Comment Re:It's nice that they're honest. (Score 1) 174
Well, perhaps it was an inside job...
FTA, "Obviously, you only need to do this if you checked you are indeed running the backdoored version, as mentioned above."
A skilled attacker will have replaced md5sum so that it returns the hash that corresponds to the good version, and in general installed a rootkit. The remediation advice they provide is broken.
If you have installed the affected software, you should probably assume you are owned, regardless of what any local tests tell you.
There's a nice handy place for all of Microsoft's express editions
Practice Active Listening from day one, and be humble about your own skills and abilities. Yes, you're smart. But over the years as you learn more you will discover that you know less and less, until you are absolutely confident that you know nothing.
You will find some people who do not seem to be very smart, but they are there for a reason. Dismiss them at your peril. Instead, try to learn from them.
Active listening will help you learn faster, gain respect among your colleagues, avoid misunderstandings, and build valuable relationships quickly.
NoSQL and "reliable" don't go together. Implementing a safety system in which integrity is critical with NoSQL would be a significant mistake. While it may be that the data doesn't have to be relational, as another poster commented it surely does need to be ACID.
Cross-site request forgery or Cross-site scripting may be the culprit, which of course renders the browser mostly irrelevant, except to the extent that modern browsers, IE8 included, have a certain degree of protection against badly-implemented web sites.
Am I missing something, or is this the stupidest idea on slashdot all year long?
How do they propose to patch the software? Or are they going to distribute perfect software on the first try?
I realize of course that you can't persist the malware (leaving aside the possibility of modifications to the firmware of various peripherals or a 'Deep Door' style attack), but that's hardly all that matters. And even still, you could achieve the results better by using a VM with automatic disk-undo.
This is really a vulnerability in any meaningful sense of the word. Rather, this means that certain advanced protections that Windows uses are less effective in a Virtual PC. Microsoft is actually in a leading position when it comes to memory protection features as compared to anyone this side of OpenBSD.
Why isn't someone issuing an "advisory" that the MacOS implementation of things like GS, ASLR, early-heap-termination and SafeSEH are either weak or nonexistent?
ASLR could use more entropy. Stack cookies could be present in every function, instead of just some. Every defense can be improved, and I don't think Microsoft has ever claimed that ASLR or GS is a reason NOT to produce a patch.
IMHO, Microsoft is completely correct to not issue a bulletin for this since that is an indication of a severe issue. And Core is free to make the issue known publicly as well, and people can decide for themselves. But the Slashdot title is misleading at best.
It's an interesting estimate, but I don't buy the argument for favorable tax treatment for "social welfare." For many companies, open source is one side of a many-sided business model: i.e., they're making their money somewhere else. Giving special tax treatment for such a thing would be similar to giving Adobe special tax treatment for Adobe Reader, or AT&T for giving away free cell phones. The freebie is necessary for them to build a profitable market elsewhere.
FTA
Coverity asks, “would you like to know about 0day defects months in advance?” They ask that to promote their work in scanning open source projects for security vulnerabilities. Quoting from Coverity’s 2009 report:
“In January 2006, Coverity, Inc., was awarded a contract from the U.S. Department of Homeland Security [] to improve the security and quality of open source software[] Since 2006 [Coverity] scanned over 60 million unique lines of code on a recurring basis from more than 280 open source popular source projects.”
[...]
"You might argue that the mere fact that Coverity can do this work is just another set of eyeballs. But I reject that argument entirely. This is a government subsidy to go do some hard and useful work, not a magic property of the fact that these are open source projects. The real beneficiaries of the subsidy are not Coverity (who is providing a fine service), but other companies whose business model is primarily about services and not software.
We think that’s great. The work that Coverity is doing falls into a category of analysis known as “static analysis,” which Coverity defines as “a set of techniques for examining a software system and making determinations about what its behavior will be at run time, using information collected without running the code.” Microsoft and the SDL are big proponents of static analysis. "