Just wanted to congratulate the poster on putting a link to a coral cache instead of hammering some poor undercapable web server into the ground. Kudos to you poster!
There was a company advertising information destruction services. They had degaussing devices, and an even better option. Tom's Hardware did a story on the RSA conference and took some pictures, which you can see here: http://www.tomshardware.com/business/20050219/rsa_ conference-06.html#sem_destruction_guaranteed. If anything can do what you want, I'm guessing the hard drive shredder that they offer is just the thing.
Oh wait, you said headmouse not headcrab. My mistake...
not that useful yet...
on
SHA-1 Broken
·
· Score: 2, Interesting
I think it is important to note that (from what I've heard, I haven't seen the paper either...) this collision attack is not very "real world" useful. Their attack is focused on taking a certain number of operations to come up with two hunks of data that result in the same hash.
In my opinion, a "real world" attack would be one which given a blob which has already been hashed, would come up with another blob which results in the same hash. To my knowledge, nobody has any useful attacks in that direction yet, although some would argue based upon this research that it may just be a matter of time.
Then we of course need to get into whether that is really useful either. If I find out that
"I agree to purchase 100 units for $500"
and
"*(\D$Hw&72d98a %93di(hd eLKH%ap$#"
results in the same hash, how helpful is that to me? How is a lawyer is going to prove to a jury that I may have actually signed the garbage instead of the purchase agreement? So, there is even more work to be done to make it a useful real world attack, wherein you might take the original signed text (modified for your evil purposes), append a null character, and then add garbage until the hashes are equal--and hope the UI was poorly written and just displays up to the first null.
One feature that has been missing in Thunderbird and makes it less useful for me is the ability to sort by a text field (such as Sender or Subject) and then type something in, and have it scroll to the first matching message which starts with that. It's really handy.
To be fair, if you installed unpatched original Windows XP on a machine with no firewall, you would also be subject to many worms, exploits, etc. XP has vulnerabilities too. Fewer vulnerabilities than Windows 98, yes, but it only takes one...
Just so you know, the study was conducted by Pointsec, who make a fair bit of money selling software which encrypts the entire hard drive. So, it wasn't exactly an impartial study!
Winzip 9 does not have FIPS 140 validation. If it did, it would be on this list.
FIPS validation is intended to ensure the cryptographic mechanisms, including key management, are done properly. Validation doesn't stop every poor implementation, but it is a start.
There are validation programs in which third party laboratories test and inspect systems related to computer security. Probably the most well known of these is the FIPS 140 program, run by NIST and recognized by the US and Canada. A friendlier description is in this FAQ.
Another international validation program is the Common Criteria program. This provides an internationally accepted set of IT security requirements, policies, and procedures for testing.
Use validated software. Buy validated software. Looking at software that isn't validated? Encourage them to look into the validation process. The US government can no longer purchase cryptographic modules that are not FIPS 140 validated. Put similar rules in place at your organization.
Speaking as an employer, I will say that your pay will depend on the location of the business. Certain areas are more expensive to live than others, and jobs in those areas will usually pay better. Since the cost of living is higher, you may or may not actually end up with more money in your pocket at the end of the month...
You missed my point! How can you then call the review "next generation"? He reviews beta versions of other software, but why not of Outlook?
Outlook 2003 has some of the features that are in the other "next generation" clients which are not in Outlook 2002, including virtual folders, bayesian spam filtering to name a few. By leaving these to a mere mention in the FAQ, the author reveals his bias against software you have to pay for.
And the complaint about how expensive it is, and hard to upgrade, is just not true. You can get Outlook 2003 for less than $100.
This is not a "next-generation" email client review if it does not include Microsoft Outlook 2003. Outlook 2003 boasts a great number of features and usability enhancements over Outlook 2002/XP. By including an older version of Outlook the author is skewing the comparison significantly!
Feel free to mod me down as a troll, but the author isn't being honest with the community. Open-source folks will be better off knowing what's in the current version of commercial products, not the older versions.
I'm pretty sure that I saw these Windows being demonstrated at the Imaginarium in Epcot Center in 1997. It might have been as early as 1993 even. They had a little room set up with them, flip a switch and all of a sudden you couldn't seen out of the windows. Pretty cool. The LCD monitor technology was not included, but I remember that LCDs were what made it work...
If you're getting one for free, take what you can get... but if you are buying a drive, dual-format drives are the way to go. For an extra couple bucks, you get the ability to read/write DVD-R, DVD+R, DVD-RW, DVD+RW, and CDR/CDRWs... You can't go wrong. If +R wins in the long run, there will just be less -R media available for purchase...
According to their Balance sheet here (http://finance.yahoo.com/q/bs?s=MSFT) it seems they have roughly $50 billion in cash and short term investments. I'd say yes, they can last.
Is that really the case? Are there really that many more vulnerabilities in MS operating systems than any other?
Or, is it just that since there are so many machines running Microsoft OS's, it is just easier to find and exploit these bugs?
I have yet to be convinced that the open source model truly leads to fewer bugs and vulnerabilities. Yes, more eyes can see the code, but still these many pairs of eyes miss things. Look at sendmail for crying out loud.
Slashdot Mirror
Just wanted to congratulate the poster on putting a link to a coral cache instead of hammering some poor undercapable web server into the ground. Kudos to you poster!
I could have sworn the link in my RSS reader said "Remote-Controlled Files". I was wondering what doofus had accepted a story about FTP.
There was a company advertising information destruction services. They had degaussing devices, and an even better option. Tom's Hardware did a story on the RSA conference and took some pictures, which you can see here: http://www.tomshardware.com/business/20050219/rsa_ conference-06.html#sem_destruction_guaranteed. If anything can do what you want, I'm guessing the hard drive shredder that they offer is just the thing.
Of course, how are you going to install the driver if your mouse is shaking all over the place? :)
Oh wait, you said headmouse not headcrab. My mistake...
In my opinion, a "real world" attack would be one which given a blob which has already been hashed, would come up with another blob which results in the same hash. To my knowledge, nobody has any useful attacks in that direction yet, although some would argue based upon this research that it may just be a matter of time.
Then we of course need to get into whether that is really useful either. If I find out that and results in the same hash, how helpful is that to me? How is a lawyer is going to prove to a jury that I may have actually signed the garbage instead of the purchase agreement? So, there is even more work to be done to make it a useful real world attack, wherein you might take the original signed text (modified for your evil purposes), append a null character, and then add garbage until the hashes are equal--and hope the UI was poorly written and just displays up to the first null.
Perhaps it is another case of the dreaded tin whisker phenomenon?
Rick Brew has posted a copy of the installer on his blog. Download it from http://blogs.msdn.com/rickbrew/.
One feature that has been missing in Thunderbird and makes it less useful for me is the ability to sort by a text field (such as Sender or Subject) and then type something in, and have it scroll to the first matching message which starts with that. It's really handy.
does 0.9 have it? Will a future release?
To be fair, if you installed unpatched original Windows XP on a machine with no firewall, you would also be subject to many worms, exploits, etc. XP has vulnerabilities too. Fewer vulnerabilities than Windows 98, yes, but it only takes one...
Just so you know, the study was conducted by Pointsec, who make a fair bit of money selling software which encrypts the entire hard drive. So, it wasn't exactly an impartial study!
Winzip 9 does not have FIPS 140 validation. If it did, it would be on this list.
FIPS validation is intended to ensure the cryptographic mechanisms, including key management, are done properly. Validation doesn't stop every poor implementation, but it is a start.
There are validation programs in which third party laboratories test and inspect systems related to computer security. Probably the most well known of these is the FIPS 140 program, run by NIST and recognized by the US and Canada. A friendlier description is in this FAQ.
Another international validation program is the Common Criteria program. This provides an internationally accepted set of IT security requirements, policies, and procedures for testing.
Use validated software. Buy validated software. Looking at software that isn't validated? Encourage them to look into the validation process. The US government can no longer purchase cryptographic modules that are not FIPS 140 validated. Put similar rules in place at your organization.
Speaking as an employer, I will say that your pay will depend on the location of the business. Certain areas are more expensive to live than others, and jobs in those areas will usually pay better. Since the cost of living is higher, you may or may not actually end up with more money in your pocket at the end of the month...
Oh, and waaah, I want my karma back! I'm marked as redundant except for the fact that mine was one of the first posts. Lame!
You missed my point! How can you then call the review "next generation"? He reviews beta versions of other software, but why not of Outlook?
Outlook 2003 has some of the features that are in the other "next generation" clients which are not in Outlook 2002, including virtual folders, bayesian spam filtering to name a few. By leaving these to a mere mention in the FAQ, the author reveals his bias against software you have to pay for.
And the complaint about how expensive it is, and hard to upgrade, is just not true. You can get Outlook 2003 for less than $100.
This is not a "next-generation" email client review if it does not include Microsoft Outlook 2003. Outlook 2003 boasts a great number of features and usability enhancements over Outlook 2002/XP. By including an older version of Outlook the author is skewing the comparison significantly!
Feel free to mod me down as a troll, but the author isn't being honest with the community. Open-source folks will be better off knowing what's in the current version of commercial products, not the older versions.
With Wal-Mart hocking $200 PCs with Lindows Pre-installed you have to wonder if it might actually be the fastest growing...
I'm pretty sure that I saw these Windows being demonstrated at the Imaginarium in Epcot Center in 1997. It might have been as early as 1993 even. They had a little room set up with them, flip a switch and all of a sudden you couldn't seen out of the windows. Pretty cool. The LCD monitor technology was not included, but I remember that LCDs were what made it work...
If you're getting one for free, take what you can get... but if you are buying a drive, dual-format drives are the way to go. For an extra couple bucks, you get the ability to read/write DVD-R, DVD+R, DVD-RW, DVD+RW, and CDR/CDRWs... You can't go wrong. If +R wins in the long run, there will just be less -R media available for purchase...
I disagree - Neo isn't dead at the end... Why do you think we could see the machine city through his funky golden-light-vision? He was playing dead.
Of course that crucifixion-like pose he had while laying on his back may lead you to believe otherwise.
According to their Balance sheet here (http://finance.yahoo.com/q/bs?s=MSFT) it seems they have roughly $50 billion in cash and short term investments. I'd say yes, they can last.
It is being Geocached!
Is that really the case? Are there really that many more vulnerabilities in MS operating systems than any other?
Or, is it just that since there are so many machines running Microsoft OS's, it is just easier to find and exploit these bugs?
I have yet to be convinced that the open source model truly leads to fewer bugs and vulnerabilities. Yes, more eyes can see the code, but still these many pairs of eyes miss things. Look at sendmail for crying out loud.
O.J. is INNOCENT! It was my.... uhh.... other DNA...