Double-replying to apologize for my previous comment! I saw what I felt was a leading question and answered it with a leading question in kind, but I got turned around reading the thread and realized much later that I actually agree with you and my answer to your question would probably be more similar to yours than to the person you were replying to.
> How many countries are led by the far right? What about the far left?
Since you asked the question, I assume you have an answer, and I'm curious to hear it. I imagine it will reveal more about your personal politics than any observable political reality.
As another commenter said, it's a criminal conspiracy or something to that effect. If terrorism is supposed to be the use of violence against non-combatants to attain a political or ideological goal... then would de-Flock be anti-terrorism? Removing Flock cameras makes me feel less terrorized.
AD is perfectly fine. It's actually really good at what it is: a highly-available Kerberos implementation with an integrated directory server. It's not as dominant as it used to be because there are better ways to handle identity for web applications and zero-trust environments, but I don't think that diminishes what AD was good at.
> AD has built-in mechanisms where a random person can execute code on the AD itself
Could you provide an example? I'm sure I know what you're talking about, but the way you put it I'm having a hard time figuring out what you mean.
> Most people are not perfect; hence, most people have security issues with AD (see the never-ending tail of cryptolocked companies)
Yeah, but, how many of those ransomware attacks exploit misconfigured AD environments rather than something more banal like harvesting credentials accidentally checked into Git, or spear phishing for a target? Identity, in general, is hard.
AD allows connections between two computers that are registered against the Active Directory, including a random laptop and the AD itself.
This is a fundamental difference versus something like OAuth: in the former, everything is done to allow RCE on the AD: the code exists; in the latter, everything is done to prevent RCE on the issuer.
Identity is hard? Identity is a lot simpler once you assume that:
- people make mistakes
- code is buggy
- infrastructure has issues
This is why using things like OAuth instead of AD's authentication mechanism is good: because it is secured by default and you must try really hard to allow a wide range of attacks.
In the Windows world, you connect to a server using RDP. I thought this would be implied. RDP is a means to connect to a remote host and, from there, execute code. Hence, code execution.
What on earth are you talking about? RDP and AD are pretty much orthogonal to each other. You can use an AD account to connect to a domain-joined remote server over RDP, but at that point you're just... logging into a machine, same as any other remote protocol. You prevent bad actors from doing this by not giving them permissions to log in to that server. To call this "code execution" is really odd. Remote code execution as a vulnerability almost always refers to an unintentional behavior in software that allows an attacker to execute arbitrary code as part of that process. Referring to a user logging into a machine with the appropriate permissions and running software as "code execution" is not typical, and is not a vulnerability in any normal sense of the term.
Because logging in to a remote server is not "executing code on that remote server"...?
Same as any other remote protocol? Yes. But we are not talking about that, we are talking about Active Directory, whose main purpose is to authenticate and authorize stuff. Yes, you can configure everything. But just like a wall is better than a door with a lock... see what I'm saying? In the AD world, allowing remote code execution is not a bug, it's a feature. Call it a vulnerability if you want.
A direct competitor of AD is OAuth, which does not allow people to execute code on the issuer.
Number of cryptolocks due to OAuth: none (that I know of). As if theory and practice sometimes meet...
I understand that you like AD, and that's fine. The original post was about security and I stand by my point: thinking that we are perfect, that others are making mistakes but "not us", is not good for security. Neither is playing with fire, as per the vast quantity of burnt people.
> In the AD world, allowing remote code execution is not a bug, it's a feature.
This is the assertion that I think you have failed to prove. RDP and WinRM are just remote access protocols, like SSH or what have you. AD doesn't have to be involved in their use, so I'm not sure how "RDP allows you to log into a server remotely" is AD's problem. Or even a problem at all, since that's what it's meant to do.
> A direct competitor of AD is oauth,
It really isn't. OAuth is for authorizing third parties access to client resources, not for authentication. By the time you're getting access tokens with OAuth, you've already authenticated with your identity provider. Perhaps you're referring to OpenID Connect, which is built on OAuth 2.0? In any case, AD and OAuth/OIDC don't really compete with each other. AD is intended to be used on internal enterprise networks to simplify authentication and authorization across a fleet of machines, and OAuth/OIDC have a much more pronounced focus on web.
> which does not allow people to execute code on the issuer
I'm not sure what this means. When you say issuer, are you referring to the auth server that issues ID tokens? What if I'm hosting my IDP in AWS and use an OIDC integration to access my AWS admin console and remotely log in to my IDP server? Am I not then using it to execute code on my auth server?
"This is the assertion that I think..." - you are showing bad faith.
"OAuth is for authorizing third parties access to client resources, not for authentication" - just like AD, OAuth is used for authentication and authorization; see the fields sub, scope, audience etc.
"OAuth/OIDC have a much more pronounced focus on web" - of course, we do not use "web" inside internal enterprise networks.
"When you say issuer" - issuer is a keyword, not a random word. But again: you know it.
"Am I not then using it to execute code on my auth server": can you execute any kind of code on AWS' IAM servers (any server will do)? Please share some details.
> just like AD, oauth is used for authentication and authorization
In a sort of roundabout way, but in those cases what the relying party is accessing are the user's identifying details.
> of course, we do not use "web" inside internal enterprise networks
That's not really what I mean. I would never expose an AD domain to the internet, that's not what it's for.
> can you execute any kind of code on AWS' IAM servers
That's not what I was saying, I was saying it in the context of a self-hosted identity provider. If all you've meant by this entire exchange is that OAuth means you don't have to worry about security because you've outsourced it to someone else, then I've really wasted my time.
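A concrete illustration of the claim checks the exchange above keeps circling (the sub and audience fields, and why "issuer" is a keyword rather than a random word), added here as an example and not code from anyone in the thread: a minimal OpenID Connect ID-token validator written with only the Python standard library. The issuer URL, client_id and HS256 client secret are constructed for the example; a real relying party would usually verify an RS256 signature against the keys the issuer publishes at its JWKS endpoint, but the iss/aud/exp/sub checks that follow the signature check are the same.

```python
"""Validate an OpenID Connect ID token's claims (added example, not from the thread).

Constructed assumptions: issuer "https://idp.example", relying party client_id
"rp-demo", and an HS256 client secret shared with that issuer. Production IdPs
normally sign with RS256 and publish keys via JWKS; the claim checks do not change.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Produce an HS256-signed JWT the way the (constructed) issuer would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, expected_iss: str,
                    expected_aud: str, now: Optional[int] = None,
                    leeway: int = 60) -> dict:
    """Return the verified claims or raise ValueError.

    Signature first, then reject any token whose issuer or audience is not ours
    before anything reads `sub` as the authenticated user.
    """
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm; the token header must never pick it ("alg": "none").
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError("token not issued for this relying party")
    # With several audiences OIDC requires azp to name the client it was issued to.
    if len(aud_list) > 1 and claims.get("azp") != expected_aud:
        raise ValueError("azp mismatch")
    if "exp" not in claims or now > int(claims["exp"]) + leeway:
        raise ValueError("token expired")
    if "iat" in claims and int(claims["iat"]) > now + leeway:
        raise ValueError("token issued in the future")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


SECRET = b"constructed-client-secret-for-demo"  # assumption: HS256 key shared with the IdP
ISSUER = "https://idp.example"                   # assumption: our identity provider
CLIENT_ID = "rp-demo"                            # assumption: our client_id


def demo(now: int = 1_700_000_000) -> dict:
    """Mint one good token and three bad ones; return what the verifier did with each."""
    base = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "iat": now, "exp": now + 300}
    good = mint_id_token(base, SECRET)
    wrong_aud = mint_id_token({**base, "aud": "some-other-app"}, SECRET)
    stale = mint_id_token({**base, "exp": now - 3600}, SECRET)
    h, _p, s = good.split(".")  # re-use the good signature over a swapped payload
    tampered = f"{h}.{_b64url_encode(json.dumps({**base, 'sub': 'admin'}).encode())}.{s}"
    results = {}
    for name, tok in (("good", good), ("wrong_aud", wrong_aud),
                      ("stale", stale), ("tampered", tampered)):
        try:
            results[name] = verify_id_token(tok, SECRET, ISSUER, CLIENT_ID, now=now)["sub"]
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} {outcome}")
```

The audience check is the one most often skipped in hand-rolled validators: a token that is validly signed by the right issuer but minted for a different client_id is still not proof of who is calling you, which is why aud (and azp when there are several audiences) is checked before sub is trusted.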
However, according to Apple's docs, they only allow alternative app stores in the EU and Japan, so you have to be using an iOS account with the region set to one of those two places and be physically located there in order to install the app store. Not something that's easy to experiment with for people in the USA to see how the other half lives.
> Or is EU just trying to milk rich USA tech giants (I think I know the answer).
I don't really see an angle for the EU to do much milking here. Actually I think the AltStore founders are Americans? So they seem to be reaping the benefits of EU and Japanese legislation, remotely.
They were uploading these for free. The end result of the videos being taken down is that they are now even more inaccessible to that 4% than they were before.
Making things more accessible is a worthy goal, but the world is imperfect and making things better requires resources.
Our society is better when the things that are available are available to everyone, not just the privileged. I don't see why accommodations for the disabled are considered some unnecessary burden; they should be considered a cost of doing business, for everyone who does business.
This wasn't business. There were no profits to divert into making better subtitles.
And the ratio of effort between making a recording versus making a recording and then manually subtitling it is completely out of whack compared to the ratio you have in full produced works. There's a reasonable level of accommodation, and the reasonable level is below a doubling in costs.
I'm someone that would significantly raise the subtitling requirements on youtube if I could. But in this case I just don't feel it.
I shouldn't have used the term "business," because that made people think that I was referring more to economics instead of "doing the right thing even when the right thing is slightly more expensive." Look, UC Berkeley is a public university and they have to adhere to certain rules around disabilities and accommodations. It's well established law at this point; the ADA is 35 years old. They should know this, and they should be able to comply. To take down the videos suggests laziness and ignorance on Berkeley's part.
> doing the right thing even when the right thing is slightly more expensive
And that's why I made the argument that it wasn't slightly more expensive. It's possible it would have cost more to add subtitles than the entire rest of the project combined.
I think it's fair to mandate subtitles when there's a certain level of budget. I don't think it's a good idea to unconditionally mandate subtitles.
> UC Berkeley is a public university and they have to adhere to certain rules
In their normal course of action. I don't think this side project was plugged in to the core tasks of the university.
Shutting it down counts as lazy but what do you want a project with minimal budget to do?
We're not shaming other universities for not putting courses online. We're only shaming one that did it "badly" and then gave up. That's unfair. Every other university that doesn't fund similar subtitles and uploads should get the same reaction.
And by "badly" I mean it still had okay subtitles, just not particularly good ones.
Yeah, and without subtitles, the course content is not accessible to the deaf and hard of hearing... which the law says it has to be. UC Berkeley decided not to make their content accessible, and when someone complained, they took it all apart rather than making a reasonable (and legally required) accommodation. I guess I don't see why I'd blame the person filing the lawsuit here. UC Berkeley could have just... put up subtitles.
It had subtitles. The demand was better subtitles, and the project had barely any budget.
While I think fixing it or even having a fundraiser would have been a much better response, I do put a good share of blame on the person that filed the lawsuit against a free side project.
The person could have volunteered to write the subtitles themselves or, if they were deaf, to hire someone or even ask someone to volunteer to write subtitles. Or any other number of solutions.
To jump immediately to litigation is aggressive and shows that their true motive was not to actually enable the production of courses with good subtitles.
Why is the onus on the person with the disability to fix the lack of accommodation for the disability? A lawsuit is their remedy. Berkeley chose the laziest form of compliance rather than attempting to do the right thing.
I'm also a Miele canister vacuum owner, and everywhere in my house where I vacuum is within range of a wall outlet. When I'm done, the cord retracts into the vacuum so I don't need to wind it or stow it myself. I guess, for me, that takes care of the issue to a great enough extent that I just never saw an advantage that justified the expense?
If you are ok with it, I think that's fine. Cordless to me is a huge productivity boost since I can just pick it up and vacuum whenever. I think most people see it as a huge win, but I haven't conducted a formal poll or anything.
Having a robot do everything is just another step in the convenience direction. It is great if you have expensive floors that you want to maintain on a daily or bi-daily basis.