Free Republic

Cyberattack on Google Said to Hit Password System
NY Times | 19 Apr 2010 | JOHN MARKOFF

Posted on 04/19/2010 7:01:38 PM PDT by for-q-clinton

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.

(Excerpt) Read more at nytimes.com ...


TOPICS: Business/Economy; Extended News; News/Current Events
KEYWORDS: attack; cyberattack; google; hack; password; security; system
To: dayglored

Ok like I said you don’t consider 0-day exploits as real issues until they get exploited. So why bother even fixing them right?

I’m glad you are in the real minority (even amongst Apple users).


61 posted on 04/19/2010 9:13:40 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 58 | View Replies]

To: dayglored

Actually I do know quite a bit about it, but if you read for understanding the response I was making was about the fact that windows could run on a Mac pre-Intel proc days.

And most with a reasonable understanding would understand that. But for those needing a lesson, well I can take you to school on virtualization. But then that’s outside this issue...your wanting to play gotcha is just silly.


62 posted on 04/19/2010 9:16:00 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 59 | View Replies]

To: for-q-clinton

Having worked in/with sysadmins in a corporate environment, one of my strongest reasons for pushing Unix or Macs to the desktop was to prevent the use of PC’s for games.


63 posted on 04/19/2010 9:18:41 PM PDT by NVDave
[ Post Reply | Private Reply | To 52 | View Replies]

To: for-q-clinton

Here are the details on the trojan that was injected:

http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html

http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html

Obviously a Windows trojan.


64 posted on 04/19/2010 9:20:48 PM PDT by NVDave
[ Post Reply | Private Reply | To 53 | View Replies]

To: NVDave

Macs and Linux both have games. But Windows probably has more manageable software to control that in the environment (now). So when was that, 1995? Not mocking you but just wondering.

Also who cares...there are games galore online now, so if you’re really worried about that you might as well pull the internet plug from them as well. And there are games that can be played via email or IM so you better pull that too. I work with extremely large enterprises every day. In fact, I’d say I’m responsible for one of the largest networks in the world. Windows allows us to lock down the desktop quite nicely (now).


65 posted on 04/19/2010 9:21:50 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 63 | View Replies]

To: NVDave

Interesting. I didn’t notice where it mentioned Adobe Reader. So did they use one exploit to get to another?


66 posted on 04/19/2010 9:23:10 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 64 | View Replies]

To: for-q-clinton

1995 through 2002.

The firewalls block a lot of the ports used by online games these days, and there are security appliances that can (and do) sniff the contents of http streams and close the connections in the proxies if they see non-approved traffic on the corporate networks.

Cisco doesn’t depend on Windows security (such as it is) to secure networks. They have a network-centric view of the world (no big surprise there), so they like to assume dumb (or in the case of Windows, idiot savant) clients. The benefit to this approach is that by securing the network, you no longer are bound to any one OS’s view or implementation of security. The security on their Unix servers is quite tight, but we have to be realistic and say that the marketing and sales people are never going to get past the login prompt on a *nix system. The doc people don’t want to use Windows, but the engineers using AutoCAD have to, other engineers doing chip simulations have to use Solaris, yet others have to use *BSD implementations on PC’s, etc, etc, etc.

For all of that, while I was there, there was no bigger headache for security than Windows. And from talking to people still there, that’s still the case - mostly because when people take their PC laptops outside the corporate net, they forget to increase their paranoia about the threats that they would not see inside the corporate net with the IDS boxes between them and the rest of the world.


67 posted on 04/19/2010 9:29:07 PM PDT by NVDave
[ Post Reply | Private Reply | To 65 | View Replies]

To: for-q-clinton
> I’m pretty sure Mac has had emulation before Intel. It just runs better on Intel.

Quite right, they did. But it sucked so badly, nobody used it who didn't absolutely have to.

On Intel, they don't have to emulate. They just virtualize. Which means the CPU basically emulates itself (just bes itself in unprivileged mode) until it runs into a critical point (a system call), at which point the virtualization program intervenes and emulates the system call. The basic virtualization concept dates to the sixties and has benefited from hardware improvements to become just another app today. Decent virtualization apps (VMware, Parallels) run well enough that performance is no longer an issue (but buy plenty of RAM — 4G is $100 from Crucial).

You can have Windows and Linux virtual machines, each with their own virtual hard drives and IP addresses, running as ordinary apps on your Mac. You do your work on OS X, move the results onto the virtual machines, test in the virtual machines, fix, re-test, etc. To switch to each VM's desktop, you configure one of your extra mouse buttons to invoke the Mac's Spaces app.

68 posted on 04/19/2010 9:31:37 PM PDT by cynwoody
[ Post Reply | Private Reply | To 57 | View Replies]

To: NVDave

I’d think the biggest threat to security is the dumb user that is determined to get a virus no matter what you do :-)

And yes they do exist in abundance. And unfortunately that has forced Microsoft and other vendors to lock down the capabilities many of the “good” users like to have. It’s like socialism...we have to dumb it down to the dumbest user. Or I guess that’s Apple’s philosophy too.


69 posted on 04/19/2010 9:37:35 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 67 | View Replies]

To: for-q-clinton

Yes.

Here’s an analysis of the Adobe exploit:

http://isc.sans.org/diary.html?storyid=7867

BTW — I detest JavaScript for this reason. I wish it had never been invented, along with ActiveX. Two huge gaping holes in browser security right there.

BTW2: I’ve been out of the day-to-day security loop for at least seven years now, but IMO, this attack has all the hallmarks of a pro operation. This wasn’t a bunch of kids out for goofs and grins and “l33t warez” — this was an engineered & co-ordinated attack, by serious people.


70 posted on 04/19/2010 9:39:36 PM PDT by NVDave
[ Post Reply | Private Reply | To 66 | View Replies]

To: for-q-clinton

A lot of MS’s problems come from slovenly coding practice and the language they use - C++.

If you told me that a plane I was about to board used C++ in the flight management system, I’d turn around and get the hell off. I’m that convinced that C++ is such a crappy implementation language.

C is like pointing a loaded pistol at your feet.

C++ is like pointing a minigun at your house.


71 posted on 04/19/2010 9:42:26 PM PDT by NVDave
[ Post Reply | Private Reply | To 69 | View Replies]

To: dayglored

Actually after re-reading my statements I see you don’t understand English.

Let me disect it for you.

I’m pretty sure Mac had emulation before Intel. -> I’m saying I am pretty confident that Mac was able to emulate the hardware for Windows to run on a Mac before adopting the Intel platform.

Next sentence. It just runs better on Intel...now this is where you have to think and realize the post I was referring to...this means It (Windows) runs better on Intel. In other words on Intel hardware (you wanted to read that as emulated Intel). But anyone with knowledge of Emulation would realize you don’t need to emulate the hardware if the hardware is already the proper hardware. So your desire to play gotcha makes you look like a fool.


72 posted on 04/19/2010 9:43:18 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 59 | View Replies]

To: NVDave

But most OS’s are written in C and C++. BTW: Isn’t the Windows kernel written in C?


73 posted on 04/19/2010 9:46:22 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 71 | View Replies]

To: for-q-clinton

Yes, many OS’s are written in C (Unix) and C++ (Windows, with C at lower levels). OS X is written in C and Objective-C, which is a different animal - better than C++, but still derived from C.

VMS was written in Bliss-32, IBM mainframe OS’s are a combination of ASM/370, PL/I and PL/S. The old minicomputer OS’s were written in their respective macro assemblers.

I’ve written code in more than a dozen languages. When I first converted to C from Pascal and FORTRAN, I thought I was really warm poop. Then I learned over the years that C, for all its down-n-dirty power to tweak the iron... is like keeping a loaded pistol in the same room with a child who abuses meth: Sooner or later, there WILL be some problems.

There was a wonderful little observation made by a wag in Datamation (which only the old farts here will remember) around 1984:

“C is a language for consenting adults, Pascal is a language for children and Ada is a language for hardened criminals.”

Most programmers on large projects fall into the latter class of human, especially when they have some middle-management dweeb with PERT charts trying to convince them that they can cut out much of the unit testing to meet their deadlines.

Ada-83 has/had a lot of shortcomings and wasn’t really ready for prime time. Ada-95 has cured most all of those, and the latest Ada spec cures the rest.

I’d vastly prefer to see operating systems now written in Ada. It would solve a lot of these security problems by enforcing clear thinking on the programmers’ part - rather than this idiotic “let’s just keep fixing it until it compiles” mindset that seems to have taken over the industry when the “children of the PC era” came of working age. Desk-checking of code has gone by the wayside now - when I started slinging code, you didn’t run the code on the machine for the first pass of debugging. You got a bunch of people together in a room, printed out the code on 66-line greenbar paper, then you sat down for several hours and walked through the entire unit, line by line, with people asking “What if X changes to Foo here? What happens if this input is wrong?” and so on.

Since we’re no longer going to have desk-checking and structured walkthroughs, it is time to make the tools do the enforcement of better programming practice.

With Ada, if you have not really thought through (all the way) how your interfaces work, how your data flows from type to type through the program - it won’t compile, much less link. A typical early Ada programmer has this reaction:

“Dammit, my code has been ‘finished’ for a week, but it STILL won’t compile! Damn this stupid language... in C, I’d be done by now!”

Then the kid finally gets it to compile by fixing all the type usage errors, interface errors, exception handling, etc. He finally gets it to compile... and then he links it.

And he finds out in unit testing that it just seems to work. Very few runtime errors are found... fancy that.

Overall, the manager would find (if they’d take the chance) that they spend less time overall getting the project’s goal met if they find the errors as early as possible. The later in the development lifecycle that an error is detected, the more expensive it becomes - by several orders of magnitude. This is nothing new to anyone who has read “The Mythical Man-Month” or other tomes of that era, but today kids are too busy spouting nonsense about this, that or some other programming language vs. another, and not spending enough time thinking about the big issues in software development - like making sure the code matches the specifications, interface design, etc.


74 posted on 04/19/2010 10:03:25 PM PDT by NVDave
[ Post Reply | Private Reply | To 73 | View Replies]

To: for-q-clinton
I'll save us some time and combine your comments into one reply. Item #1, so-called exploit "contests".

> Ok like I said you don’t consider 0-day exploits as real issues until they get exploited. So why bother even fixing them right?

No, of course they should get fixed. Don't be silly.

I'm talking about actual security threats. Something that is broken should get fixed, of course. But not everything that is broken represents a big freaking deal, security-wise. If the vuln can't be used, then it's just a software error, no big deal, fix it, move on to the next one.

But instead, Apple-bashers go out of their way to make a big deal out of every Mac vuln, just as Windows-bashers do the same thing with every Win vuln. It's marketing bullshit, having no real effect on system security.

Wankers are wankers, regardless of operating system. And the tech journalists who sit around having wet dreams about how they're going to show up Apple or show up Microsoft because their scripted exploit runs 15 seconds faster than the other guy's are wankers, pure and simple, nothing more.

My advice to you: don't follow wankers.

Item #2, emulation vs. virtualization.

> Actually I do know quite a bit about it, but if you read for understanding the response I was making was about the fact that windows could run on a Mac pre-Intel proc days... And most with a reasonable understanding would understand that. But for those needing a lesson, well I can take you to school on virtualization. But then that’s outside this issue...your wanting to play gotcha is just silly.

Thanks for the offer, but no need. I've been using VMware since 2005, presently have a couple of 8-core Xeon servers running ESX with over 4 dozen VMs on them, along with VMware Workstation on my Windows boxes, Fusion on my Macs, and VMware Server on my Linux boxes. Have used Parallels (don't like it as much), and am setting up Xen for a few installs where it makes sense. It's very unlikely you could teach me anything I don't already know in that regard, although you're welcome to try.

> Actually after re-reading my statements I see you don’t understand English.

Indeed, this should be fascinating.

> Let me disect it for you.

For starters, Mr. English, it's spelled "dissect".

> I’m pretty sure Mac had emulation before Intel. -> I’m saying I am pretty confident that Mac was able to emulate the hardware for Windows to run on a Mac before adopting the Intel platform.

Close enough, I won't pick nits.

> Next sentence. It just runs better on Intel...now this is where you have to think and realize the post I was referring to...this means It (Windows) runs better on Intel. In other words on Intel hardware (you wanted to read that as emulated Intel).

Sorry, that excuse doesn't wash. Windows ONLY runs on Intel x86/x64 hardware. You're surely not going to haul out the early 90's Alpha builds of NT, or HP's Itanium servers, to claim that Windows is CPU-independent in any sense that applies to this conversation.

Neither of us is silly enough to claim that Windows could conceivably run better in emulation on a PPC, than on an Intel CPU. Saying "Windows runs better on Intel" is like saying "Automobiles run better with round tires"... ummm, that's right, where's your point?

Anyway, I'm not playing "gotcha", I'm simply pointing out your apparent mistakes, just as you are doing to me. But that process seems to annoy you, and I don't care to annoy anyone, so I'll leave you to your own devices.

Have a good evening. Cheers! :)

75 posted on 04/20/2010 12:39:51 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 61 | View Replies]

To: for-q-clinton

WOW.


76 posted on 04/20/2010 4:42:43 AM PDT by Quix (BLOKES who got us where we R: http://www.freerepublic.com/focus/religion/2130557/posts?page=81#81)
[ Post Reply | Private Reply | To 1 | View Replies]

To: dayglored
> Neither of us is silly enough to claim that Windows could conceivably run better in emulation on a PPC, than on an Intel CPU. Saying "Windows runs better on Intel" is like saying "Automobiles run better with round tires"... ummm, that's right, where's your point?

This is like trying to talk to an 8 year old. You have to go back to my reply to another post (before you jumped in)...where it was implied that Windows can NOW run on Mac. My point was it could run on Mac previously under emulation but at a cost to performance.

Really, what's so hard to understand about that? You're just looking to pick a fight to try and show how smart you are, but in reality you're showing your ignorance.

77 posted on 04/20/2010 7:16:04 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 75 | View Replies]

To: NVDave

NOOO!!!!! Not Ada again. I remember the government trying to force that down everyone’s throat. Yes it has some good points (that you point out), but it needs user community acceptance to be a viable solution. It was just too much a red-headed stepchild that the big government was trying to shove down programmers’ throats. If it had a different backer it may have been more successful.


78 posted on 04/20/2010 7:17:56 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 74 | View Replies]

To: for-q-clinton

There are other options, but they’re not suitable for multi-thread programming as Ada now is.

The government was right to push some manner of standard for their software - after all, they were spending a huge whackin’ pile of money on software, in no less than about 15 languages in the 70’s and 80’s. There was no “push down programmers’ throats.” There was a requirement that if you were writing mission critical software for a government contract, you had to write it in Ada or show very good cause why you could not. That’s entirely reasonable.

The reason why there is so little acceptance of better languages in the US software community has to do with what is taught in CS/EE programs across the country. C came with Unix, and Unix swept across campuses in the 80’s because it was *free* (i.e., free as in ‘free beer’.)

While C is/was an OK language for putting up kernels on PDP-11’s, it is a horrible application language.


79 posted on 04/20/2010 8:14:52 AM PDT by NVDave
[ Post Reply | Private Reply | To 78 | View Replies]

To: NVDave

I agree C is horrible for applications. I actually like C#. I know you’ll probably find that awful, but I like it when writing managed code.


80 posted on 04/20/2010 8:38:46 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 79 | View Replies]

