Slashdot Mirror


User: ewanm89

ewanm89's activity in the archive.

Stories: 0 · Comments: 914

Comments · 914

  1. Re:changing passwords frequently makes no sense on Passwords That Are Simple — and Safe(?) · · Score: 1

    I think his point was the IT department is the police, and not judge and jury. Of course, they do more than just police the virtual world of cyberspace.

  2. Re:changing passwords frequently makes no sense on Passwords That Are Simple — and Safe(?) · · Score: 1

    Rotating passwords constantly, say, like RSA's authentication keyfobs, is really the only solution. Everyone gets a new password daily, but it's written down for them. They can't share it as it'll be useless the next day or next hour, or whatever. Same if anyone manages to remember it at a glance when the manager gets his keys out in the car park.

  3. Re:Simple on Passwords That Are Simple — and Safe(?) · · Score: 1

    Thermorectal cryptanalysis (so named after a Russian technique, I'll let you figure out the details) is the most guaranteed way to get passwords and encryption keys. Luckily this isn't often worth the time and effort, unless you are the KGB, that is.

  4. Re:deh. on Passwords That Are Simple — and Safe(?) · · Score: 1

    Dictionary attacking applications will often test joining of words in the dictionary these days. With and without punctuation in the middle. They'll also automatically look for common deliberate misspellings (swapping z and s for example) and automatic letter with numeral placement (3 and E).

  5. Re:deh. on Passwords That Are Simple — and Safe(?) · · Score: 1

    Usually, as these questions are only used if one has "forgotten their password", I prefer not to forget my password and give them the pleasure of being able to recover/reset it. So a nice random stammering on the keyboard for me. Even I can beat that one.

  6. Re:deh. on Passwords That Are Simple — and Safe(?) · · Score: 1

    That's where one uses other attacks to get the list of hashes... say a little SQL injection if possible.

  7. Re:Eventually they will be in dictionaries. on Passwords That Are Simple — and Safe(?) · · Score: 1

    Passwords can be attacked offline; all one needs is the hashes... Often that's another weak point to fix. This is more of a problem with a shared logon server of some kind, as that's a single point to attack to get passwords.

  8. Re:Thanks for the clarification Motorola, on Motorola Says eFuse Doesn't Permanently Brick Phones · · Score: 1

    Technically, as your employer uses that computer, it's your employer's choice what runs on it. But computers you own yourself are technically your choice.

  9. Re:Thanks for the clarification Motorola, on Motorola Says eFuse Doesn't Permanently Brick Phones · · Score: 1

    Yahoo, Bing, Ask... are all perfectly compatible alternatives. They all do pretty much the same thing and it's legal to choose between them. If I want to open this .wmv file, legally I cannot on Linux, god forbid if someone stuck M$ DRM on it too.

  10. Re:Thanks for the clarification Motorola, on Motorola Says eFuse Doesn't Permanently Brick Phones · · Score: 1

    Depends under what law; in the US, no, it's not illegal. Antitrust is the term used for it in the EU courts; Microsoft have been in such a case for years. And Google is under investigation. Someone should go after Apple too though.

  11. Re:Permanently brick sort of like permanently dead on Motorola Says eFuse Doesn't Permanently Brick Phones · · Score: 1

    So, swapping the CPU is a component that can't physically be swapped?

  12. Re:Permanently brick sort of like permanently dead on Motorola Says eFuse Doesn't Permanently Brick Phones · · Score: 1

    Technically there aren't many ways to be 100% dead. If we are allowing JTAG as not counting as dead, then I guess desoldering and replacing components means it's not bricked either. I think most would now agree we have gone too far.

  13. Re:Permanently brick sort of like permanently dead on Motorola Says eFuse Doesn't Permanently Brick Phones · · Score: 1

    You did break the seals on the screws and void the hardware warranty ;)

  14. Re:Permanently brick sort of like permanently dead on Motorola Says eFuse Doesn't Permanently Brick Phones · · Score: 1

    JTAG-only recovery is considered bricked, as technically one is hacking the hardware and pushing a new flash to the EEPROM straight down the chip pins. One can do this on all EEPROMs (how do you think they flash them in the factory?); however, the exact interface is device dependent. There are even differences in JTAG pin arrangements even if the data format is standardized.

  15. Re:Insulting? on Mozilla Bumps Security Bug Bounty To $3,000 · · Score: 1

    He still does (figuratively, anyway; it's now a hall of fame on his website). He did it for TeX too; the key is that his pricing scheme with TeX was such that the next bug would be exponentially more expensive, as that way, as there were fewer bugs left to find, he paid more for finding them. However, as TeX is now in several different implementations that aren't maintained by Knuth, he no longer needs to worry about the TeX ones.

  16. Re:Insulting? on Mozilla Bumps Security Bug Bounty To $3,000 · · Score: 1

    No, but they are more likely to let Mozilla know about the exploit than stick it into the black market; the fact that if they find something that gains access to Mozilla's employee database or some such they may still screw with it, that's something else entirely.

  17. Re:Insulting? on Mozilla Bumps Security Bug Bounty To $3,000 · · Score: 1

    No, someone else can weaponise it easily. Have you seen the way Metasploit works? It takes a little common exploit and a common payload and sticks them together into one weaponised exploit.

  18. Re:Insulting? on Mozilla Bumps Security Bug Bounty To $3,000 · · Score: 1

    If the source is available, they'll also read through it. It's quite possible that they'll notice something someone else didn't especially if 1) they didn't write the code and 2) they know the kinds of things they are looking for. When code is not available a common step is to disassemble the code and to start to reverse engineer it.

    Automatic fuzzers and exploit testers seldom provide results as 1) vendors can and generally do run such tests themselves and 2) they only test for the particular cases they are programmed to look for, not new slightly more obscure cases.

  19. Re:Insulting? on Mozilla Bumps Security Bug Bounty To $3,000 · · Score: 2, Informative

    Google bounty only applies to Chromium; Mozilla bounty applies to all beta, rc and stable releases of all products and services.

  20. Re:What's an "industry-recognized standard"? on Can We Legislate Past the H.264 Debate? · · Score: 1

    Not to mention, I can use the same phone anywhere in Europe (and the majority of the world). Same can't be said about the US.

  21. Re:Ubuntu on Critical Flaw Found In Virtually All AV Software · · Score: 1

    Linux also has ACLs if you want to turn them on and use them; SELinux and AppArmor take it a lot further by sandboxing. We are now in features Windows doesn't have without third party software.

  22. Re:Opera with or without ads? on Microsoft Giving Rival Browsers a Lift · · Score: 1

    Opera ditched the ads a couple of years ago now.

  23. Re:Headache? on Real-World Synthehol In Development · · Score: 1

    Sorry "World Health Organisation" it should read. Maybe I should have used the acronyms.

  24. Re:Headache? on Real-World Synthehol In Development · · Score: 1

    Because Paracetamol isn't just paracetamol; it's also called acetaminophen and on occasion Panadol. Technically the proper chemical name for it is N-acetyl-p-aminophenol so why not use any of those names instead?

    Paracetamol is the Official International Non-Proprietary name as given by the World Health Association (as it does for all pharmaceuticals) and is therefore perfectly valid in official international use from a pharmaceutical standpoint. The International Union for Pure and Applied Chemistry name (the official name used in chemistry, and generated according to specific rules) is N-(4-hydroxyphenyl)ethanamide and is considered the official chemical name for it.

    Anything with acet is the United States Adopted name and is not official in any way on the international scale, and goes back to a naming system that chemists threw out years ago with international standardization. A chemist would only use it as a name for acetone now, just because it's shorter than its actual chemical name and doesn't include the eth carbon grouping that all other acet did. It was confusing, and so acet was thrown out in favour of true systematic naming.

  25. Re:The hiss is where it hides on Can We Really Tell Lossless From MP3? · · Score: 2, Interesting

    No, it means a large number of people thought the MP3 is what it *should* sound like. Most people are used to crappy music encodes these days, so wouldn't realise higher quality encodes as it should sound like.

    Doesn't help that the DAC/ADC etc. are pretty poor in the common man's PC too, and the higher quality ones of those also have some awesome DSP that can help get over some of the deficiencies in the encoding. I wonder if that USB card they used allowed them to totally deactivate all DSP. My ASUS D2X allows me to do such, but most cards do not.

    If it was true that people just couldn't tell the difference, the results for choosing one over the other would be roughly equal.