http://www.osnews.com/story/4584/NYT_Writer_Repents_for_Oversimplifying_Security Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Tue, 10 Nov 2009 05:44:58 GMT http://www.osnews.com/images/osnews.gif http://www.osnews.com http://osnews.com/thread? http://osnews.com/thread? And nice to see that he is a big enough man to accept that he was wrong. Maybe if Microsoft could do that then maybe they could then move onto doing something about the problems with Windows. How about every user that is made on the computer is relegated to retricted mode only allowing them to load applications and write access to the home directory, anything that requires interaction with any other part of the system will require the user to input the root password.

This is not rocket science, this is basic computer security that Microsoft has seemed to put to one side for the sake of ease of use, well, apparent, "ease of use" because Apple has been able to produce a reasonably secure operating system without manking the average user account overly restrictive. Fri, 19 Sep 2003 16:18:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? I can easily imagine a worm abusing something like the recent SSH-exploit, and many of us remember the bind worm of a few years back. I'm too young to remember it, but I've read about the Great Worm that RTM did that almost crashed the net, as well. Fri, 19 Sep 2003 16:20:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Well, considering the patch was applied 2 seconds after everyone read about it, I don't suspect it would get too far just as none of the other ones ever have.. Fri, 19 Sep 2003 17:10:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? How about providing a link to the NY Times article which bypasses the NY Times Subscriber Login page? I myself am not a programmer or script writer so I don't know how to do this, but it is routinely done over at slashdot, for instance, by readers whenever the editor fails to provide a hyperlink which bypasses the Subscriber Login page, for whatever reason. Fri, 19 Sep 2003 17:20:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? I didn't know that was possible. Does anyone have and details about how that's done? Fri, 19 Sep 2003 17:34:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? How you do it this.

1. save this page to your hdd http://www.majcher.com/nytview.html
2. Turn on cookies and referrer logging and privoxy off (if you have it)
3. enter the link given in the local nytview.html Fri, 19 Sep 2003 17:36:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? I'm not sure that's a good idea from a legal standpoint. Better to point to a page that gives instruction on how to bypass the login along with the article - that way you're not circumventing the access restrictions, but you are instructing viewers how to do so.

Or, like, people can also just subscribe. It's free and they've never ever sent me any junk mail. Fri, 19 Sep 2003 17:45:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? How do you turn on referrer logging in IE or Mozilla? Fri, 19 Sep 2003 18:00:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Well, AFAIK the editors at slashdot dont' do this because the NYTimes asked them not to or threatened them wil legal action. The way its done, AFAIK is that NYT creates an archive page right away that can be accessed, if you know how, but I've never looked into it, because subscribing has been easier for me. So its usually the archive page that gets posted in the comments. Fri, 19 Sep 2003 18:01:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? This method I have provided bypasses nothing... it just enters the fake info you would otherwise give in a quicker manner. Fri, 19 Sep 2003 18:02:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? "How do you turn on referrer logging in IE or Mozilla?"

It should be on by default in those browsers Fri, 19 Sep 2003 18:04:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? The page that the guy said to save to your hard drive actually tells you to turn referrer logging OFF, which I don't know how to do either. Fri, 19 Sep 2003 18:06:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Yes, yes it does. It is incorrect. NYT now checks for one. Fri, 19 Sep 2003 18:08:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? [offtopic but i get sick of the nonsens about OpenSSH]

SSH exploit? Which exploit? Show us!

1) You're probably talking about recent bugs in _OpenSSH_. Mind you there are other SSH implementations then just OpenSSH.
2) There is no public exploit. Don't talk about like this is remotely exploitable. This is not proven. This is a rumor. Everyone can spread rumors. For now, it's still FUD.

[/]

Here's a few words about the article:
http://www.macdailynews.com/comments.php?id=P1804_0_1_0
Found with:
http://news.google.com

I couldn't find the article. I do know that one can read NYT using this method:
http://www.robertkbrown.com/2003/02/17/partnergoogle.html

Here are examples:
http://216.239.59.104/search?q=cache:GwBgP9xAaX0J:www.mikeshea.net/...

But i couldn't get it workin'. Fri, 19 Sep 2003 18:52:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? ...and no "free registration" required.

http://www.sunspot.net/technology/custom/pluggedin/bal-mac082803,0,... Fri, 19 Sep 2003 19:56:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? How about every user that is made on the computer is relegated to retricted mode only allowing them to load applications and write access to the home directory

but it is, damn! It's just that people can't be arsed typing passwords (even if Windows XP and later offer to save them), and they always create and use administrator accounts. On top of that, Explorer isn't easy to launch twice as two different users (hint: the easiest way is to use Internet Explorer instead of Explorer), so people who often do file management will just run as administrators Fri, 19 Sep 2003 20:46:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? To turn off the refer logging in Mozilla do this. If you're using versions 1.3 and above you can type about:config at the URL bar then right click on any entry, select new and integer and type this without the quotes:
network.http.sendRefererHeader
You should see 2 in there; change it to 0
Alternatively you can edit the prefs.js file in your profile directory. The entry is: user_pref("network.http.sendRefererHeader", 0);
Change the value to 0. Fri, 19 Sep 2003 21:11:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? And nice to see that he is a big enough man to accept that he was wrong. Maybe if Microsoft could do that then maybe they could then move onto doing something about the problems with Windows.

Oh quit that, MSFT is one of the fastest companies to switch gears and jump into something full-force. Witness the internet -- people think they were slow, but every other large company would have moved at a glacial pace. Everyone's real problem with Microsoft is they're too fast and smart.

Security takes time. You're in the weird position that every security hole you fix, will result in an exploit weeks later. Fri, 19 Sep 2003 21:49:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Right, Microsoft once again had to backpedal because the internet was just a "fad". Ditch the AOL, witness the real world. lol!

- http://www.tbs.co.jp/bc/gates/gatesE.html
- http://archive.salon.com/21st/books/1999/03/cov_30books.html

"1994 I see little commercial potential for the Internet for at least ten years. (Bill Gates)"

- http://www.sysprog.net/quothist.html Fri, 19 Sep 2003 22:22:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? "1994 I see little commercial potential for the Internet for at least ten years. (Bill Gates)"

Who controls over 95% of the web browsers? Just wondering.

Maybe billg isn't all talk.

"lol!" Fri, 19 Sep 2003 23:02:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? I don't bother registering and just user the login ID
slashuser
witht the password
slashuser

easy enough, no spam.. Fri, 19 Sep 2003 23:21:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Nope, not all talk.. He's more the murdering type.

http://www.techtv.com/news/story/0,24195,2160846,00.html
http://zdnet.com.com/2100-11-512634.html?legacy=zdnn
http://abcnews.go.com/sections/tech/DailyNews/msdoj990125_dp.html

Then again, maybe he's just a thief..

http://www.vnunet.com/News/1131606
http://www.base.com/software-patents/articles/stac.html
http://www.aspnews.com/news/article/0,,4191_1368971,00.html

LOL

Why does billg control over 95% of web browsers?

Hmm, maybe this will help..

http://www.usdoj.gov/atr/cases/f3800/msjudgex.htm

Have a nice day. Fri, 19 Sep 2003 23:54:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Nope, not all talk.. He's more the murdering type.

Take a good look at your arguments. This True Believer hyperbole is precisely what makes a fundamentalist. If you can stoke your hatred so much that you call a successful businessperson a "murderer," then any atrocity you commit is justified.

I'm tired of these fanatics who say stupid things about the computer industry. Shouldn't they be out bombing the Great Satan or something? I don't have energy for you anymore. Sat, 20 Sep 2003 00:57:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? but it is, damn! It's just that people can't be arsed typing passwords (even if Windows XP and later offer to save them), and they always create and use administrator accounts. On top of that, Explorer isn't easy to launch twice as two different users (hint: the easiest way is to use Internet Explorer instead of Explorer), so people who often do file management will just run as administrators

Install Windows XP and at the "intro" create just one account. That account will have full administration privilages. Compare that to MacOS X where by there is only ONE administrator and you can't directly log in as it (try going su in shell).

As I said previously, Microsoft puts comvienence ahead of security. If they were interested in security, they wouldn't have the option to save password or allow the user to create an account with a password shorter than 6 charaters. Sat, 20 Sep 2003 04:05:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Right, Microsoft once again had to backpedal because the internet was just a "fad". Ditch the AOL, witness the real world. lol!

No use trying to correct the person. If he is stupid enough to use AOL, considering there are ISPs that are 1/10 the price for 2x the service, what is the likely hood that they know anything beyond their Windows computer and how to draw pictures in paint. Sat, 20 Sep 2003 04:14:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Of course I talked about OpenSSH, not some other little dinky toy implementation.

And even though it's been proven possible to root boxes with this exploit, and even though I could say that "Not everyone reads geek news webpages, and of course everyone will report to have patched their machines in a discussion about the problem - since they're by definition as discussion-participators aware of the exploit", I'll just say that it was an example, nothing more.

I use and love OpenSSH, the GNU tools, Linux, open web servers and so on. And they're more secure, a hell of a lot more secure - but they're not bulletproof yet. Sat, 20 Sep 2003 11:01:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? He's still rather clueless. Doesn't understand the difference between a virus and a worm, for one. Actually, lots of people don't seem to understand that, which makes discussions on whether Linux is more secure against *viruses* usually entertainingly misguided... Sat, 20 Sep 2003 11:21:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Of course not, when faced with the truth you make up lies about the person telling it then tuck your tail and run away. Sat, 20 Sep 2003 11:27:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? And nice to see that he is a big enough man to accept that he was wrong.

Except he probably wasn't. Certainly, some of the replies he's gotten back are, at best, misguided.

For example:
"Unix [which underlies Mac OS X] and Linux ARE more secure," wrote one reader. "They have been developed, open-source style, by people who know exactly what they are doing. Unix and Linux have had at least 10 years of battling hackers to better themselves. This leads to an extremely secure environment."

NT, of which XP is just the latest release, has also been developed by people who know exactly what they are doing. It has had about 15 years to develop and mature.

When a program tries to install itself in Mac OS X or Linux, a dialog box interrupts your work and asks you permission for that installation -- in fact, requires your account password.

Every version of OS X I've ever used allowed users (and by extension, anything they run) to "install" applications with neither warning nor prompting.

Not only that, but it would be trivial to have a worm or virus just pop up an authentication box asking for a password anyway - 99% of people would just merrily type in their password without thinking.

Administrator accounts in Windows (and therefore viruses that exploit it) have access to all areas of the operating system. In Mac OS X, even an administrator can't touch the files that drive the operating system itself. A Mac OS X virus (if there were such a thing) could theoretically wipe out all of your files, but wouldn't be able to access anyone else's stuff -- and couldn't touch the operating system itself.

This is simply false. Anything running as root can access any part of a Unix system.

However, I'm willing to bet that whoever wrote this is confusing an OS X "Administrator" account with an XP "Administrator" account.
An admin account under OS X just means the user can su to root or use sudo ro run things as root.
An admin account under XP really is an admin account. XP's equivalent to OS X's "admin" account is probably a "power user".

No Macintosh e-mail program automatically runs scripts that come attached to incoming messages, as Microsoft Outlook does.

Outlook does not automatically run scripts.

From a purely objective perspective, NT's design is a generation ahead of most Unix variants in terms of security.
Implementation bugs certainly remain, but pretty much every OS suffers from buffer overflows and the like.
Similarly, there are several security-oriented features that could be implemented out-of-the-box on XP systems that aren't due to its target audience.

The simple fact is - from a technical standpoint - there's little standing in the way of a virus or worm rampaging through the ranks of technically disinclined Linux and OS X users just like it does on Windows.


How about every user that is made on the computer is relegated to retricted mode only allowing them to load applications and write access to the home directory, anything that requires interaction with any other part of the system will require the user to input the root password.

This is possible and always has been. However, it breaks a great deal of old software many customers still run is written under the assumption it can do anything it pleases. Heck, a great deal of current software is still written with this assumption. Sat, 20 Sep 2003 11:27:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Nope, just have to make sure you embed your worm in the subject line or use a midi embed tag. LOL

HAHAHAHA Sat, 20 Sep 2003 13:29:00 GMT donotreply@osnews.com (Anonymous) Comments http://osnews.com/thread? http://osnews.com/thread? Install Windows XP and at the "intro" create just one account

never installed or used Windows XP. My only experience has been with Windows NT 4 and 2000, which create just the initial "Administrator" account and ask the password for it. All the users you create subsequently will be members of the Users group by default

As I said previously, Microsoft puts comvienence ahead of security. If they were interested in security, they wouldn't have the option to save password

don't be monorail-minded, KDE and Gnome allow it too

or allow the user to create an account with a password shorter than 6 charaters.

passwords longer than 6 characters on a home computer? are you serious? Sat, 20 Sep 2003 16:06:00 GMT donotreply@osnews.com (Anonymous) Comments