models and is designed to be hosted by applications, not just a command line. The commands (cmdlets) are self-discoverable through metadata, meaning that parameter help etc. can all be generated from the actual command itself rather than rely on authored text.

about two weeks ago

Ask Slashdot: Preparing For Windows XP EOL?

benjymouse Re:Windows SteadyState (423 comments)

From Steve Gibson and Leo Laporte:

Now, it's not quite as onerous in my experience as Jim's letter indicates because it does not make an entire copy of your system partition and/or drive. Instead you set aside a block of hard drive space. And using a feature, basically it's file system filtering, this is able to capture any changes which are made to the system drive. And essentially it caches the changes. So, for example, when any application, installer, literally anything you do, I mean, this thing is global. You cannot turn it off without restarting Windows. So it's not something that just sort of easily comes and goes. I mean, this is meant to be bulletproof.

And I discovered the hard way that it even protects the partition table, and that first track of the drive which we were talking about recently could be prone to preboot kernel rootkits. I was using something else that did deliberately change that first track, very much in a kernel rootkit fashion. And that'll be the subject of an upcoming podcast because it involves performing whole drive encryption. And it turns out that SteadyState uninstalled this thing, even though I had SteadyState sort of in a mode where it was supposed to allow changes to be saved. So, I mean...

about three weeks ago

Ask Slashdot: Preparing For Windows XP EOL?

benjymouse Windows SteadyState (423 comments)

Windows SteadyState from Microsoft is available for Windows XP.

SteadyState virtualizes the OS directories transparently on the disk. File writes/updates are directed to a secluded area. You can set it to simply delete those journaled updates upon restart/signoff. Any malware will be effectively gone. Windows Update would still be possible when signing in as the SteadyState administrator (creating an updated image), but that's kind of moot at this point.

about three weeks ago

Malware Attack Infected 25,000 Linux/UNIX Servers

benjymouse Re:The big problem with Linux security. (220 comments)

Is that why Windows and IIS got hacked all the time while Linux and Apache/PHP very rarely ?

Citation needed.

Because it had better security ?

Yes, Windows servers are compromised less because it is far easier to set those up securely. Especially IIS+ASP.NET is way more secure than Apache+PHP in almost any way; not least the programming model where PHP almost encourages SQL injections and XSS where with .NET/MVC it is hard to create SQL injections and XSS vulnerabilities.

There was a project for Linux kernel that gives advanced ACL capabilities to Linux systems. I forgot the name of it now, but basically.. whatever was possible to do, you could do it.

ACLs are available with most distros nowadays. However, the point is they are bolted on. They represent a MAC model which competes with simplistic linux file system permissions. You do not switch to ACLs, you turn them on and have to manage them in parallel with regular file system permissions. Thus they complicate the security model rather than refine it (and they still support inheritance pretty poorly). Now throw in SELinux, SUID root utilities and *nobody* stands any realistic chance of performing a reliable security assessment of a Linux system.

There are hundreds of projects that you can add and use.. (stable, tested projects).

The problem with security is an admin that thinks blocking port 22 is gonna keep him safe... if he uses Linux, and the other problem with security in general... is using Windows.
The other problem with security is management hiring idiots (above mentioned jolly bunch, block port 22 and all ok) and/or outsourcing administration to cheap Indian companies that work for peanuts.

Coming from someone who cannot remember the "project" with (and obviously does not use) ACLs. Nice.

about a month ago

Malware Attack Infected 25,000 Linux/UNIX Servers

benjymouse Re:The big problem with Linux security. (220 comments)

The best locks in world, which Linux does come with, do not help if the door is left unlocked.
Microsoft OTOH has no doors.

The biggest threat to linux in the last five years has not been the architecture of linux

The biggest threat to Linux security is the number of smug, amateurish Linux admins who believe they are all safe because their tribal platform is blessed with magic fairy dust that makes vulnerabilities un-possible.

On the architectural level, the biggest threat to Linux is the outdated security model inherited from the 1970s where saving a few bytes at the expense of better layered security was all the rage. This is exemplified by:
* The woefully outdated permission model where proper ACLs had to be bolted on, and to this day competes with and confuses security planning and auditing (Windows NT had ACLs from the start).
* The fact that only the file system objects were considered for access control. (In Windows the security model extends to all objects: Threads, processes, synchronization objects (locks, semaphores), sockets/ports etc)
* Security tokens do not exist. Instead of granular tokens you have to use "effective users" - breaking the Least Privilege Principle (Windows NT was designed with granular process tokens from the start).

When creating a new IIS in Windows, the site is automatically set up with the most restrictive isolation. You do not even have to create a user for the site to run under - the security model already knows about identities and each site gets its own identity which must be explicitly granted permissions to read the file system.

but the willingness of programmers, in particular weak programmers from the Windows world coming over and applying the same philosophies to linux development.

That's rich. The absolutely most security-ignorant ecosystem is the LAMP community. PHP with its abysmal security record is the worst language *ever*.

about a month ago

OASIS Approves OData 4.0 Standards For an Open, Programmable Web

benjymouse Then use XML (68 comments)

One project might use "customer" another "client" or "businessname". Each of these may have a "description", "overview", "synopsis" and a "type"/"kind"/"businesstype" field.

So code discovery of data doesn't work unless we have agreed to standardized field names in advance

Why doesn't it work? Have a look at $metadata. You get schemas for your data. OData has full discovery. The only "standardized field name" you need to know in advance is $metadata.

... but now there's always exceptions to look out for and name conflicts.

Now even if we know the names of every field, how do we know exactly what sort of data will be returned? A name alone is nothing unless we can ensure its type, and remove all assumptions about what it can contain.

OData was originally designed for XML. JSON was added later. With XML you can (and should) use namespaces to disambiguate field names between different entities/domains.

about a month ago

Firefox Was the Most Attacked & Exploited Browser At Pwn2own 2014

benjymouse Re:No lowrights mode (not surprised) (207 comments)

W3C was something a committee did which was academic. Only Netscape and MS specific CSS and HTML mattered and websites needed to include specific workarounds for one or the other etc. Man, people forget how dark the web was 10 years ago.

This. And everyone seems to have forgotten how Netscape pushed the awful JSSS as an alternative to CSS. Microsoft actually pushed CSS at the time.

At the time, the best browser actually won. It was the neglect by MS in the years following that was/became the big problem, one for which MS has rightfully earned a lot of scorn. MS never wanted the web to evolve too fast as it could undermine the very lucrative desktop business.

But at the time of the Netscape/MS rivalry, it was actually Netscape who tried to foist abominations like JSSS and the "layer" tag upon us.

about 1 month ago

Firefox Was the Most Attacked & Exploited Browser At Pwn2own 2014

benjymouse Re:No lowrights mode (not surprised) (207 comments)

You're an idiot as standard users still have access to threads, processes, and the file system. This means you can attach a rogue process or malware to an admin one which happens to run as a service. It can then be executed with full admin privileges.

Nope. A standard user (which even includes admins who have not elevated through the UAC prompt yet) can only attach to processes running under *the same* account as itself, and then only to a process/thread within the same *session* as itself.

In Windows, all services are launched in a separate session from the shell - meaning that direct attachment is not possible from a user shell to a service - even if they are running as the same user.

Unlike *nix'es, Windows uses proper tokens. What a process is permitted to do is not limited by a user account - rather each process has its own fine-grained token. By default a process inherits the token from the process that spawned it - but it can be further limited. When you log in, the shell process is created with a token which has all administrator privileges stripped from it and which runs with medium integrity level. So even if you are an administrator you will still get a standard user token. Upon login another token was also created - one which has high integrity level and has not been stripped of administrative privileges you may hold.

When you launch a process where the manifest demands elevated rights, Windows will issue the UAC prompt. If you accept then you get to run the process with your "super" token. This prompt is running with "high" integrity level (and by default even on a separate desktop) to prevent malicious processes already running as you from "remote controlling" the prompt and clicking the OK button for you.

It is important to note that unlike on Unix where you elevate to "root" with sudo - and thus receive privileges far beyond what is called for - the Windows UAC prompt *can not* grant you privileges you did not already hold (well - if *another* user authenticates at the prompt you can "borrow" that user's privileges).

It is worth noting that while all browsers were successfully attacked, the "Unicorn" class challenge Windows 8.1 x64/IE11/EMET was *not* exploited - even though it would have netted the attacker a cool $150,000.

about 1 month ago
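An added example, not from the comment above, that lets a reader verify the token facts it describes on their own Windows box: which of the two logon tokens the current PowerShell process holds, its integrity label, how the Administrators SID is marked, and the session split between services and the interactive shell. Get-TokenSummary and Get-SessionSplit are names chosen for this illustration, and the parsing assumes English column names in whoami's output.

```powershell
# Added example: inspect the token the current PowerShell process runs with.
# Get-TokenSummary is a hypothetical function name for this illustration.
function Get-TokenSummary {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)

    # IsInRole honours deny-only SIDs: on the filtered (medium-integrity)
    # token it returns False even though the Administrators SID is present.
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups lists every SID in the token with its attributes,
    # including the integrity label (S-1-16-*) and "deny only" markings.
    # English column names ("Group Name","Type","SID","Attributes") assumed.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [pscustomobject]@{
        User            = $id.Name
        Elevated        = $elevated
        IntegrityLabel  = $label.'Group Name'   # Medium or High Mandatory Level
        AdminsAttribute = $admins.Attributes    # "Group used for deny only" on the filtered token
        SessionId       = (Get-Process -Id $PID).SessionId
    }
}

# Services run in session 0; the interactive shell runs in session 1 or
# higher. This is the session boundary the comment refers to.
function Get-SessionSplit {
    Get-Process |
        Group-Object -Property SessionId |
        Select-Object @{ Name = 'SessionId'; Expression = { [int]$_.Name } },
                      Count,
                      @{ Name = 'Examples'; Expression = {
                          ($_.Group | Select-Object -First 3 -ExpandProperty ProcessName) -join ', ' } }
}

Get-TokenSummary | Format-List
Get-SessionSplit | Format-Table -AutoSize

# Asking for the other (unfiltered) token: Start-Process with -Verb RunAs
# raises the UAC prompt; the new process then reports Elevated = True.
# Start-Process powershell.exe -Verb RunAs -ArgumentList '-NoExit', '-Command', 'whoami /groups'
```

Run it once from a normal shell and once from an elevated one: the user name is the same both times, only the integrity label, the Administrators attribute and Elevated change.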

Book Review: Sudo Mastery: User Access Control For Real People

benjymouse Re:Is sudo broken or its audience? (83 comments)

It is broken by design because sudo protects the utility used to access the protected resource rather than protecting the resource itself.

Relying on and allowing such a mechanism does two things to your security model:

1) It forces users with otherwise legitimate access to go through specific utilities (actually fire up processes) just to access a resource they should have access to in the first place.

2) Worse, it takes away your ability to assess who has access to the resource. Since there are multiple SUID root utilities on the system, and multiple sudo utilities with sudoers config, you really have to know the capabilities of each of those utilities to know that they cannot be used by an unauthorized user to access the protected resource.

Had you used a system where the resource was protected and where there were no sudo/SUID bypass mechanism available, you can generate a report of users with access to the resource simply by querying the user/group permissions. As an added benefit, anyone with legitimate access could then access the resource and not be forced to fire up a process and to go through a specific utility to access the resource.

about 2 months ago

Book Review: Sudo Mastery: User Access Control For Real People

benjymouse sudo is broken by design (83 comments)

Not only is the sudoers 144-page-incomprehensible, the whole idea is broken to begin with:

First, you design a simplistic security model where a single user/group (root) is hardwired to a number of privileges not available to anyone else and where standard users' privileges are inherently too limited.

Then you start drilling *holes* (big holes) because the model clearly does not meet real world requirements. SUID lets users run as root for the duration of the process. A single escape during the processing will allow the otherwise non-privileged user to drop to a root shell. A single memory corruption may allow the user to run unrestricted as root. And there have been *many* such exploits in all variants of Unix, including Linux, OS X etc.

Because the operating system security model did not allow fine grained access control to resources, someone came up with the idea to protect the *utility* instead of the resource or system function (and took out a patent, no less). WTF? Why does the OS not protect the syscall to change system time or change password? Why did they design a system where you would need to start a frigging SUID root process to do that?

It is a direct violation of the least privilege principle, one of the core security principles. Every time you let someone invoke sudo you let them run as root and just hope that the utility does not contain vulnerabilities, because the *consequence* of a vulnerability is total system compromise.

sudo is a design flaw in the ActiveX class. In fact, they are really very much alike: In both cases you hand over the keys to the house and cross your fingers that the visitor is well behaved while he is in there.

Once the holes have been drilled, sudo (and SUID roots) make it extremely hard for security auditors to assess whether the security has been set up with meaningful barriers: They cannot audit a resource and determine who has access to view or change it. The sudo / SUID model always leaves the possibility that some utility allows another access to the resource. I.e. the auditor cannot assess a single resource, rather he must assess the system in its entirety. And when doing that he must also trust that the SUID root utilities and sudo utilities are what they pretend to be, i.e. he must validate the utilities as well; or accept the possibility that one or more of the utilities is actually capable of more than it advertises.

Had the designers opted for a proper model where resources (processes, syscalls, devices, ports) were actually protected by access control lists, the auditor could have audited the security settings and remain confident that there was not some *other* way to access the resource.

The SUID root / sudo idea was a terrible one. It was necessitated because of a woefully inadequate security model. Rather than fixing the model (like e.g. creating real tokens with claims) the designers decided to drill holes. Many holes.

about 2 months ago

Windows 9 Already? Apparently, Yes.

benjymouse Re:Metro on servers (1009 comments)

Good for individual commands, but not for learning the syntax. That's the bit that stumps me.


man syntax

system responds with 2 topics: about_Command_Syntax and about_Path_Syntax

man command_syntax

system responds with help "about the command syntax".

and the fact that some syntaxes work on some commands and not on others annoys me.

What are you talking about? PowerShell commands are extremely consistent - not like the different syntax conventions used for ls, find, xargs and dd - just to name a few examples of Nix inconsistencies. PowerShell commands always follow the pattern Verb-Noun. A limited set of verbs are strongly encouraged (to the point where a command author has to bend over to break the convention) and their conventional uses are explained in command author guidelines. While PowerShell commands may take positional parameters they *always* have a name (the position is optional to allow for a short form). Parameter names are *always* specified using dash (like -ParameterName). Parameter names can be shortened as long as they are still unambiguous. This is all a feature of the *shell* - parameter parsing is not left to each command, i.e. a command is forced to use the consistent scheme.

I would like a good but brief overview of how powershell commands are actually structured without having to go through a massive Microsoft Press book

From running man command_syntax:


TOPIC
about_Command_Syntax

SHORT DESCRIPTION
Describes the syntax diagrams that are used in Windows PowerShell.

LONG DESCRIPTION
The Get-Help and Get-Command cmdlets display syntax diagrams to help
you construct commands correctly. This topic explains how to interpret
the syntax diagrams.

Syntax Diagrams
Each paragraph in a command syntax diagram represents a valid form
of the command.

To construct a command, follow the syntax diagram from left to
right. Select from among the optional parameters and provide values for
the placeholders.

Windows PowerShell uses the following notation for syntax diagrams. ....

(explanation of syntax, parameters etc. follows).

You really only have to look for it.

about 3 months ago

Windows 9 Already? Apparently, Yes.

benjymouse Re:Metro on servers (1009 comments)

The problem isn't GUI users, it's the fact Powershell is complete shite.

All this time I can't get a basic instruction on how Powershell works without getting a 500 page book. Learning Linux and AIX wasn't this hard (granted the Linux training covered a lot of the AIX ground).

Try typing man. That should get you started. :-)

You can start by knowing only 4 commands. Everything is discoverable through those:
* Get-Help (aliases help, man): Get help for a command or for a topic, e.g. "man ls" gets help for the "ls" command (ls being alias for get-childitem). Try typing man about - that'll give you a list of "about" topics that explain PowerShell quite nicely.
* Get-Command (alias gcm): Lists available commands.
* Get-Member (alias gm): Lists available members on items output from a command, e.g. ls|gm will tell you that ls produces DirectoryInfo and FileInfo objects each with an extensive set of properties such as name, path, length, access time etc.
* Get-Alias (alias "alias"): Lists defined aliases. Several aliases help Nix users get started, e.g. "ls", "ps".

about 3 months ago
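An added example, not from either comment above and not Microsoft's own code, that turns the Verb-Noun and named-parameter conventions from the earlier "Metro on servers" reply and the four discovery cmdlets listed just above into one function: it resolves an alias, checks the verb against Get-Verb, and lists each parameter's name, set and position straight from the command's metadata. Get-CommandShape is a name chosen for this illustration.

```powershell
# Added example: describe any PowerShell command using only the discovery
# cmdlets the comment names (Get-Command, Get-Alias, Get-Verb, Get-Help).
# Get-CommandShape is a hypothetical name chosen for this illustration.
function Get-CommandShape {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$Name
    )

    # Resolve aliases (ls, ps, man, gcm, ...) to the command they point at.
    $cmd = Get-Command -Name $Name -ErrorAction Stop
    while ($cmd.CommandType -eq 'Alias') {
        $cmd = Get-Command -Name $cmd.Definition -ErrorAction Stop
    }

    # Cmdlet names follow Verb-Noun; Get-Verb lists the approved verbs.
    $verb, $noun = $cmd.Name -split '-', 2
    $approved = (Get-Verb).Verb -contains $verb

    # Every parameter has a name; a position is optional and set-specific.
    $params = foreach ($p in $cmd.Parameters.Values) {
        foreach ($attr in $p.Attributes) {
            if ($attr -is [System.Management.Automation.ParameterAttribute]) {
                [pscustomobject]@{
                    Name      = $p.Name
                    Type      = $p.ParameterType.Name
                    Set       = $attr.ParameterSetName
                    Position  = if ($attr.Position -ge 0) { $attr.Position } else { 'named only' }
                    Mandatory = $attr.Mandatory
                }
            }
        }
    }

    [pscustomobject]@{
        Command      = $cmd.Name
        Verb         = $verb
        Noun         = $noun
        ApprovedVerb = $approved
        OutputTypes  = @($cmd.OutputType.Name | Sort-Object -Unique)
        Parameters   = $params
        HelpTopic    = "Get-Help $($cmd.Name) -Full"
    }
}

# Usage: 'ls' resolves to Get-ChildItem. Path is positional (0) in the
# 'Items' parameter set; LiteralPath is named-only in 'LiteralItems'.
$shape = Get-CommandShape ls
$shape | Select-Object Command, Verb, Noun, ApprovedVerb, OutputTypes
$shape.Parameters | Where-Object { $_.Set -eq 'Items' } | Format-Table -AutoSize

# The same idea for what the command emits (the ls|gm of the comment):
Get-ChildItem $env:SystemRoot | Get-Member -MemberType Property | Select-Object -First 5
```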

Submissions


VLC threatens Secunia with legal action in row over vulnerability report

benjymouse benjymouse writes  |  about 9 months ago

benjymouse (756774) writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled More lies from Secunia. It seems that Secunia and Jean-Baptiste Kempf have different views on whether a serious vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to "unpatched". Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)."

Pwn2Own 2009: Safari, IE8 and Firefox all pwned!

benjymouse benjymouse writes  |  about 5 years ago

benjymouse (756774) writes "In a matter of seconds, Charlie Miller, last year's winner of the PWN2OWN contest did it again at CanSecWest and successfully exploited a fully patched Safari running on a Mac. He came prepared, directed the operator of the browser to browse to a rigged website and it was all over.

He took the $10,000 first prize and the macbook home with him.

Last year he was quoted as saying "Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in QuickTime.".

As I wrote this submission news came in that all of IE8, Safari (again) and Firefox were pwned by a researcher going by the name "Nils". So far only Chrome remains standing.

These were all drive-by exploits against fully patched browsers, not 3rd party plugins. Be careful out there."

Vista Capable lawsuit loses class action status

benjymouse writes | more than 5 years ago

benjymouse (756774) writes "In a big setback for plaintiffs, a federal judge has stripped the class-action status from the Vista Capable suit against Microsoft.

Computerworld writes

The consumers who brought the original lawsuit, and those who followed as members of the class action, will be free to continue their cases, but they will have to do it individually, not as a group, Pechman said. "Approximately one year ago, this Court certified a class in this matter and allowed Plaintiffs 'to further develop their price inflation theory'," Pechman said. "It is now apparent that class treatment is no longer appropriate."

"Dr. Leffler did not attempt any regression analysis, much less an econometric analysis of the impact of 'Vista Capable' on demand," Pechman said. "It is ... critical to Plaintiffs' theory of proof to isolate Microsoft's purportedly deceptive efforts to increase demand from promotions OEMs had in the run up to the holiday season."

Presumably the lawyers for plaintiffs were expecting a good chunk of the potential damages. This will make it much more costly and risky to retrieve such damages. Will this effectively spell the end of the suits, or will the lawyers press on? IANAL so I wouldn't know whether they can appeal this ruling or not."


Microsoft urges Windows users to shun Safari

benjymouse writes | more than 5 years ago

benjymouse (756774) writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to "restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple". This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Basically, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem.

The MS bulletin speaks of a possible "blended" attack. This is obviously recognizing that having the desktop carpet bombed with executable files does not imply that they can be executed. However, once the files are on the desktop all an attacker needs to do is to find some social engineering attack vector or a way to launch one or more of the files through some other vulnerability. At the very least it does not take much imagination to come up with scenarios where this vulnerability can be used by spammers or skiddies out to annoy users.

It is unprecedented for Microsoft to recommend Windows users to abstain from using a mainstream software product, especially a competing product. Could it be that Microsoft's security response team has grown sensitive over Apple TV ads ridiculing Windows users over security while at the same time Apple software products, especially QuickTime, and now Safari, threaten the security of those very same users? Surely the "Apple software updater" push of Safari hasn't exactly earned them points in Redmond. Surely MSRT realizes that this may be controversial. Is this a "stab" back at Apple and/or a way to shine light on Apple's own security problems?"
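The observable symptom of the carpet-bombing behaviour described above is a burst of executable files appearing in one folder (typically the Desktop) within a short window, before any of them is run. The following is an added example, written for this page and not taken from the submission, the Microsoft bulletin or any Apple or Microsoft tool, that flags such a burst. The window, threshold and extension list are assumptions to tune; the demo folder and the 25 empty .exe files it creates are constructed so the script runs offline.

```powershell
# Added example, not part of the original submission.
# Detects many executable-type files created in one folder within a short window.
function Find-DownloadBurst {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WindowMinutes = 5,          # assumption: a burst fits in 5 minutes
        [int]$Threshold = 10,             # assumption: 10+ files is suspicious
        [string[]]$Extensions = @('.exe', '.scr', '.com', '.bat', '.cmd', '.pif', '.dll', '.js', '.vbs', '.hta')
    )
    $files = @(Get-ChildItem -Path $Path -File -ErrorAction Stop |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        Sort-Object CreationTime)
    if ($files.Count -eq 0) { return $null }

    # Sliding window over creation times; keep the densest window that meets the threshold.
    $best = $null
    for ($i = 0; $i -lt $files.Count; $i++) {
        $start = $files[$i].CreationTime
        $end   = $start.AddMinutes($WindowMinutes)
        $inWindow = @($files | Where-Object { $_.CreationTime -ge $start -and $_.CreationTime -le $end })
        if ($inWindow.Count -ge $Threshold -and ($null -eq $best -or $inWindow.Count -gt $best.Count)) {
            $best = [pscustomobject]@{
                Folder = $Path
                Count  = $inWindow.Count
                From   = $start
                To     = $inWindow[-1].CreationTime
                Files  = @($inWindow | ForEach-Object { $_.Name })
            }
        }
    }
    return $best
}

# Constructed demo: 25 empty .exe files dropped into a temporary folder.
$demo = Join-Path $env:TEMP ('carpet-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
1..25 | ForEach-Object { New-Item -ItemType File -Path (Join-Path $demo "drop$_.exe") | Out-Null }

$hit = Find-DownloadBurst -Path $demo -Threshold 10
if ($hit) {
    "{0} executable files appeared in {1} between {2} and {3}" -f $hit.Count, $hit.Folder, $hit.From, $hit.To
    $hit.Files | Select-Object -First 5
}

# Real use: point it at the Desktop and the browser download folder, e.g.
# Find-DownloadBurst -Path ([Environment]::GetFolderPath('Desktop'))

Remove-Item -Recurse -Force $demo
```

The check is deliberately file-system based rather than browser specific: it does not matter which application wrote the files, which is also why the blended-attack concern in the bulletin applies regardless of the download path. Dropped files are not executed by this detection; a follow-up step on a real finding would be to quarantine them and check what launched the browser session.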

Netcraft: Microsoft IIS may soon overtake Apache

benjymouse writes | more than 6 years ago

benjymouse (756774) writes "From the latest Netcraft web server survey:
In the August 2007 survey we received responses from 127,961,479 sites, an increase of 2.3 million sites from last month. Microsoft continues to increase its web server market share, adding 2.6 million sites this month as Apache loses 991K hostnames. As a result, Windows improves its market share by 1.4% to 34.2%, while Apache slips by 1.7% to 48.4%. Microsoft's recent gains raise the prospect that Windows may soon challenge Apache's leadership position."

Journals

benjymouse has no journal entries.
