Domain: std.com
Stories and comments across the archive that link to std.com.
Comments · 370
-
Re:Ah Finally!
Ever hear of a one time pad?
-
Gerry Bull
Of course no conversation about really big guns can be complete without a link to Gerry Bull. Kinda like Wernher von Braun for guns.
-
Anyone know technical details?
How would this Web Forms be different from the already-standardized, but not implemented by Mozilla or Opera, XForms? (Note: not the GUI toolkit for X by the same name.) After all, the W3C page says XForms is "the next generation of Web Forms"...
The "Web Forms" name is so generic that Googling it is basically useless.
Garg -
Not "Unbreakable"
These people have no idea what security means. Sure, the key is transmitted over a secure link, but "the encrypted data would then be transmitted by normal methods."
Normal methods. Meaning the ciphertext is still prone to interception by Echelon and the resulting analysis by experts. The encryption is only as strong as the cipher used.
The only truly unbreakable cipher is the one-time pad. -
Re:Class
-
Re:I wouldn't say that broadband is the problem
I partly agree with you about the earlier post. Software will have bugs, and the dominant OS will always be a target. The first Internet worm was unleashed in 1988 and attacked UNIX systems. The earlier poster has not explained why he blames "windows users" and may just be trying to troll. I certainly wouldn't have modded it up.
But -- the earlier poster could have made this point -- Microsoft OSes are insecure by design. They create systems full of unneeded security issues for nothing more than commercial advantage. This subject was covered here a few months back.
They could not have avoided the problems we have today, but they did make them much worse. And, yes, it was foreseeable -- witness the security measures in UNIX, present long before Win 95. So, they are morally culpable.
-
Re:Can I shoot at it?
Gerald Bull, a Canadian big gun engineer, made large guns and was killed by Israel's Mossad for daring to talk to Iraq about building a "super gun" -
Old Joke
The Coalition to Ban Dihydrogen Monoxide has been around a long time. There's even a song about it to the tune of Battle Hymn of the Republic (aka John Brown's Body).
The DHMO song can also be found at the author's page here, but Google is probably more resistant to the Slashdot effect.
-
Re:Seriously?
Yeah, places like this.
I still go there occasionally to reprint the spicy sesame beef recipe, which I started making in the mid 1980s.
-
Re:Robots had another purpose
It was an R-16 (aka SS-7) ballistic missile that blew up, and it had nothing to do with a mission to Mars (read the postscript).
-
Re:Mod Parent Up
Perhaps you refer to my post to the parent? He copied it straight from here under the heading "Is Elliptic Curve Cryptography Safe?"
-
Re:ECC is hard to crack
Impressive, your entire paragraphs were, word for word, copied from here.
Alert, karma whore. The only thing he changed was "You may have heard arguments" to "I often hear".
You often plagiarize?
-
Too bad the name is confusing.
When I first saw the headline I thought it was referring to the X11 GUI toolkit (that was quite popular a few years back). XForms is an X11 toolkit that is featureful and free for non-commercial use.
Why couldn't they have called it XMLForms or XWebForms? Oh well. -
A confusing name...
Had the people who worked on this never heard of the XForms GUI library?
-
How InterVote98 Could Change the World
InterVote98 is a turnkey web service sold by Assets New Media to TV stations.
TV stations use InterVote98 to provide web-based campaign and election coverage for their viewers.
InterVote98 was a few years ahead of its time.
It didn't change the world; in fact, it's defunct.
There is some analysis at How InterVote98 Could Change the World. -
Re:Spamming method
Then install Bubblegum Proxypot, which is a proxy honeypot, doing the same thing as Spamhole but for ports 3128, 1080, 8080, etc. I'm getting hundreds of probes every day on port 3128, trying to connect to other proxies or open relays.
-
This is nothing new...
Google for 'honeypot' or 'proxypot.' In fact, Security Focus ran a series of comprehensive articles on honeypots, one of which is here. There's also a huge web site devoted to nothing but honeypots at this link.
Proxypots are a variation of the honeypot idea. A proxypot pretends to be an open proxy server which, instead of actually passing traffic sent to it, simply logs what's going on and sends the actual traffic to a specific destination specified by the proxypot operator. This can be Dave Null's in-box or anywhere else said operator wants.
Details of proxypots may be found here, and here, just to name a couple.
Keep the peace(es).
-
Re:How can this work?
Sophisticated spamware periodically sends control messages to a dropbox at hotmail/yahoo/whatever and alerts the user if the open proxy appears not to be really working.
Open relays aren't the problem on the net anymore; sophisticated spamware uses open proxies.
Open relays are hard to find these days, as most SMTP software has sane defaults. OTOH, with idiots like the AnalogX proxy authors creating proxies with a "default open worldwide, not even dangerous ports closed" configuration, there is no shortage of open proxies.
If you really want to blackhole/track open proxy/relay abusers, look at Bubblegum proxypot instead. And prepare to hack it, as spamware tries to adapt to the traps set up by people. -
He's reinvented proxypots.
This is nothing new. For example, see Bubblegum Proxypot.
Slashdot, on the cutting edge of last year.
-
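The proxypot idea that the comments above describe (a decoy that advertises itself as an open proxy, logs every probe and forwards nothing) as an added Python illustration. This is not Bubblegum Proxypot's code nor code from any of the posters; the listening port, the SMTP-port heuristic, the probe labels and the sample requests are assumptions made for the example.

```python
"""Minimal HTTP proxypot: looks like an open proxy, logs every probe, forwards nothing.

Added illustration, not Bubblegum Proxypot's code. Port list and heuristics are assumptions.
"""
import re
import socketserver
from datetime import datetime, timezone

# Ports spamware tunnels to through an open proxy (assumed heuristic): SMTP and submission.
SMTP_PORTS = {25, 465, 587}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)\r?\n")
ABSOLUTE_URI = re.compile(r"^(https?)://([^/:\s]+)(?::(\d+))?")


def parse_request(raw: bytes) -> dict:
    """Extract method, target host and port from the first line of a proxy request."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return {"method": None, "host": None, "port": None, "malformed": True}
    method, target = m.group(1).decode(), m.group(2).decode()
    host, port = None, None
    if method == "CONNECT":
        # CONNECT host:port  -> request for a raw TCP tunnel
        host, _, port_s = target.rpartition(":")
        port = int(port_s) if port_s.isdigit() else None
    else:
        # Proxy-style request line: GET http://host[:port]/path HTTP/1.x
        um = ABSOLUTE_URI.match(target)
        if um:
            scheme, host, port_s = um.groups()
            port = int(port_s) if port_s else (443 if scheme == "https" else 80)
    return {"method": method, "host": host, "port": port, "malformed": False}


def classify(req: dict) -> str:
    """Label the probe; the labels are this example's own vocabulary."""
    if req["malformed"]:
        return "malformed"
    if req["port"] in SMTP_PORTS:
        return "smtp-relay-attempt"      # a spam run being pushed through the "proxy"
    if req["method"] == "CONNECT":
        return "tunnel-probe"            # e.g. IRC, or a liveness check against a dropbox
    return "http-probe"                  # beacon fetch or simple open-proxy test


def handle_request(raw: bytes, peer: str) -> tuple[dict, bytes]:
    """Return (log record, bytes to answer with). Nothing is ever forwarded upstream."""
    req = parse_request(raw)
    kind = classify(req)
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "peer": peer,
        "kind": kind,
        "bytes": len(raw),
        **req,
    }
    if kind == "smtp-relay-attempt":
        # Claim the tunnel is up so the spammer keeps talking to us instead of a real relay.
        response = b"HTTP/1.0 200 Connection established\r\n\r\n"
    elif kind == "malformed":
        response = b"HTTP/1.0 400 Bad Request\r\n\r\n"
    else:
        # Empty success: enough to look like a working proxy to a crude scanner.
        response = b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n"
    return record, response


class ProxypotHandler(socketserver.StreamRequestHandler):
    """One connection: read the request head, answer, swallow any SMTP that follows."""
    timeout = 15  # seconds of silence before we give up on a probe

    def handle(self):
        head = b""
        while b"\r\n\r\n" not in head and len(head) < 8192:
            line = self.rfile.readline()
            if not line:
                break
            head += line
        record, response = handle_request(head, self.client_address[0])
        self.wfile.write(response)
        if record["kind"] == "smtp-relay-attempt":
            try:
                # Crudely play the relay: greet, then absorb up to 64 KiB of the spam run.
                self.wfile.write(b"220 relay.invalid ESMTP\r\n")
                record["payload_bytes"] = len(self.rfile.read(65536))
            except OSError:
                record["payload_bytes"] = -1   # peer hung up or timed out
        print(record, flush=True)            # swap for your real log sink


if __name__ == "__main__":
    # Listen on the classic squid port; add 8080/1080 listeners the same way.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 3128), ProxypotHandler) as srv:
        srv.serve_forever()
```

The parsing and classification are kept separate from the socket handling so the decision logic can be exercised offline against captured request heads; the server part only wires it to a listener.
-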
Re:So much for longer passwords being more secure?
You'll get a bunch of solid information about this stuff and more by studying the Diceware FAQ. Highly recommended.
-
Re:Sue the software companies
You fucking idiot. Seriously, why are you people so GOD DAMN STUPID?
The Internet Worm
Please at least have some rudimentary knowledge of computer history - this was 1988 so unless you're less than 15 years old you have NO excuse for this idiocy. This slashdot article is about vicious attacks by VIRUS WRITERS. You are using it as a platform to espouse your obviously ridiculous opinion about security holes in an e-mail program.
In case you don't get my point, let me hammer it home for you - the link I provided is similar in that some smart guy exploited a security flaw to propagate a virus which copied itself all over the god damn internet and shut large sections of it down. The fact that this wasn't his specific intent is irrelevant. Would you like to sue UNIX for allowing a virus to propagate?
You edgy fuckers think shoving your tired, irritating Microsoft bashes into every god damn article on Slashdot is so clever. Examine the facts, genius - if someone wants to fuck with software, they will find a way. -
Re:Not the source, really
(1) no better system than passwords has yet been devised
Except those nifty token+PIN systems. My bank has even given me a "calculator" type thingy in which I put my ATM card, and using my normal PIN, the chip on that card will calculate the response to a challenge when I log into online banking. Pretty nifty, pretty secure. The chip will stop working after 3 attempts at a wrong PIN, and if the card is stolen, I'd report it straight away anyway. This closes the window of opportunity considerably.
Token based security systems can integrate really well into computer systems, so you end up with Single Sign On solutions, and the challenge-response protocol can run over a simple USB link, so all you have to enter is your PIN (into hardware which you carry with you, and which isn't susceptible to having keyboard sniffers installed).
There are lots of vendors who sell this hardware, iButton, rsa.com, etc. etc. Pick up a random computer industry mag and they're right there in the less-than-a-page-big ads.
Note that SSH uses a similar idea for single sign on; you type in your password/phrase into an agent which decrypts your private key on your workstation, and challenge/response is used when logging in; your password is only exposed to your local workstation, not to the remote system, nor is it sent over the line in any way. You can even change keys without changing the password/phrase (and vice versa).
I saw another post here mention diceware, which is pretty nifty too; passphrases generated using dice.
Physical security is also often overlooked, on the premise that you're fucked anyway when people bring in laptops, or plug a wifi access point into your network. But physical security is the only kind of security where biometrics make any sense at all (as in; "hey, I haven't seen you here before" or; "that's not your photo on this id here.."). So if you're going for 3-out-of-3 authentication (something you know/have/are) you need physical security as well.
No security is perfect, but it doesn't have to be quite as bothersome to users. Let's say no one can log in remotely to the work LAN. That's not that inconvenient to most people, and if someone complains, sure, let them at it, and log what they're doing. The window of opportunity may be widened by a crack because a few accounts do get remote access, but no form of security is perfect anyway.
I find attack trees a useful way to present weaknesses in security; it emphasises the weakest chain in the link, but also the prerequisites to get there, and the alternatives. (For example, the CEO might well have a yellow sticky tape with his password on his monitor at home, but breaking into the CEO's home is quite hard because that house has pretty good physical security, him being the rich bastard that he is. Whereas bribing cleaning people who come in at night to place a keyghost is cheap and effective.) -
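The token-plus-PIN challenge-response login described in the comment above, as an added Python illustration. This is not any bank's protocol and not code from the poster: the shared-key HMAC construction, the SHA-256 PIN check, the three-attempt lockout and the eight-digit response truncation are all assumptions chosen so the exchange can be run end to end.

```python
"""Challenge-response login with a PIN-locked hardware token: an added illustration.

This is not any bank's protocol. Key size, PIN hashing, the 3-attempt lockout and
the 8-digit HMAC truncation are assumptions chosen for the example.
"""
import hashlib
import hmac
import secrets

PIN_ATTEMPTS = 3        # token stops working after this many wrong PINs
RESPONSE_DIGITS = 8     # what a user can read off a small display and type


def truncate(mac: bytes) -> str:
    """Fold a MAC down to a fixed number of decimal digits (same rule on both sides)."""
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** RESPONSE_DIGITS:0{RESPONSE_DIGITS}d}"


class Token:
    """The thing in the user's pocket. Holds the shared key; the PIN never leaves it."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin_digest = hashlib.sha256(pin.encode()).digest()  # stand-in for the chip's PIN check
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= PIN_ATTEMPTS

    def respond(self, pin: str, challenge: bytes) -> str:
        if self.locked:
            raise PermissionError("token locked; reissue required")
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_digest):
            self.failures += 1
            raise PermissionError("wrong PIN")
        self.failures = 0
        return truncate(hmac.new(self._key, challenge, hashlib.sha256).digest())


class Server:
    """Online-banking side: knows each user's token key, never sees a PIN."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)        # fresh per login, so a sniffed response is useless later
        self._pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        c = self._pending.pop(user, None)  # single use: verifying the same challenge twice fails
        if c is None or user not in self._keys:
            return False
        expected = truncate(hmac.new(self._keys[user], c, hashlib.sha256).digest())
        return hmac.compare_digest(expected, response)


def login(server: Server, token: Token, user: str, pin: str) -> bool:
    """One full exchange: the challenge goes to the token, only the response comes back."""
    c = server.challenge(user)
    try:
        r = token.respond(pin, c)
    except PermissionError:
        return False
    return server.verify(user, r)
```

The point the comment makes is visible in the data flow: the PIN is compared inside the token and the server only ever stores the key and the outstanding challenge, so a keyboard sniffer on the workstation learns a PIN that is worthless without the token, and a captured response is worthless once its challenge is consumed.
-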
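The attack-tree reasoning in the comment above (cheapest complete path, prerequisites as AND nodes, alternatives as OR nodes), carried out in Python as an added example. The tree shape follows the CEO scenario the poster sketches, but the node names and the cost figures are invented for the illustration and are not measurements from the post.

```python
"""Attack tree evaluation, as an added illustration of the reasoning in the comment above.

Node structure and costs are invented for the example; they are not measurements.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    """A goal (AND/OR node) or a concrete attacker step (leaf with a cost)."""
    name: str
    kind: str = "leaf"          # "leaf" | "and" (all children needed) | "or" (any child)
    cost: float = 0.0           # leaf only: attacker effort in arbitrary units
    children: list["Node"] = field(default_factory=list)


def attack_paths(node: Node) -> list[tuple[float, list[str]]]:
    """Every distinct way to achieve `node`, as (total cost, ordered list of leaf steps)."""
    if node.kind == "leaf":
        return [(node.cost, [node.name])]
    if node.kind == "or":
        return [p for child in node.children for p in attack_paths(child)]
    if node.kind == "and":
        # AND = cartesian product of the children's paths: every prerequisite must be met.
        combos: list[tuple[float, list[str]]] = [(0.0, [])]
        for child in node.children:
            combos = [(c + pc, steps + ps) for c, steps in combos for pc, ps in attack_paths(child)]
        return combos
    raise ValueError(f"unknown node kind {node.kind!r}")


def weakest_link(node: Node) -> tuple[float, list[str]]:
    """The cheapest complete path: where a defender should spend first."""
    return min(attack_paths(node), key=lambda p: p[0])


def harden(node: Node, leaf_name: str, new_cost: float) -> None:
    """Model a countermeasure by raising the cost of one leaf, in place."""
    if node.kind == "leaf" and node.name == leaf_name:
        node.cost = new_cost
    for child in node.children:
        harden(child, leaf_name, new_cost)


def ceo_password_tree() -> Node:
    """The scenario from the comment, with made-up costs (higher = harder)."""
    return Node("Obtain CEO's password", "or", children=[
        Node("Read sticky note at CEO's home", "and", children=[
            Node("Defeat home physical security", cost=80),
            Node("Find the sticky note on the monitor", cost=1),
        ]),
        Node("Plant a keylogger at the office", "and", children=[
            Node("Bribe the night cleaner", cost=10),
            Node("Place KeyGhost between keyboard and PC", cost=2),
            Node("Retrieve KeyGhost a week later", cost=10),
        ]),
        Node("Guess the password online", cost=500),
    ])
```

Running `weakest_link(ceo_password_tree())` picks the cleaner route, exactly the poster's conclusion; raising the cost of "Bribe the night cleaner" with `harden` (vetting and supervising night staff, say) moves the weakest link to the CEO's home, which shows what the tree is for: it tells you which countermeasure actually changes the cheapest path rather than just adding controls somewhere.
-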
Anyone: PC active noise cancelling?
Anyone sell an active noise cancelling solution that would work off a PSU power supply?
You'd think with all that power my AMD has, 1% could be used to track and cancel by white noise the offending sounds?
I figure there is more to this than there seems?
Like disturbing my brain with white noise.
Has someone figured out how to dump /dev/entropy into a pink/white filter to the sound device?
aka almost like here -
Re:Is there *any* editorial oversight?
http://world.std.com/obi/Rants/Protocols/
on the web since 1995
"About "The Protocols of The Learned Elders of Zion":
"In a sentence it is a fraud, a forgery. Based upon an earlier anti-semitic tract even though it appeared over 10 years previous to the "meeting" it claims to document. It was apparently written by some members of the secret police force working for the czar, in the late 19th century. See the text below for details."
-
Re:What about playing chess with God?
This guy has a very interesting write up about chess and probability. Worth a read.
Actually, it has very little to do with chess. Instead it's a really iffy argument against an omniscient God. Not worth a read if you're just interested in chess. If you're interested in philosophy, maybe, and then only if you're interested in a study of flawed logic and questionable assumptions.
-
What about playing chess with God?
This guy has a very interesting write up about chess and probability. Worth a read.
-
har
-
One more point against libertarians
Well then, I think we can add this to the Non-Libertarian FAQ. Which incidentally is the first thing on Google that shows up when you search for "libertarian faq". I guess that probably means there are fewer Libertarians than there are people out there who are extremely annoyed by them.
-
Re:Interesting.
Here's a bit of information about Toynbee tiles in D.C.: http://world.std.com/~manfre/toynbee/
-
Of passwords and security
RMS was against the use of passwords in computer labs: http://sch57.msk.ru/~khim/hackers/epilogue.html
The Internet worm of 1988 took advantage of stupid passwords: http://world.std.com/~franl/worm.html
-
Diceware
Diceware definitely provides the most secure but easily remembered passwords, and even lets you make pretty exact estimates of the entropy content of your passwords, which makes all sorts of calculations simple and fun.
-
The very first Internet Worm
was written for Unix. I hope people don't forget that, but I doubt they will. The difference is most Unix people care about reliability and most people from the Microsoft camp relish viruses because the truth of the matter is tech support revenue is much greater than the cost of Windows.
-
Re:this is why
Actually, the first worms had nothing to do with javascript or ActiveX, and existed long before them.
-
UNIX Worms
Never, huh?
Basically, the last time that a major non-Windows worm threatened the stability of the Internet was back when the majority of computers on the Internet weren't running Windows. There have been numerous worms since then for UNIX & Linux, but their market penetration has been low enough not to seriously hurt the whole Internet. This is not as good of a thing as you indicate. -
Re:Is *nix that much more secure?
Not all *nix is open source (sun, sco, aix)
And let's not forget about:
The Great Worm of 15 years ago! This infected some 6000 different hosts, on an Internet that was very much smaller than it is today, so percentage-wise it was perhaps a bigger infection.
Perhaps when windows (NT) is as old then it might be as robust as *nix in general. Remember *nix developers have had a long time to fix most of those nasty overflows :)
For all you kiddies that want to read about it, you can drool over its functions here -
Keypress timing seeds password generator
PassGen is a Java applet that uses keypress timing as a number seed for generating passwords.
-
WTF? That name is already taken, try again.
Jesus Christ, doesn't anyone look out for name collisions anymore? XForms is a GUI toolkit for X, in (slow) development since 1995 and still used in many useful apps like GeomView and LyX.
Now it's also "the next generation of web forms". Gag me with a buzzword.
It's not as if the original XForms were unknown, either -- it comes up second in a Google search for "Xforms". These jokers should have known better.
Feh.
-
Patent perspectives
MS will now say "Use Linux at the risk of patent infringement suits or let us take care of it for you." This strategy could be expensive in the long run though:
I feel certain that some large company will patent some [...] crucial technique. If we assume this company has no need of any of our patents then they have a 17-year right to take as much of our profits as they want. (Bill Gates, 1991)
Of course, we could just abolish software patents and make the question moot... -
Try LyX for technical writing
-
Re:nitpicking point in the article
benhaha says: Light is red-shifted climbing out of the gravity well.
Can you expand on this? I've never heard of this, and I can't think of anything in my 40+ years of layman's reading on physics that could be expressed this way.
Here's a few links. Google for "gravitational redshift" and you'll get lots more.
To summarize, the gravitational redshift (or blueshift, for light falling into a gravitational potential well) is a real effect. It was demonstrated by Pound and Rebka at Harvard University in 1960. They used essentially monochromatic gamma ray photon sources at the top and bottom of an elevator shaft, and measured the shift in frequency for photons traversing the shaft each direction. Kudos to Einstein--General Relativity gets another check mark.
-
Re:How about the libertarian angle?
Libertarians always come up with the most convenient arguments. No no no, in your case, government intervention isn't required -- let the system work it out. But, oh, in my case, intervention is fine, and, oh by the way, MY intervention is part of the system.
Laughable. Join the real world one of these days. And open your mind and read a little.
-
Re:"Perhaps" IPV6 will solve the problem?
there are a billion, billion more addresses than known particles in the galaxy, however, what happens when a company purchases 665,570,793,348,866,943,898,598 of them? you run out.
Really?
Let's do the math then.
2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
340,282,366,920,938,463,463,374,607,431,768,211,456 - 665,570,793,348,866,943,898,598 = 340,282,366,920,937,797,892,581,258,564,824,312,858
Doesn't seem to make a big dent.
Still not convinced? How about we find out how many companies can buy 665,570,793,348,866,943,898,598 IP addresses for themselves:
340,282,366,920,938,463,463,374,607,431,768,211,456 / 665,570,793,348,866,943,898,598 = 511,263,971,197,990
Ok, I'll have to agree with you, that we will run out of addresses when 551 TRILLION companies start buying 665,570,793,348,866,943,898,598 IP addresses.
-
So what? There are two XForms projects as well.
I've said this before...
W3C came up with XForms - The Next Generation of Web Forms in 2002, but XForms - a GUI toolkit for X has existed for a long time (initially here). -
Oregon vs. Schwartz
Commentary on a specific (and troubling) case where someone was convicted of "unauthorized" computer access
-
business card cubes
Boy am I glad I hadn't taken out the recycling and gotten rid of more than 1000 old business cards yet.
I have a new-found idle-time project thanks to finding out how to build business card cubes via this story :) -
Sorry.
The World is not local to me.
-
Diceware: memorable random passphrases
Diceware looks like a nice way to generate random yet fairly memorable passphrases, for people whose typing is better than their memory. All you need is a list of 6^5 memorable words or almost-words, like the two English lists provided on that website (they've included almost-words like aaaa and 123 as well as real words, to keep the average word length down). Roll 5 dice (5D6 for roleplayers/Warhammer players :-) and pick a word from the list. Repeat until you have a strong passphrase.
Assuming an attacker knows you used Diceware and has a copy of the word list you used, a 5-word passphrase chosen like this is about as hard to brute-force as 64-bit encryption, and a 10-word passphrase is about as strong as the 128-bit symmetric encryption component of PGP. -
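The Diceware procedure described in this comment and in the "Diceware" comment above, as an added Python illustration: turning a five-dice roll into a list index, reading a word list, rolling, and the entropy arithmetic behind the "5 words is about 64 bits, 10 words is about 128 bits" comparison. This is not code from the Diceware site or from either poster; the "roll<TAB>word" file layout is an assumption about the list format, and any word list text used with it here is constructed.

```python
"""Diceware passphrases and their entropy, as an added illustration.

Not code from the Diceware site. Assumes the list layout of one "rrrrr<TAB>word" line
per five-dice roll; any short word list used to try it out is constructed.
"""
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD            # 7776 entries in a full Diceware list
BITS_PER_WORD = math.log2(LIST_SIZE)      # about 12.925 bits per word


def roll_to_index(roll: str) -> int:
    """'11111' -> 0, '66666' -> 7775: a five-dice roll read as a base-6 number."""
    if len(roll) != DICE_PER_WORD or any(ch not in "123456" for ch in roll):
        raise ValueError(f"not a {DICE_PER_WORD}-dice roll: {roll!r}")
    idx = 0
    for ch in roll:
        idx = idx * 6 + (int(ch) - 1)
    return idx


def index_to_roll(idx: int) -> str:
    """Inverse of roll_to_index."""
    if not 0 <= idx < LIST_SIZE:
        raise ValueError(idx)
    digits = []
    for _ in range(DICE_PER_WORD):
        idx, d = divmod(idx, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def parse_wordlist(text: str, complete: bool = True) -> dict[str, str]:
    """Parse 'roll<whitespace>word' lines; with complete=True insist on all 7776 rolls."""
    table: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        roll, word = line.split(None, 1)
        roll_to_index(roll)                         # validates the roll
        if roll in table:
            raise ValueError(f"line {lineno}: duplicate roll {roll}")
        table[roll] = word.strip()
    if complete and len(table) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(table)}")
    return table


def roll_dice(n: int, rng=secrets.randbelow) -> str:
    """n dice as a digit string; secrets is the software stand-in for physical dice."""
    return "".join(str(rng(6) + 1) for _ in range(n))


def generate(wordlist: dict[str, str], n_words: int, rng=secrets.randbelow) -> list[str]:
    """Roll five dice per word and look each roll up in the list."""
    return [wordlist[roll_dice(DICE_PER_WORD, rng)] for _ in range(n_words)]


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of n uniformly chosen words, assuming the attacker has the list."""
    return n_words * math.log2(list_size)


def words_for_bits(target_bits: float) -> int:
    """Smallest word count reaching the target: 64 bits -> 5 words, 128 bits -> 10 words."""
    return math.ceil(target_bits / BITS_PER_WORD)


def expected_guesses(n_words: int) -> int:
    """Average brute-force work against a known-list passphrase: half the keyspace."""
    return LIST_SIZE ** n_words // 2
```

The entropy figure only holds if the words really are chosen uniformly from the list, which is why the roll is mapped to an index rather than a human picking "nice" words, and why `parse_wordlist` refuses an incomplete or duplicated list by default: a list with missing or repeated rolls silently shrinks the keyspace below what `entropy_bits` reports.
-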
So was XForms...
W3C came up with XForms - The Next Generation of Web Forms in 2002, but
XForms - a GUI toolkit for X has existed for a long time (initially here). -
If you really want to learn XS
Check out this tutorial. It's a better starting place than the book reviewed here, which seems more like a reference than a tutorial to me.
XS really isn't as horrible as some people make it out to be.
Posting anonymously from work, someone mod me up, okay?
-
Re:Not really a full-fledged scenario
But now it's GPL, so these developers have no reason to stick around
Folks, this is a very, very important point for all software developers to understand: that proprietary software doesn't just restrict user freedom, it restricts the freedom of software developers, who create, improve, understand, and fix proprietary code, to take full advantage of their acquaintance with that code.
Yes, that's only part of the equation -- trading freedom for security is not always seen as wise, and in many cases, that'd take the form of trading career and project-choice freedom for job and financial security.
But it's a factor that developers would be wise to take more carefully into account when considering proprietary vs. open-source development.
From my own point of view, having been fully involved on both sides of the fence, there's no question that my involvement with GNU Fortran (g77), a GPL'ed project, did more to enhance my marketability and career freedom than almost any combination of proprietary projects on which I worked during my 20-year-or-so software-development career (which isn't so much over as pending my deciding whether I'm bored enough to find something to do in that field again).
People might say I "got lucky" with g77, and they're partly right. But I addressed a clear, known need using my expertise (such as it was), so luck wasn't exclusively responsible.
And, after all, such "luck" (and the willingness to properly identify and address clear, known needs) is crucial to actually maintain the kind of job and financial security many people seek in the proprietary-software industry.
So while I certainly can't assure anyone that "converting" to OSS development will be a magic bullet for their careers or lives, I can assure them that sticking with developing proprietary software for others because "you can't make money developing OSS" is not the slam-dunk-correct decision many have made it out to be over the years.