


Highly Advanced Backdoor Trojan Cased High-Profile Targets For Years

benjymouse Re:Microsoft Windows only (105 comments)

It's the world's biggest target for malware, it's a monoculture, and it has a security model that tends toward convenience over security

Yes - the "dragnet" attacks tend to go after the most victims. If your attack has a certain chance of succeeding (like a social engineering attack), you'd be stupid to go after the 1% instead of the 90%. Now, in a *targeted* attack where the attacker singled out a specific victim or group of victims - the attacker will go after whatever those targets use.

and was actually bolted on after-the-fact.

Nope. The current strain of Windows was created from scratch with the present security model from the get-go. The security model is based on tokens and it was designed to be extensible from the start. Also from the start, the designers envisioned that a process or even a thread could have a token *different* from the user token - i.e. a process could run with permissions/privileges different from the user.

The Windows security model also goes beyond the naive file system-focused model where only file system-like objects were seen as important to secure. In Windows - from the start - all system objects (files, directories, windows, processes, threads, shared memory regions, mutexes, users, groups etc) are accessed through object-oriented handles. When you open a handle you specify the access you request, where each object type has its own access types. The security check is performed right there when opening the object - instead of on each syscall. If the access you request is granted, a system object is created with a jump table (think virtual method table) where the functions you requested access to are mapped to the actual system functions, and the other functions mapped to "denied". The upshot of this is that even though Windows has a much more advanced security model which could make security checks more involved, it will usually perform better because it does *not* have to check security permissions on each syscall.

Contrast that with Unix/Linux where the security model initially only considered file system objects. There were only 2 levels: regular users and root, and a large number of functions could only be performed by root. When it was realized that other system types might also need security descriptors, the existing file system was "adapted" by "mapping" non-file system objects to become file system-like. Talk about bolted on!

The Unix/Linux security model is also the only one with a deliberate drilled hole: The SUID/setuid. Here you have a too limited model where regular users are unable to perform perfectly reasonable functions, like changing their own passwords. So what do you do? You let them run as the only user that *can* perform the function, and pray that the process somehow prevents them from performing any of the other functions root can do while they are running as root. This is a blatant violation of the least privilege principle, but it is now deeply engraved in all Unix systems. Needless to say that this is the most common path for pwning Unix/Linux systems, going all the way back.

The Unix/Linux model was so bad that NSA had to create SELinux (talk about bolted-on!) which creates its own competing security "context" (a token). When you want to audit the security of a Unix/Linux system you have to consider 3 competing models: 1) The "original" file-system oriented discretionary model with the SUID hole, 2) the sudoers and 3) SELinux/AppArmor or whatever has been bolted on the top.

Especially 1) and 2) are worrying, because it is nigh impossible to audit those sufficiently as long as just a single SUID/sudo command is allowed: How do you (as an auditor) know *what* the SUID/sudo command can actually do? Did *you* install the executable, did *you* monitor the compilation from source? What *other* things can ps or even ping do that you don't know about? If I hold up a file or point to a process on your system and ask "who can access this" - you cannot give me a conclusive answer - because the original file system discretionary permissions may not tell the entire story. There may always be a SUID or sudo utility that can access the file *despite* the discretionary access control.

On Windows there are no deliberate holes in the security boundary: If an auditor points to a file or a process or any other object type, you can give a conclusive answer to who can access the object with what access level. It is all in the ACL. If a user is not in that ACL - he cannot access the object.

When considering the desktop it is even worse: Windows actually has meaningful user interface privilege isolation. On Unix/Linux there is *no* isolation. X is about as promiscuous as can be: Any process can snoop on *any* other process's keyboard, mouse moves etc. Which means that if an attacker slips by and gets to run his code in e.g. Firefox - he can snoop on *anything* you type in *any* window - including terminal where you type sudo or root passwords. Go figure. Windows security model (since Vista) prohibits lower-integrity processes from snooping on higher-integrity processes. Even a normal integrity process cannot snoop on other normal-integrity processes unless a number of conditions are met (it has to declare its intention in the manifest, it has to be installed in Program Files or System32 etc). And then there's the stupid password caching for sudo...

Unix (Linux) is about as far from a monoculture as you can get while still remaining reasonably compatible between distributions, and it was built with security in mind.

Shellshock, Heartbleed, ...

Not to mention that a common reason to run Linux is LAMP - The P of which is PHP - the swiss cheese monoculture of web programming languages.

4 hours ago

Visual Studio 2015 Supports CLANG and Android (Emulator Included)

benjymouse Re:We all dance in the streets (192 comments)

I know this is meant as a jokey comment, but it's worth noting that VS2015 has native Git support as well so Github etc. works without any plugins.

VS 2013 (including Community) has Git support out of the box and works just fine with GitHub as well.

Ahem. It works. Sorta. It's slow, mildly confusing and it totally screws up if you use subrepositories. Looking forward to VS2015.

about a week ago

Microsoft To Open Source .NET and Take It Cross-Platform

benjymouse Re:Open, but will it run? (525 comments)

disclaimer: I'm on the VB/C# language team.

Question: PowerShell is implemented using .NET. Will we see PowerShell on Linux?

about two weeks ago

Microsoft To Open Source .NET and Take It Cross-Platform

benjymouse Re:Open, but will it run? (525 comments)

Excuse my ignorance but is there such a thing as plain ascii conf files in the Microsoft world? Or will the proprietary binary registry be ported/required too for the .NET libs to access app/system settings? How will it adhere 100% to the *nix security conventions? TIA.

.NET does not rely on the registry, except for some of the COM that will not be ported. In .NET the config files are XML files, e.g. a program called MyStuff.exe will have a config file called MyStuff.exe.config - which must contain XML configuration according to the (extensible) schema. Pretty sweet, actually, if only they would modernize it a bit. I'm hearing that they are doing exactly that - making the config system even more "pluggable".

Config files for server applications can "inherit" base config files: First, the base config file is applied and then the more specific config file. The specific config file can remove, replace, change or add items from configured collections/items, unless explicitly forbidden by the base file.

about two weeks ago

Microsoft To Open Source .NET and Take It Cross-Platform

benjymouse Re: RIP Java! (525 comments)

Can you explain?

I'm not the GP and I'm a self-proclaimed C# fan, but: The Java collections seem to have been more well thought out from the beginning with abstract types (interfaces) for different types of collections, such as bag, list, set, stack, queue, vector etc and then concrete implementations with separate characteristics, such as hashed, sorted etc. .NET is catching up, especially in the 4.x versions, but Java (IIRC) still has proper priority queues that have no equivalent in .NET.

If you see comparisons between .net and java, it's usually that the past 10 years .net has evolved and java sometimes catches up a tiny bit.


I always thought that java collections were weaker since in .net even an array is also still a collection, they have collections for just about anything you need, and with LINQ you've got an incredibly powerful way of manipulating/creating/accessing collections.

I always found the Java collections a bit stronger conceptually. For instance, it really bothered me that there was no hashed set (there is now), and I had to play tricks with HashTable by using the same value for key and value to mimic a set. It was particularly annoying as I went from C++ to Java to C#. Java seemed to have lifted the collections from STL where they seemed to have been very well designed. C# collections always struck me as having been "thrown in there". Thankfully they have improved a lot since then.

and with LINQ you've got an incredibly powerful way of manipulating/creating/accessing collections.

LINQ cannot be overestimated. Large parts of code are actually manipulating collections, and LINQ is just awesome. Also the fact that C#/.NET generic collections were always properly reified, unlike Java's fake generics (type erasure) which cause all kinds of strange corner cases and problems. C# generic collections allow primitive types to be used for type parameters, and always without performance loss due to runtime downcasting like in Java.

about two weeks ago

Denmark Faces a Tricky Transition To 100 Percent Renewable Energy

benjymouse Re:Are renewable energy generators up to task ? (485 comments)

This is Denmark, yes? You know, the country that is surrounded by oceans that have some of the strongest tides? I think Denmark could produce almost all of its power through tidal power plants. The only real trick is how to buffer the power during the lull of high and low tide.

You are mostly correct, solar (photovoltaic) is a dumb idea, but there are more renewable power sources than solar and wind.

There is no tide to speak of in Denmark. I'm not sure that we'd classify the sea between the islands (Denmark is basically an island nation) as "oceans". The tides are usually 1m or less, most pronounced in the eastern part facing the North Sea, much less pronounced in the western parts that sit in the Baltic Sea.

But with the flat topology and the fact that most of Denmark is islands, there's a *lot* of coastline, and wind is much preferred as a renewable energy source here. I don't think people realize how much it is blowing here. Damned wind!

It is correct that generating most energy from wind runs the risk that prolonged periods with high pressure (which means little wind and clear skies == freezing cold during winter) can not generate enough wind to meet the demand.

Another problem is that in large parts of Denmark (e.g. the entire Copenhagen metropolitan area) most households get their heating from centralized "surplus" heat from electricity production - burning coal at the moment.

It is commendable not to waste heat, and as you can probably imagine, Denmark has a huge investment in this centralized heat distribution system.

But I'd like to know, where will we get the heating from once electricity is produced from wind and solar?

about two weeks ago

Worrying Aspects of Linux Gaming

benjymouse Re:Ultimately... (265 comments)

The OpenGL API is fundamentally opposed to an efficient implementation. It allows developers to do fundamentally inefficient things (like dramatically changing configurations at the last second, before rendering, requiring the driver to recompile/reoptimise shaders and/or reverify states) immediately before rendering. Furthermore, it doesn't allow developers to do fundamentally efficient things (i.e. giving the driver a heads up about exactly what state/shader combinations it's going to use, so that they can be made ready at compile/launch time).

Good points. But while the API may not coerce you into writing performant code like (perhaps) the alternatives, it does not make it impossible or practically unobtainable. I will readily admit that I know very little about 3D programming, shaders and the like.

However, modern games are all built upon some form of game engine that in turn is typically used in multiple games. Few game developers write to the API anyway, so if the few (relative to number of games they support) game engines were optimized, wouldn't this difference go away?

Which brings us back to the developers of the game engines: If the developers of the game engines would invest the effort to create engines with high performance on Linux, multiple games would benefit from it immediately. OTOH, if the game engine developers *do not* optimize their code for Linux, there is very, very little actual game developers can do about it, short of creating their own game engine. Which is a monumental task.

about two weeks ago

Will HP's $200 Stream 11 Make People Forget About Chromebooks?

benjymouse Re: No (232 comments)

So Microsoft's relationship with the govt is relevant here but Google's is not?

Yeah, the NSA hacked Google to get at their data, Microsoft was a willing collaborator.

Since you so dishonestly quoted text from an article without linking back to it, here is the link:

This concerns the "Prism" program - which since the initial brouhaha has been revealed to be little more than an automated way to comply with (presumably) lawful requests from law enforcement agencies. (Note: I strongly disagree with the constitutionality of having a secret court issuing secret orders; it totally undermines the democracy)

The participation in the automated system (aka Prism) does not require a company to comply with more FISA requests, nor does non-participation allow a company to *not* comply with FISA requests. It simply has no bearing on it.

Importantly, the automated system does NOT(!) allow the agencies more access to users' data. Each FISA request will STILL have to be considered on a case-by-case basis, and lawyers for the company will STILL have to review all material sent to the agency through PRISM before hitting the "send" button.

And conspicuously absent from your quote is the fact that while Microsoft was mentioned in the title, Skype, Apple, Google, Facebook and Yahoo were also mentioned.

Little information is available on the actual design of PRISM, and basically all of the speculation was based on this single slide from the Snowden leak:

From that slide you can see that Microsoft was indeed the first company to comply with FISA orders through PRISM, but that Yahoo, Google, Facebook, Paltalk(?), YouTube, Skype, AOL and Apple all followed.

So you are grossly misrepresenting facts, being dishonest and out lying about the information in a transparent attempt to taint Microsoft while letting Google off the hook. Now, why would you do that? Anonymous cowardly liar.

about three weeks ago

Denmark Plans To Be Coal-Free In 10 Years

benjymouse Re:I don't know what they are doing to burn coal n (332 comments)

Also note, very few people in Denmark use electric heating as you can get hot water from centralized production into your home (not clean only for use in radiators). My parents get their heating from a power plant 20km away.

Not to nitpick, but Danes refer to that centralized production as "surplus heat". The "surplus" heat is heat generated as a bi-effect from producing electricity.... - from coal. So, when the electricity all comes from wind, the Danes need to find some other way to heat their houses during winter.

about three weeks ago

Drupal Warns Users of Mass, Automated Attacks On Critical Flaw

benjymouse Re:PHP (76 comments)

How do prepared statements handle the not uncommon situation where you want to include an "in" clause? For example:

select * from customers where city in ?citylist

This was the problem they tried to solve by dynamically creating a statement like:

select * from customers where city in (?city-1, ?city-2, ?city-3)

So, to generate the -1, -2, and -3 parts they relied upon the index of the array.

Only in PHP an array will turn around and bite you with its dual personality as a hash table. A hash table where one key was not "-1" but rather something like (pseudo):

-1); drop table students; --

You cannot really fault the Drupal developers for trying to support this commonly occurring pattern, for which there are no good solutions with plain prepared statements. After all, if they could write secure code for a common problem that could prevent less experienced developers from falling back to error-prone and insecure string interpolation.

Don't get me wrong: The Drupal developers are at fault. But they were set up by the criminally insecure PHP.

about three weeks ago
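Added example (not part of the comment above and not Drupal's code): the IN-list expansion the comment describes, in Python with sqlite3, showing placeholder names built from array keys beside a version that numbers them by position and ignores the keys. The function names, the table contents and the hostile key (which mirrors the pseudo-key quoted in the comment) are constructed for illustration; a dict stands in for a PHP array.

```python
import re
import sqlite3

# Constructed sample data.
CUSTOMERS = [("Alice", "Oslo"), ("Bob", "Bergen"), ("Carol", "Aarhus")]
TEMPLATE = "SELECT name FROM customers WHERE city IN (:city) ORDER BY name"

# Constructed request data: a dict plays the role of a PHP array whose
# keys arrived with the request. One key carries SQL text.
HOSTILE = {"0": "Oslo", "1); drop table students; --": "Bergen"}


def expand_by_key(sql, name, values):
    """Flawed pattern: placeholder names embed the array keys.

    Values are still bound as parameters, but the key text is pasted
    into the statement itself, so a hostile key rewrites the SQL.
    """
    names = [f":{name}_{key}" for key in values]
    params = {n[1:]: v for n, v in zip(names, values.values())}
    return sql.replace(f":{name}", ", ".join(names)), params


def expand_by_position(sql, name, values):
    """Hardened pattern: keys are discarded, names come from a counter."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError("placeholder name must be a plain identifier")
    items = list(values.values()) if isinstance(values, dict) else list(values)
    if not items:
        # "IN ()" is rejected by many databases; IN (NULL) is valid SQL
        # and matches no row.
        return re.sub(rf":{name}\b", "NULL", sql), {}
    params = {f"{name}_{i}": v for i, v in enumerate(items)}
    fragment = ", ".join(f":{k}" for k in params)
    return re.sub(rf":{name}\b", lambda m: fragment, sql), params


def make_db():
    """In-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def cities_query(conn, cities):
    """Run the IN query through the position-based expansion."""
    sql, params = expand_by_position(TEMPLATE, "city", cities)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    bad_sql, _ = expand_by_key(TEMPLATE, "city", HOSTILE)
    good_sql, good_params = expand_by_position(TEMPLATE, "city", HOSTILE)
    print("key-derived names :", bad_sql)
    print("position-derived  :", good_sql, good_params)
    print("rows              :", cities_query(make_db(), HOSTILE))
```

The statement text produced by the position-based version depends only on how many values there are, so it can be compared against an allow-list or logged without carrying request data.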

Drupal Warns Users of Mass, Automated Attacks On Critical Flaw

benjymouse PHP (76 comments)

Should be outright banned.

While the responsibility for this rests with Drupal, they were set up by another strange design decision of PHP: The fact that arrays are also hashtables and vice-versa. There are *tons* of these strange design decisions in PHP.

about three weeks ago

Windows 10 Gets a Package Manager For the Command Line

benjymouse Re: Oh boy, another infection vector (230 comments)

I'm sure we can do some stuff with signed repositories and signed packages to detect when things 'change' and/or keep unsigned repositories 'untrusted'.

Suggestion: For "trusted" repositories, to enable automatic updating, developers must sign the original install package with a certificate. Self-issued certs could be ok for this part. Any subsequent updates must be signed with the *same* certificate. If not, it will *not* automatically update - even if the repository is "trusted". OneGet clients will only allow auto-update if the product/vendor names are the same and the certificate public key is the same. Otherwise a warning should be issued and the local administrator should choose whether to trust the new cert going forward.

about three weeks ago

Windows 10 Gets a Package Manager For the Command Line

benjymouse Re:We can do that thing you like (230 comments)

The installer should put abc.dll in the same directory as the .exe file instead of a shared location.


If the DLL is indeed a candidate for being shared (e.g. part of a shared product) it should put the assembly/DLL in the Global Assembly Cache (GAC). This is a side-by-side store where the same assembly/DLL can exist in multiple versions.

If security vulnerabilities are found and a patch is released, only the version in the GAC needs to be updated, often by registering a new version with a manifest/redirection that will ensure that anyone requesting the old (vulnerable) version will be treated to the new (fixed) version.

Windows Installer does this. And supports patching.

about three weeks ago

Windows 10 Gets a Package Manager For the Command Line

benjymouse Re:We can do that thing you like (230 comments)

In Linux, I've had all kinds of dependency hell.

Yes, Linux never solved dependency hell, it has been swept under the rug that is distro+version specific repositories. The problem is still very, very real, but if you constrain yourself to the repositories of the distro + version that you use, the package maintainers will have ensured that the package dependencies do not conflict with each other and with the version of the ABI that your distro+version is on.

DLL hell was *very* real in the Windows 9x days. Side-by-side assemblies were introduced with Windows 98SE (IIRC) - but really only became de rigueur with Windows XP. During the 9x days, software developers took advantage of the fact that nothing prevented them from writing files to the system directories. When they encountered a problem where they needed a DLL - they simply installed it in the system directory - often overwriting whatever was there before. Obviously this caused all sorts of problems where only the latest installed product had a robust state.

about three weeks ago

Windows 10 Gets a Package Manager For the Command Line

benjymouse Re:We can do that thing you like (230 comments)

Rather than leaving the dependency resolving responsibility to package maintainers, the Windows OS contains a brokering mechanism that will load the correct version of an assembly - even if multiple versions of the same assembly exist in the global assembly.

Linux package managers have dual responsibilities: Provide available software (with update mechanism) and ensure dependency hell does not rear its ugly head. Linux dependency hell is very real, once you step outside the repositories.

Windows has binary compatibility with software that was developed for Windows 95 / Windows NT 3.1 (where Win32 debuted). The dependency problem (called DLL hell in Windows) was solved with the SxS and the broader use of the Windows Installer package manager, which integrated with SxS.

about three weeks ago

More Eye Candy Coming To Windows 10

benjymouse Re:Wat? (209 comments)

Posting AC since I already moderated here.

After going to the Youtube page, I gotta say - Just what the fuck?

So now in order to salve the wounds of people butthurt by the monumental suckage of Windows 8, will be treated to the awesome best ever spectacle of rotating menu items, what they've always been waiting for?

Ahem. The youtube link (showing the flipping menus) shows a Linux desktop. It was intended by submitter jonas-supa to show how much more advanced Linux desktops are.

Can't wait until the fanbois come out and tell us how waiting for a menu to spin around a few times is based on extensive research done by Microsoft that proves once and for all that most users want the operating system to waste their fucking time, and that anyone who doesn't just love the steaming hot piece of shit is an idiot who doesn't know what they are doing.

Lol. We have to wait for the Linux fanbois to explain why the hell Linux needs compiz and all of the (agreed: Horrid!) animations from that youtube link.

Way to go there, buddy.

about a month ago

Microsoft Gearing Up To Release a Smartwatch of Its Own

benjymouse Behold (172 comments)

The new Microsoft Time Telling and Instant Notification Wrist Computer Ultimate Edition

about a month ago

BBC Takes a Stand For the Public's Right To Remember Redacted Links

benjymouse Re:Article or link (113 comments)

The whole article is de-indexed. That is the only way it can work

What? Google already uses a huge directory of "stop words" - words or phrases that should not be indexed. What is required is that they can create such stop words per link (article). Maybe they are not done with that yet, but it could certainly work that way.

The goal is not to suppress articles, the goal is to protect individuals' right to privacy. Google does not control the article, and they should not remove all links (associations) to articles. But they can and should respect individuals' right to privacy. So when an association is outdated, irrelevant or misleading they should - upon request - remove the association - not the article, not all the other links to the article.

And yes - that includes the right to delete associations between your name and a possible crime you committed 30 years ago. Most modern judicial systems (US the notable exception) recognize that when you've done your time you have "paid" your debt to society - and should have a chance to start over. If youthful stupidities will follow you your entire life you will *never* get a chance to prove that you have corrected yourself.

And this is NOT just for criminals. Controversies, your participation in demonstrations, debates, political parties, deliberate smear campaigns etc. all have the potential to seriously inhibit your chances with future employers.

about a month ago

BBC Takes a Stand For the Public's Right To Remember Redacted Links

benjymouse Article or link (113 comments)

Was the article removed in its entirety, or was the *association* between the name and the article removed?

Of course Google should not remove the entire article. That was never what the law said. If they did so, it was just another blatant attempt at manipulating opinions of journalists in the hope that journalists' reporting will start to sway public opinion.

If it was just the *link* between a commentator name and the article that was removed, i.e. you would still find the article through googling words from the content of the article, then what is BBC's problem?

Google is blatantly trying to manipulate public opinion through journalists. They are deliberately misinterpreting the law to create an impression of draconian consequences.

about a month ago



VLC threatens Secunia with legal action in row over vulnerability report

benjymouse benjymouse writes  |  about a year ago

benjymouse (756774) writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled More lies from Secunia. It seems that Secunia and Jean-Baptiste Kempf have different views on whether a serious vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to "unpatched". Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)."

Pwn2Own 2009: Safari, IE8 and Firefox all pwned!

benjymouse benjymouse writes  |  more than 5 years ago

benjymouse (756774) writes "In a matter of seconds, Charlie Miller, last year's winner of the PWN2OWN contest did it again at CanSecWest and successfully exploited a fully patched Safari running on a Mac. He came prepared, directed the operator of the browser to browse to a rigged website and it was all over.

He took the $10.000 first prize and the macbook home with him.

Last year he was quoted as saying "Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in QuickTime.".

As I wrote this submission news came in that all of IE8, Safari (again) and Firefox were pwned by a researcher going by the name "Nils". So far only Chrome remains standing.

These were all drive-by exploits against fully patched browsers, not 3rd party plugins. Be careful out there."

Vista Capable lawsuit loses class action status

benjymouse benjymouse writes  |  more than 5 years ago

benjymouse (756774) writes "In a big setback for plaintiffs, a federal judge has stripped the class-action status from the Vista Capable suit against Microsoft.

Computerworld writes

The consumers who brought the original lawsuit, and those who followed as members of the class action, will be free to continue their cases, but they will have to do it individually, not as a group, Pechman said. "Approximately one year ago, this Court certified a class in this matter and allowed Plaintiffs 'to further develop their price inflation theory'," Pechman said. "It is now apparent that class treatment is no longer appropriate."

"Dr. Leffler did not attempt any regression analysis, much less an econometric analysis of the impact of 'Vista Capable' on demand," Pechman said. "It is ... critical to Plaintiffs' theory of proof to isolate Microsoft's purportedly deceptive efforts to increase demand from promotions OEMs had in the run up to the holiday season."

Presumably the lawyers for plaintiffs were expecting a good chunk of the potential damages. This will make it much more costly and risky to retrieve such damages. Will this effectively spell the end of the suits, or will the lawyers press on? IANAL so I wouldn't know whether they can appeal this ruling or not."


Microsoft urges Windows users to shun Safari

benjymouse benjymouse writes  |  more than 6 years ago

benjymouse (756774) writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to "restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple". This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Basically, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem.

The MS bulletin speaks of a possible "blended" attack. This is obviously recognizing that having the desktop carpet bombed with executable files does not imply that they can be executed. However, once the files are on the desktop all an attacker needs to do is to find some social engineering attack vector or a way to launch one or more of the files through some other vulnerability. At the very least it does not take much imagination to come up with scenarios where this vulnerability can be used by spammers or skiddies out to annoy users.

It is unprecedented for Microsoft to recommend Windows users to abstain from using a mainstream software product, especially a competing product. Could it be that Microsoft's security response team have grown sensitive over Apple TV ads ridiculing Windows users over security while at the same time Apple software products, especially Quicktime, and now Safari threatening the security of those very same users? Surely the "Apple software updater" push of Safari hasn't exactly earned them points in Redmond. Surely MSRT realizes that this may be controversial. Is this a "stab" back at Apple and/or a way to shine light on Apple's own security problems?"

Netcraft: Microsoft IIS may soon overtake Apache

benjymouse benjymouse writes  |  more than 7 years ago

benjymouse (756774) writes "From the latest Netcraft web server survey:
In the August 2007 survey we received responses from 127,961,479 sites, an increase of 2.3 million sites from last month. Microsoft continues to increase its web server market share, adding 2.6 million sites this month as Apache loses 991K hostnames. As a result, Windows improves its market share by 1.4% to 34.2%, while Apache slips by 1.7% to 48.4%. Microsoft's recent gains raise the prospect that Windows may soon challenge Apache's leadership position."


benjymouse has no journal entries.
