I'm not sure how you can call a box "virtually impossible to root" when they aren't using shadow passwords, and thus one could run crack on their root account.
Hell, you could run it on their boxes. Since the file is world-readable, it's probably not even illegal to do so; only illegal to use the root password once you find it.
Let me guess; you typed "startx" or something similar and accidently fired up X on their local console?
I used to have to lock boxes down to avoid that in the ISP biz; ticked me off that I had to waste the time. Then the customers would bitch when "startx" wasn't available, like that was a bad thing.
Export your freakin' display and run xterm, guys; you're not at the console.
I don't think anybody was seriously suggesting hacking these boxes ought to be done.
I, for one, was intending to complain about the lack of security (which isn't a total lack, but they're leaving out some elementary precautions) precisely BECAUSE I don't want to see some pack of script kiddies screw up a cool deal like this.
Every time I think about that little chip company that could and how much Intel has hurt them it just makes me sick!
Oh, give me a break. Can we please forget this "little chip company that could" crap?
AMD is a multi-billion dollar company (their stock is at a year-long low right now, and they STILL have over 2.75 billion in market capitalization) with a history of:
1) Filing lawsuits against other chipmakers, some of which have been regarded as frivolous by some analysts.
2) Getting lawsuits filed against them, some of which alledge infringement of other people's patents.
Look, I like AMD as much as the next guy, every single one of my home office PCs uses an AMD chip, and I'll probably buy a laptop with an AMD chip soon.
But I'm not doing it because they're some kind of Saint Chipmaker swooping in to save the industry from the evil Intel. Let's get a little perspective here, folks.
Easy, for RC5; you log what you sent to whom, and when some doofus claims the prize you demonstrate that you sent that block out to him.
Then RC5 either gives Distributed the money and blows off the dork, or Distributed sues the dork.
Now, how this can apply to SETI, I don't know; unless the doofus tries to sell his data to the Weekly World News or something, you won't detect it.
Of course, it'll be awfully hard to convince the WWN that you picked this signal up on your Bose Waveradio, and SETI just "missed it" with the big dish.
Also, there's always the fact that they can send the blocks out twice or more. It's not like there's a time limit here, a couple years difference either way in discovering alien life in the near neighborhood isn't a big deal.
"Damn, their sun went nova. If only we had known they existed six months earlier; it'd have only been 49.5 years after their sun blew up, instead of 50."
While the orthodox conclusion is that oil is decomposed creatures, there is a considerably body of opinion to the contrary, which also claims that there's a hell of a lot more of it than we think there is.
If this story were really about oil on Titan, it would support that view.
Sadly, as you seem to have missed, the story isn't about oil on Titan; the poster just made an unwarranted assumption.
but - Making an opensource program will allow you to find problems. Assume the new client will send in a false signal as a mistake if it was true, what would you do about that it nobody find it in the code? What if someone finds quicker algorithms? think about it.
Why don't you people get your facts straight before you spew this drivel?
For the record, they HAVE "thought about it".
The parts of the code that crack blocks *ARE* Open; you can download them from the distributed.net web site, using the URL given in the message TO WHICH YOU WERE REPLYING.
The closed parts are mostly the key exchange bits, and the disk buffer bits.
Nobody at distributed thinks this will prevent abuse; it simply cuts down on the NUMBER of abused blocks.
If the entire client was Open, any jackass with a C compiler and a copy of "Teach Yourself C in 53 nanoseconds" could intercept the good key or churn out crapola.
With parts of the client closed, only the folks who care to take the time to disassemble and reverse engineer can abuse the system. It's not all that hard, but a much lower number of people will bother to do it.
With the actual RC5 code Open, which it is, the off chance that somebody will find a faster way is accounted for.
Get this through your head; THERE ARE SITUATIONS WHERE CLOSED SOURCE MAKES SENSE. Not many, but they exist. Read Eric Raymond's articles some time for examples.
Just because you're using DHCP doesn't mean you're not using static IPs.
DHCP can be used to assign static IPs. Doing so also has the advantage that it forces you to keep track of which machine has what MAC address.
BTW, in response to the person who said that rebooting didn't necessarily mean you sent a new DHCP request; only if your OS is broke, bucko.
DHCP has security problems, but they're a non-issue since they're not anywhere close to the worst holes you're going to have in any TCP/IP installation. At least with DHCP-assigned static IPs you've got:
1) A correlation between MAC and IP in a handy database.
2) A user calling you bitching about his machine not working if somebody tries to pirate his IP by pirating his MAC.
Gotta wonder, though, about how the day care providers feel about it. I mentioned the idea of this to the guy who runs my kids' daycare, and he felt the employees wouldn't like feeling watched all the time.
That's ok, the new employees who replace them won't mind it.
Two children just died in Memphis in seperate daycares on the same day because a single person was tasked with monitoring too many children.
Any thinking parent would welcome this opportunity to monitor the kids. After all, it's your responsibility, not the daycare's. They're YOUR employee, and they're YOUR kids.
I suspect that those who are objecting here (as if the kids aren't being monitored anyway, by authority figures you're paying to do it) don't have kids, and are mostly kids themselves. Naughty ones, at that.
BTW; if you're planning to spend the significant ongoing cash costs of maintaining password security on this, you might as well do it right and use the Axis camservers. It makes no sense to kludge together a ricketty solution that's breaking all the time and requiring intervention, and then add passwords so you can be taking tech support phone calls from morons too.
Oh, it is also illegal to ship anything via FedEX unless it absolutely possitively has to be there overnight. If you ship a regular letter or anything else that isn't time critical via FedEX or UPS, you are commiting a federal offense.
I'd love to see them try to enforce that one. Maybe I'll challenge it.
I think that one's obvious, especially considering the fact that Darth Vader calls him "master". Always there are two; no more, no less.
Re: Darth Maul
Oh, gimme a break; he was cut in half and dropped down a 1/3 scale model of a bottomless pit. It'd be more realistic for Jar-Jar Binks to become a Jedi Master than for Maul to come back.
Re: Next Apprentice. Good question. Jet Li would be nice.
Re: Anakin's turn to the dark side
Terry Brooks pretty much gives it away in the novel.
The other day I sent a letter from Florida to California.
It took exactly 45 days.
You'll easily spend more than $8 of your time explaining to a customer why his free CD hasn't arrived at all ever. Plus it'll cost you more than 80 cents to collect the 80 cents from him.
If they shipped via USPS, they'd probably still have to charge at least $5 for the handling and the cost to collect the shipping fee.
This scheme is a total win for most game players. Most of you (I don't rent games) play these games for many days at a stretch, or rent the same old games over and over.
If you are going to fool yourself into thinking it's cheaper to rent (and for a lot of folks it isn't, you can buy used games cheap), you'll save money this way presumably.
The people it won't work for are those who rent a game once, play it for a couple of days, and then return it and never rent it again. If they don't like this model, they're free to not rent the stuff from Blockbuster.
I hate Blockbuster because their video rental model isn't a good fit for me (I'd rather pay less and keep the movie for one day), and because they tend to do stupid shit like carry "Eating Pattern" and "Gigashadow" but not "I Worship His Shadow" and "Tales from a Parallel Universe". Anime fans will tell similar stories, and Blockbuster seems completely unable to get their minds around the concept that people won't rent the last or middle part of a series without seeing the beginning or end.
However, this rental model is not like the bad part of Divx, which is the hardware change that locks you into this model whether it works for you or not.
This bitching wouldn't be happening if somebody hadn't put "Divx" in the original post.
Slashdot Mirror
I'm not sure how you can call a box "virtually impossible to root" when they aren't using shadow passwords, and thus one could run crack on their root account.
Hell, you could run it on their boxes. Since the file is world-readable, it's probably not even illegal to do so; only illegal to use the root password once you find it.
Let me guess; you typed "startx" or something similar and accidently fired up X on their local console?
I used to have to lock boxes down to avoid that in the ISP biz; ticked me off that I had to waste the time. Then the customers would bitch when "startx" wasn't available, like that was a bad thing.
Export your freakin' display and run xterm, guys; you're not at the console.
What the hell is wrong with you?
I don't think anybody was seriously suggesting hacking these boxes ought to be done.
I, for one, was intending to complain about the lack of security (which isn't a total lack, but they're leaving out some elementary precautions) precisely BECAUSE I don't want to see some pack of script kiddies screw up a cool deal like this.
Hell, they don't even use shadow passwords.
They've got some auditing going on, but if some doofus wanted to crack them it wouldn't be hard.
*I* wouldn't touch it with a ten foot pole, but there are lots of folks who would.
Every time I think about that little chip company that could and how much Intel has hurt them it just makes me sick!
Oh, give me a break. Can we please forget this "little chip company that could" crap?
AMD is a multi-billion dollar company (their stock is at a year-long low right now, and they STILL have over 2.75 billion in market capitalization) with a history of:
1) Filing lawsuits against other chipmakers, some of which have been regarded as frivolous by some analysts.
2) Getting lawsuits filed against them, some of which alledge infringement of other people's patents.
Look, I like AMD as much as the next guy, every single one of my home office PCs uses an AMD chip, and I'll probably buy a laptop with an AMD chip soon.
But I'm not doing it because they're some kind of Saint Chipmaker swooping in to save the industry from the evil Intel. Let's get a little perspective here, folks.
So can a $30 refurb Connectix B/W Quickcam, if you
do a little surgery on it.
I happen to like that "horrible" CCG. It's the only CCG I do like.
Yeah, and, if God had meant for Man to fly, we'd have been born with wings.
Who let the Luddites onto the 'net, Taco?
"grammar"
You do realize that it's impossible to write a post criticizing someone else's use of language without misusing language yourself, right?
This from somebody who pronounces "aluminum" with two "i"s and 5 syllables. :-)
I completely agree. The Orlando, FL LUG recently split into two parts, but you don't see me whining about it on /.
Join the one you like, start a new one, or shut the eff up. Linux goes on.
Easy, for RC5; you log what you sent to whom, and when some doofus claims the prize you demonstrate that you sent that block out to him.
Then RC5 either gives Distributed the money and blows off the dork, or Distributed sues the dork.
Now, how this can apply to SETI, I don't know; unless the doofus tries to sell his data to the Weekly World News or something, you won't detect it.
Of course, it'll be awfully hard to convince the WWN that you picked this signal up on your Bose Waveradio, and SETI just "missed it" with the big dish.
Also, there's always the fact that they can send the blocks out twice or more. It's not like there's a time limit here, a couple years difference either way in discovering alien life in the near neighborhood isn't a big deal.
"Damn, their sun went nova. If only we had known they existed six months earlier; it'd have only been 49.5 years after their sun blew up, instead of 50."
While the orthodox conclusion is that oil is decomposed creatures, there is a considerably body of opinion to the contrary, which also claims that there's a hell of a lot more of it than we think there is.
If this story were really about oil on Titan, it would support that view.
Sadly, as you seem to have missed, the story isn't about oil on Titan; the poster just made an unwarranted assumption.
There's an SVGALIB-based Linux version being slowly cobbled together. Look around Freshmeat and you'll find it.
but - Making an opensource program will allow you to find problems. Assume the new client will send in a false signal as a mistake if it was true, what would you do about that it nobody find it in the code? What if someone finds quicker algorithms? think about it.
Why don't you people get your facts straight before you spew this drivel?
For the record, they HAVE "thought about it".
The parts of the code that crack blocks *ARE* Open; you can download them from the distributed.net web site, using the URL given in the message TO WHICH YOU WERE REPLYING.
The closed parts are mostly the key exchange bits, and the disk buffer bits.
Nobody at distributed thinks this will prevent abuse; it simply cuts down on the NUMBER of abused blocks.
If the entire client was Open, any jackass with a C compiler and a copy of "Teach Yourself C in 53 nanoseconds" could intercept the good key or churn out crapola.
With parts of the client closed, only the folks who care to take the time to disassemble and reverse engineer can abuse the system. It's not all that hard, but a much lower number of people will bother to do it.
With the actual RC5 code Open, which it is, the off chance that somebody will find a faster way is accounted for.
Get this through your head; THERE ARE SITUATIONS WHERE CLOSED SOURCE MAKES SENSE. Not many, but they exist. Read Eric Raymond's articles some time for examples.
Just because you're using DHCP doesn't mean you're not using static IPs.
DHCP can be used to assign static IPs. Doing so also has the advantage that it forces you to keep track of which machine has what MAC address.
BTW, in response to the person who said that rebooting didn't necessarily mean you sent a new DHCP request; only if your OS is broke, bucko.
DHCP has security problems, but they're a non-issue since they're not anywhere close to the worst holes you're going to have in any TCP/IP installation. At least with DHCP-assigned static IPs you've got:
1) A correlation between MAC and IP in a handy
database.
2) A user calling you bitching about his machine
not working if somebody tries to pirate his IP by pirating his MAC.
Gotta wonder, though, about how the day care providers feel about it. I mentioned the idea of
this to the guy who runs my kids' daycare, and he felt the employees wouldn't like feeling watched all the time.
That's ok, the new employees who replace them won't mind it.
Two children just died in Memphis in seperate daycares on the same day because a single person was tasked with monitoring too many children.
Any thinking parent would welcome this opportunity to monitor the kids. After all, it's your responsibility, not the daycare's. They're YOUR employee, and they're YOUR kids.
I suspect that those who are objecting here (as if the kids aren't being monitored anyway, by authority figures you're paying to do it) don't have kids, and are mostly kids themselves. Naughty ones, at that.
BTW; if you're planning to spend the significant ongoing cash costs of maintaining password security on this, you might as well do it right and use the Axis camservers. It makes no sense to kludge together a ricketty solution that's breaking all the time and requiring intervention, and then add passwords so you can be taking tech support phone calls from morons too.
Oh, it is also illegal to ship anything via FedEX unless it absolutely possitively has to be there overnight. If you ship a regular letter or anything else that isn't time critical via FedEX or UPS, you are commiting a federal offense.
:-)
I'd love to see them try to enforce that one. Maybe I'll challenge it.
I bet my employer would back me up.
(I work for FedEx.)
Re: Darth Sidious/Senator Palpatine
:-)
I think that one's obvious, especially considering the fact that Darth Vader calls him "master". Always there are two; no more, no less.
Re: Darth Maul
Oh, gimme a break; he was cut in half and dropped down a 1/3 scale model of a bottomless pit. It'd be more realistic for Jar-Jar Binks to become a Jedi Master than for Maul to come back.
Re: Next Apprentice. Good question. Jet Li would be nice.
Re: Anakin's turn to the dark side
Terry Brooks pretty much gives it away in the novel.
Re: Clone Wars
Guess Sidious/Palpatine doesn't trust droid armies.
Maybe he'll clone Maul. There should be a few molecules of his ass DNA on Obi-Wan's boot.
https://www.mailandnews.com has been offering this service for a long time. And they do news, too.
If they're legal, the government will have to lighten up on strong crypto. This is a win for us.
It should also boost the smart card market.
"They" missed it because there's no "they", it's just my good buddy Steve Litt.
He did pretty good for one overworked guy, IMHO.
The other day I sent a letter from Florida to California.
It took exactly 45 days.
You'll easily spend more than $8 of your time explaining to a customer why his free CD hasn't arrived at all ever. Plus it'll cost you more than 80 cents to collect the 80 cents from him.
If they shipped via USPS, they'd probably still have to charge at least $5 for the handling and the cost to collect the shipping fee.
This scheme is a total win for most game players. Most of you (I don't rent games) play these games for many days at a stretch, or rent the same old games over and over.
If you are going to fool yourself into thinking it's cheaper to rent (and for a lot of folks it isn't, you can buy used games cheap), you'll save money this way presumably.
The people it won't work for are those who rent a game once, play it for a couple of days, and then return it and never rent it again. If they don't like this model, they're free to not rent the stuff from Blockbuster.
I hate Blockbuster because their video rental model isn't a good fit for me (I'd rather pay less and keep the movie for one day), and because they tend to do stupid shit like carry "Eating Pattern" and "Gigashadow" but not "I Worship His Shadow" and "Tales from a Parallel Universe". Anime fans will tell similar stories, and Blockbuster seems completely unable to get their minds around the concept that people won't rent the last or middle part of a series without seeing the beginning or end.
However, this rental model is not like the bad part of Divx, which is the hardware change that locks you into this model whether it works for you or not.
This bitching wouldn't be happening if somebody hadn't put "Divx" in the original post.
RC5 cracking sped up by something like 150% to 200% on my system when I upgraded from 2.0.36 to 2.2.1.