I've never had a problem. At worst it puts in a whole lot of unneeded paragraph breaks or misses some of them, which is annoying but not unreadable, especially for non-fiction. Sucks a bit more when there is a lot of dialog though, as you can miss who the current speaker is.
The challenge is the FDA in my experience, but the problem is I'm not in the US; since the vendors want access to the US market they have to pretend that the FDA is God, even if it is something that could be solved by a bit of common sense, some automated testing on the new version of the browser, etc. The FDA requires formal software development processes with complete documentation. The problem arises when you code something up and then realize that it could be useful in healthcare. You haven't followed the process from day one, so you're in for a whole lot of pain getting through certification.
Mah, never got the phone-in-a-pocket thing, at least with good phones (I use a cheap freebie now so I don't care). You have a nice shiny screen so you don't want it to get scratched. That rules out the keys/change pocket. I don't put anything in my back pocket because I'm a) not crazy about pickpockets and b) don't want to sit my fat ass on it (both because it isn't comfortable and because said big ass is likely to break it). So that leaves the wallet pocket. That would be a pain trying to keep the wallet (which is roughly the size of a smartphone) and said phone fitting in the pocket and getting the appropriate device out without accidentally pulling out the other one each time. So... holster or craptacularly cheap (can you feel your phone bend when you dial a number? I can :-)) phone for me.
I think they could easily get another half inch out of the screen by using more of the existing surface as a screen rather than a black/white border that serves no purpose on the top and bottom. Well, it might serve a purpose, but they might have found a way to move the unimportant things (like, you know, the parts that make it a phone: microphone and speakers) off to the side rather than tying up front-of-device real estate.
Funny one: worked in an IT shop a couple of years ago. We got a brand new SL3000 tape library from Sun. I think the whole project cost about 250k: two fileservers (32 cores each with dual 10Gbps FCs), 5 LTO4 drives and the robot. Anyways, the best was running... wait for it... Windows 2000. In 2009. On a piece of Sun hardware. Fantastic.
I work in the healthcare industry now and we are stuck with Win XP, sadly. A major software vendor (pretty much impossible to avoid their software since they manage our IT) only supports XP. At some point that might change, but heck, a few years back they wouldn't even update the browser because they were so tied up on IE 6 that critical things like patient booking wouldn't work on IE 7. This was two years after IE 7 came out, but still no dice. We've been upgraded now, fortunately, but it was a slow process.
True, that works at some level. Sandboxes can give you added things though, like reasonable limits on resources. E.g. Office apps should only make up to 1GB of data; anything more and the user has to grant it. Something like a web browser should use 300MB or less RAM, Angry Birds shouldn't get more than one core of CPU resources, etc. Things interact as a system: one app doing something stupid can bring the box down as systems are designed now; this shouldn't be the case.
I disagree. There is trust and then there is trust. I'm reasonably confident in apt or iOS repositories being well maintained and having pretty good programs in there. They are likely from a vendor that has gone through some effort to get added, so the repository owner knows how to contact them; they probably have a project page and active developer lists, etc. (and of course in the case of apt their code is open so it can be reviewed).
That's all great. But is their program bug free? Even though they didn't maliciously try to corrupt data, what if they do it anyways? Or how about bad design? If it leads the user into thinking the app works a way it doesn't, then it might as well be a virus (e.g. to me at least a lot of programs are really obnoxious in how they try to weasel a Google or Yahoo toolbar onto your browser, try to reset your home page... yeah, because the first thing I want to do every time I use my web browser is look at your crummy app's webpage, etc.). They usually give you a way out of this, but they make you read fine print for each click to filter out the unrelated random crap they add to the install process. Some even try to do this on upgrades, which is insane: what makes you think my answer has changed since the last time? But back to the original point: I can trust that you aren't trying to screw up my computer, but I still shouldn't have to give you the keys to the kingdom. I should be able to run your app in its own little island without having to do anything out of the ordinary (sudo, run as, etc.), and if your app wants more permissions it should ask me (ideally its attempt is captured by the OS and the OS manages my security preferences for me, a la UAC (UAC might be a flawed implementation/user experience, but it is at least the right location for this kind of lockdown, I think)).
Yep. A big one is to make the mail server an open relay. It will then forward along emails that come from a botnet, and if the server is trusted a lot of messages might get through to recipients' inboxes. Sure, it will be found out quickly (hopefully), but spam campaigns can be really quick: a decent hardware server can send out 100k+ emails an hour, and if you fire off your campaign at say 2am on a Saturday, chances are you'll get 6hrs+ of spammy goodness before someone comes in and fixes it. You also can move around targets, so you spam a known Ironport customer for a while, and then hit one that uses a different vendor's antispam network, etc., so you have all the time it takes each of the different appliance/blacklist groups to get around to blocking you. P.S. I'm not a spammer; I just worked in the antispam industry for a while and find the cat and mouse game interesting both sociologically and technologically.
I think there is a fundamental flaw in the assumptions here though. You can't trust a package just because it happened to get added to Debian's or Apple's repositories. It does probably mean someone, probably a large number of someones and tools, have been used to check the app, which is a good thing. But you still shouldn't have to fully trust or fully not trust (by not downloading) an app. Just because I install Firefox doesn't mean I want it to be able to access everything I can on my computer. Apps should be installed in a sandbox and only allowed outside of the box when a user grants them access. That way, for example, the user can say "wait a minute, why does Angry Birds want to access my email account?" or "why is Google Desktop trying to send my data back to the mothership?" There is a lot of cool FOSS software out there I like to try, but it shouldn't mean that I'm giving bob@coolhacker.org "full trust" on my system because I want to see if his text editor is really as cool as it looks, any more than I should be giving full trust to some random app that landed in a deb package on debian.org. The old rule, trust but verify, holds.
I think you might be wrong. Servers are a nice target because they are often trusted. If you want to make a botnet not work efficiently you can throttle the port 25 traffic on your home users. Normal people won't notice because their 20 emails an hour will still go through quickly, but the bot trying to pump out 100+ messages a second will. But if you hijack a mail server? First off you could read everyone's email; second, it is highly likely that there are trust relationships between that mail server and domain controllers, and external mail servers. Any blacklist will probably be a lot slower to block a mail server properly authenticated as ford-mailserv-1 than some random IP from AT&T's home DSL pool, and when they finally do start blocking mail from there you have the added hacker props of being someone that blocked mail from a hundred thousand users.
And what happens when one of the "run whatever you want" apps uploads everything to Facebook? A true sandbox shouldn't be able to see anything not in the sandbox, so the app should start up and see an empty folder; you can create files and do stuff with them, but once the sandbox is destroyed (application closes or user logs out) away go the sandbox files.
You could for example have two splits in a user account: user.data access and user.app access (which could be a tree of access rights for each app). Applications start in app access; if they want something that isn't already in their access list, then something like a UAC prompt comes up and asks the user if that is what they want to do.
Argh. No "running sounds" for me please. What is one of the things you learn when you first go out of the house as a kid? Look both ways. If pedestrians (and I'm one of them, I don't drive) don't look both ways, who's to blame? As electric becomes more common people's behaviors will change and people will use their eyes more rather than just relying on being able to hear a car coming on a quiet street. After all, what if the noise maker on the car breaks? The only way to be sure nothing is coming is to look to see if something is coming.
Also, I look forward to a day when you could own a house next to a freeway and have no noise enter your house. To me the reduction in noise pollution is as big a factor as the reduction in carbon. The sound of cars is an annoying constant drone that I'd be happy to do away with.
I think the goal is that even if it is compromised but they haven't realized it yet at least it will only be at most X days before it is changed again. Changing the password frequently removes some of the risk/incentive to hack it in that you as the hacker would have to know what you want and it would have to already exist. It also makes the hacking problem harder since you have to be able to cycle through the key combinations in X days not in an infinite number of days, so after the password reset you don't know if something you already tried is now the password or not, you pretty much have to start all over again. Once you've cracked the password you can't just camp out and see every engineering drawing that the company is working on forever. I realize in most cases this doesn't matter the hacker will be more than happy to grab the easy stuff first and see what is useful or use the password to delete/otherwise disrupt things. But an enemy camping on a whole collection of passwords and bringing whole systems down.
At a larger scale: say you're China and you are hacking power plant passwords to be able to shut them off (not blow them up). If the passwords are cycled frequently you likely will always have some passwords you've cracked and some you haven't, but the chances that you'll get a sufficient subset of the passwords cracked so you could completely bring the power grid down in a geographical area is remote.
A password difficult enough not to get cracked is a password difficult enough that it can't be remembered. Smart card and relatively simple password is probably better, but that costs money (readers and cards, but also lost time because "I left my card at home"), whereas password complexity requirements are just a simple software configuration away.
Things that need external service technicians often have very simple passwords. For example, I work in health care and I know of at least two major companies whose components have the same login for every site for administrator access. You probably as a customer could insist on changing it, but the vast majority of sites don't. So need to give someone some radiation? You know the password. That said, it isn't going to affect a whole community, but the 30-100 patients that get treated before the problem is detected? Very doable. Similarly, wifi routers from ISPs almost always have a default password; most people I know change the WPA key but don't touch the admin account password. So anyone allowed into the network (or who can plug a network cable into the back of the box for a couple of minutes) can take it over pretty easily. Not a real big deal, I realize, because if they change the password to login (since they don't know yours, presumably that is what they would do to get internet access) you'd realize it isn't working and work to set it back. But if you are running a wired network primarily but it is a wifi device, it could be an issue.
Yep, I agree. The Chinese might not be buying debt directly because they probably are buying some derivative equivalent, since they too have to offset the effect of all the US dollars floating around buying products from them. That said, I realize they muck with the exchange rate, but still I bet they do a little to a lot to get in the ballpark of their artificial exchange rate with normal means (buying debt, buying another nation's debt + options on the currency you want to want, e.g. buy a euro bond + options on the US dollar so that you're hedged against the US dollar and your investments will move opposite to the US-Chinese exchange rate (at least they are likely to)).
Hmm, I'm not really sure why you couldn't just replace an ICBM's payload with a conventional warhead. I think the reason is more that people won't see it coming, so you can go boom before they know you are coming, and their allies will know once it has gone boom that you aren't using nukes. Versus lob something up on a ballistic trajectory and everyone goes nuts saying the US is doing a missile test/attack, and the guy you're going after hears about it in time to get out of the way, or someone lobs something back.
Yep, Titan IIs could launch the M53 nuke (8850lbs ~4200kg). The later ones, Titan III, and I believe it was the Titan IV on Star Trek (that is the one with the side rockets I think), were used primarily for "scientific research" (US spy satellites) :-) but also launched NASA interplanetary probes. I don't think they were kept in silos for just "quick launch", although that would help of course. But it also gives some level of concealment, not just "you can't see my missiles" but more importantly "you can't see that I'm getting my missiles ready", and once fueled you wouldn't want to move them around a lot, so filling them up where you fire them made a lot of sense.
All they would have to do is put some poison in the sweet and sour and we are all doomed. Perhaps the US could threaten China with some of the bombs they spent last year's money on: "hey, give us more money like you did last year or you'll be our proving ground for some of these here bombs". The thing is the Fed gobbled up a bunch of debt and the ratings agencies are on the verge of downgrading the debt. If they did, the US would either
1) Inflate their way out of debt.
2) Have to borrow at higher and higher amounts a la Greece.
Higher risk -> higher interest rates -> higher borrowing costs -> more risk -> higher interest needed to justify investment, etc., until someone bails you out. But the problem is no one's big enough to bail out the US; Europe would be the best bet, but they got their own crap to deal with.
How our bomb is heading to you on a different flightpath, don't panic, you'll die from a conventional explosion, not a nuclear one. First off, who's saying the warhead has to be conventional? Second: if you start bombing me and I have nukes, why wouldn't I retaliate with nukes, especially if they are the only devices I own that have enough range to hit the cowards that shot at me first?
No, just my balls are so large they take up most of the room in the crotch area.
That's not what your mother said ... booya :-)
You could have it so it is per folder, or per file type. So a user could say "allow this app to access my photos" and be done with it.
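A toy model of the permission scheme sketched across the sandbox comments above (an app starts in an empty private folder, carries its own grant tree of approved folders and file types, and anything outside that list triggers a UAC-style prompt whose answer is recorded). This is an added illustration in Python, not code from any real sandbox or OS; the class name, the prompt callback and the paths in the demo are all made up.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical model: every name here (AppSandbox, the paths) is made up.


@dataclass
class AppSandbox:
    app: str
    # The per-app "tree of access rights": folders and file types the user
    # has already approved for this app.  Empty on first launch.
    folder_grants: set = field(default_factory=set)
    type_grants: set = field(default_factory=set)
    # Called only when a request misses the grant list (the UAC-style prompt).
    # Returns True to grant the containing folder, False to deny.
    prompt: Optional[Callable[[str, str], bool]] = None
    audit: list = field(default_factory=list)
    root: str = ""

    def __post_init__(self) -> None:
        # Fresh, empty private folder: by default the app sees nothing else.
        # realpath so a symlinked temp dir (e.g. /var -> /private/var) still
        # compares equal with the paths we check later.
        self.root = os.path.realpath(tempfile.mkdtemp(prefix=f"sbx-{self.app}-"))

    def _inside_sandbox(self, path: str) -> bool:
        real = os.path.realpath(path)
        return real == self.root or real.startswith(self.root + os.sep)

    def _granted(self, path: str) -> bool:
        ext = os.path.splitext(path)[1].lower()
        if ext and ext in self.type_grants:          # "allow this app to read .jpg files"
            return True
        return any(path == d or path.startswith(d.rstrip("/") + "/")
                   for d in self.folder_grants)     # "allow this app to access my Photos"

    def request(self, path: str, mode: str = "read") -> bool:
        """Decide one file access; log everything that leaves the sandbox."""
        if self._inside_sandbox(path):
            return True                              # own files: never prompt, never log
        if self._granted(path):
            self.audit.append((self.app, path, mode, "allowed"))
            return True
        ok = bool(self.prompt) and self.prompt(self.app, path)
        self.audit.append((self.app, path, mode, "granted" if ok else "denied"))
        if ok:
            self.folder_grants.add(os.path.dirname(path))
        return ok

    def close(self) -> None:
        # Sandbox destroyed: its files go with it.
        shutil.rmtree(self.root, ignore_errors=True)


def demo() -> dict:
    """Constructed scenario: the user approves the Photos folder but nothing else."""
    approved = ("/home/u/Photos",)

    def user_prompt(app: str, path: str) -> bool:
        return any(path.startswith(d + "/") for d in approved)

    sb = AppSandbox("angrybirds", prompt=user_prompt)
    out = {
        "own_file": sb.request(os.path.join(sb.root, "save.dat"), "write"),
        "photo_first": sb.request("/home/u/Photos/cat.jpg"),   # prompt -> granted
        "photo_again": sb.request("/home/u/Photos/dog.jpg"),   # covered by folder grant
        "mail": sb.request("/home/u/Mail/inbox.mbox"),         # prompt -> denied
    }
    sb.type_grants.add(".jpg")                                  # per-file-type grant
    out["jpg_elsewhere"] = sb.request("/home/u/Downloads/meme.jpg")
    root = sb.root
    sb.close()
    out["sandbox_gone"] = not os.path.exists(root)
    out["audit"] = list(sb.audit)
    return out
```

The audit list is the part a defender cares about: it is where "why does Angry Birds want my email?" shows up as a denied entry even when the user clicks through without reading.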
It isn't just the tests throwing softballs at the kids now, is it?