Domain: bfccomputing.com
Stories and comments across the archive that link to bfccomputing.com.
Comments · 60
-
Re:MitM are not newsworthy
If the network is using TKIP there's a chance of content injection. AES-CCMP is safe from that, for now. More here.
-
Re:yeah yeah
It will display a warning and let you continue
No, it won't - and that's the whole problem. It prompted me to write this piece on re-enabling SSLv3 on Firefox which is probably the most heavily-trafficked post I've done on that blog.
Most of these devices will support HTTP and HTTPS. The posture of the browser developers is to blow up HTTPS support on SSLv3 everywhere, regardless of the risk profile.
There are very few people who are going to get $1100 to replace a PDU because the current one only supports SSLv3. As it currently stands, those people have to re-enable SSLv3 for the whole Internet on their browsers to admin their local devices. Pretty soon they will have to stop updating their web browsers entirely.
There are only two possible real world outcomes:
1) people will re-enable HTTP administration and start sending their passwords cleartext on their LANs
2) the very people in companies who do security work will be running outdated browsers, on purpose, to connect to their gear.
3) a million dollars will appear overnight in a company's budget to replace gear for highly theoretical risks
simply is not an option that exists concurrent with reality.
If the browser engineers had handled the situation the same way as self-signed certs, or even made a more complex UI to specifically whitelist certain hostnames or subnets, then we could have made a reasonable transition. But that would have been hard work with real analysis required, and why do that when flipping a switch and boldly posturing is more crypto-macho?
The very same people who jeered corporate people for staying on IE6 are creating exactly the same situation in regards to SSLv3. They may understand a narrow aspect of cryptography very well, but they completely fail to understand the security of complex systems. They are hurting the security and privacy we're working so hard to achieve. Jeers indeed.
-
Re:Who the fuck would use something like that?
As soon as I change my master password as prompted by the LastPass email, they have nothing.
As far as I can tell - "not so fast". You also have to tell LastPass to not allow you to automagically revert to your previous master password. That's hidden under 'Advanced Settings'.
-
Re:Choice, not force.
I doubt it. Their vision for the future is sound, but they're not strongly connected to the reality of maintaining a good browser for the present at the same time. Mostly chest-beating rather than doing the hard work required.
Mozilla has gotten brazen lately about forcing questionable changes on users
Right. I have to manage $1200 PDU's that use SSLv3, so to use Firefox I had to re-enable SSLv3 for all sites. That's the only choice Mozilla felt like giving users. That's not bold, it's lazy and worsens overall security for the Internet.
If they think I'm going to get $30K to replace working gear "because Firefox" they're delusional.
-
Re:They disabled insecure TLS version fallback
I think he means this.
This one doesn't seem so bad, but the way Mozilla has handled SSLv3 deprecation has been a disaster.
I'm not going to go buy a new $900 PDU because the one I have only supports SSLv3 and not TLS1.2. Maybe I should switch it back to plain HTTP "for security"? Sheesh. Obviously a whitelist per-site/device would have been a smart approach, but that's not easy.
Secure isn't easy and security isn't a setting, it's a process and an ecosystem. Pisser when they weaken security overall just to avoid the off chance that a stupid person will erroneously blame Mozilla.
-
Re:Systemd? Not on my system...
Systemd vs init: It's a Swiss Army knife vs a chef's knife. A shiny abomination that does "everything" complexly and half-assed,
systemd needs improvements in many areas - I can't argue with that.
However, it's worth noting that in my past few days of playing with CentOS 7, it's been tremendously faster than CentOS 6 on every workload I've been able to throw at it.
I haven't done a deep dive to figure out why exactly, but I have noticed 'tuned' running, doing some dynamic system optimizations, it seems via systemd's control of cgroups.
Lennart's handling of bug reports makes my blood boil as much as the next guy, but there may very well be some baby in that dirty bathwater.
-
Re:WTF?
There's no one-size fits all solution. I've made the argument for informed disclosure here in the past, but in this case it probably wouldn't work. The DTLS code is so small and self-contained and the code so obvious to an auditor that just saying that there's an exploit in DTLS or to compile without heartbeat is probably enough to give the blackhats a running start. But there are other situations where informed disclosure is better than responsible disclosure.
Did Google do the right thing here? I'm not sure, but it's not completely clear that they didn't. There are several factors that bridge the gap between theoretical ideal and what can work in every situation in the real world.
-
Re:A tragedy
Additional thought: responsible disclosure only works because of the threat of full disclosure.
Sometimes. Other times the vendor threatens the researcher. Other times the researcher never takes it public. In all of those cases, there is a problem the community doesn't know about for some period of time.
I've advocated for Informed Disclosure in the past. In a nutshell, you tell the public that there is a problem, that the problem is related to X, that to work around it you can do Y, and that there will be a full disclosure release in n days. At that point you contact the vendor with the full details of the exploit and give them the time to fix it.
It avoids the aforementioned problems, but you better choose 'n' wisely or your name will be mud.
Both full disclosure and responsible disclosure have problems and we can do a little better.
-
Re:Better security might help
tell ME, the user, so I can stop using the vulnerable software until it's fixed.
Yes, tell you the user that there's a problem in a piece of software, and what part of that software, but also give the vendor some amount of time to fix it before dumping the exploit into metasploit. I once called this Informed Disclosure for lack of a better term.
-
Cost *= 1.5
I HAVE however run into my fair share of HDDs go bad within 3 years and definitely 5 years.
Right, I think almost all of the drives I've bought in the past 5 years have died within 5 years. But a 1-year warranty might as well be a 90-day warranty, in my experience. I keep everything on RAID, so I just accept that every couple months I need to send a few drives off to WD or Seagate for repair. The anticipated cost of a drive for me is retail-price + $10, roughly the cost of postage for a return (to be accurate: plus the cost of one onsite spare per capacity of drives in use). I've never had to send one to Hitachi, though I only switched to them a year ago - to get away from Seagate. Now that Seagate and WD are approaching cartel status, I guess this policy change isn't too surprising.
Normally I buy the newest biggest drives for my backup system (aside: how to upgrade on the fly) and then trickle down the drives to other volumes/systems. At this point I don't really have any use for 160GB 3.5" drives but 300GB+ are still good. I have a small cache of 300, 500, and 750GB drives for use when I build 1-off systems.
Now, though, with this change, instead of n+$10 for the cost of a drive, it's going to be $1.5n going forward (I'm being generous here - it's really $2n for a given unit but with larger capacities I can often consolidate). That's a huge increase in product price, in a way that's hidden at first glance. Their warranty claims will fall, I'd guess, by 80%.
Hidden price inflation is really nasty, whether it's WD, Seagate, or the Fed that's doing it.
Generally, my hard drive buying priorities are: stability, warranty, capacity, price, heat, sound, performance*, in that order. A vendor that offers a good warranty on a stable drive is going to get my business if their prices are under the $1.5n mark of these now-1-year-warranty bozos. Somebody else mentioned Samsung - I need to look into that.
* I put SSD in front of anything where performance matters
-
Re:Not new...
My experience may be a bit US-centric, but here we already have anti-competitiveness laws that prevent a business from hurting competition using a monopoly. Unfortunately, we also grant monopolies that prevent competing ISPs, but more laws don't seem to be required. We had one ISP try to block VoIP about 5 years ago and our FCC smacked them down promptly with threats of such litigation.
But the problem remains, if you replace your cable TV with Netflix, the ISP makes the same monthly fee as if you don't. Clearly their costs increase, but their prices are fixed, so they have incentive to stop the behavior. That it cuts into their Cable TV business also provides them with unethical incentive to interfere, but they're put into a position where they can't be called to task for only an ethical lapse - they have real cost concerns too. I'm not insensitive to the problem - I was complaining about it almost 5 years ago, but since then I've learned to bait, not hunt.
Some people will say, "but they advertise to me a 10Mbps connection so I'm going to use it," ignoring the realities of internet connections being oversold as the reason they can get a 10Mbps connection out in suburbia for $45/mo. Yeah, we can all max them out, but if we do we have to expect prices to rise. Things like YouTube's 'preferred' colos are a step in the right direction (in theory; they don't seem to work well) to reduce peering costs, but something like Skype will always be a many-to-many problem by its nature. We want ISPs to want to pass Skype. The most effective way to get somebody to behave is to incentivize them. Rewards and positive reinforcement work better than threat and negative reinforcement; that's just human nature.
If the ISPs had any upside to increasing traffic they'd behave more like they wanted to see increased traffic.
-
Re:Oh please no
So, why not buy a non-widescreen display, then?
Here's a calculator I wrote a while back to help compare relative areas.
-
Re:Porn is the ultimate killer app
Really? We had a 28" screen, which seems to be about average even today
That's about right. You'd need around a 35-inch set to get the same height as your 28" CRT. I find height-matching to be more equivalent than area-matching, on a perceptual basis.
-
Re:Just randomize the keyboard every time
2) I believe that there are patents around the randomising idea.
Yeah, there are. I came up with a variation on the idea I called wokkey which I used for the times when I was left with no option but to use a "cybercafe" terminal for logging into my accounts. I had a patch against SquirrelMail for a while, worked fine, but it's slow and onerous, so only useful for the paranoid, not the android users.
-
Re:Office 2003 to 2007 vs. to OOo?
c. 2005 I ran some numbers on re-training for the new Office based on some rudimentary testing. I'm not sure if the numbers are still right, but the conversation is the same 4 years hence.
-
Re:I hate cutsey names
Relative usefulness can depend on the size of your organization and the degree to which you're using virtualization. I used to use unique names for hardware hosts specifically because lots of services might be running on a server at any given time, and those services might move around between hardware devices over time, so using ethernet aliases for services, each with a logical name was useful. But now with virtualization, each of those services is now a VM so the utility has gone away.
Personally I used the occasion to honor a hero who deserves recognition, but that's just for hardware; VMs get utilitarian names. Monitoring software dependency graphs can also substitute for server names as location knowledge.
-
Re:Anything would be an improvement
The FCC is undoubtedly a runaway bureaucracy, but there are some good apples there. Kevin Martin has been in favor of net neutrality, anti-government censorship, pro-competition, and Michael Copps understands exactly where the FCC has screwed up on high-speed Internet policy.
I know, that's two out of how many, but some guys there deserve kudos; there's been some progress in the past couple years.
-
Re:Known Your Adversary
They can tell you have TrueCrypt installed, they see you unlock it for them, and then have no way of knowing there's another encrypted volume there at all.
You're quite right, but to clarify, the danger isn't them knowing you have another encrypted volume, it's them suspecting you have another encrypted volume. Here I'm measuring risk relative to your person, not your data. The only way out of this is Complete Deniability, which I don't think we have yet.
Remember, it's encrypted volumes all the way down.
-
Re:Which is absolutely fine
And what about the screwing around with P2P traffic? Are they still going to do that and pretend that they aren't?
No, well, not unless they can overturn the FCC order.
I'm still suspicious though. Why aren't they monetizing this? Why not "250GB included, 0.25/GB thereafter"?
I'd happily pay it if I needed it, wouldn't you?
-
Re:pfSense
Not even that complex. I wrote a little tutorial, here - just invert the meaning of the block rule and add a default deny.
-
Cost Effective Security
He will, however, be suing them.
Good. Security is never cost effective if you can push off the costs of not doing it onto someone else. Heck, some companies like Visa base their entire business model on this kind of thinking.
If you're going to have an Employment Policy layered on a Porn Policy (gosh, what a bad idea in itself) layered upon a Security Policy, then your Security Policy ought to be pretty damn good, given the costs of a bad Employment Policy.
-
How Gartner Works
Yeah, this is How Gartner Works. You're not the target audience; it's middle managers at Fortune 1000 companies - you know, the kind who can pay for reports.
-
No Such Thing as Free
That's exactly the right model. And I happen to agree with you
:)
The problem Comcast faces is it's trying to sell "Free". That's unpossible. Stuff costs money, and if you're trying to peddle something "for free" you're not eating the cost, you're trying to spread it out over all your customers, and you get burned if you bet wrong.
This creates a vendor vs. customer antagonism which is bad for both.
An even bigger issue is that Comcast sets this limit right at about what is reasonable for replacing Cable TV with Internet content. So, especially where they own the local monopoly, they have a conflict of interest.
-
Bill Gates' Speech and Llamas
He must have had the blessing of at least Bill Gates and Paul Allen, and probably oth
A couple days before they announced the attempted takeover of Yahoo!, Bill Gates did a talk at a conference where he asked for a kinder, gentler form of capitalism.
Now, the irony is painful, and I didn't understand it until the Yahoo! takeover play was announced. This was Bill Gates' way of saying, "I don't agree with this, but Steve is the CEO and I'm not going to tell the CEO what to do - he'll thrive or fail on his own merits."
Regardless, Microsoft will be back for blood unless Yahoo! spins off Zimbra. I think the Yahoo! board was shocked when Microsoft walked away from $37, and now Microsoft will engage in stock price destruction until it feels it can go no lower, then do the hostile takeover. Yahoo! played hardball and lost.
You want the most vicious, gut-ripping, back-stabbing, ball-cutting executive you can find.
Yep, Steve Ballmer would make a good llama.
-
XBox
Shift the blame for the infection to the user, away from the system. That's all UAC is about.
Yes, and once everybody declares Vista too difficult to use and administer, Microsoft will have an alternative for you.
Since I wrote that essay last year, Office Live has become real(-ish).
-
Managing Free
I think that consumer protection laws need to be beefed up to protect consumers against the outrageous practices of ISPs.
We're in this mess partly because the governments saw fit to grant monopolies to various companies who now behave like monopolies. Raise your hand if you're shocked. We should always be leery of patching bad government with more government, because it's probably going to turn out to be bad government, and then people will want to...
But, yes, you're right, these guys are selling 'Free' stuff and 'free' doesn't exist. In a non-monopoly position you might assume the customers are fools, but when they have no choice, it could be either. Certainly it's hard to chasten the customer put into this position if he doesn't have choice.
-
Zimbra
What the hell does Yahoo have that MS wants so badly?
Zimbra is the significant viable competition to Exchange, which is Microsoft's stranglehold on 'enterprise' computing. This group would like the government to stop the deal on anti-competitiveness grounds.
I think Yahoo! knew what would happen when they bought Zimbra and they know how important it is ($$$) for Microsoft to own it.
-
Re:Evidence?
"if you can SEE the neighbours, they're too close!")
... dunno about NH, but surrounding states have become quite kennel-hostile.
There are plenty of towns without zoning ordinances but your important point is about seeing the neighbors.
I have a friend who wanted to start a kennel right in the middle of an area with like 4 houses on not much property. I told her not to, but it was cheap. She wound up not buying the house (fortunately) at the last moment because the neighbors went apeshit. As would be expected.
In NH you need to get 10 acres of land or more to qualify for the "Current Use" program, where taxes are low on the property that isn't developed. If you have 9.5 acres, you're really screwed. I have 32 acres myself, but our house is near the road rather than in the middle of it, so we can see three of our neighbors. In my zone there's 400' minimum of road frontage, and we have 12 houses on a mile-long road so it's not too bad. And it's easier to plow my 200' driveway than if I had to go 1/4 mile like one of my neighbors does, but for a kennel it would be worth it.
There is a distinct lack of good kennels around here. Our dog passed last summer, but we were driving half an hour to get to the good one, and the others (closer) are always booked. So the business climate is probably pretty good. Not sure how the gas prices are affecting people's travel frequency of late, though.
If you have any interest the FSP is sponsoring a week-long festival in June for prospectives. I was way out in front, and beat the FSP by a number of years, but I came for the same reasons and try to give 'em a hand where I can.
-
How Good is Their Stack?
I do know that there's a proposed standard for Bluetooth specifically for medical devices--there are some pacemakers and ICDs out there (most of 'em these days, I understand) that have bluetooth built into 'em so that the doctors can read information off of 'em without having to place electrodes and whatnot--and also so that they can patch the firmware, if necessary.
There's still the question of what happens if somebody fuzzes their Bluetooth stack. And what happens if the pacemaker is in a high-profile government official, and the directional antenna is hidden in a TV camera. Or something like that.
How secure are their firmware update routines? Is anybody checking?
-
Re:Not Windows desktop...hopefully something on to
If Microsoft put the XBox team in charge of coming up with a version of Windows for the XO, then it would probably fit onto the flash disk and have a usable interface.
Depends if Microsoft wants to kill the XO the same way it wants to kill the PC.
-
Re:Ahh, another valueless settlement.
Meanwhile the cocksucking trial lawyers get a cool 1.8mn in cash.
Right, so everybody who feels this way needs to opt out of the settlement. There's a form letter on my blog you can copy and paste if you'd like.
The real meat of the blog post is bitching about how much it'll cost the class to opt out vs. what it costs the lawyers to create the class. This is an asymmetrical attack against society. It makes it really easy for the lawyers, but hard for everybody else. I wonder who wrote those laws!
-
The Degree is What Matters
Either it doesn't affect the audio, in which case whatever reads the audio can re-write it without the watermark, or it does affect audio, in which case, well, it affects audio.
Yes, it does affect the audio, but modern watermarking algorithms affect the audio less than lossy compression techniques do. I wrote about this here back in March.
I guess I've got some self-evaluation to do if Microsoft is starting to raid my blog for ideas. ;)
-
Free Market Implications
I mentioned this on my blog on Friday - when Dr. Ron Paul was at Google he said that the spectrum should just be auctioned off to the highest bidder and let the Free Market sort it out. I don't think all the folks in the room at Google thought that was the right answer at the time, but it's good to see the decision makers at Google have taken that kind of advice to heart and applied Corporate Good to the equation.
Just because it goes to the high bidder doesn't necessarily mean that it has to be Verizon or Microsoft who will subvert the public good with the property. To all those who constantly rejoin here that corporations have to be evil - this is a good counter-example; good corporate governors just need to be astute enough to make the proper financial plays that will mutually benefit the corporation and society. Granted, we could use a bit more of that.
-
Re:As a Sunrocket Subscriber
A SIP provider like les.net? I've been using that service for a long time now.
Are you having any trouble with dropped calls on their termination? I've been seeing some of that lately, but debugging is a hard problem, between firewalls, ISPs, providers, etc.
Here's an IAX2 tutorial for les.net I did, in case anybody needs it.
-
Apple's not that dumb
They gave away the store with this AT&T deal.
I don't think Apple is that dumb. We know they have a 5-year exclusive for the iPhone on AT&T. But I really doubt they have a 5-year exclusive on any device that uses a mobile network, e.g. the iPod Mobile. It seems clear to me that Phase 2 is already in progress.
-
Time for Sun to Shine
OK, now it's time for Sun to grab the bull by the horns. They've been waiting for GPL3 for a year and a half - and just recommitted to it a couple weeks ago, pending final language - if Java and OpenSolaris get released with GPL3 things are going to get *very* interesting.
Everybody please join me in exhorting Jonathan to take the bungee jump.
-
Right, plus caching.
The trick here is using Apache 2.2 + mod_proxy + Mongrel. The Mongrel book [awprofessional.com] is well worth the $15, too.
Yeah, what Tom said - everything else I've tried I've had to declare broken, and I've tried a few (and I've done good battle with all kinds of apache stuff since they forked from NCSA).
You can also implement mod_proxy in Apache to lighten the load on Mongrel. I have a brief tutorial for doing this from behind a NAT on my blog, but I still haven't figured out how to get mod_proxy to ignore a down backend and just serve the cache in that case (tips appreciated).
-
Re:and you thought maine was only for lobsters!
Fairpoint, whose motto is "128K DSL is the wave of the future."
What do you base that on? At a talk I went to FairPoint was pushing their 6+Mbps DSL infrastructure.
Though I have to admit I'd be happy to pay for 128K DSL over my 26.4K modem, which is all Verizon is ever going to provide in the current regulatory environment.
-
YellowBox for Windows is Back
No, Apple is not trying to replicate iTunes' success.
Agreed - the browser marketshare thing is just a front for getting millions of people to beta test their application development framework - YellowBox for Windows is back. Next year you can have real applications on the iPhone (and Mac, and Windows).
-
Re:the acid test
and it would be trivial to remove this data from your songs.
If that becomes a problem they can use audio watermarking on the files. Modern watermarking algorithms are less lossy than the compression algorithms (no perceptual quality loss).
-
He Just Needs More Data
Well, then, perhaps somebody can mail the researcher this thread tomorrow and see if we can't generate more than 34 insightful responses for him. Hey, we want this guy to have good data and make appropriate conclusions from it.
I posted this entry on my blog the other day - as a small developer unable to compete with massive patent portfolios, I believe that Patents + GPL3 is the only way for Open Source to weather the patent storm.
-
They Just Want Attention
But it's too correct (according to the summary, I didn't RTFA). Something else has to be behind this, given American politics.
It's grandstanding. The FCC was saying this a month ago. When you have the people and the FCC saying the same thing and the legislature hasn't done squat (or anti-squat) then the legislature has to grandstand and "somebody" has to be to blame.
-
"By Force" or "By Example"
Many religions have missionaries. Most of them, the missionaries are as obnoxious, if not more so, than the religion itself. And, in many cases, the religion seems to survive in spite of their missionaries.
Sometimes they are - sometimes they're happy to convince others by living a virtuous life. I'm unlikely to be convinced by either, but I'd be happy to have lunch with the latter type, but not the former.
Here's a memorial blog post about a friend of mine who recently passed who could have been considered an Apple missionary, of the latter type. In that post I asked many of the same questions that the OP did, and there's a nice picture of plates of six-colored Apple cookies that friends made in her honor. Windows users, at that.
Interestingly, along your line of inquiry, keeping up with the latest Apple news and products seemed to offer her comfort as her health declined, not unlike some people use religion.
-
Until you get cancelled
YouTube and AtomFilms are better anyway...
Just wait a couple months until they cancel you for using the 'competition'.
-
Re:Another Article
Does this really make sense to anybody? Has the business market shown any real preference for the Windows Mobile platform over, say, RIM's BlackBerry?
It's just lip-service to their Microsoft commitments. Jeff Hawkins said that the only reason there's a 700w is they thought they wouldn't get a PalmOS 5 license back from Access.
Now they have and the iPhone is positioned to clobber Palm. But the iPhone is crippled by Cingular and Palm already has Verizon as a customer, so if they really do ship this year they'll have at least a year and a half to stomp on the iPhone.
I think the idiots have been flushed out of Palm. I've heard more good things from them this week than I have since 1997. Yes, I'm marginally giddy.
-
Higher Bitrates not Required
Another advantage of the higher bitrates is the ability to slip in watermarking.
I wrote about this a few weeks ago - current watermarking techniques are not significant with regard to quality compared with lossy compression.
Watermarking is a real solution to piracy - it enables Copyright Law to be the default mechanism for handling these problems, just like in the Old Days, before the Dark Times, before the DMCA.
To summarize my thesis: Watermarking solves piracy, DRM is about forced repurchasing. Links and more there.
-
Watermark Me!
But it's not clear where to go from there, since free copying tends to encourage exactly one pricing model: give it away. It may be the only model, given how ineffective DRM is compared to the old "press it into vinyl" model.
Copyright law still protects the artists' work. I'd hate to see that go away given how well the GPL has worked.
So the problem in digital duplication is figuring out who violated Copyright law. There's an easy solution to that - watermarking. I wrote about this a few weeks ago - watermarking technology is such that it's robust and does not impair quality for lossily-compressed music. I'm not about to violate copyright law with the music I buy online, but the current DRM schemes aren't about copying, they're about control. I lost a disk with my iTunes Library on it just after purchasing a song, and I had to re-purchase it again, I couldn't just download it again, and that's where the real money is - repurchasing. Ironically, it's the only time I've used iTunes since JHymn stopped working. Yeah, I'm only out $1 extra, but the principle sucks. Lala has a much better model.
Executive summary: Watermarking combined with Copyright Law is an effective copy control measure, but DRM is about repurchasing, not preventing copying.
-
Re:The real story
Was the coal burned in power plants to power Googles server farms?
hydro