oToday ois ointernational "o" oday. oTo ohonour othe ocontribution of "o" oto our oliterature otoday oevery oword ohas oto ostart owith "o".
oWe othank "o" ofor oits ocontribution.
Sunday, August 27, 2006
Tuesday, August 22, 2006
"Responsible Disclosure" and "Responsible Behaviour"
The latest Microsoft attempt to hide a serious IE-related bug from its users under the pretext of "responsible disclosure" is outright pathetic!
This is from their blog entry:
Shortly after the release of MS06-042, independent security researchers responsibly disclosed to us the fact that they had discovered the crash was exploitable. We worked with them responsibly during the creation of the update. As soon as we knew we would have to halt the re-release, we informed the third party researchers. Due to the fact we did not want to communicate the existence of the exploitability of the crash prior to an update being available, we also began the process of holding our communication on the issue so that attackers would not have clear public information available that the current problem was exploitable.
This was another difficult decision on our part. There was no intent here to misrepresent the issue as not being exploitable. Often times however, we find ourselves in the position of having to strike a balance between providing information equally to users who would use the information to protect themselves, and attackers who, history has proven, will immediately use the information for criminal purposes. In this case, we felt that, due to the fact the platform and specific vector of the crash was known, publicly disclosing that it was an exploitable security vulnerability prior to our being able to provide customers with an update to address it would have breached our position on responsible disclosure and would have put customers at increased risk.
Unfortunately, one of the security researchers who reported this to us disagreed with our decision to hold communications and has publicly pointed out the exploitability of the specific crash and the affected platform. ....SNIP.... Since the exploitability of this is public now however, there is certainly increased risk of attack. We have issued a security advisory detailing workarounds and mitigations for the vulnerability while we have our teams working at full speed to resolve the quality issue and release the update as soon as it meets our quality bar.
It seems that responsible researchers and security analysts carry a huge, one-sided burden of responsibility: they are not supposed to tell the general public how much damage a faulty or buggy piece of software can do, and must instead let the company decide when and how information about its faults will be released!
The company that produces the software, however, has no corresponding responsibility towards the numerous users of its software to tell them how critical the bug really is.
While "Responsible Disclosure" is expected, "Responsible Behaviour" is not guaranteed.
At the very least, the users of a software product have to be kept informed of the bugs that are serious and can be dangerous to them. That is what the customer expects in return for the trust placed in the company's advisories. But Microsoft did not do this, and is now faced with a situation in which it is forced to reveal that it knew of a serious bug and was hiding its presence from the customers who trust it.
eEye in their advisory stated:
This information is already known in various research circles and also with exploit writers. So it is important that IT administrators understand the true threat of this problem that this is not simply a crashing bug as Microsoft has been incorrectly misrepresenting it but in fact that it is an exploitable security bug. Researchers and exploit developers know this, therefore it is extremely important that IT administrators are told what really is going on.
eEye did a commendable job in disclosing this vulnerability to the public.
Microsoft seems to think that the public should and will continue to use a bug-ridden product, and that to save users from harm it is advisable not to reveal the bugs. They forget that users will move to other products once they lose trust. Microsoft itself should responsibly accept the problems in IE and suggest that users use a more secure web browser. That would be real responsibility!
UPDATE: Here is a link to what vendors define as Responsible Disclosure.
--------------
Tag: Technical
Saturday, August 19, 2006
World's end and MS06-040 Exploit
Just after Microsoft released their patch for MS06-040, and in the few days before that, there was a huge hue and cry about how the world would end in a worm outbreak!
But things turned out otherwise. LURHQ has a nice article on this titled "MS06-040 Exploit: More Hype Than Threat".
Interestingly, the bot exploiting this vulnerability is using the compromised machines for relaying spam! Business-minded hackers/crackers are here, and this might be the trend of things to come. There is nothing to be gained by releasing a worm that cripples a large part of the internet. Business-savvy hackers/crackers can instead make some money out of an exploit by releasing it in small quantities in the wild to avoid detection: the bigger the impact, the more attention it draws and the more prevention measures follow. An attack that targets relatively few machines rather than the whole internet would at least assure some financial gain.
As it is said, it is futile to kill the goose which lays the golden eggs.
Wednesday, August 16, 2006
Privacy and Google
Google is making so many inroads into our daily lives that it must be pretty easy for it to know a lot about each individual.
Using the search engine itself leaves a trace. If Google wishes, then for a given fixed IP address it can gain a whole lot of personal information on the person or people who use that address to search the web.
Recently we had the AOL blunder, which showed how much data on an individual these service providers collect over time, and that we cannot assume this data will be safely guarded by the company.
Now there is Google's new idea of offering shopping coupons (discounts) to customers who used Google Maps' local search to find a store or business establishment. Given that a person using such a service will have to give a home address to get the route to the store, Google gets one more critical piece of information about the user. Combining this with the IP address and all the search engine logs will almost open up the life story of a net-savvy individual.
blogger.com is also a Google product. Anonymous blogs are really not anonymous. What are the odds that a person writing an anonymous blog at blogger.com will not use Google as their search engine? What if this anonymous author then decides to use Google Maps to get directions?
As Google gets more and more involved in our daily 'on-the-internet lives', our privacy is at stake.
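The aggregation argued above, as an added example that is not part of the original post: three tiny log fragments from hypothetical search, maps and blog-hosting services, each of which on its own records only a client IP plus one fragment of a person's life, are joined on that IP into a single profile. Every log line, field layout, service name, IP address and street address here is constructed for illustration and is not Google's or anyone's real log format.

```python
"""
Added example: how three separate service logs that share only a client IP
can be joined into one identity profile. All logs, field names and addresses
below are constructed for illustration (assumptions, not real formats).
"""
from collections import defaultdict
import re

# Constructed sample logs. Each service sees only a fragment:
# search sees queries, maps sees a route origin, the blog host sees
# which pseudonymous blog was published from which address.
SEARCH_LOG = """\
2006-08-16T09:12:03 203.0.113.7 q="mutual funds for nri"
2006-08-16T09:14:41 203.0.113.7 q="visa renewal appointment bangalore"
2006-08-16T10:02:17 198.51.100.23 q="weather boston"
"""

MAPS_LOG = """\
2006-08-16T09:30:55 203.0.113.7 from="12 Lake View Road, Koramangala" to="Forum Mall"
2006-08-16T11:45:02 198.51.100.23 from="400 Main St, Cambridge" to="Logan Airport"
"""

BLOG_LOG = """\
2006-08-16T21:07:19 203.0.113.7 action=publish blog=anon-whistler
2006-08-16T22:10:00 198.51.100.23 action=publish blog=bostonfoodie
"""

# "<timestamp> <ipv4> <key=value ...>"; values may be quoted when they contain spaces.
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(text, service):
    """Turn one service's log text into a list of (ip, service, fields) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(m.group('rest'))}
        records.append((m.group('ip'), service, fields))
    return records


def correlate(*record_lists):
    """Join records from every service on the client IP.

    The IP is the only key all three services share; with a fixed address
    it is enough to pull each service's fragment into a single profile.
    """
    profiles = defaultdict(lambda: {'queries': [], 'home': None, 'blogs': set()})
    for records in record_lists:
        for ip, service, f in records:
            p = profiles[ip]
            if service == 'search' and 'q' in f:
                p['queries'].append(f['q'])
            elif service == 'maps' and 'from' in f:
                p['home'] = f['from']          # the route origin is usually home
            elif service == 'blog' and f.get('action') == 'publish':
                p['blogs'].add(f['blog'])
    return dict(profiles)


def deanonymize(blog_name, profiles):
    """Return (ip, home address, queries) for the author of an 'anonymous'
    blog, or None when no log ties that blog to an address."""
    for ip, p in profiles.items():
        if blog_name in p['blogs']:
            return ip, p['home'], p['queries']
    return None


if __name__ == '__main__':
    profiles = correlate(parse_log(SEARCH_LOG, 'search'),
                         parse_log(MAPS_LOG, 'maps'),
                         parse_log(BLOG_LOG, 'blog'))
    print(deanonymize('anon-whistler', profiles))
```

The join key here is a fixed IP address, the weakest case; the same code works unchanged with any identifier that all the services share (a login cookie, an account ID), which is why separate privacy promises per service mean little once one party holds all the logs.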
---------------
Tag: Technical
Such small small answers...oof !!
"..kitne chotte chotte ans oof..."
The bigger the question is, the smaller is the answer. Isn't that true?
(?) What time will the train arrive?
(ans) Its running late. It is expected to arrive .....
(?) Did he pass or fail?
(ans) ...silence....
(?) Is it going to rain today?
(ans) This weather is killing me. Yesterday it was too......
(?) Is it a boy or a girl?
(ans) girl
(?) How do I get to the beach?
(ans) Oh, take the second right and then keep following until....
(?) Is he recovering now?
(ans) He is no more.
(?) Can I date you this weekend?
(ans) That would be great! But you know there is this...
(?) Will you marry me?
(ans) yes.
----------------
Tag: My Thoughts
Tuesday, August 15, 2006
The 'So' Problem
"So", American English somehow seems to demand that every sentence start with 'so', even the first one. This habit plagues speakers to such an extent that once one starts listening for it, it is tough to keep oneself from being amused! The average speaker will use it a great many times, having started the conversation with a 'so' and ended it with a 'so' sentence as well.
Dictionary.com defines it thus:
====================================
so
adv.
1. In the condition or manner expressed or indicated; thus: Hold the brush so.
2. To the amount or degree expressed or understood; to such an extent: She was so weary that she fell.
3. To a great extent; to such an evident degree: But the idea is so obvious.
4. Because of the reason given; consequently: She was weary and so fell.
5. Afterward; then: to the gas station and so home.
6. In the same way; likewise: You were on time and so was I.
7. Apparently; well, then. Used in expressing astonishment, disapproval, or sarcasm: So you think you've got troubles?
8. In truth; indeed: “You aren't right.” “I am so!”
adj.
1. True; factual: I wouldn't have told you this if it weren't so.
2. In good order: Everything on his desk must be exactly so.
conj. Usage Problem
1. With the result or consequence that: He failed to appear, so we went on without him.
2. In order that: I stayed so I could see you.
pron.
Such as has already been suggested or specified; the same: She became a loyal friend and remained so.
interj.
Used to express surprise or comprehension: So! You've finished your work at last.
Idioms:
so as to
In order to: Mail your package early so as to ensure its timely arrival.
so that
1. In order that: I stopped so that you could catch up.
2. With the result or consequence that.
so what
Used to express contempt or lack of interest.
Usage Note: Many critics and grammarians have insisted that so must be followed by that in formal writing when used to introduce a clause giving the reason for or purpose of an action: He stayed so that he could see the second feature. But since many respected writers use so for so that in formal writing, it seems best to consider the issue one of stylistic preference: The store stays open late so (or so that) people who work all day can buy groceries. ·Both so and so that are acceptably used to introduce clauses that state a result or consequence: The Bay Bridge was still closed, so (or so that) the drive from San Francisco to the Berkeley campus took an hour and a half. ·So is frequently used in informal speech to string together the elements of a narrative. In most cases, this practice should not be carried over into formal writing, where readers need connections to be made more explicit. ·Critics have sometimes objected to the use of so as an intensive meaning “to a great degree or extent,” as in We were so relieved to learn that the deadline had been extended. This usage is most common in informal contexts, perhaps because, unlike the neutral very, it presumes that the listener or reader will be sympathetic to the speaker's evaluation of the situation. Thus one would be more apt to say It was so unfair of them not to invite you than to say It was so fortunate that I didn't have to put up with your company. For just this reason, the construction may occasionally be used to good effect in more formal contexts to invite the reader to take the point of view of the speaker or subject: The request seemed to her to be quite reasonable; it was so unfair of the manager to refuse.
Regional Note: New England speakers often use a negative form such as so didn't where other varieties would use the positive so did, as in Sophie ate all her strawberries and so didn't Amelia. Since this usage may confuse a speaker who has not previously encountered it, it is best avoided in writing.
====================================
Some of this was new to me!!
Wiktionary has something to say about this word too: http://en.wiktionary.org/wiki/so
One example of the American use of 'so' spilling over into a blog (which is generally informal) is a recent entry in the Microsoft Security Response Center Blog.
"So", let me end this now.
----------------
Tag: My Thoughts
Saturday, August 12, 2006
Emails, IMs, scraps and blogs
Long ago, it started out with emails. The person you knew and wanted to contact would be sent an email, which would be answered in return, and thus both sides would communicate with each other and share the happenings of life.
Then came the Instant Messenger (IM) craze. Everyone was hooked on chatting, and hours and hours would pass by typing furiously into the IM client window. It was a completely new thing. There were so many people to chat with; one could also search for like-minded people, add them to the buddy list, and thus communicate with total strangers. Social interaction through the internet was reaching new heights.
And now the latest thing is writing 'scraps' in Orkut or 'Friends Comments' in myspace (which, by the way, is missing an apostrophe after 'Friends'). This is again a completely new behavioural pattern. Now people not only want to get in touch with their friends, but also do not mind others reading their conversations! It seems people would rather engage in frivolous talk with a big group of others than send detailed personal emails to close friends. Personal life is all on the web, and everybody knows about everybody's life.
Of course, then there are blogs, such as this one and many, many others, which are another way of expression (what I do here) and communication (what I don't do here).
Pick your way of communication and expression. The menu card is big, thanks to the internet!
-----------------
Tag: My Thoughts