Slashdot Mirror
Slashback: Zoning, Linking, Fooling
Welcome to the Fantasy Hardware League Regarding our post on the allegedly upcoming Radeon 8500 MAXX, reader eyelove yu writes: "This pic is fake, as many people have suspected. HardOCP.com (on front page) quoted Rubeena Hussein of ATi as saying,'"We have no current intentions of making this or similar boards.'"
Soon we will be able to assemble an entire system created in Photoshop. Yay.
Or you could roll down the windows ... vt@home writes: "As a followup to the earlier story, here is a system that not only allows to monitor the temperature throughout the house and draw nice charts, but also does already have computer controlled vents and even allows to control the A/C unit. Basically, this is a do-it-yourself zoning system, for under $500. Of course, the source is GPLd ;)"
Next week, the sidewalks will practically be free for public use. juanfe writes: "It's not like they really had any power to enforce their previous one, but NPR modified their Terms of Use on June 27. Now, linkers do not have to submit a form asking for permission, but NPR "reserve the right to withdraw permission for any link". More commentary from others.
Nothing like hundreds of angry bloggers threatening to withhold membership contributions to their local station."
Raising a stink to the power of 10. Snarfangel writes "After seeing Yet Another Slashdot Article extolling the virtues of meretricious metrification ("Isn't it Time for Metric Time?"), I decided to fight back the only way I know how -- by subjecting an innocent website to the Slashdot effect: This site goes into great detail about the importance of being Ernst (or at least Max Karl Ernst Ludwig) Planck, especially his system of units that only depend the fundamental constants of the universe -- the speed of light, the gravitational constant, the Planck constant, and the charge of the electron. With appropriate scaling, you get a unified measurement system that is not only more logical than Le Systeme International d'Unites, but is also much better for calculating physics problems in your head.
After all, if we are going to go to all the effort to change our measurement system, why not use that same effort and get the system *right* the first time?"
On a different note, Colin LeMahieu writes "I noticed your post on metric time. I stumbled across this while looking for various computer timing related articles and found it pretty interesting. This might not be as popular as metric time, but it seems to make more sense. The whole system is based on time as a fraction of a day; it even has the scientific measurment on how to re-produce the time, as with any scientific measurement."
Yes, this is a possible. Just because you can doesn't mean you will. Anyone that attempts this "hack" will be busted ASAFP. This would require prior control over either the target computer (internal DNS cache or DNS setting) or the control over its DNS server. Either attack would be extremely difficult.
The first would require a previous hack into the Mac OS X machine. If you can do that, why go to the trouble of altering the DNS cache or DNS setting? With Mac OS X's BSD roots, its not too tuff to modify the system with root access. Pointless.
The second attack option would require you to break into a public DNS server, modify the tables, slip out and hope that your non-targets (huge numbers of Windows users) don't start complaining to the DNS admin about problems. This attack is a possibility but most likely will be noticed quickly.
This is not to excuse Apple but I think its nice that I can read in clear text with ettercap what is going on with my Mac OS X system when it contacts the "Reality Distortion Field" of the Internet. If I want to wear a tinfoil hat and put Tapioca pudding in a locked jar, I can always turn automatic Software Updates off and download the updates straight from the Apple web site.
However, it would be nice if Apple used some sort of the handshake to ensure the safety of the update. There is a myriad of options to choose from...all with benefits and deficits.
Strange women lying in ponds distributing swords is no basis for a system of government.
The fonts on the slashdot main page are extremely ugly, using Mozilla 1.0 on a Debian system. The fonts on the other slashdot pages, and on other websites, are not nearly so ugly (beyond how ugly all Unix fonts (except OS X) are). NONE of the options under the edit/preferences/appearance/fonts have any impact. Yes I am reloading the page each time. The letters are drawn screwed up, like a font that has been sized too small, except I need fonts about 20 pixels high before they actually look OK.
I haven't seen the bugtraq posting, but I've read the posting on Macslash, and nowhere does it make the claim that this attack has been proven to work. Instead, the claim is made that because Software Update uses port 80, the attack must be possible.
This is untrue. Yes, you can definitely spoof the DNS, if the circumstances are right, and the resolver doesn't support DNSSEC. I don't know if Apple's resolver supports DNSSEC. But practically every software update anybody ever downloads is downloaded in the clear over an unauthenticated connection to an FTP server or an HTTP server. This is not in itself a security hole.
The hole exists _only_ if there is no client-side authentication of what's been downloaded. The authentication needn't be done in-band - it's quite possible that the update client knows an Apple Software Update public key. The client should be doing an MD5 checksum across the entire binary and checking that against a published signature. Does the Apple Software Update client do that? I don't know. As far as I can tell, neither does the person who published this "exploit."
Until we know the answer to this question, saying that this is an exploit is kind of absurd, particularly because I don't know of _anybody_ who downloads software over HTTP+SSL. If Apple are bad guys because they don't use HTTP+SSL, so is everybody else, from Redhat to NetBSD to the ISC to HP.