
Comment Re:The toxic community worries me. (Score 1) 161

I lurk on the Nim IRC channel sometimes. The toxicity there can be unbelievable.

I don't know any of the people who created any of the non-DSL languages I use every day. I don't know if they worship Natas and sport Hitler Mustaches or if they have some kind of oxymoron "tolerance" thing going on like the Rust heads. I don't know if they are into Satanic rituals while being employed by NSA as part of ongoing efforts to compromise all the world's systems.

How can anyone take the language seriously when they have to put up with so much anger and rudeness from its community?

How can anyone seriously care? People select languages for RESULTS not social hour. The only thing I care about is technical merit... whether Nim can deliver. I have never in my life heard of anyone contemplating criteria for selecting a language based on who said what in an IRC channel.

Comment Microsoft's Malware Operating System? (Score 1) 159

I'm trying really hard to understand the difference between Malware and Windows 10 and..... so far I... well honestly... have not the faintest idea.

1. Malware tricks people into installing it.
Check..

2. Once installed it spies on users
Check and Check...

3. Malware monetizes its victims with ads and shit
Check..

4. Malware bundles other malware to financially reward the original malware author. ... and Check..

What is the difference? I'm not trying to be a smart aleck, or bash Microsoft. This is an honest to god serious question.

What is the daylight between what Microsoft's doing and your average malware vendors' business models?

Much of the malware I see these days will actually uninstall itself from add-remove programs... Both Microsoft and Malware vendors generally seem to be trying to walk a tightrope of not acting in a blatantly illegal manner.

What's the difference? Why isn't Windows malware? Why isn't Microsoft a malware vendor?

Comment Re:already exceeding expectations (Score 1) 1429

Well, Obama was at war for all eight years of his presidency. Beating all other presidents. Hard to argue that he was better than Bush with that record.

Imagine I were president.. out of sheer boredom I decide to start a war on the very last day of my warless presidency.

Imagine the very next president spends the bulk of his remaining 8 years calming the hornets' nest I kicked around like a football.

Even in this maximally ridiculous case your argument is no more or less valid. It's unfalsifiable gibberish.

Comment Re:fake news from cnn (Score 4, Interesting) 272

And there is no way in hell Russia will ever release Snowden. They have coerced him for example to "call" into Putin's Propaganda hour show (either that or Snowden is really really naive). The Russians will not release

His interview question was fair in my view. It at the very least put Putin on record as being a liar when competing information enters the public domain.

Snowden so he can talk about his treatment or detail what he released to the Russians. They have absolutely nothing to gain.

What impressed me about Snowden was what he has actually said about the Russian government while in Russia.

Some tweets from Snowden:

"Signing the #BigBrother law must be condemned. Beyond political and constitution consequences, it is also a $33b+ tax on Russia's internet."

"#Putin has signed a repressive new law that violates not only human rights, but common sense. Dark day for #Russia."

Comment Re:Expected /. response (Score 1) 502

Also do you have any idea how hard it is to find an ASLR leak? These are the same or similar features to those found in gcc / Ubuntu. You can read about the Ubuntu implementations here. https://wiki.ubuntu.com/Securi... These are features implemented by all modern operating systems / compilers. But they weren't common in the Windows 7 era. Again we could all *prefer* that MSFT backport features to Win/7 and/or give up on Windows/10 telemetry.

There are things like DEP/NX and ASLR that require varying degrees of buy in from the OS/loader/processor; however, what you seem to be referring to (stacks) are security checks injected at COMPILE TIME adding various protections with a nominal performance tradeoff. This makes a lot of sense. Once code is compiled, the information necessary to make any kind of coherent determination is severely diminished, so it is hard to do anything about it later at runtime.

I can use GCC to compile windows programs if I want and take advantage of GCC security features in my app running on Windows XP. Mozilla can follow through with their threat to compile Mozilla in Rust enabling users to become immune from certain classes of security bugs in the subset of code using that language (assuming it actually behaves with advertised constraints).

Numerous security checking features have been available directly in Visual Studio and as add-on libraries from third parties for as far back as I can remember.

Now you can argue since the operating system itself is not compiled with x, y and z that it is less secure. To which my response is that users tend to sit behind stealth mode firewalls anyway in a single user/household environment. If you can protect applications from external compromise this is sufficient in practical terms since the application is the thing sticking its neck out. You can of course still exploit vulnerable OS-provided aspects the application relies on. Font processing for example has previously been a successful target but holistically the security of the application is way more important than OS selection for most users.

This obviously is not sufficient in other settings such as multi-user systems/application servers, yet I have never in my life trusted an operating system's ability to fend off privilege escalation from interactive users... It's too unrealistic... too big an ask. The associated stream of CVEs in this regard is hardly surprising.
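The compile-time stack checks the comment above refers to (and the "stack sentinels" that come up later in the thread) can be illustrated with a hand-rolled version of the mechanism. This is an added example, not code from the commenter or from any compiler: a struct stands in for a stack frame, the buffer-then-canary layout and the CANARY_VALUE constant are assumptions for the demonstration, and a real compiler plants a per-process random value and aborts on mismatch rather than returning a flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout for this demonstration only: a fixed-size local buffer followed by a
 * sentinel word, mirroring where a compiler-inserted stack canary sits between
 * a function's buffers and its saved return address. A real canary is a
 * per-process random value; the constant below is a constructed placeholder. */
#define BUF_LEN 16
#define CANARY_VALUE 0x5AFEC0DE5AFEC0DEull

struct guarded_frame {
    char     buf[BUF_LEN];
    uint64_t canary;
};

/* Prologue: clear the buffer and plant the sentinel. */
void frame_init(struct guarded_frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
}

/* Body: the kind of copy a canary exists to catch. It is bounded by the size
 * of the whole frame (so this demo never writes outside the struct) but not by
 * the size of buf, so input longer than BUF_LEN spills into the sentinel. */
void frame_copy_unchecked(struct guarded_frame *f, const char *data, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, data, len);
}

/* Epilogue: the check the compiler emits before returning. 1 = sentinel intact,
 * 0 = the buffer overran it and the function must not return normally. */
int frame_check(const struct guarded_frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Run one input through prologue, body and epilogue; returns frame_check(). */
int store_and_verify(const char *data, size_t len)
{
    struct guarded_frame f;
    frame_init(&f);
    frame_copy_unchecked(&f, data, len);
    return frame_check(&f);
}

int main(void)
{
    /* Constructed inputs: one that fits in buf, one longer than BUF_LEN. */
    const char fits[]     = "hello";
    const char too_long[] = "AAAAAAAAAAAAAAAAAAAAAAA";

    printf("fits:     sentinel intact = %d\n", store_and_verify(fits, sizeof fits));
    printf("too_long: sentinel intact = %d\n", store_and_verify(too_long, sizeof too_long));
    return 0;
}
```

The point the example makes is the one in the comment: the check costs one store in the prologue and one compare in the epilogue, and it works because the compiler knows the frame layout at compile time; nothing in the running binary could reconstruct that later.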

Comment Re:Options (Score 1) 502

Use Windows 7, and everybody with access to malware techniques from the last decade can get in, or

Use Windows 10, and only the nation-state threats with access to the latest techniques or legal avenues will be able to get in.

More likely use either, click on the wrong email and get hit with ransom for continued access to files you neglected to ever backup.

I know it's Slashdot's fetish to think that the NSA really cares what websites you're visiting, and to think that you're all protecting the rights of freedom fighters around the globe, but really, using antiquated software just means that the barrier for entry is lowered. The NSA might not be able to pull your telemetry directly from Microsoft, but their regular old RATs and spyware will work just fine, along with the same kit from every hacker group around the world. Not only will the NSA still have access to your data, but so will everyone else.

I just want to be left alone. It simply isn't anyone's business what I do or what software I install and run. Using Windows 10 guarantees I won't be left alone.

Comment Re:Expected /. response (Score 1) 502

The proof that ASLR and DEP work is that when they are enabled, the exploits always require an ASLR leak!

So what? What effect did this have in the real world? People either go through an extra hoop to find a bypass which exists or they focus on social engineering.

Any data or references you care to offer showing objectively Windows 10 offers substantially better security outcomes? Not extra security features but actual outcomes to real world users?

This is what everyone cares about. Nobody gives a crap about alphabet soups of three and four letter acronyms. They care about results.

Stack sentinels work wonders.
It took from 1970 to 2015 to find a solution for buffer-overflows.

Are you talking about VS2015 "CFG" feature that instruments *code* at compile time to add extra stack checks? Otherwise I have no idea what you're referring to.. sentinels are as old as the oldest computers and buffer-overflows are still alive and well in 2017.

We now have it and the Slashdot crowd pans it because they hate the telemetry more than they like the features. I personally hate the telemetry too.

Yes absolutely. I hate telemetry to the extent features are irrelevant. I refuse to accept an operating system that is in fact malware.

You are free to make a different value judgment. Some people abandoned ReiserFS out of spite just because the developer turned out to be a murderer. Sometimes political considerations and principles trump technical considerations.

At the end of the day I look at Windows and I notice they are still using insecure authentication protocols such as Kerberos leaving users at risk of offline credential compromise. I see MS pushing all kinds of unsafe biometric password replacement gimmicks. It is great they are taking the initiative to improve security but to be honest if I really cared deeply about security I would be running BSD or Qubes. Probably would only use a browser from a throwaway VM or an isolated computer. I don't care that much and it seems clear neither do most users because if they did they would never accept the status quo.

I personally think the best security features of Windows are Hyper-V virtualization and sandboxing of browsers 'n shit. Hypervisors are simple enough to have a snowball's chance in hell of being defensible which is way more than can be said for the execution environment exposed to applications.

But if I'm in a position where I have to decide what's better for my company or my customers, the visceral hate cannot be the deciding factor.

Visceral hate is your characterization and your opinion. It is a characterization I neither agree with nor see happening. You are free to disagree. The issue of the importance of telemetry relative to other considerations is political not scientific and everyone has different security requirements. People are entitled to assign a suitable weight and take measures they see fit.

Comment Re:Expected /. response (Score 1) 502

The underlying thought here on /. seems to be that we should talk down Windows 10 so that MSFT repents and gives us a Windows/10 without telemetry. This isn't a good strategy.

What makes you say that? How would you know the difference? How do I know you're not just a paid shill for some Microsoft hired PR firm?

What isn't a good strategy is questioning motives in the first place.

Comment Re:Bashing Windows 10 (Score 2) 502

Now on to some bashing, we'll start with force updates that everyone complains the most about. Sorry, but this is a necessary evil,

Sorry, but you have no right to force people to update. It's their choice. More importantly normalizing constant updates provides extremely perverse incentives to software vendors. It signals they can get away with crappy QA using customers as beta testers and endless streams of security vulnerabilities at no cost to them.

leaving them vulnerable and they just don't give a flying f. The only way to address this needless insecurity is to force updates.

Most consumer desktop users are behind a stealth mode firewall where their external exposure is mediated by the security of their browsers and other network connected software. From publicly available web statistics the majority of Windows users don't even run a Microsoft web browser.

The overwhelming majority of events that cause people to get hacked have nothing to do with operating system bugs. Social engineering and associated lapses in judgment account for upwards of 90% of compromises.

Insecure computers connected to the internet AFFECT ALL OF US, and since that includes way too many non-technical (aka muggles) people, who refuse to update when asked to, we have to force you, to protect ALL OF US from YOUR insecure system.

The Internet had better be engineered to fend for itself. Requiring permission or license or certification affects ALL OF US far worse than any unpatched desktops. Look at what the brilliant 1337us3rs who run the Internet are doing. Nobody is taking fixing DNS amplification seriously. SMTP email continues to be deemed an acceptable form of communication and every website on the Internet is using ad hoc user authentication forms driven by plaintext over HTTP encrypted or not. The basis of trust on the Internet is a series of redundant CAs several of which are run by "unfriendly" governments and most of which perform completely automatic signing based on completely INSECURE protocols. If all Windows vulnerabilities were completely fixed tomorrow and everyone updated their computers **NOTHING** would change. I think it is rich in the extreme to start dictating anything to users.

Next: Spying. Telemetry. Malware. So much accusations. Has anyone actually taken apart the packets being sent to M$ to see what the hell is being sent? I didn't think so, I haven't seen any reporting on precisely what is being sent.

My characterization of Windows 10 as malware is informed simply by reading Microsoft's own documentation on the subject.

https://web.archive.org/web/20...

At the enhanced level of reporting (which you can turn off) it also supposedly sends info on what applications you're using, and how long they're running. Again

The list of software on the device and the uptime of applications are also sent at the lowest level (BASIC).

But I have a pretty good educated guess. Usage statistics, performance markers, errors that occur, those are the basic things that're sent home. Probably shoved into a giant database along with every other computer that reports back.

I don't care why they use the data. I don't care what they do with it. It's none of their business. I don't want them to have mine. If you don't agree you are welcomed to your view. It's irrelevant to me.

I highly doubt anyone can successfully take telemetry data out of this database and tie it back to some individual. So who cares?

I was most comforted to learn the NSA telephone database is just numbers not names and addresses.

Do you really think you're so important that someone actually cares what you're doing with your PC? Again, probably all shoved into a DB and used to better understand what users do with their computers, not to spy on you. You're not that important, sorry.

Speaking for myself I simply don't give a flying fick. I don't care how the data is used. It's none of their business and I refuse to let them have it. Nobody has any idea what is going on and what they are doing. There is no transparency and no reason to trust a vendor with a proven track record of taking willfully premeditated action to intentionally deceive its customers.

Telemetry isn't exclusive to Microsoft. Debian Linux has been doing telemetry since, uh, well since I started using it, in 1999 or 2000. True, it's completely optional and it asks you during installation if you'd like to participate. But somehow, because you can opt out easily, it's ok that Linux does Telemetry. Talk about double standard.

So as far as I can tell you really just did seriously compare OPTIONAL OPT-IN data collection with what Microsoft is currently doing in Windows 10?

Just a wild guess: some people busy erecting firewall rules and taking a sledge hammer to the SCM would probably be willing to contribute if they had a choice and some oversight in terms of what was sent.

About the only legitimate complaint about Windows 10 I can agree with is already over with...the overly aggressive upgrade campaign with some underhanded UI choices to trick people into upgrading. That was bad and uncalled for, but it's also over now, so can't really bitch about this anymore.

Microsoft has by its own actions and culture eroded **TRUST** in itself among its paying customers. Trust is critical. Trust isn't something you can just push out a forced update for and get back. If Microsoft is willing to act in this manner what else are they capable of? What else are they doing behind my back? How was this allowed to happen? What has changed to prevent recurrence?

Comment Re:Expected /. response (Score 1) 502

The simple problem is that telemetry has been overstated and overblown. Try to find a comprehensive description of what Microsoft captures about users. What you get is things about Windows making DNS lookups against hundreds of domains, some chatter about what Windows 10 could be doing, and some criticisms of ill-thought-out features like Wifi network password sharing. Nobody knows what's happening, but they've all assumed so.

I'm hopelessly confused... should I believe "telemetry has been overstated and overblown" or should I think "nobody knows what's happening"?

The result is a bunch of people talking about how Microsoft is spying on you by doing such things as identifying all software installed,

I think the reason for this "misunderstanding" is their own documentation describing the lowest possible rung of telemetry settings states the following:

"Helps provide understanding about which apps are installed on a device and to help identify potential compatibility problems."

"Some examples are the amount of time a connected standby device was able to full sleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app."

Microsoft not only knows about all of the porn apps on my computer but how long each is used.

meanwhile when you run yum or apt, it sends an HTTP request for each individual piece of software you're updating or installing back to a central server--which actually does what people said Windows 10 does, but doesn't freak anybody out because... reasons. EVERYBODY PANIC!

With most things Linux you are often downloading from independently operated mirrors and you always retain full control over whether and from where to obtain updates. You can also download them somewhere else and update from a CD-ROM if you want.

I find it hard to accept the premise people are upset about downloading software from remote servers. I think they may in fact be concerned about other things such as telemetry, retroactive software removal and both unwanted software installation and execution.

Cortana used to search the web if you typed search terms into the Cortana search bar, and people freaked out.

There is one search bar at the bottom next to the start menu intentionally designed to leak local searches to Microsoft. They removed the start menu search functionality and provide no easily accessible option to control the scope of search, intentionally to cow people into using it unless they understood/figured out how to turn it off.

With not so clever UX design you can trick millions into creating a Microsoft account they might not want or need or leak URLs entered into the URL bar to search engines. You can even make dismissal of a consent form constitute consent.

Every keystroke you enter into your browser's search bar is sent to a remote server, where it's logged in Web server logs.

Extremely creepy.

Every domain you look up goes back to a Malware service to block bad sites.

If you want to help people you use a bloom filter. If you want to spy on them you download every domain and claim it's for their own safety.

To be fair, people freaked out when Ubuntu started searching Amazon through the Unity bar. It's not that they have legitimate fears; it's that they fear new things, and confusion in groups turns into mass hysteria.

Privacy invasions and underlying incentives to go there are not "new things". They've been around as long as the social contract.

You get a few people suggesting folks are just afraid Amazon will see them trying to look for their child porn collection, but that's retarded; the truth is

Retarded is an apt description of the third party doctrine in the US.

everyone's scared because the next ten people are scared and nobody is inclined to take the time to verify that the next ten people aren't idiots, so they do the reasonable thing and assume (incorrectly) that a million people who have no fucking clue what they're talking about can't be wrong or someone would have told them by now.

Or be bothered to support their assertions with objective falsifiable evidence.
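The bloom-filter remark in the reply above is the technique behind privacy-preserving blocklists: the client holds a compact filter and can answer "definitely not listed" for the vast majority of domains without sending anything, so only the rare possible match ever needs a remote lookup. The following is an added example, not the commenter's code or any vendor's implementation; the filter size, the FNV-1a hashing, the BLOCKLIST entries and the session domains are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Demo parameters: 64 Ki bits (8 KiB) and 4 hash functions. A shipped filter
 * is sized for the list length and the false-positive rate the vendor accepts. */
#define BLOOM_BITS   65536u
#define BLOOM_BYTES  (BLOOM_BITS / 8)
#define BLOOM_HASHES 4

struct bloom {
    uint8_t bits[BLOOM_BYTES];
};

/* 64-bit FNV-1a with a seed folded into the offset basis, so one routine
 * yields BLOOM_HASHES distinct indices per key. */
static uint64_t fnv1a64(const char *s, uint64_t seed)
{
    uint64_t h = 0xcbf29ce484222325ull ^ seed;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ull;
    }
    return h;
}

static uint32_t bloom_index(const char *key, unsigned i)
{
    return (uint32_t)(fnv1a64(key, 0x9e3779b97f4a7c15ull * (i + 1)) % BLOOM_BITS);
}

void bloom_init(struct bloom *b)
{
    memset(b->bits, 0, sizeof b->bits);
}

void bloom_add(struct bloom *b, const char *key)
{
    for (unsigned i = 0; i < BLOOM_HASHES; i++) {
        uint32_t idx = bloom_index(key, i);
        b->bits[idx / 8] |= (uint8_t)(1u << (idx % 8));
    }
}

/* 0: definitely not in the set. 1: possibly in the set (false positives are
 * possible, false negatives are not). */
int bloom_maybe_contains(const struct bloom *b, const char *key)
{
    for (unsigned i = 0; i < BLOOM_HASHES; i++) {
        uint32_t idx = bloom_index(key, i);
        if (!(b->bits[idx / 8] & (1u << (idx % 8))))
            return 0;
    }
    return 1;
}

/* Constructed blocklist standing in for a vendor's real one. */
static const char *const BLOCKLIST[] = {
    "bad.example", "phish.example.net", "malware.example.org",
};

/* Built once from the list: this is the artefact the vendor ships, so the
 * client can answer "definitely clean" without sending the domain anywhere. */
static const struct bloom *blocklist_filter(void)
{
    static struct bloom filter;
    static int built = 0;
    if (!built) {
        bloom_init(&filter);
        for (size_t i = 0; i < sizeof BLOCKLIST / sizeof BLOCKLIST[0]; i++)
            bloom_add(&filter, BLOCKLIST[i]);
        built = 1;
    }
    return &filter;
}

/* Client-side decision for one lookup. 0 = allow locally, nothing leaves the
 * machine; 1 = possible match, the only case that needs remote confirmation. */
int needs_remote_check(const char *domain)
{
    return bloom_maybe_contains(blocklist_filter(), domain);
}

/* How many of a browsing session's domains would be sent upstream. */
size_t count_remote_checks(const char *const *domains, size_t n)
{
    size_t sent = 0;
    for (size_t i = 0; i < n; i++)
        sent += (size_t)needs_remote_check(domains[i]);
    return sent;
}

int main(void)
{
    /* Constructed browsing session: four ordinary domains, one listed. */
    const char *const session[] = {
        "slashdot.org", "wiki.ubuntu.com", "mozilla.org", "bad.example", "debian.org",
    };
    size_t n = sizeof session / sizeof session[0];
    printf("%zu of %zu lookups leave the machine\n", count_remote_checks(session, n), n);
    return 0;
}
```

The design trade-off is visible in the two return values: a filter can say "no" with certainty but only "maybe" for a hit, so a remote confirmation step still exists, but it fires for listed domains and the occasional false positive rather than for every page the user visits.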

Comment Re:Expected /. response (Score 1) 502

Win95 had real pre-emptive multi-tasking and memory protection.

It had no such thing.

It also forced a new UI that people hated.

Program manager shell and related goodies were included with Windows 95.

Windows/10 has a lot of exciting new security features.

Which ones protect users from themselves? Most exploits are the result of social engineering. Even if Windows worked perfectly nothing would change.

That's pretty common in commercial software.

Most commercial software vendors I know cannot afford to piss off their customers by inserting malware and ignoring widespread unambiguous negative feedback during product development.

Comment Re:Expected /. response (Score 1) 502

The security features in Windows/10 provide exploit mitigation. What this means is that Windows/10 may or may not have more bugs, but let's assume that it does have more bugs. The changes in Windows/10 mean that bugs do not become exploitable. Let's assume that there are twice as many bugs but 10% can be successfully exploited vs 30%.

We heard all this before when ASLR and DEP were introduced. Did it work? Where is the evidence informing your assumptions?

Comment Re:Expected /. response (Score 1) 502

The first posts are pretty much what one would have expected. Many people have concerns with Windows/10 telemetry. But it's still a more secure OS than Windows/7. There are an incredible number of security features built-in to thwart malware. Stack sentinels, call graph protection, delayed freeing of memory, et cetera. I'm in no way advocating for the telemetry data. You can disable it in the Enterprise edition of Windows. I don't like this business decision from Microsoft. But I'd still rather the telemetry data than other malware. The snide quips that show up in articles like this add no value to the discussion.

Most malware is *installed* by the end user.
