Re:Target is still speculation on Stuxnet Worms On · Score: 2, Interesting
Not necessarily. The "P" in PLC stands for programmable. PLCs have a large amount of generic physical I/O (relay outputs, 4-20mA inputs, etc etc). From looking at the Stuxnet code, you *might* be able to tell that a particular output is being turned on - but without knowing what's wired into that output, you still haven't learned much. And that's a fairly blatant scenario (where Stuxnet is directly controlling PLC I/O).
If Stuxnet is doing something more subtle, it could be doing something like patching the PLC code to silently disable safety interlocks, by replacing the results of a logic calculation with a different value. It's similar to installing a NoCD crack in a game executable so that the check_for_valid_disk() function call return value is always set to TRUE, and the disk checking code never even runs. If we can only see the patch (Stuxnet's observable behaviour) but not the original executable (the PLC code) there's no way to tell exactly what Stuxnet's payload is. Even Siemens wouldn't be able to figure it out unless they had a copy of the code put into the PLC by its owners.
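The point above, as an added illustration that is not part of the original comment: one and the same patch (forcing a logic result to TRUE) is applied to two constructed controller programs, and what it does physically depends entirely on wiring that the patch does not contain, while the owner's known-good copy is what lets a defender see exactly what changed. The tag names, wiring tables and the toy rung format are all invented for this example.

```python
import copy
import hashlib
import json

def evaluate(expr, inputs, rungs):
    """Evaluate a toy ladder expression: bool constant, tag name, AND/OR/NOT."""
    if isinstance(expr, bool):
        return expr
    if isinstance(expr, str):
        # A tag is either an internal rung result or a physical input.
        if expr in rungs:
            return evaluate(rungs[expr], inputs, rungs)
        return inputs[expr]
    op, *args = expr
    vals = [evaluate(a, inputs, rungs) for a in args]
    if op == "AND":
        return all(vals)
    if op == "OR":
        return any(vals)
    if op == "NOT":
        return not vals[0]
    raise ValueError(f"unknown operator {op!r}")

# Constructed sample programs. The logic is identical; only the wiring
# (what each terminal is physically connected to) differs between sites.
RUNGS = {"M10.0": ["AND", "I0.1", "I0.2"],     # interlock result
         "Q0.3": ["AND", "M10.0", "I0.5"]}     # output gated by interlock
PLANT_A = {"rungs": RUNGS, "wiring": {"I0.1": "temperature below limit",
           "I0.2": "coolant flowing", "I0.5": "operator start",
           "Q0.3": "heater contactor"}}
PLANT_B = {"rungs": RUNGS, "wiring": {"I0.1": "guard door closed",
           "I0.2": "e-stop released", "I0.5": "operator start",
           "Q0.3": "conveyor motor"}}

# All an outside analyst sees: "replace the result of M10.0 with TRUE".
PATCH = {"rung": "M10.0", "force": True}

def apply_patch(program, patch):
    """Return a copy of the program with one rung's result forced."""
    patched = copy.deepcopy(program)
    patched["rungs"][patch["rung"]] = patch["force"]
    return patched

def describe_effect(program, inputs):
    """Map each physical output (Q tags) to its state, named via the wiring."""
    return {program["wiring"][tag]: evaluate(tag, inputs, program["rungs"])
            for tag in program["rungs"] if tag.startswith("Q")}

def digest(program):
    """Stable hash of the logic, for comparison with an offline baseline."""
    blob = json.dumps(program["rungs"], sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

def diff_against_baseline(baseline, running):
    """Owner-side check: which rungs differ from the known-good copy."""
    return {name: (baseline["rungs"].get(name), logic)
            for name, logic in running["rungs"].items()
            if baseline["rungs"].get(name) != logic}

# Interlock condition I0.1 is NOT satisfied, operator presses start.
UNSAFE = {"I0.1": False, "I0.2": True, "I0.5": True}

if __name__ == "__main__":
    for name, plant in (("A", PLANT_A), ("B", PLANT_B)):
        running = apply_patch(plant, PATCH)
        print(name, "before:", describe_effect(plant, UNSAFE))
        print(name, "after: ", describe_effect(running, UNSAFE))
        print(name, "changed rungs:", diff_against_baseline(plant, running))
        print(name, "digest match:", digest(plant) == digest(running))
```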
why would we do it at home, where we are not prohibited from texting on our phones or loading up a video game on our portable player, simply because some relic from the 20th century thinks it is rude.
You do that at the cinema during the movie? Don't you realise how distracting it is for every single person sitting behind you to have a bright little screen waving around in their peripheral vision, in an environment that's deliberately as dark as possible?
Damn right it's rude! If you don't want to watch the movie, leave. The rest of the audience paid to see the movie too, and don't need to have their experience ruined by selfish behaviour on the part of one person in the audience.
This confuses me.
As I understand, OOXML is mostly a compressed XML serialization of the pre-existing DOC, XLS etc binary formats. That's why Microsoft pushes it - it's extremely compatible with MS Office by default.
Now, you can complain that this means that other office software vendors will be required to structure their stuff to fit MS's existing designs. But they already do! Lots of people here say that OpenOffice has pretty good compatibility with MS Office binary files. Why would it be so hard to adapt those existing compatibility filters to read MS Office files in a published XML format, compared to reverse-engineering MS's proprietary binary formats?
It seems to me that switching from an undocumented format to a documented format (albeit with similar structure and capabilities) is inherently going to reduce lock-in. Whether OOXML is the best format is another question. To me, OOXML seems overcomplicated (due to all the legacy support), but ODF is rather underdefined (no specification for spreadsheet formulae, wtf?)
Some good points on the directory tree support. In my work, I mostly use archival compression on files that need to be handled as a package, but I can see how other use-cases would benefit from more efficient partial extraction.
Urgh.
Even better, mandated support for .zip as the default compression format. LZMA is so much better, and free too.
7-zip does have a pretty horrible UI though. I can see why you might want to standardise on WinZip, but still use LZMA compression.
I also note that Firefox's crap central management support will probably also rule it out of being included in Aussie federal SOEs. Guess it'll be the latest version of IE for the government (again)...
This contest isn't all about energy efficiency, though.
The other design criteria were low noise and reduced emissions of certain types. I think airspace congestion might also have been included in the weightings?
Personally I would have thought that the emissions criteria would really be more of an engine design issue rather than aircraft design, but I'm not an aeronautical engineer.
Actually it looks like the Lockheed proposal is two-engined. I posted this comment downthread, but there's a pretty good chance it'll just get buried down there, so I thought I'd post it here too.
Here's a larger picture. Notice how the engine is mounted on a fin that does not emerge vertically from the tail of the aircraft. The engine mount comes out of the fuselage at an angle, and then curves up towards the vertical through the space occupied by the engine. If you look at the bottom of the fuselage, you can just make out the edge of a second engine's bluish cowling. It's mounted on the other side, also angled out from the aircraft, but almost completely obscured by the fuselage because of the point of view of the image.
I don't think they chose a very good camera angle for showing off the concept.
Actually, I don't think it does.
Here's a larger picture. Notice how the engine is mounted on a fin that does not emerge vertically from the tail of the aircraft. The engine mount comes out of the fuselage at an angle, and then curves up towards the vertical through the space occupied by the engine. If you look at the bottom of the fuselage, you can just make out the edge of a second engine's bluish cowling. It's mounted on the other side, also angled out from the aircraft, but largely obscured by the point of view of the image.
I don't think they chose a very good camera angle for showing off the concept.
Apparently Google has already given some or all of the sniffed data to authorities in Germany, Spain and France. I wonder why the US is causing so much more controversy?
Perhaps the US government is asking for more data (eg data from other countries) or has refused to meet conditions Google had set for the European governments, when handing over their shares of the data?
So let me see. The government is saying "Bad Google, shouldn't have collected all that data. That's private data that belongs to our citizens, not to you, even though it was broadcast in the clear. Now that we've established that only the originator should have that data.... let me have a peek! No, don't delete it - I really wanna see."
Very consistent. Not hypocritical at all.
First game I played when I downloaded the bundle. (Of course, I already owned & have finished Machinarium and Braid)...
I think Revenge is a pretty good game. It does seem like there might be a bit of a spiral-of-fail issue if you don't score well enough on the early levels to buy tech, or buy the "wrong tech" (eg all the enabler techs and no actual buildings), though - your lack of tech makes it even harder to do well on the later levels.
Isn't Chrome a WebKit browser?
What makes you (and half of Slashdot) think that Stuxnet was designed to primarily attack systems that are connected to the Internet?
It's not. It's designed to use multiple propagation strategies to get over air-gaps, helpfully transported by people who need to use both a) internet connected resources and b) private network resources. Once it's over the air-gap, it then spreads just fine within the private internal network. But it *does not* require sensitive assets to be on the public internet to be a genuine threat.
And how would the non-computer HMI be configured and updated when the plant needs to change the calibration on a pressure meter, or similar? Presumably by some kind of PC or engineering workstation with an "HMI Configuration" package on it? Gee, that sounds rather a lot like the kind of "PLC configuration" workstations that were the attack vector for getting into the PLCs!
It's turtles all the way down, I'm afraid. You can't implement a programmable control system without a general-purpose, insecure, infectable PC somewhere along the line. The *degree* of insecurity and infectability is variable, but I don't think there is such a thing as a secure general purpose OS on the market today - and if there *is* such a thing, there certainly isn't any PLC or HMI configuration software written for it.
And since the privileges needed to attack a PLC are the same user privileges needed to configure & program one, a well-implemented trojan might not even need privilege escalation on the engineer's workstation; they can do everything they need using his or her logon.
No. Stuxnet targeted Windows because the _specific plant that Stuxnet was designed to sabotage_ used Siemens WinCC, which is a Windows-only application.
If Stuxnet was a piece of general purpose malware written for economic or general purpose espionage reasons (like the Russian Business Network's systems or Ghostnet) then your argument would make sense. In the case of Stuxnet, which is one of the most specialized pieces of malware ever made, it targets *whatever platforms are necessary* to get at the 33+ Variable Speed Drives that it was specifically designed to sabotage. If that plant used a Linux-based control system, then Stuxnet would have been a Linux + PLC rootkit instead of a Windows + PLC rootkit.
Yeah, AV on the laptops does help - but as usual, only against known threats. When a nation state decides to gin up some custom sabotage-ware to take out your specific factory, you can count on it bypassing any and all AV until its dirty work is done.
I think it's difficult to ever be truly secure against an attack with this level of dedication. Stuxnet targeted air-gapped facilities, and appears to have succeeded in its primary mission. If anything, the failure of Stuxnet was that it spread *too much*. It's unlikely that industrial control/telemetry guys would have been able to diagnose what was actually going wrong with the centrifuges (or whatever) given how stealthy Stuxnet is. If it stayed within the target system, to which access is presumably very restricted, the "many eyes make all rootkits shallow" principle suggests that it could perhaps have stayed undetected much longer.
Stuxnet used multiple zero-day flaws to attack the Windows SCADA / PLC configuration boxes, and attacked the PLCs from there. Use of (hypothetical) Linux software for the SCADA / PLC configuration packages just means that the nation state actors would have had to find/purchase some zero day Linux flaws, rather than Windows ones. I find it hard to believe that there aren't any zero-days in Linux that would permit a similar attack vector, especially considering that the initial attack is code being run by an authenticated, logged-in user rather than a remote exploit.
AutoPlay is a disaster on Windows though. I don't know why MS hasn't abandoned it completely; the benefits are just not worth the downsides.
I *do* know someone with a Windows Phone 7 phone.
It was bought for them by their work.
Do I know anyone who has bought one by personal choice? Not yet...
Terrorists don't give a shit about American freedoms, budgets, and personal dignity. They want US forces out of the Middle East and freedom to impose their medieval theocracy on anyone they can reach.
So far, the score in the War on Terror is probably a Nil-all draw between Team America and Islamic ultra-conservatism.
The point is to bring a firearm with you on your trip, even if you don't need it. Then you check it in (as required) in order to benefit from the improved regulatory environment that gets triggered by the presence of the firearm.
For the money & status.
With many substances, an increase in hardness (harder to scratch) is correlated with a decrease in toughness (shatters more easily when stressed).
I wonder if that's true for gorilla glass?
Actually it's not sour grapes. John Sculley says that he, John Sculley, was a bad choice to run the company, and that Jobs has kicked his butt in pretty much every conceivable metric. John has nothing bad to say about Steve at all.
Yes, it's certainly a tantalising prospect.
There are indications that the target may have been the Bushehr nuclear power plant in Iran, with the Russian contractor's USB drives being the attack vector into the plant's control systems. (Which are not on the Internet, despite the smug assumptions of so many posters earlier in this comments section.) There's enough information out in the wild now that anyone with access to the target's PLC code could verify the target. Obviously this means the attack targets will be able to prove that the trojan was targeting them, but I doubt they'll be announcing the fact to the world - unless they can trace the attackers and gain political advantage through an announcement.
It seems the evidence currently leans towards a probably Israeli or possibly US cyberwarfare attack on Iran.
Sorry, does that mean they're highly in demand, or completely worthless? The data point you offer in comparison doesn't really mean anything to me.