CPU instruction sets are a moot point. Vertex Shader instructions pass through the drivers first. OpenGL 2.0 will include a shading language which is hardware independent. The drivers will then convert this independent shading language into the machine language for their respective GPU/VPU.
You can find a bit of info on the OpenGL 2.0 shading language over at 3DLabs' white papers section. There is also quite a bit more information on OpenGL 2.0 there as well.
Hardware manufacturers also get copies of alpha builds to play with long before any beta testing occurs. M$ does whatever it can to ensure that there is a library of titles for their latest version of DX available the day it is released to the public.
Also keep in mind hardware manufacturers have a lot of input into the new features implemented in DX and M$ is more than happy to bring them in to consult as the production progresses.
It would not surprise me if the 3DLabs people have had alpha copies of DX9 to play with for a few months now.
Perhaps a standard could be developed that defines some way (an XML document perhaps) applications can have a defined "Expiration" date. Then a separate management tool that is aware of how to extract this information can do routine system checks and notify the sysadmin of "expired" software. This way software doesn't just stop when the expiration date hits.
I think this has many uses, perhaps less in the /. community, which seems to be comprised of people who keep up to date on security advisories, but for the lazy or (as is often the case) the very busy sysadmin, I think this would be a very useful feature.
The method that defines a software's expiration date would have to include a URI or some other set of instructions on how to obtain the latest version. This method should also have available a "final version" or "never expires" option for software that is no longer being maintained or the developer has claimed as bug free (in a perfect world anyways).
This could be implemented at the system level (a kernel module) rather than as a 3rd party tool. However the kernel module would need to be able to ignore software that doesn't support this since unless the implementation is _really_ easy, most programmers won't perform this extra step on tiny apps or scripts.
There's also the potential (if implemented at the system level) for noticeable increase in CPU usage (if it's examining every file).
This could also play into the hands of IDSes. This "expiration date" could also carry some sort of CRC or authentication data as well. Might be a nifty way to tack on a system to authorize the execution of an application. But things start to get bloated as features are added on.
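The checker the post above sketches, written here as an added example (not code from the post or from any existing tool): it reads a hypothetical XML expiration manifest, reports expired packages with their update URI, honours a "never" expiry, and flags malformed dates instead of treating them as valid. The element and attribute names and the sample manifest are constructed assumptions.

```python
"""Added example: a reporter for a hypothetical software-expiration manifest.
It only notifies; it never stops software, which is the point of the scheme."""
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample manifest; element/attribute names are assumptions.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<expirations>
  <package name="webapp" version="2.3.1" expires="2001-10-01"
           update="https://example.invalid/webapp/latest"/>
  <package name="mailer" version="1.0.4" expires="2002-01-15"
           update="https://example.invalid/mailer/latest"/>
  <package name="tinyscript" version="0.9" expires="never"/>
  <package name="broken" version="1.0" expires="not-a-date"/>
</expirations>
"""


def parse_manifest(xml_text):
    """Return one dict per <package>. expires="never" yields expires=None;
    a missing or unparseable date is recorded as an error entry rather than
    silently treated as 'still valid'."""
    root = ET.fromstring(xml_text)
    entries = []
    for pkg in root.findall("package"):
        raw = pkg.get("expires", "")
        entry = {"name": pkg.get("name"), "version": pkg.get("version"),
                 "update": pkg.get("update"), "expires": None, "error": None}
        if raw.lower() != "never":
            try:
                entry["expires"] = date.fromisoformat(raw)
            except ValueError:
                entry["error"] = "unparseable expiry %r" % raw
        entries.append(entry)
    return entries


def check_expired(entries, today):
    """Split entries into (expired, warnings) relative to `today`."""
    expired, warnings = [], []
    for e in entries:
        if e["error"]:
            warnings.append(e)
        elif e["expires"] is not None and e["expires"] < today:
            expired.append(e)
    return expired, warnings


def report(xml_text, today):
    """Human-readable lines a management tool could mail to the sysadmin."""
    expired, warnings = check_expired(parse_manifest(xml_text), today)
    lines = []
    for e in expired:
        lines.append("EXPIRED %s %s (since %s) -> %s" % (
            e["name"], e["version"], e["expires"],
            e["update"] or "no update URI given"))
    for e in warnings:
        lines.append("WARNING %s %s: %s" % (e["name"], e["version"], e["error"]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MANIFEST, date.today()):
        print(line)
```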
I enjoyed reading an article from mainstream media that, for once, gets it almost right when it comes to the entertainment industry's attempts to manipulate and encroach on the rights of consumers.
I say "almost" because I don't feel turning the story into an angle for the Republicans is the correct way to go about this. I think this approach gives the appearance that Republicans should approach this case with an eye for strengthening their political power rather than to show their concerns for the consumers (the "little guys"). This article would probably turn away a significant number of readers who would invalidate the article in their minds as some sort of Republican "propaganda".
Also, I don't think enough information was conveyed regarding what exactly the SSSCA does, except that it has something to do with "computer laws". By putting such a broad generalization on the SSSCA you water down the effect the article has on the readers. In the past several laws have come to pass which many individuals and organizations within the technology industry have vehemently fought against and lost when the safety of children or safety from terrorism was made as a major point behind the bill. This is not happening with the SSSCA, however there's been such a saturation of computer laws dealing with terrorism and child safety in the past that the general public will probably gloss over any new story on the subject. To most individuals it's just another story on their local news to ignore.
Perhaps that this article appears on FOXNews.com is something like preaching to the converted? At any rate, I think this story could have focused more on what the SSSCA is and why it's bad for consumers, rather than just telling the reader that it's so.
I think getting more information out to the general public, in terms they can understand, is really the only way to approach the SSSCA and other such acts.
He puts out an okay manga (a little too clichéd and too close to the typical "AH! My Goddess" and "Hand Maid May" type of stories about some lonesome geek for it to be a "great" manga).
But anyways...
How is it that Piro can rant on what amounts to his personal weblog and people take notice?
First off, he doesn't cover the .com bombs at all! He only covers one specific model of offering a service for free and then turning it pay afterwards.
I don't even think that was (is) a business model to begin with. It was more a necessity after banner ads became obviously ineffective. Once you start losing revenue on a free service it's pretty obvious that you simply start charging for that service. Just look at Something Awful. Lowtax didn't charge for forum access initially, but after the whole eFront debacle and the realization that banner ads don't work, he had to turn it over to a pay site.
This wasn't a planned business model. It was the result of the necessity to recoup some lost revenue.
So right off Piro is dead wrong.
And then it all of a sudden turns into his own little time-machine going back to the days of his first 3x3 Eyes web site and then goes into a (fairly arrogant) rant about "Oh, I CREATE, I don't copy".
Give me a break. This shouldn't even have made it on /.
I'm thinking Hemos was suffering from a mid-morning hangover when he put this through. There is _NOTHING_ worthwhile about this rant by Piro. Nothing that makes me THINK or QUESTION about the subject of the .COM failure. It isn't well organized or presented in a clear fashion.
You want some GOOD writing on the subject, go check out disenchanted.com and stop feeding your brain this Internet junk food crap.
If the private key is generated based off of an e-mail address, what's to stop someone from d/ling the key generator and running that with a few other e-mail addresses to decipher an encrypted document?
If the key generator server has some sort of secret value that it uses to compute the keys with, what happens if that server is cracked?
If this one piece of information is discovered, it breaks all encrypted documents using the keys that key generator server issued.
There is also the issue of trust in the administrator(s) of the key generator server. Since they have access to the secret data used to generate the private key, they can decrypt any document encrypted with this method.
Is it just me, or does that not sound all that secure?
Is this the type of backdoor crypto scheme the government seems to be going after?
I mean, GnuPG is available to the world because it's available on servers outside of the U.S. and as such not affected by U.S. export laws.
So if the U.S. does pass a law regarding crypto backdoors, wouldn't this apply only to the U.S. and thus the crypto is still going to be available to people outside of the U.S.? Won't that then leave us at a disadvantage?
And what about mobile phones with their different crypto schemes? Weak as they may be, there's still no backdoor in them.
And what about DES or AES? These are standards that the government created. What happens to them?
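A toy model of the key-generator concern raised in the post above, written as an added example (not code from the scheme the post discusses, whose details the post does not give). It assumes the simplest reading: each user's private key is HMAC-SHA256 of a server-held master secret and the user's e-mail address, and documents are encrypted with that key using an HMAC-counter-mode stream cipher (an assumed, unauthenticated stand-in for the real cipher). It shows that an attacker who knows only e-mail addresses gets nothing, while anyone holding the master secret, whether the operator or someone who has cracked the server, can re-derive every user's key.

```python
"""Added example: why a key server that derives private keys from a master
secret plus an e-mail address is an escrow for every document it protects."""
import hashlib
import hmac
import os

# Constructed values for the demonstration.
SERVER_MASTER_SECRET = os.urandom(32)          # known only to the key server
USERS = [b"alice@example.invalid", b"bob@example.invalid"]


def derive_private_key(master_secret, email):
    """The key generator: a deterministic function of secret + e-mail, so
    the same inputs always reproduce the same key (HMAC is an assumption)."""
    return hmac.new(master_secret, b"user-key:" + email, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a toy stream-cipher keystream."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """Random 16-byte nonce followed by plaintext XOR keystream."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def decrypt(key, ciphertext):
    nonce, body = ciphertext[:16], ciphertext[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


def escrow_decrypt(master_secret, email, ciphertext):
    """What the operator, or anyone who stole the master secret, can do:
    re-derive the user's key from the e-mail address and read the document."""
    return decrypt(derive_private_key(master_secret, email), ciphertext)


def demo():
    """Returns (garbage from a secret-less guess, dict of recovered plaintexts)."""
    # Each user fetches a key from the server and encrypts a document with it.
    docs = {email: encrypt(derive_private_key(SERVER_MASTER_SECRET, email),
                           b"confidential: " + email) for email in USERS}
    # Knowing only the e-mail address, without the secret, yields garbage.
    guess = decrypt(derive_private_key(b"attacker-guess", USERS[0]), docs[USERS[0]])
    # With the master secret, every user's document opens at once.
    recovered = {email: escrow_decrypt(SERVER_MASTER_SECRET, email, docs[email])
                 for email in USERS}
    return guess, recovered


if __name__ == "__main__":
    garbage, opened = demo()
    print("guess without secret:", garbage[:16])
    for email, text in opened.items():
        print(email.decode(), "->", text.decode())
```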
There have been a lot of discussions on this topic over the past couple of years on several security mailing lists that I either belong to or frequently browse the archives of.
While it is certainly possible to do so and it would solve some headaches and the irony of it all would make for a great story, it's just not something that should be done.
System administrators need to learn that they must actively protect their system by keeping up to date on patches as well as taking other steps (IDS, firewall, log monitors, etc.) to keep their systems secure.
By creating a counter-worm, system administrators are not being taught the hard lessons learned when their system is attacked and infected. Administrators either start to rely on counter-worms or they simply never become aware that their system was compromised because the counter-worm has already patched things up. Counter-worms do not promote good administrator habits and are only helping to promote the PROBLEM (lazy/unaware sysadmins) rather than the SOLUTION (education and motivation to keep a system protected).
And there's another reason that I just mentioned. What happens when a counter-worm patches up a hole before a systems administrator sees it? It's possible that after the initial infection by the worm, the system was further compromised by other crackers. But the counter-worm wouldn't investigate such possibilities; instead it just patches the initial hole. Any new backdoors implanted by crackers AFTER the initial infection would go undetected.
This can't be more obvious than with Code Red II. Sure, if you become infected, you can delete root.exe and explorer.exe and patch up your IIS system. But what about what went on between the initial infection and when you patch the system? If the web server log files have been erased or altered in any way, you have nothing to go on to tell you what was done to your system. The final solution becomes a full format and reinstall of the system from a (hopefully) clean backup.
Counter-worms are only counter-productive to the security of computer systems and the Internet. And I haven't even begun to touch upon the legal and ethical problems of using a system without authorization. Not every system administrator out there is going to be happy that you're rooting around their system after it was r00ted. Some (MOST) are going to suspect you did more harm than good. I've had personal experience with this and know it to be a fact.
So stay away from writing counter-worms. Instead write an article informing people about the dangers and what to do to fix the problem. Send it to a local paper, send it to an online forum or magazine. You'll do far more good that way than by launching your own counter-worm.
I imagine now in addition to the living room cam, bedroom cam, and bathroom cam, they'll have to have a colon cam.
Not really, no. The battery life on the camera does not last long enough to allow the pill to reach the colon. On the typical human it takes about 48 hours or so for the cycle of food digestion to complete itself. The battery life on the pill camera is much shorter than that, I believe only a couple of hours.
This is an interesting story in more ways than one, especially the tech behind the pill. That's a video camera, transmitter, and battery all inside of a pill! I can't even begin to count the possibilities and benefits that can arise from that kind of technology.
Maybe toss a miniature motor into it and turn it into a sort of remote-control submarine that doctors could use to examine a baby while it's still in the womb.
Or perhaps if you combine the technology used to charge up the battery on the new artificial heart with the technology of the pill, perhaps we'll see a pill make it all the way through the system, broadcasting as it goes. The question then becomes, is that something we really want to see?!
I hate to give AOL credit, but they deserve it. They are one of the few major ISPs that I see doing it the way it should be, that is, if you share the opinion that the Internet needs to be reconstructed to better facilitate business.
AOL, while offering a connection to the not-always-stable Internet, also has its own internal network through which customers receive data from a more reliable or stable source. When doing business over AOL, doing a web cast from an AOL server to an AOL user, you have that direct line that bypasses any of the Internet and its unfortunate congestion.
Why can't more companies do this? That is, build AROUND the Internet, or build to the side of the Internet and offer as part of their service an Internet connection.
Redesigning the Internet, besides being nearly impossible, is going to cost quite a substantial amount of money, and who is going to pay for it? The major ISPs (who will then pass it on to the customers). The point being, why pour money into a redesign of the Internet when you can use the same resources to build your own network that can offer great service and speed and, at the same time, allow these companies to keep control of their own space without having to share it with other corporations? Administration becomes a bit easier since both the client and the server are the responsibility of a single entity, and network sniffing becomes a thing of the past, as do all those other evil cracker stories the media likes to propagate.
Then, as several of these attached networks start to show up, companies could create partnerships between each other and interconnect themselves with some large "pipes" and allow for cross-network communication without the need of using some sort of unstable, unreliable public network.
Leave the Internet to those who enjoy it. Keep it free. Just make a copy of it and package it as your own. Isn't that what companies do anyways?
Using Project Mayo as an example, we see that we don't need to rely on big corporations to feed us what the new multimedia format is going to be. Microsoft, in their actions, are just going to get more developers into working on new, open, and hopefully free multimedia formats which will have a better compression than current technology. It's not a step back, it's Microsoft unwittingly pushing us, as developers, forward.
Also, Microsoft's limitation is only in their own MP3 codec which will come bundled with XP. Using other MP3 codecs will allow users to continue creating MP3s in higher-quality format.
On a side note, the world of Windows XP is getting darker and darker, in my own eyes. With a subscription-based license and now active attempts to stop MP3 files from being produced on XP, I can't help but ask when Microsoft's attempts to control what I do with my own computer will end.
Ultimately, it's going to make me move to alternative OSes as the solution rather than continuing my use of any Microsoft product.
If only we could get the *NIX world to pick a de facto GUI standard, then 9/10ths of my reasons for not moving to Linux or one of the BSDs already would be eliminated.
The other 1/10th is taken care of already with the announcement of Tribes 2 for Linux shipping. ;)
-
"There is no off position on the genius switch." --Dave Letterman
-
When are we going to start seeing mainstream 3D interfaces? With the increase in 3D card tech (NVIDIA) and solid 3D programming libs supported on multiple platforms (OpenGL) why are we still using 2D interfaces?
Furthermore, why is information still being represented as mere text on the screen? Frame it in any fancy "window" you want, I'm still reading text off a screen, just as I did when I was working with command prompts 15 years ago.
Besides the 3D tech advancing dramatically, what about speech recognition, better audio file compression, etc.? Audio, just like 3D tech, is being treated as a fancy extra rather than something that should play an intricate part in the GUI.
We do have 5 senses, after all. And the only one GUIs play up to, GUIs don't use very well.
I'll bite my lip at going off on the potential of M$'s chrome before they canned that idea.
But come off it, all you GUI "innovators". When the hell do you let go of point & click and maybe look towards "speak and move" or some other crappy buzz phrase that they love to quote?
3D environment with speech recognition. It's doable NOW, it's BEEN doable for a while. When the hell are we going to start seeing it?!
And I haven't even gone off on text-to-speech translators.
Let's start using more than text and flat images!
Just an FYI this notion of the "MS Outlook Virus of the Month Club" bit.
Exchange is EASILY configured to filter out attachments with certain filenames (.vbs, .shs, etc.)
OR
Through 3rd-party software you can actually have Exchange scan *EVERY* e-mail attachment for viruses, worms, etc.
Also, when you mention uptime I think there are other factors involved. I personally work with an Exchange 2000 server that, with the exception of the intentional lockout from receiving outside mail during the whole Love Bug debacle, service pack upgrades, power outages and other similar times when the cause of downtime was OUTSIDE of anything relating to the software or hardware of the server, has ALWAYS been up. Yes, that's correct, we're talking a good 2+ years of uptime with no crashing.
I believe this is because we have a stock install of NT 4 with _NO_ extra services/servers/etc. running in the background. I think a lot of Exchange server crashes are largely due to other servers/services running on the Exchange server.
One box, one purpose, it's rock solid.
And we've been testing an Exchange 2000 box running Win2k on a new Dell that's run without any problems thus far. However, its server load hasn't been realistic yet. That'll only happen when we get it into production. But so far I haven't found any problems with Exchange, so long as you're a person who knows what you're doing in the configuration and administration of the machine.
Of course people have these "nightmare stories" about how Exchange causes service interruptions and what not, but of course no one is asking if it really was Exchange in the first place. 99.9% of the stability of Exchange is based upon having a competent server administrator. I'm sorry to say, but a good 3/4ths of NT administrators I've interacted with have been completely lacking. So before you blow up on Exchange, ask if it could be poor administration.
I think that Microsoft products in general are becoming increasingly popular and this is giving rise to newcomers trying to hop on the bandwagon to secure a future with a big paycheck but who don't get MCSE certified, then blame the software, not themselves, when things go wrong.
You must also look at the popularity of the software and the availability of 3rd party software. Very few companies will develop their own software solutions but rather purchase them from 3rd party vendors. This is where Microsoft products get a lot of their strength. If you want some sort of virus filtering mechanism for Exchange you have easily 50 or so separate companies with software checked out and ready to go. I don't think this is so on a *NIX based platform. I don't think the software selection is there.
Also support is a HUGE concern as well. If you have a problem with Exchange you have a team of several hundred techs (all MSCE certified themselves) ready to help you get your Exchange server going. Aside from that there are several 3rd party support companies as well that help you setup and administer your Exchange server. On a *NIX based system, if you're running some sort of open-source package you found on the Internet, nine times out of ten all that's available for support are "user forums" where administrators just talk to each other about what MIGHT be the problem and solution. With a fully trained tech support staff you can get definite answers much easier (and usually faster as well).
Also, I think the IT industry has a rather quick turnaround time. You're usually in and out within a couple of years at these kinds of administration jobs. So you need a product that's going to be well supported and well documented so that a new guy replacing the old administrator won't be in the dark about such things as what patches are installed, what "personal" touches were put into the system, etc., as you would be with a *NIX based platform.
And notice I haven't even touched upon base features because I don't even have to.
Stability, not just in software but in tech support and "longevity" of the company, are key factors in picking your server platform. Microsoft wins out in all these categories. And 3rd party software is much more prevalent and available than on any *NIX system.
These are corporations we're talking about folks. Not universities.
...if the RIAA doesn't do it first.
The feelings are the same all around. Why should I, the consumer, pay money so that other consumers can eat up my bandwidth downloading songs that I have? The whole basis for Napster is the user's willingness to share their files. But if Napster implements a pay-to-use type service, people might pay, but they won't share their music. Ultimately Napster will die.
What's happened here is that Napster in itself was a great idea. But great so long as it remains free. Some people saw Napster, namely Shawn's uncle, as a chance for profit without really thinking things through.
Maybe there's another way to make money off of Napster, but charging its users is not the right way. Perhaps a premium service, one in which users are required to be above a minimum bandwidth and to host a minimum number of files, perhaps then I'd pay, as long as I was guaranteed a certain quality of service. But there is no guarantee with Napster's quality of service right now. The only reason Napster is doing so great is because everyone fears it's going offline soon so they're hoarding.
Blah.
I may just not be following the article correctly, however the encryption of the IP address may make the system open to yet another DoS.
Straight from the article: "Authentication of the Client's IP, prior to the commitment of any connection resources, provides all of the benefits of Connection Management Deferral with none of the liabilities."
If I follow this right, the encrypted data in the ACK packet will be decrypted before anything else. So a flood of ACK packets would still work since the system would go through the process of decrypting each packet, eating up CPU time, etc., before it checks to see if the source address is an address it wants to talk with.
Still, spoofed IP packets will still work. The only thing keeping them from working is the ability of the attacker to get the SSN value (since the attacker would specify the CSN itself). However, as TCP/IP fingerprinting techniques have shown, older Microsoft products just start at 1 every time. So getting the SSN isn't that hard.
Even still, with random SSN values, spoofed packets could still work, however the attacker and the spoofed client would need to be on the same network so the attacking machine can sniff the SSN value and respond before the spoofed client has a chance to respond with an RST command. It makes the investigation of such attacks a little easier, but still not foolproof.
And hell, if an attacker doesn't even care about his real IP address being discovered, SYN attacks could still work.
Programmers free from liability can also hurt us.
on Hacker Crackdown? · Score: 1
Say I write a program, and I put a backdoor or a trojan in it. Thousands of people download this program and eureka, I'm now in control of all those machines.
It isn't my fault the user ran the program. I just wrote it.
So now what? If we did have laws that protected programmers from liability issues then there would be no grounds for programmers of these types of programs to be disciplined.
Now Microsoft or whoever else can add all the backdoors they want without fear of being sued over it. Of course there could be public outcry, bad publicity, and so on but how much would that really hurt the company?
You need a place to store records on each user's karma. This would mean a centralized server, which might not be a good idea since it probably means that every user's IP would at some point go across it and thus be loggable. And once you can match IP to username, you get the same bit as Napster and the RIAA, meaning you can be ordered to deliver user records and so on.
The "force local IP to" option under Gnutella is for computers with more than one IP address, such as web servers with multiple web sites and so on.
It is impossible, under 95 and 98, to spoof an IP unless you get really low level, bypass winsock itself, and talk to the network adapter directly. It's a pain in the ass. Although there are network adapter services out there you can install (like installing TCP/IP or IPX) that make it possible to edit TCP/IP headers.
Under Win2000 though, it IS possible to spoof IPs using that IP_HRDCL flag (I think that's how you spell it, heh).
I've got no clue about Windows ME. My guess is it's the same as 95 and 98, but I don't know.
How is this good? If the receiver is known and not the sender, you're still just as bad off as you are now. NetPD could just serve files up, and still tag the people who are downloading the files. Which, in all reality, it's the people who download that are at the most risk of being nailed for copyright infringement since the person serving the files may very well own copies of the CD that the music came from, in which case MP3s are legit. BLEH.
This is _NOT_ about how secure a message is. This has NOTHING to do with one-time-pads (OTPs). It's about using existing pads that, when combined with a "key" pad of sorts, produces some desired data. This method is being used to HIDE THE ORIGIN OF THE MESSAGE and is NOT at all about securing the data. In fact, it's quite the opposite. The system is about making data more available. It's about making everyone view the data. But without having anyone know who is behind the post.
The only real hole behind all of this is that IP #s can be tracked. A repository could open in "good faith" but keep track of all pads that are uploaded. When a "key" pad is identified, it pulls out the IP that submitted it, (along with a date and time, and maybe even a MAC address), and now the origin of the data can be found out... to a certain extent.
CPU instruction sets are a moot point. Vertex Shader instructions pass through the drivers first. OpenGL 2.0 will include a shading language which is hardware independent. The drivers will then convert this independent shading language into the machine language for their respective GPU/VPU.
You can find a bit of info on the OpenGL 2.0 shading language over at
3DLabs' white papers section. There is also quite a bit more information on OpenGL 2.0 there as well.
Hardware manufacturers also get copies of alpha builds to play with long before any beta testing occurs. M$ does whatever it can to ensure that there is a library of titles for their latest version of DX available the day it is released to the public.
Also keep in mind hardware manufacturers have a lot of input into the new features implemented in DX and M$ is more than happy to bring them in to consult as the production progresses.
It would not surprise me if the 3DLabs people have had alpha copies of DX9 to play with for a few months now.
Perhaps a standard could be developed that defines some way (an XML document perhaps) applications can have a defined "Expiration" date. Then a separate management tool that is aware of how to extract this information can do routine system checks and notify the sysadmin of "expired" software. This way software doesn't just stop when the expiration date hits.
/. community which is seems comprised of people who keep up to date on security advisories, but for the laze or (as is often the case) the very busy sysadmin, I think this would be a very useful feature.
I think this has many uses, perhaps less in the
The method that defines a software's expiration date would have to include a URI or some other set of instructions on how to obtain the latest version. This method should also have available a "final version" or "never expires" option for software that is no longer being maintained or the developer has claimed as bug free (in a perfect world anyways).
This could be implemented at the system level (a kernel module) rather than as a 3rd party tool. However the kernel module would need to be able to ignore software that doesn't support this since unless the implementation is _really_ easy, most programmers won't perform this extra step on tiny apps or scripts.
There's also the potential (if implemented at the system level) for noticeable increase in CPU usage (if it's examining every file).
This could also play into the hands of IDSes as well. This "expiration date" could also carry some sort of CRC or authentication data as well. Might be a nifty way to tack on a system to authorize the execution of an application. But things start to get bloated as features are added on.
-B
I enjoyed reading an article from mainstream media that, for once, gets it almost right when it comes to the entertainment industry's attempts to manipulate and encroach on the rights of consumers.
I say "almost" because I don't feel turning the story into an angle for the Republicans is the correct way to go about this. I think this approach gives the appearance that Republicans should approach this case with an eye for strengthening their political power rather than to show their concerns for the consumers (the "little guys"). This article would probably turn away a significant number of readers who would invalidate the article in their minds as some sort of Republican "propaganda".
Also, I don't think enough information was conveyed regarding what exactly the SSSCA does, except that it has something to do with "computer laws". By putting such a broad generalization on the SSSCA you water down the effect the article has on the readers. In the past several laws have come to pass which many individuals and organizations within the technology industry have vehemently fought against and lost when the safety of children or safety from terrorism was made as a major point behind the bill. This is not happening with the SSSCA, however there's been such a saturation of computer laws dealing with terrorism and child safety in the past that the general public will probably gloss over any new story on the subject. To most individuals it's just another story on their local news to ignore.
Perhaps that this article appears on FOXNews.com is something like preaching to the converted? At any rate, I think this story could have focused more on what the SSSCA is and why it's bad for consumers, rather than just telling the reader that it's so.
I think getting more information out to the general public, in terms they can understand, is really the only way to approach the SSSCA and other such acts.
How is it that Piro can rant on what amounts to his personal weblog and people take notice?
He puts out an okay manga (a little too cliched and too close to the typical "AH! My Goddess" and "Hand Maid May" type of stories about some lonesome geek for it to be a "great" manga).
But anyways...
First off, he doesn't cover the .com bombs at all! He only covers one specific model of offering a service for free and then turning it pay afterwards.
I don't even think that was (is) a business model to begin with. It was more a necessity after banner ads became obviously ineffective. Once you start losing revenue on a free service it's pretty obvious that you simply start charging for that service. Just look at Something Awful. Lowtax didn't charge for forum access initially, but after the whole eFront debacle and the realization that banner ads don't work, he had to turn it over to a pay site.
This wasn't a planned business model. It was the result of the necessity to recoup some lost revenue.
So right off Piro is dead wrong.
And then it all of a sudden turns into his own little time-machine going back to the days of his first 3x3 eyes web site and then goes into a (fairly arrogant) rant about "Oh, I CREATE I don't copy".
Give me a break. This shouldn't even have made it on /.
I'm thinking Hemos was suffering from a mid-morning hangover when he put this through. There is _NOTHING_ worthwhile about this rant by Piro. Nothing that makes me THINK or QUESTION about the subject of the .COM failure. It isn't well organized or presented in a clear fashion.
You want some GOOD writing on the subject, go check out disenchanted.com and stop feeding your brain this Internet junk food crap.
If the private key is generated based off of an e-mail address, what's to stop someone from d/ling the key generator and running that with a few other e-mail addresses to decipher an encrypted document?
If the key generator server has some sort of secret value that it uses to compute the keys with, what happens if that server is cracked?
If this one piece of information is discovered, it breaks all encrypted documents using the keys that key generator server issued.
There is also the issue of trust in the administrator(s) of the key generator server. Since they have access to the secret data used to generate the private key, they can decrypt any document encrypted with this method.
Is it just me or does that not sound all that secure?
Is this the type of backdoor crypto scheme the government seems to be going after?
I mean, GnuPG is available to the world because it's available on servers outside of the U.S. and as such not affected by U.S. export laws.
So if the U.S. does pass a law regarding crypto backdoors, wouldn't this apply only to the U.S. and thus the crypto is still going to be available to people outside of the U.S.? Won't that then leave us at a disadvantage?
And what about mobile phones with the different crypto schemes? Weak as they may be, there's still no backdoor in them.
And what about DES or AES? These are standards that the government created. What happens to them?
This can only harm the U.S.
There have been a lot of discussions on this topic over the past couple of years on several security mailing lists that I either belong to or frequently browse the archives of. While it is certainly possible to do so and it would solve some headaches and the irony of it all would make for a great story, it's just not something that should be done. System administrators need to learn that they must actively protect their system by keeping up to date on patches as well as taking other steps (IDS, firewall, log monitors, etc.) to keep their systems secure. By creating a counter-worm system administrators are not being taught the hard lessons learned when their system is attacked and infected. Administrators either start to rely on counter-worms or they simply never become aware that their system was compromised because the counter-worm has already patched things up. Counter-worms do not promote good administrator habits and are only helping to promote the PROBLEM (lazy/unaware sysadmins) rather than the SOLUTION (education and motivation to keep a system protected). And there's another reason that I just mentioned. What happens when a counter-worm patches up a hole before a systems administrator sees it? It's possible that after the initial infection by the worm, the system was further compromised by other crackers. But the counter-worm wouldn't investigate such possibilities, instead it just patches the initial hole. Any new backdoors implanted by crackers AFTER the initial infection would go undetected. This can't be more obvious than with Code Red II. Sure if you become infected, you can delete root.exe and explorer.exe and patch up your IIS system. But what about what went on between the initial infection and when you patch the system? If the web server log files have been erased or altered in any way, you have nothing to go on to tell you what was done to your system.
The final solution becomes a full format and reinstall of the system from a (hopefully) clean backup. Counter-worms are only counter-productive to the security of computer systems and the Internet. And I haven't even begun to touch upon the legal and ethical problems of using a system without authorization. Not every system administrator out there is going to be happy that you're rooting around their system after it was r00ted. Some (MOST) are going to suspect you did more harm than good. I've had personal experience with this and know it to be a fact. So stay away from writing counter-worms. Instead write an article informing people about the dangers and what to do to fix the problem. Send it to a local paper, send it to an online forum or magazine. You'll do far more good that way than by launching your own counter-worm.
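As an added example (not part of the post above), here is the kind of log triage the post argues an administrator must do themselves after a Code Red II infection: it scans IIS W3C log lines for requests to the root.exe backdoor the post names, and flags timestamp gaps or out-of-order entries, which are the first sign that lines were erased or altered. The log lines, the 2-hour gap threshold and the `triage` function are all constructed for this example.

```python
"""Added example: post-infection IIS log triage for Code Red II cleanup.
Two checks from the post: (1) did anyone call the root.exe backdoor, and
(2) does the log look tampered with (erased or rewritten lines)?
The sample log below is constructed, not a real capture."""
import re
from datetime import datetime, timedelta

# Constructed IIS W3C extended log: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-08-05 10:00:01 192.0.2.10 GET /index.htm 200
2001-08-05 10:00:05 192.0.2.10 GET /images/logo.gif 200
2001-08-05 10:15:22 198.51.100.7 GET /scripts/root.exe 200
2001-08-05 10:15:40 198.51.100.7 GET /MSADC/root.exe 200
2001-08-05 13:42:09 192.0.2.11 GET /index.htm 200
2001-08-05 09:58:00 192.0.2.12 GET /index.htm 200
"""

# root.exe is the backdoor the post says to delete; a request for it is a hit.
BACKDOOR_PATTERN = re.compile(r"/root\.exe", re.IGNORECASE)
# Assumption for the example: a production web server never goes silent this long.
MAX_GAP = timedelta(hours=2)


def parse_line(line):
    """Split one W3C log record into a dict with a real datetime."""
    date, time, c_ip, method, uri, status = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "ip": c_ip, "method": method, "uri": uri, "status": status}


def triage(log_text):
    """Return (backdoor_hits, timestamp_anomalies) for a W3C log text.

    backdoor_hits: entries whose URI names root.exe.
    timestamp_anomalies: ("gap", prev_ts, cur_ts) when consecutive records are
    further apart than MAX_GAP, or ("out_of_order", prev_ts, cur_ts) when time
    runs backwards. Either pattern means the log cannot be trusted as-is.
    """
    entries = [parse_line(l) for l in log_text.splitlines()
               if l and not l.startswith("#")]
    backdoor_hits = [e for e in entries if BACKDOOR_PATTERN.search(e["uri"])]
    anomalies = []
    for prev, cur in zip(entries, entries[1:]):
        if cur["ts"] < prev["ts"]:
            anomalies.append(("out_of_order", prev["ts"], cur["ts"]))
        elif cur["ts"] - prev["ts"] > MAX_GAP:
            anomalies.append(("gap", prev["ts"], cur["ts"]))
    return backdoor_hits, anomalies


if __name__ == "__main__":
    hits, anomalies = triage(SAMPLE_LOG)
    for h in hits:
        print(f"backdoor request from {h['ip']} at {h['ts']}: {h['uri']}")
    for kind, prev_ts, cur_ts in anomalies:
        print(f"log {kind}: {prev_ts} -> {cur_ts}")
```

If the triage reports any anomaly, the post's conclusion applies: the log is not a reliable record of what happened between infection and patching, and rebuilding from a clean backup is the safe course.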
I imagine now in addition to the living room cam, bedroom cam, and bathroom cam, they'll have to have a colon cam. Not really, no. The battery life on the camera does not last long enough to allow the pill to reach the colon. On the typical human it takes about 48 hours or so for a cycle of food digestion to complete itself. The battery life on the pill camera is much shorter than that, I believe only a couple of hours. This is an interesting story in more ways than one, especially the tech behind the pill. That's a video camera, transmitter, and battery all inside of a pill! I can't even begin to count the possibilities and benefits that can arise from that kind of technology. Maybe toss a miniature motor into it and turn it into a sort of remote-control submarine that doctors could use to examine a baby while it's still in the womb. Or perhaps if you combine the technology used to charge up the battery on the new artificial heart with the technology of the pill, perhaps we'll see a pill make it all the way through the system, broadcasting as it goes. The question then becomes, is that something we really want to see?!
I hate to give AOL credit, but they deserve it. They are one of the few major ISPs that I see doing it the way it should be, that is, if you share the opinion that the Internet needs to be reconstructed to better facilitate business. AOL, while offering a connection to the not-always-stable Internet, also has its own internal network through which customers receive data from a more reliable or stable source. When doing business over AOL, doing a web cast from an AOL server to an AOL user, you have that direct line that bypasses any of the Internet and its unfortunate congestion. Why can't more companies do this? That is, build AROUND the Internet, or build to the side of the Internet and offer as part of their service an Internet connection. Redesigning the Internet, besides being nearly impossible, is going to cost quite a substantial amount of money, and who is going to pay for it? The major ISPs (who will then pass it onto the customers). The point being, why pour money into a redesigning of the Internet when you can use the same resources to build your own network that can offer great service and speed and at the same time, allows for these companies to keep control of their own space without having to share it with other corporations. Administration becomes a bit easier since both the client and the server are the responsibility of a single entity, network sniffing becomes a thing of the past, and all those other evil cracker stories the media likes to propagate. Then, as several of these attached networks start to show up, companies could create partnerships between each other and interconnect themselves with some large "pipes" and allow for cross-network communication without the need of using some sort of unstable, unreliable public network. Leave the Internet to those who enjoy it. Keep it free. Just make a copy of it and package it as your own. Isn't that what companies do anyways?
What you say only applies to commercial products that include content encoded with DivX.
If you're making money off a product encoded with DivX then I wouldn't consider such terms ridiculous at all.
If you're making encodings for private or non-commercial use, there's absolutely no requirement to provide such markings or notices.
The full license may be viewed here.
-
"There is no off position on the genius switch." --Dave Letterman
-
Using Project Mayo as an example, we see that we don't need to rely on big corporations to feed us what the new multimedia format is going to be. Microsoft, in their actions, are just going to get more developers into working on new, open, and hopefully free multimedia formats which will have a better compression than current technology. It's not a step back, it's Microsoft unwittingly pushing us, as developers, forward.
;)
Also, Microsoft's limitation is only in their own MP3 codec which will come bundled with XP. Using other mp3 codecs will allow users to continue creating MP3s in higher-quality format.
On a side note, the world of Windows XP is getting darker and darker, in my own eyes. With subscription-based licensing and now active attempts to stop MP3 files from being produced on XP, I can't help but ask when Microsoft's attempt to control what I do with my own computer will end?
Ultimately, it's going to make me move to alternative OSes as the solution rather than continuing my use of any Microsoft product.
If only we could get the *NIX world to pick a de facto GUI standard, then 9/10ths of my reasons for not moving to Linux or one of the BSDs already would be eliminated.
The other 1/10th is taken care of already with the announcement of Tribes 2 for Linux shipping.
When are we going to start seeing mainstream 3D interfaces? With the increase in 3D card tech (NVIDIA) and solid 3D programming libs supported on multiple platforms (OpenGL) why are we still using 2D interfaces? Furthermore, why is information still being represented as mere text on the screen? Frame it in any fancy "window" you want, I'm still reading text off a screen, just as I did when I was working with command prompts 15 years ago. Besides the 3D tech advancing dramatically, what about speech recognition, better audio file compression, etc.? Audio, just like 3D tech, is being treated as a fancy extra rather than something that should play an intricate part in the GUI. We do have 5 senses after all. And the only one GUIs play up to, GUIs don't use very well. I'll bite my lip at going off on the potential of M$'s chrome before they canned that idea. But come off it all you GUI "innovators". When the hell do you let go of point & click and maybe look towards "speak and move" or some other crappy buzz phrase that they love to quote. 3D environment with speech recognition. It's doable NOW, it's BEEN doable for a while. When the hell are we going to start seeing it?! And I haven't even gone off on text-to-speech translators. Let's start using more than text and flat images!
Exchange is EASILY configured to filter out attachments with certain filenames (.vbs, .shs, etc.)
OR
Through 3rd-party software you can actually have Exchange scan *EVERY* e-mail attachment for viruses, worms, etc.
Also when you mention uptime I think there's other factors involved. I personally work with an exchange 2000 server that, with the exception of the intentional lockout from receiving outside mail during the whole Love Bug debacle, service pack upgrades, power outages and other similar times when the cause of downtime was OUTSIDE of anything relating to the software or hardware of the server, has ALWAYS been up. Yes that's correct, we're talking a good 2+ years of uptime with no crashing.
I believe this is because we have a stock install of NT 4 with _NO_ extra services/servers/etc. running in the background. I think a lot of Exchange server crashes are largely due to other servers/services running on the Exchange server.
One box, one purpose, it's rock solid.
And we've been testing an Exchange 2000 box running Win2k on a new Dell that's run without any problems thus far. However its server load hasn't been realistic yet. That'll only happen when we get it into production. But so far I haven't found any problems with Exchange, so long as you're a person who knows what you're doing in the configuration and administration of the machine.
I think that Microsoft products in general are becoming increasingly popular and this is giving rise to newcomers trying to hop on the bandwagon to secure a future with a big paycheck but who don't get MSCE certified, then blame the software, not themselves, when things go wrong.
You must also look at the popularity of the software and the availability of 3rd party software. Very few companies will develop their own software solutions but rather purchase them from 3rd party vendors. This is where Microsoft products get a lot of their strength. If you want some sort of virus filtering mechanism for Exchange you have easily 50 or so separate companies with software checked out and ready to go. I don't think this is so on a *NIX based platform. I don't think the software selection is there.
Also support is a HUGE concern as well. If you have a problem with Exchange you have a team of several hundred techs (all MSCE certified themselves) ready to help you get your Exchange server going. Aside from that there are several 3rd party support companies as well that help you setup and administer your Exchange server. On a *NIX based system, if you're running some sort of open-source package you found on the Internet, nine times out of ten all that's available for support are "user forums" where administrators just talk to each other about what MIGHT be the problem and solution. With a fully trained tech support staff you can get definite answers much easier (and usually faster as well).
Also I think the IT industry has a rather quick turnaround time. You're usually in and out within a couple years at these kinds of administration jobs. So you need a product that's going to be well supported and well documented so that a new guy to replace the old administrator won't be in the dark about such things as what patches are installed, what "personal" touches were put into the system, etc. that you would get with a *NIX based platform.
And notice I haven't even touched upon base features because I don't even have to.
Stability, not just in software but in tech support and "longevity" of the company, are key factors in picking your server platform. Microsoft wins out in all these categories. And 3rd party software is much more prevalent and available than on any *NIX system.
These are corporations we're talking about folks. Not universities.
...that way we can put any unlicensed racist in jail, or at least fine them heavily. Heh.
Patent the structure and operation of a democratic government.
...if the RIAA doesn't do it first. The feelings are the same all around. Why should I, the consumer, pay money so that other consumers can eat up my bandwidth downloading songs that I have? The whole basis for Napster is the user's willingness to share their files. But if Napster implements a pay to use type service, people might pay, but they won't share their music. Ultimately Napster will die. What's happened here is that Napster in itself was a great idea. But great so long as it remains free. Some people saw Napster, namely Shawn's uncle, as a chance for profit without really thinking things through. Maybe there's another way to make money off of Napster, but charging its users is not the right way. Perhaps a premium service, one in which users are required to be above a minimum bandwidth and to host a minimum number of files, perhaps then I'd pay, as long as I was guaranteed a certain quality of service. But there is no guarantee with Napster's quality of service right now. The only reason Napster is doing so great is because everyone fears it's going offline soon so they're hoarding. Blah.
the guy's a troll. and he gets a 3? sheesh.
Straight from the article:
"Authentication of the Client's IP, prior to the committment of any connection resources, provides all of the benefits of Connection Management Deferral with none of the liabilities."
If I follow this right, the encrypted data in the ACK packet will be decrypted before anything else. So a flood of ACK packets would still work since the system would go through the process of decrypting each packet, eating up CPU time, etc. before it checks to see if the source address is an address it wants to talk with.
Still, spoofed IP packets will still work. The only thing keeping them from working is the ability of the attacker to get the SSN value (since the attacker would specify the CSN itself). However, as TCP/IP fingerprinting techniques have shown, older Microsoft products just start at 1 every time. So getting the SSN isn't that hard.
Even still, with random SSN values, spoofed packets could still work, however the attacker and the spoofed client would need to be on the same network so the attacking machine can sniff the SSN value and respond before the spoofed client has a chance to respond with an RST command. It makes the investigation of such attacks a little easier, but still not foolproof.
And hell, if an attacker doesn't even care about his real IP address being discovered, SYN attacks could still work.
It isn't my fault the user ran the program. I just wrote it.
So now what? If we did have laws that protected programmers from liability issues then there would be no grounds for programmers of these types of programs to be disciplined.
Now Microsoft or whoever else can add all the backdoors they want without fear of being sued over it. Of course there could be public outcry, bad publicity, and so on but how much would that really hurt the company?
you need a place to store records on each user's karma. this would mean a centralized server. which might not be a good idea since it probably means that every user's IP would at some point go across it, and thus, be loggable. and once u can match IP to username, you get the same bit as napster and the RIAA, meaning you can be ordered to deliver user records and so on.
it is impossible, under 95 and 98, to spoof an IP unless you get really low level, bypass winsock itself, and talk to the network adapter directly. It's a pain in the ass. Although there are network adapter services out there you can install (like installing TCP/IP or IPX) that make it possible to edit TCP/IP headers.
Under Win2000 tho, it IS possible to spoof IPs using that IP_HRDCL flag (i think that's how u spell it, heh).
I've got no clue about Windows ME. My guess is it's the same as 95 and 98. but i don't know.
How is this good? If the receiver is known and not the sender, you're still just as bad off as you are now. NetPD could just serve files up, and still tag the people who are downloading the files. Which, in all reality, it's the people who download that are at the most risk of being nailed for copyright infringement since the person serving the files may very well own copies of the CD that the music came from, in which case MP3s are legit. BLEH.
The only real hole behind all of this is that IP #s can be tracked. A repository could open in "good faith" but keep track of all pads that are uploaded. When a "key" pad is identified, it pulls out the IP that submitted it, (along with a date and time, and maybe even a MAC address), and now the origin of the data can be found out... to a certain extent.