Invader's-rant
Public Service Announcement: DO NOT USE INTERNET EXPLORER!!!! Definition: MySpace [Mai' thpathe] (pronounced with a lithp), N. - 1. A shrine to Terrible teener web programming, the worst M$ driven Web2.sl0 has to offer.

2008-12-17

IE Fans Beware: Hackers Are Exploiting a Serious Unpatched Flaw


Please don't use Inturdnet Exploder and plug up my inbox with spam and my firewall with mindless hammering when your crackheaded M$ Winders box gets trojaned and zombified! 80% of all spam is generated by infected Windows machines. Windows is a registered albatross of Micro$oft corp.



If you've never tried Firefox, Safari, Opera, Google Chrome or other Internet Explorer alternatives, now might be a good time.

Micro$oft's flagship browser, the default choice on countless Windows machines, currently has a serious security flaw that affects all versions of the browser running on any version of Windows. The vulnerability allows hackers to gain access to any sensitive data on your PC.

Even more worrying, the exploit is already in the wild and there's no fix in sight**, leading a number of security researchers to suggest that, in the interest of avoiding malicious software, users switch to another browser.

If you're the pry-it-out-of-my-cold-dead hands sort of IE fan, there is one bright side to news that some 10,000 sites are ready to pwn your PC: so far the sites are mostly Chinese and the malicious software is mainly after passwords for computer games, which can be sold on the black market.

But given the scope of the flaw and the fact that Microsoft has yet to release a patch**, don't expect that to last. Eventually far more sophisticated trojans will likely emerge with far more dangerous goals.

Obviously Microsoft isn't recommending you ditch IE (though the company didn't hesitate to suggest dumping Apple's Safari browser when it suffered from a far less serious vulnerability). Instead the company has released a security bulletin with possible workarounds, including running IE in Protected Mode and running Windows as a non-administrative user (to limit the damage an attacker can inflict).

Microsoft also says it is investigating the flaw and may push out an emergency software patch, rather than wait for the next monthly patch cycle to roll around.

**UPDATE - This has been patched. It took them far too long, but better late than never. Get the patch HERE

It is mentioned that other browsers have vulnerabilities... Yes that's true, but no other browser is so carelessly integrated with Windows as are Internet Explorer and the M$ HTML stack. When you look at your files and directories on your computer - IE libraries are accessed. The toolbar on Windows Explorer (what launches with "My Computer") uses IE libraries. IE is hooked by the shell and by a number of processes running with SYSTEM (higher than Administrator) level privileges such as Automatic Updates. Most people have to run Windows as a member of Administrators, thus, anything running as that user Runs As Administrator! And don't think just because you run Vista and you aren't running as admin, as numb to those G%#$amn (Confirm) (Deny) as people are, you're bound to _give_ permission to an app that needs it for world domination. As in WARGAMES, the only way to win the game, is not to play.

2008-12-02

These were comments and my replies to those comments on the following /. story:


Apple Quietly Recommends Antivirus Software For Macs


Posted by timothy on Tuesday December 02, @08:59AM
from the wear-your-rubbers dept.
Security OS X Apple
Barence writes "After years of boasting about the Mac's near invincibility, Apple is now advising its customers to install security software on their computers. Apple — which has continually played on Windows' vulnerability to viruses in its advertising campaigns — issued the advice in a low-key message on its support forums. 'Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.' It goes on to recommend a handful of products." Reader wild_berry points out the BBC's story on the unexpected recommendation.


===================================================

I wish people would stop parroting this fallacy all the time. Market share has nothing to do with how easy it is to break into a system.

Look at AROS [sourceforge.net]! It has no security whatsoever, not even memory management between processes, so despite only having a hundred or so users, it must have zillions of viruses. But, of course, it DOESN'T. So far as I'm aware, nobody's bothered to write one, and it's unlikely any AROS virus would actually be effective.

All viruses require a reasonable level of market share to operate, because one of the principles they rely upon is a network effect, and you just plain cannot get a network effect without a decent market share. So marketshare is, very much, a pre-requisite for a successful virus. It's not the only one, but when people say "Mac OS X hasn't been attacked yet because it doesn't have enough marketshare", they're right. That's one fundamental reason. And unless you can show that any other reasons apply, it's likely to be the only reason.

If you have something like windows where security is bolted on after the fact, an OS that was never meant to be a multi-user OS connected to the internet (all these were added as features later on and done poorly) then you will have a system that is much harder to keep secure.

UNIX on the other hand was designed from day one to be networked multi-user OS, and security and separation of concerns was there from beginning.

It's frankly hilarious that Unix, on which the first worms operated, can be held up as some system that had security built-in from the start. It's also untrue that Windows, that is, the operating system known as Windows today, was "never meant to be a multi-user OS connected to the internet". Unless you're talking about Windows Me and its predecessors (98, 95, 3.1, et al), then that's completely false. Current versions of Windows (XP, Vista, 2003, et al) are derived from Windows NT, which was designed, from the beginning, to be "a multi-user OS connected to the internet".

In fact, Windows NT and its successors have a more advanced security model than Unix, allowing more than a separation of users and groups.

The issue with Windows is two fold. First, marketshare. And second, an over complex user-environment where too much functionality is available on the "user" side of the security wall. Both of these issues affected Unix up until the mid nineties, where its disproportionate share of Internet nodes and the amount of stuff running as the default user (which in Unix was root, which also happened to be the account with the most rights.)

There's little reason to believe that Mac OS X is protected from viruses by anything other than its low market share at this point. There's not a large enough group of users for network effects to take over. It is not an inherently secure operating system. The default user is generally set up with administration privileges, and it just takes a buffer overflow or other ordinary vulnerability in a client application like a web browser plug-in for a virus or worm to have complete access to the user's files, and enough access to be able to modify many of the applications the user is likely to run.

Fundamentally, Mac OS X has the same problem as Windows, and the same problem the "run-everything-as-root" Unixes did in the eighties and early nineties: too much functionality available to the default user. To fix this, you need to change the model somewhat. The very least Apple could do is set Mac OS X up so that the installer actively discourages setting up the default user as an administrator.





AFAIK, OS-X processes run as the (nonprivileged) user, and only during software installation and system changes are user actions run as root. HAL implementations and things allow user interactions, such as a user being able to execute a dialup operation or to mount media. When a system update or a new piece of software is to be installed, or a system setting such as en/disabling a service, a dialog asks for the user's permission. Most better linux distros do this through sudo or its guified variants. I almost NEVER am asked for permission to do something because I almost never make changes to the SYSTEM.

To play devil's advocate, the same may be said for Fista, but Fista asks permission for EVERYTHING!! The user is so often annoyed by the stupid mother%$#@%%^# UAC bull%$#% that they no longer pay attention to what's going on requiring a priv elevation and just click (I agree)(I agree)(I agree)(I agree)WTF!?(I agree)(I agree)Leamme alone willya(I agree)(I agree)STFU i keel you(I agree)(I agree)(I agree)AGGGGGHHHHHHH THE %$#@!?(I agree)[DOOMSDAY] %&^%% NO CARRIER

That implementation is a recipe for disaster. I actually ship all Fista installs with UAC Off because it does no good anyway, plus, most remote control implementations don't work for %$%# under it.

Now, anything prior to Winders Fista, it's practically a hard REQUIREMENT to run as admin. Even something as harmless as Acrobat Reader will not run well without God privileges.


Oh and trojans and worms require dumb users and exploits, respectively. Virii require homogeneous platforms with consumer accessible scripting languages and universal admin access... Thusly Windows is the most fertile platform for pestilence of any and all kinds, due to by-design perfect availability of all these conditions.

Windows is a Norway rat or a smallpox blanket.


===============================================

Except the GP didn't say that it was easier to break into the system - he said that more people are going to try. I think he neglects to mention an underlying assumption that no software is perfect, and given enough time and effort, the chances of finding a security flaw that can be exploited is greater than zero in ANY piece of software. While this assumption won't always be true, it's completely reasonable for us to make it when considering the security of our systems - for we don't really have any way of disproving it for any particular piece of software.
Agreed, however this is still news because the platform is under such control by Apple. They could quietly and easily put not only hardware and software in place. But implement more effective procedures in their software process to make security tighter. And we wouldn't be the wiser.



Since it IS under such an Iron Curtain by the Turtlenecked-One, they could also just as easily just paint on some secure looking interfaces and in reality only have lukewarm porridge behind the scenes..

They could implement more effective procedures, but skilled programming requires either programmers whose input is revered and who are justly compensated, or it requires an open development model based on a meritocracy and peer review where people won't get shot at for finding, documenting, and responsibly disclosing flaws.

I had a boss who always said, "Don't just come to me with a problem, come to me with a 'how things are' and a 'what to do about it'."


=====================================================

I think he neglects to mention an underlying assumption that no software is perfect, and given enough time and effort, the chances of finding a security flaw that can be exploited is greater than zero in ANY piece of software.

I don't believe this to be true if enough focus on security is made.

Software can be made secure at the expense of functionality. Now this doesn't ever solve the problem of local access, but if you made your OS into a glorified terminal server, you can prevent automated attacks by restricting what the user can do by default.

Of course the user might be hindered somewhat, but sometimes that is the price to pay.



They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.
-Benjamin Franklin


Not to mention that implementations denying users privileges have been annoying at best (UAC on Fista (VISTA), destroyed and removed while OS still called Longhorn LOL) and often disastrous (the crypto used on DVD and BluRay, cracked a few months and a few weeks post release, respectively).

Doing these things makes ordinarily whitehat power users seethe. We then violently crack the protection on general principle. Some two-bit weenie in Redmond or Cupertino is NOT going to tell me what I can and can't do with MY system!


=======================================================

2008-11-26

The Real Plumbers of Ohio



By PAUL KRUGMAN
Published: October 20, 2008

Forty years ago, Richard Nixon made a remarkable marketing discovery. By exploiting America’s divisions — divisions over Vietnam, divisions over cultural change and, above all, racial divisions — he was able to reinvent the Republican brand. The party of plutocrats was repackaged as the party of the “silent majority,” the regular guys — white guys, it went without saying — who didn’t like the social changes taking place.


It was a winning formula. And the great thing was that the new packaging didn’t require any change in the product’s actual contents — in fact, the G.O.P. was able to keep winning elections even as its actual policies became more pro-plutocrat, and less favorable to working Americans, than ever.

John McCain’s strategy, in this final stretch, is based on the belief that the old formula still has life in it.

Thus we have Sarah Palin expressing her joy at visiting the “pro-America” parts of the country — yep, we’re all traitors here in central New Jersey. Meanwhile we’ve got Mr. McCain making Samuel J. Wurzelbacher, a k a Joe the Plumber — who had confronted Barack Obama on the campaign trail, alleging that the Democratic candidate would raise his taxes — the centerpiece of his attack on Mr. Obama’s economic proposals.

And when it turned out that the right’s new icon had a few issues, like not being licensed and comparing Mr. Obama to Sammy Davis Jr., conservatives played victim: see how much those snooty elitists hate the common man?

But what’s really happening to the plumbers of Ohio, and to working Americans in general?

First of all, they aren’t making a lot of money. You may recall that in one of the early Democratic debates Charles Gibson of ABC suggested that $200,000 a year was a middle-class income. Tell that to Ohio plumbers: according to the May 2007 occupational earnings report from the Bureau of Labor Statistics, the average annual income of “plumbers, pipefitters and steamfitters” in Ohio was $47,930.

Second, their real incomes have stagnated or fallen, even in supposedly good years. The Bush administration assured us that the economy was booming in 2007 — but the average Ohio plumber’s income in that 2007 report was only 15.5 percent higher than in the 2000 report, not enough to keep up with the 17.7 percent rise in consumer prices in the Midwest. As Ohio plumbers went, so went the nation: median household income, adjusted for inflation, was lower in 2007 than it had been in 2000.

Third, Ohio plumbers have been having growing trouble getting health insurance, especially if, like many craftsmen, they work for small firms. According to the Kaiser Family Foundation, in 2007 only 45 percent of companies with fewer than 10 employees offered health benefits, down from 57 percent in 2000.

And bear in mind that all these data pertain to 2007 — which was as good as it got in recent years. Now that the “Bush boom,” such as it was, is over, we can see that it achieved a dismal distinction: for the first time on record, an economic expansion failed to raise most Americans’ incomes above their previous peak.

Since then, of course, things have gone rapidly downhill, as millions of working Americans have lost their jobs and their homes. And all indicators suggest that things will get much worse in the months and years ahead.

So what does all this say about the candidates? Who’s really standing up for Ohio’s plumbers?

Mr. McCain claims that Mr. Obama’s policies would lead to economic disaster. But President Bush’s policies have already led to disaster — and whatever he may say, Mr. McCain proposes continuing Mr. Bush’s policies in all essential respects, and he shares Mr. Bush’s anti-government, anti-regulation philosophy.

What about the claim, based on Joe the Plumber’s complaint, that ordinary working Americans would face higher taxes under Mr. Obama? Well, Mr. Obama proposes raising rates on only the top two income tax brackets — and the second-highest bracket for a head of household starts at an income, after deductions, of $182,400 a year.

Maybe there are plumbers out there who earn that much, or who would end up suffering from Mr. Obama’s proposed modest increases in taxes on dividends and capital gains — America is a big country, and there’s probably a high-income plumber with a huge stock market portfolio out there somewhere. But the typical plumber would pay lower, not higher, taxes under an Obama administration, and would have a much better chance of getting health insurance.

I don’t want to suggest that everyone would be better off under the Obama tax plan. Joe the plumber would almost certainly be better off, but Richie the hedge fund manager would take a serious hit.

But that’s the point. Whatever today’s G.O.P. is, it isn’t the party of working Americans.
A version of this article appeared in print on October 20, 2008, on page A29 of the New York edition.

Auto Company Buyouts:


It's perfectly ok to aid those companies who use American labor at a living wage, to produce product that's environmentally and economically responsible.

However, to those companies who get themselves in a jam by specializing in vehicles that take two parking spaces and have fuel consumption ratings in Gallons Per Mile,
--No Soup For YOU!!--

To those who manufacture their vehicles in CHINA or other human rights trampling tin-pot dictatorships, while Americans sit in the union hall or unemployment line or worse,
--No Soup For You!!--

Each vehicle component that is made or assembled overseas when there is labor and reasonable manufacturing capacity (skilled workers) to make it HERE, shall lose Double the US market value in Buyout Bucks.

For Example, A headlamp envelope made in the land of Chairman Mao for a vehicle that costs Joe The Plumber $200 to replace will be $400*the number of vehicles it's installed on. If there are 300000 Vibes made this year with this headlight assembly, that's $400*300000=$120,000,000 in buyout bucks that will be put into a fund to reward American job creation. If contractual agreements are made to remedy this within 3 years of buyout, waive the penalty and help facilitate this change. China won't see one more cent from any company that receives corporate welfare.

It should be considered embezzlement to hand out or receive golden parachutes while the company has its hand out to the taxpayers for a bailout and is cutting wages, pensions, healthcare, and jobs. Go Corrupt? Your leadership goes for 30 years hard in Sing Sing F--- me in the A-- Prison - General Population with a Friendly(hehe) bunkmate.

...And no more coddling companies on fuel efficiency standards. If Honda can meet these standards with 70% of each vehicle made in the 'states, the Big 3 (2?) have _NO_ excuse!

Just a thought.

In order to fund healthcare

In order to fund healthcare,

Tax the following:
alcohol
tobacco
prepackaged shredded Iceberg lettuce
Compact Industrial Iceberg Shredders
(Yes, I am going directly after the cholesterol clogged testicles of McD, BK, the 'Bell, and all other health destroying fast food places which will cost healthcare bigtime..)
people making over $700,000(who should be eligible for this healthcare btw)
moving violations
gas guzzler SUVs owned by households of one or two people.

Oh and tariff the **** out of companies that export our jobs and import melamine milk, leaded toys, and shitty tinfoil cars. Basically Wal*Mart becomes TariffMart!

Bring the troops home, or start wantonly pumping oil out of IRAQ.

Award defense contracts to _ethical_ companies.
Contractor commits gouging, ethics violations or corrupt acts? Lose your contract and your leadership goes for 30 years hard in Sing Sing F--- me in the A-- Prison - General Population with a Friendly(hehe) bunkmate.
(Yep I'm gonna have Swedish Halliburton Balls for Breakfast.)

Punish companies who make it corporate policy to screw their employees and destroy other local businesses. Tax their leadership. Ultimately, a screwed employee is a burden on the taxpayers in food stamps, childcare, and medicaid. It becomes a double whammy when the employee makes such crappy pay as not to have to pay taxes themselves due to being under poverty level. If as a faith based nonprofit you do this to your people while your leadership makes hundreds of thousands or more? you lose your 501c3 status.
Awwh, Sam Walton's kids might have to forgo one less Aston Martin each this year to pay the screw your employees fine, and the Prayse Jaysus Nursing Home gets new leadership or gets the chair. [violins play a sad waah waah story tune]

People who don't work or at least try to find work are to receive no benefits. No more of this "sit on your butt and draw welfare" garbage! If I'm going to pay taxes to support your dead a**, abuse will be treated as garden variety theft or fraud! It's Sing Sing for you too!

There are other places to find money for this, but these are the ones kicking around my head right now. And spend not one dime of this revenue stream on anything BUT healthcare!

2008-11-25

One sunny day in January, 2009,..

One sunny day, January 21st, 2009, an old man approached the White House from
across Pennsylvania Avenue, where he'd been sitting on a park bench. He
spoke to the U.S. Marine standing guard and said, 'I would like
to go in and meet with President Bush.'

The Marine looked at the man and said, 'Sir, Mr. Bush is no longer
president and no longer resides here.'

The old man said, 'Okay' and walked away.

The following day, the same man approached the White House and
said to the same Marine, 'I would like to go in and meet with President Bush.'
The Marine again told the man, 'Sir, as I said yesterday, Mr. Bush is no
longer president and no longer resides here.'

The man thanked him and, again, just walked away.
The third day, the same man approached the White House and spoke
to the very same U.S. Marine, saying 'I would like to go in and meet
with President Bush.'

The Marine, understandably agitated at this point, looked at the man and
said, 'Sir, this is the third day in a row you have been here asking to
speak to Mr. Bush. I've told you already that Mr. Bush is no longer the
president and no longer resides here. Don't you understand?'

The old man looked at the Marine and said, 'Oh, I understand. I
just love hearing it.'

The Marine snapped to attention, saluted, and said, 'See you tomorrow, Sir.'

2008-10-15

Note from Karl Rove

Dear MoveOn member,


Time to relax!



Obama is way ahead in the polls. It's time for you to take victory for granted, and to stop paying attention.



And there's definitely no need to spend one more minute volunteering [http://pol.moveon.org/obama/teams/training.html?office_id=11997&id=14395-9067885-qi.wvBx&t=1].

You're probably thinking, "But Karl Rove, why would you—the mastermind behind the stealth get-out-the-vote program
that powered George Bush's victories—be advising us not to get out and talk
to voters?"


That is a good question. (And by the way, I prefer "Evil Genius" to "Mastermind.") It's true that voter
outreach can tip an election—but you're ahead in the polls, and they never lie.



So relax! Do some yoga. Check out the new season of Project Runway. Sip white wine lattes, or whatever it is that you people
like to drink.



Barack does not need you out talking to voters in Michigan [http://pol.moveon.org/obama/teams/training.html?office_id=11997&id=14395-9067885-qi.wvBx&t=2]—so there's finally time to tie-dye the seat covers for your Volvo. In fact,
you probably shouldn't even bother to vote.



Please forward this to all of your Democrat friends. Don't send it to Republicans, though. Thanks!

–"Karl Rove"



P.S. Again—no volunteering! Don't click this link to sign up to help Obama in Tecumseh:


http://pol.moveon.org/obama/teams/training.html?office_id=11997&id=14395-9067885-qi.wvBx&t=3


P.P.S. Our lawyers made us promise to tell you that Karl Rove didn't actually write this message—but we're pretty sure
this is what he'd write if he had.

2008-09-22

the motherf$king gas prices








Current mood: angry





I've never had to worry about taking a 30mi trip somewhere for a job, but what with unemployment, and the gas prices caused by the $hitheels in government.. it costs $6 for a round trip to Brooklyn from Adrian!!!



HOUSTON, TX (IWR Satire) -- Mr. Bush (above) leads his supporters in the "Neocon Pledge of Allegiance" (Full Text below) at the Joe McCarthy Arena in downtown Houston.

After the pledge was recited, Mr. Bush and his followers goose-stepped around the arena in their jackboots as the loud speakers played the Horst Wessel Song.

I Pledge Allegiance

to the Authoritarian Leader of the United States of America

and to the Neocon Agenda for which he stands,

one Nation

under Fear,

divided,

with liberty and justice for ExxonMobil-Shell-Texaco-BPAmoco-EmroETC.

[http://www.internetweekly.org/photo_cartoons/cartoon_bush_neocon_pledge.html]

2008-07-08

Migrate to Linux instead of Vista




[Get UBUNTU here] [Get FEDORA here] [Get OPENSUSE here]
Mr I's comment - a smart move for ANYONE (except gamers... for now)

Comment A smart move for business

By Egan Orion: Tuesday, 08 July 2008, 1:59 PM
ganked from the inquirer

BUSINESSES DISMAYED at the prospect of being forced to move to Windows Vista, due to its associated hardware upgrade costs and poor performance, might consider moving to Linux instead as a viable alternative. Or so a recent article appearing at PC World suggests.

Since Windows XP remains available only as a "downgrade" from Vista, at additional cost, businesses that want to replace obsolescent PCs or need to add staff are compelled to buy Windows Vista and then pay extra if they want to stay with Windows XP. In order to avoid the cost of "downgrading" to XP by migrating all desktops to Vista, they're faced with the added cost of all new Vista licences, plus high hardware replacement costs because Vista requires new PCs kitted out with at least 2GHz CPUs and 2GB of memory in order to run acceptably. Then there's also the fact that Windows Vista performs poorly, even after SP1.

Businesses that want to avoid such a large hit to their IT budgets should perhaps consider migrating to Linux instead. All of the Linux distributions are available either entirely free of charge or at relatively low cost including vendor support.

Linux runs well even on older PC hardware, which means businesses can avoid having to purchase all new desktop PCs.

All of the major Linux distributions include free file and print servers, website and email servers and clients, office productivity applications, development toolsets and utilities.

Good Linux support is available from the larger distribution vendors at reasonable rates. Also, most cities and large towns have a local community of techies who offer support for Linux and applications running under it.

Sure, a business might incur some setup, initial support and staff familiarisation costs, but just the additional Windows Vista-related expenses avoided within the initial year alone by moving away from a Microsoft-centric IT environment will likely be well worth making the switch. In addition, the first-year cost savings might be dwarfed by further IT cost savings realised in future years by using Linux to avoid Microsoft's treadmill of recurring charges.

How much cash can a business save by making the switch to Linux instead of "upgrading" to Vista? Here's an admittedly incomplete, per-seat estimate of the cost savings:

ITEM                              MIN       MAX
New PC Hardware                   $700      $1,200
Windows Vista Business Edition    $300      $300
Windows XP Downgrade              $0        $50
Office Professional 2007          $0        $500
TOTALS                            $1,000    $2,050

The above breakdown shows that a business might save from $1,000 to $2,050 per seat by moving to Linux. The lower estimate assumes that it buys a very inexpensive replacement desktop PC, won't remain on Windows XP and so won't incur the "downgrade" charge for that, and already has a user licence for MS Office. The higher estimate assumes that it buys a higher end desktop or notebook PC, will stay with XP and so will incur the "downgrade" charge for that, and purchases a user licence for MS Office.

In contrast, switching to Linux won't require a business to replace its existing desktop PC hardware or buy expensive operating system or office productivity applications licences.

The PC World article has a lot more details, but the business case for switching to Linux instead of suffering through a forced and costly migration to Windows Vista seems clear. µ

L'Inq
PCWorld