Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Comment Re:Well duh (Score 1) 75

Then how does Symantec see such a huge number of attacks? It's the same broken argument we've heard for years: don't run as admin on Windows, you wouldn't run as root on Linux. Then why does every single computer get installed with admin privileges enabled by default? It's because the Windows ecosystem and ACL system is fundamentally broken.

If hackers suddenly start sending PowerShells en masse it is because they are exploiting a feature or setting that allows them to use it.

Comment Re:Well... (Score 1) 75

No, what he is referring to is that you get into a command shell, you can invoke an unsigned PowerShell script with PowerShell.exe -file. But that's not much different than source in bash.

But it's hard to imagine a social engineering attack that would get a user to download a file and then get them into a CLI session to override execute flags or signing to invoke the script file.

Comment Re:Not that big a leap (but I doubt OOP @ times) (Score 1) 75

This is one of the reasons micro kernels have a much more manageable security model. The problem being microkernels have some performance penalties that, at least in previous generations of CPUs, lead most OS developers to work in monolithic or mixed models. Yes, there are user space device drivers, so there has been a lot of work done to move device drivers a lot further away from Ring 0 and Ring 1, but even this simply makes monolithic kernels even more complex, and complexity is always the enemy of security.

Comment Re:(bash|sh|ksh|zsh) && !PowerShell (Score 1) 75

The kinds of vulnerabilities that PowerShell suffers would be suffered by any operating system that has a fairly comprehensive scripting language. The issue simply is if you can automate OS functions like creating, altering or deleting files and other system resources, someone can write a malicious script that, if run even in an non-super user context, can wreak havoc, but if run in a super user or similar higher access context can lead to enormous damage or to compromised systems. There are ways to mitigate this for both Windows and *nix, but more often than not you have to be proactive about it.

Comment Re:ARM Server CPUs, x86 on ARM (Score 1) 82

When I've heard people talk about "ARM servers," the fine print tends to be that they're not really talking about ARM CPUs, they're talking about ARM SoCs ... so however many ARM CPU cores paired with other components that tailor the SoC for specific workloads. The resulting ARM servers probably won't be general-purpose hardware for everybody to use, they will be marketed to people who know the specific thing they want to do and now they just want to hit the sweet spot on power consumption/cost/whatever.

Comment Re:Not all emulation (Score 1) 82

That's not actually that big of a downside. With Microsoft Office, for example, Microsoft still recommends most users install the 32-bit version, even though almost everybody is running a 64-bit OS these days. The exception is people who need to run crazy big Access databases (or ... shudder ... Excel spreadsheets).

Comment Re:I haven't been to a movie theater in years (Score 1) 248

Then there are the idiots who turn on their phones in front of you, blinding you, to make or receive a call or an SMS and talk their head off.

It's a fast way to get kicked out of a theatre, actually... I've even seen it happen, thankfully only a couple of times, but I think when the attendees know that the theatre doesn't tolerate it, that tends to keep most everyone in line with regards to theatre etiquette. Usually, they will even have a commercial during the commercials before the film starts that addresses one aspect or another of theatre etiquette such as texting on a phone or talking during a movie that makes people aware that it is unacceptable.

Comment Re:Microsoft Bash to the rescue (Score 1) 75

They're not, and suffer the same inherent vulnerability that Powershell or any other executable scripting language does; that even if you have core network and system resources ringfenced, malicious scripts can still play havoc with anything even regular users have access to (like shared file resources and the like).

The reality is, and this has been known for a couple of decades now, email and web clients simply should not be able to execute code. But since executable code, whether macros or scripts, show up in so many file formats it's all but impossible to fully enforce such a regime.

Comment Re:Replacing CMD (Score 3, Interesting) 75

Some of the nastier scripts out there nowadays aren't really about gaining elevated privileges. Some of them, like the encrypting ransomware requires no special privileges at all, but simply access to user files, and to network files that the user has read/write access to. So while the critical aspects of a computer or a network are protected by execution and system resource access limitations, you need to prevent execution of unauthorized scripts completely.

I have to admit I've found signing Powershell scripts to be a mighty pain in the arse, but it does provide some protection against external scripts running when you maintain the blocking of execution of unsigned scripts. It isn't a complete protection, unfortunately, and Powershell is only one route by which this kind of ransomware could end up on a system. Vulnerabilities in Java, MS-Office files, and even the execution of Windows Scripting Host files (vbscript and jscript) seem more common from my experience.

The one bit of ransomware I saw got loose through a vbscript file attached to an email. For whatever reason, Outlook allowed it to be executed, and the user clicked the dialog that might have prevented it, and then the script went to town encrypting files on the user's own folders and the share. Fortunately there's a good backup regime in place, so there was very little actual loss, but it demonstrated that along with some vulnerabilities in Windows' execution protection schemes, the real weak link as always is users themselves.

Comment Re:Lorex security cameras just as bad max password (Score 1) 52

How do you think we "IoT" device makers are making money on 'free' devices or '$10/month unlimited storage'. It's not because we have a 2GHz processor in every device, these are the specs on the 'latest' "Smart WiFi/BT application SoC": 256KB embedded Flash and 32KB SRAM. Often these devices are made with yesteryear's chips that are half or even quarter of that.

And in that 256KB must fit: 2-4 web pages with graphics, the various triggers, motion code (send a picture to SMTP, FTP, SMB)

Comment If a movie isn't worth going to the theatre for... (Score 1) 248

.... then I probably wouldn't want to get the movie particularly early anyways.

So, no.

I have a home theatre setup at my place... large screen, an old-fashioned popcorn maker, comfortable seating and I *STILL* prefer going to the theatre for certain movies.

Comment Re:I Would Rather Go To Theatres (Score 5, Insightful) 248

As would I. I actually prefer the theater experience, providing you don't have a theater full of assholes. When I went to The Force Awakens last year on its opening day, that old communal experience I remember from theaters when I was a kid came back. There was cheering and clapping when the Star Wars theme played and in general it really was a wonderful experience. My experience with Deadpool was even better, as people laughed at the jokes through the whole thing. And there's the big screen, which I really do love. Can't reproduce that at home.

Slashdot Top Deals

HELP!!!! I'm being held prisoner in /usr/games/lib!