Well, for most of these buffer overflow exploits, you can just send a really long string and watch your program core dump. There's no need to work out exactly how to turn that into an exploit, though people do have fun doing it, and they have a right to publish their findings. Maybe if the community didn't encourage it so much?
I'm glad to see internet battles being fought on internet terms. Technological problems need technological solutions (ie, MAPS RBL but NOT spam legislation). Now, it's up to you to decide whether file sharing / piracy is a "problem", but if they do try this, then it's likely that we will see improved technology to deal with it (freenet?).
By posting all these messages, you've revealed that you are probably trying to hide something. But that's precisely what steganography is supposed to avoid. Now you've raised the heat on yourself, and you might as well be sending encrypted messages (along with perhaps some random noise) in the clear.
I think it takes more than half a brain. Some of those statistical stega ("stego"?) detectors are pretty clever, and I would imagine that my first try would be caught. I think you'd need to at least sit down and do statistical analysis in order to write a successful tool.
Before you berate the clueless programmers, let's see your solution...
The "optional static typing" that lisp and scheme have are not the same as what you have in ML. One obvious difference is that the types are inferred in ML, so that you have to write down even less type information than, say, C. ML also has a more sophisticated type system than the annotations supported in some lisp and scheme implementations. (Recursive types come to mind.)
The "more powerful than them all" argument isn't very compelling. It would be nearly trivial to write a lisp interpreter in ML (modulo libraries). Does that mean that since Lisp "encompasses all languages", and lisp is easily implementable in ML, that ML is the clear winner? No, that's silly. Instead, it is the ease with which we can express clear and efficient programs that we should judge the power of a programming language.
I know a lot of big academic (erstwhile) lisp shops, such as CMU, have transitioned away from lisp to ML and relatives. Some of the reasons we might give are:
- Sophisticated type systems, catching most bugs before your program is run, ensuring safety, etc.
- Much more efficient (http://www.bagley.org/~doug/shootout/craps.shtml) , partly due to compilation strategies using types
- Increased modularity and abstraction
- Pattern matching, (subjectively) more natural syntax
In fact, I'm one of those people. I've been scoffed at by lisp fans, but most had never used ML. But I have an open mind, so, in the face of more "modern" languages, what advantages do lisp and scheme offer? Do you think that these advantages are fundamentally impossible to achieve in a typed setting?
Good luck. Let's use 128 bit keys. That's only 16 bytes, so it's practically nothing to transfer.
There are 2^128 possible keys.
Let's say you could have your client send one billion packets per second, and that you had a million clients. That's about 2^20 * 2^30 = 2^50 keys per second. Now, let's run that for a billion seconds (32 years). You've tried 2^80 keys. That is only 1/281,474,976,710,656 of the total keyspace.
How could you expect to get random collisions with such odds?
Look, it says right in my post that I don't like the idea of DRM. I also hint that I don't think it's feasible. Why are you attacking me like I'm a proponent? The poster of this story asked for ways that DRM could be used to benefit the consumer. I think this is a legitimate one.
The people who are saying that DRM could "obviously" never work for this are also not thinking very hard. What if:
I send the various bits of my information to buy.com, encrypted in such a way that they cannot read it. However, they CAN send the data to the post office / UPS (for shipping), my credit card company (for billing), etc.
Maybe:
I encrypt a random number, buy.com's unique ID, and my postal address with the post office's public key. I send this to Amazon.
Amazon can now verify with the post office that this is a real address, and ask the post office to ship a package to me, without them ever knowing what my address actually is. The post office will reject the message if it says buy.com inside but comes from amazon, which prevents anyone who steals this information from using it. The post office might use the random number to reject future uses by amazon, so that they can only send me that first package and nothing ever again.
Now, I'm not saying that's feasible or foolproof. But at least it has no deficiencies as obvious as "they could just write it down". Some DRM is more clever than you think.
One thing DRM might do is enable me to share my personal information privately with one entity, without fear that the entity could share it with others. (That is, if DRM could work.)
That might be good, but I'm much happier with the world we live in now!
I think this is a troll, but I think I should at least be a voice of dissent...
Lots of people, including me, work on software or do research for free, and don't mind when companies profit from our code or ideas. Mainly, this is because we believe that there is a great deal more work necessary to turn code or research into a product, and that work is primarily very tedious. I like the idea of a company using my code (I don't know of any who do, but I would) because they do work that otherwise wouldn't get done.
Second, I actually think the Windows UI is pretty good. More importantly, it is standard, which means that I can use KDE without reading any documentation. Regardless of how it might revolutionize the world (I don't think it would; the UI is pretty superficial and pretty subjective), new users are not going to switch to linux if they have to learn a lot just to use the UI.
So, I'm not saying that your opinion is wrong, but that asserting it as an "obvious" truth is.
Regardless of whether I support bombings or not, I don't understand why it is important for me to "support" my country. Why does it need my support?
I think what we need are a lot of smart people thinking about things. Why should we put our views on hold and agree with the government's rhetoric? We shouldn't be actively trying to thwart the war effort, but making our ideas known is important. Diversity of opinion is what keeps the government in check.
I said it's time to move on from C *and* C++, not from C *to* C++.;) I agree with you, C++ is an absolute horrorshow.
I don't think Java is the best choice out there, but it is orders of magnitude better than C++. (As for speed, see http://www.bagley.org/~doug/shootout/craps.shtml) It may not actually be as fast as C++ or C, but I say that's fast enough.
OK, that's fair -- I suppose the corporate machine is typically slower at responding to a bug than the free software community. (Though, if you read bugtraq, you'll know that there have frequently been cases of much longer delays in commercial and free software alike!)
However, I think a better metric than how quickly things are patched is the number of holes in the default install. Most users don't install patches, anyway, so this is what really matters for them.
I know it's popular to bash Powerpoint, but I have to say that's one product without any acceptable replacements on the linux side. ("Impress" does not.;)) Have you just never given any presentations that you needed to develop rapidly, or do you have some secret?
Not to burst your bubble, but don't forget that Redhat (and many other linux distributions) install with numerous remote root holes. The solution problem is not germane to Microsoft. (You might successfully argue it is a result of poor administration, though.)
What makes us think that Open Office and Star Office are immune from similar attacks, or things like buffer overflows?
I like free software, but I think it's just urban legend that software not written by microsoft is somehow magically secure. (Witness: BIND, wu_ftpd, sendmail, rpc.*, etc...)
It's time to move on from C and C++. (Take a look at the sans top 20 list of exploits, and tell me how many of those items would be there if we used modern, safe languages!) Security, portability, and code reuse are vital for building robust large systems. Please, no more C compilers, and no more C!
YES, please: more ways to browse with the keyboard
on
Mouse Gestures in Mozilla
·
· Score: 3, Interesting
This is a fun feature, and I'm sure people will get a kick out of it. But gestures don't seem like a good "expert" way to browse -- the keyboard offers faster, more accurate input. And you are absolutely right about the RSI: since I started using my keyboard for almost everything (except web browsing, ah..) my wrist problems have gotten much better.
What I'd really like to see is more ways to browse with the keyboard. I don't have any ideas in particular (being able to use the arrows to move around in a spatial way instead of tabbing through links in order would be a plus), but I would definitely learn and use any system that's better than what I've got now.
It's too bad misguided people somehow think that C is a good language to write security-critical network apps in. In fact, it's very nearly the worst language to write such apps in.
The fact of being automatically buffer-overflow free alone should make people drool over the prospect of using a high-level, safe language. Not to mention better productivity, code reuse, and even sometimes performance.
What mindset drives this crazy practice?
Re:ok, make your case objectively?
on
VIM 6.0 is Out
·
· Score: 2
I dunno, it's pretty nice to use in NTemacs to edit files on a unix machine. I use it a lot. I would like to see scp-mode, though...
Re:ok, make your case objectively?
on
VIM 6.0 is Out
·
· Score: 2
It is a big deal. But my computer is really fast, emacs loads in less than a second, and I can use gnuclient if I really need that extra speed. (Anyway, you can just leave emacs open, even using it as a shell...)
But otherwise, emacs seems more powerful. Nobody can come up with features of vi which aren't in emacs?
Slashdot Mirror
Well, for most of these buffer overflow exploits, you can just send a really long string and watch your program core dump. There's no need to work out exactly how to turn that into an exploit, though people do have fun doing it, and they have a right to publish their findings. Maybe if the community didn't encourage it so much?
I'm glad to see internet battles being fought on internet terms. Technological problems need technological solutions (ie, MAPS RBL but NOT spam legislation). Now, it's up to you to decide whether file sharing / piracy is a "problem", but if they do try this, then it's likely that we will see improved technology to deal with it (freenet?).
Bring it on, I say!
By posting all these messages, you've revealed that you are probably trying to hide something. But that's precisely what steganography is supposed to avoid. Now you've raised the heat on yourself, and you might as well be sending encrypted messages (along with perhaps some random noise) in the clear.
I agree. I've lost lots of Maxtor and WD drives at home and at work.
I am liking the Seagate 30.6 gig Barracuda II drives now, but who knows...
I think it takes more than half a brain. Some of those statistical stega ("stego"?) detectors are pretty clever, and I would imagine that my first try would be caught. I think you'd need to at least sit down and do statistical analysis in order to write a successful tool.
Before you berate the clueless programmers, let's see your solution...
x86 machine code?
The "optional static typing" that lisp and scheme have are not the same as what you have in ML. One obvious difference is that the types are inferred in ML, so that you have to write down even less type information than, say, C. ML also has a more sophisticated type system than the annotations supported in some lisp and scheme implementations. (Recursive types come to mind.)
The "more powerful than them all" argument isn't very compelling. It would be nearly trivial to write a lisp interpreter in ML (modulo libraries). Does that mean that since Lisp "encompasses all languages", and lisp is easily implementable in ML, that ML is the clear winner? No, that's silly. Instead, it is the ease with which we can express clear and efficient programs that we should judge the power of a programming language.
Funny, but the award was for techno-entrepreneurial achievement in social/economic well-being.
I know a lot of big academic (erstwhile) lisp shops, such as CMU, have transitioned away from lisp to ML and relatives. Some of the reasons we might give are:
- Sophisticated type systems, catching most bugs before your program is run, ensuring safety, etc.) , partly due to compilation strategies using types
- Much more efficient (http://www.bagley.org/~doug/shootout/craps.shtml
- Increased modularity and abstraction
- Pattern matching, (subjectively) more natural syntax
In fact, I'm one of those people. I've been scoffed at by lisp fans, but most had never used ML. But I have an open mind, so, in the face of more "modern" languages, what advantages do lisp and scheme offer? Do you think that these advantages are fundamentally impossible to achieve in a typed setting?
Good luck. Let's use 128 bit keys. That's only 16 bytes, so it's practically nothing to transfer.
There are 2^128 possible keys.
Let's say you could have your client send one billion packets per second, and that you had a million clients. That's about 2^20 * 2^30 = 2^50 keys per second. Now, let's run that for a billion seconds (32 years). You've tried 2^80 keys. That is only 1/281,474,976,710,656 of the total keyspace.
How could you expect to get random collisions with such odds?
Look, it says right in my post that I don't like the idea of DRM. I also hint that I don't think it's feasible. Why are you attacking me like I'm a proponent? The poster of this story asked for ways that DRM could be used to benefit the consumer. I think this is a legitimate one.
The people who are saying that DRM could "obviously" never work for this are also not thinking very hard. What if:
I send the various bits of my information to buy.com, encrypted in such a way that they cannot read it. However, they CAN send the data to the post office / UPS (for shipping), my credit card company (for billing), etc.
Maybe:
I encrypt a random number, buy.com's unique ID, and my postal address with the post office's public key. I send this to Amazon.
Amazon can now verify with the post office that this is a real address, and ask the post office to ship a package to me, without them ever knowing what my address actually is. The post office will reject the message if it says buy.com inside but comes from amazon, which prevents anyone who steals this information from using it. The post office might use the random number to reject future uses by amazon, so that they can only send me that first package and nothing ever again.
Now, I'm not saying that's feasible or foolproof. But at least it has no deficiencies as obvious as "they could just write it down". Some DRM is more clever than you think.
One thing DRM might do is enable me to share my personal information privately with one entity, without fear that the entity could share it with others. (That is, if DRM could work.)
That might be good, but I'm much happier with the world we live in now!
I think this is a troll, but I think I should at least be a voice of dissent...
Lots of people, including me, work on software or do research for free, and don't mind when companies profit from our code or ideas. Mainly, this is because we believe that there is a great deal more work necessary to turn code or research into a product, and that work is primarily very tedious. I like the idea of a company using my code (I don't know of any who do, but I would) because they do work that otherwise wouldn't get done.
Second, I actually think the Windows UI is pretty good. More importantly, it is standard, which means that I can use KDE without reading any documentation. Regardless of how it might revolutionize the world (I don't think it would; the UI is pretty superficial and pretty subjective), new users are not going to switch to linux if they have to learn a lot just to use the UI.
So, I'm not saying that your opinion is wrong, but that asserting it as an "obvious" truth is.
Regardless of whether I support bombings or not, I don't understand why it is important for me to "support" my country. Why does it need my support?
I think what we need are a lot of smart people thinking about things. Why should we put our views on hold and agree with the government's rhetoric? We shouldn't be actively trying to thwart the war effort, but making our ideas known is important. Diversity of opinion is what keeps the government in check.
I said it's time to move on from C *and* C++, not from C *to* C++.
I don't think Java is the best choice out there, but it is orders of magnitude better than C++. (As for speed, see http://www.bagley.org/~doug/shootout/craps.shtml) It may not actually be as fast as C++ or C, but I say that's fast enough.
OK, that's fair -- I suppose the corporate machine is typically slower at responding to a bug than the free software community. (Though, if you read bugtraq, you'll know that there have frequently been cases of much longer delays in commercial and free software alike!)
However, I think a better metric than how quickly things are patched is the number of holes in the default install. Most users don't install patches, anyway, so this is what really matters for them.
I know it's popular to bash Powerpoint, but I have to say that's one product without any acceptable replacements on the linux side. ("Impress" does not.
Not to burst your bubble, but don't forget that Redhat (and many other linux distributions) install with numerous remote root holes. The solution problem is not germane to Microsoft. (You might successfully argue it is a result of poor administration, though.)
What makes us think that Open Office and Star Office are immune from similar attacks, or things like buffer overflows?
I like free software, but I think it's just urban legend that software not written by microsoft is somehow magically secure. (Witness: BIND, wu_ftpd, sendmail, rpc.*, etc...)
It's time to move on from C and C++. (Take a look at the sans top 20 list of exploits, and tell me how many of those items would be there if we used modern, safe languages!) Security, portability, and code reuse are vital for building robust large systems. Please, no more C compilers, and no more C!
This is a fun feature, and I'm sure people will get a kick out of it. But gestures don't seem like a good "expert" way to browse -- the keyboard offers faster, more accurate input. And you are absolutely right about the RSI: since I started using my keyboard for almost everything (except web browsing, ah..) my wrist problems have gotten much better.
What I'd really like to see is more ways to browse with the keyboard. I don't have any ideas in particular (being able to use the arrows to move around in a spatial way instead of tabbing through links in order would be a plus), but I would definitely learn and use any system that's better than what I've got now.
Everybody knows that water conducts electricity very well, crazy man!
You should use something less conductive, like isopropyl alcohol or gasoline.
It's too bad misguided people somehow think that C is a good language to write security-critical network apps in. In fact, it's very nearly the worst language to write such apps in.
The fact of being automatically buffer-overflow free alone should make people drool over the prospect of using a high-level, safe language. Not to mention better productivity, code reuse, and even sometimes performance.
What mindset drives this crazy practice?
I dunno, it's pretty nice to use in NTemacs to edit files on a unix machine. I use it a lot. I would like to see scp-mode, though...
It is a big deal. But my computer is really fast, emacs loads in less than a second, and I can use gnuclient if I really need that extra speed. (Anyway, you can just leave emacs open, even using it as a shell...)
But otherwise, emacs seems more powerful. Nobody can come up with features of vi which aren't in emacs?