By definition, CentOS lags behind Red Hat on patches. They work very hard to make that window as small as they can, but sometimes it drags out longer than you'd like it to for a critical system. Some researchers will wait for Red Hat to release a patch before posting about a vulnerability. Not so many will wait for CentOS. So the window where there's an announced flaw without a patch is, necessarily, larger with CentOS than Red Hat.
As someone who sometimes gets paid to break into "internal" systems, I would like to encourage this mentality. The farther behind "internal" systems get on patches, the easier it is for me to demonstrate success.
Especially on any kind of absolute scale, when the amounts get so large. It's easier if you consider it in relation to other large governmental expenditures. Fox News (which tends to under-estimate war cost, IMO) has estimated the cost of the Iraq war at >$700B. How does the ISS stack up to that in terms of value to the world? Is it worth about 1/7 of that? More? Less? I'm not sure it stacks up as well against every other possible use of $100B, but I'd personally much rather have another 6 space stations than what we've gotten in exchange for our other $600B spent on war.
Then when your email gets to google, it's stored unencrypted, google reads the contents of the email and displays advertising based on those contents. (Aside: that bit of the OP was funny. Because while google's customer service reps don't read email themselves, the system does, and you often get ads on your gmail pages that say "you could be doing better than...") At that point a rule in your intended recipient's gmail configuration could, accidentally or intentionally, forward that message to another server, to which google will make an unencrypted connection and where the message will, a second time, be stored unencrypted.
Though they're improvements over the old status quo, https and POP/IMAP/SMTP-TLS are not substitutes for encrypted email.
The driver is not specifically for the wind. That's the same chip used in cheap USB wireless adapters like this one and RealTek has been providing their OS X driver for some time. The driver and associated utility do not work very well, FWIW, and I don't suggest trying to use them with a Mac unless you really have no other option.
If people are too stupid and like to listen to their SALESman instead of forking over $200 to a real-estate lawyer (that's what it cost my parents 2 years ago) to review and make clear the paperwork to them, then that's their own fault.
I'm not arguing with this; you're right on. I was simply disputing the notion put forth by the post I was responding to. geekmux said that if these legal agreements had teeth, people would read them and offered as an example the notion that people generally read the paperwork that they have to sign when they purchase a home. I maintain that the current financial mess is due, in part, to the fact that people don't read legalese even when not doing so can have dire consequences. So giving these agreements more teeth would be of little help in getting people to read and adhere to them :-/
Why is it when we ask people to read through a 2-page user policy, they skip through and don't even bother reading it before they sign it, yet those same people will sit down and pore through 3 inches of legal documents for 4 hours when buying a home?
If you want real security, then clearly explain the issues.
Bullshit. If you want real Security, enforce the punishment. Yes, it's that simple, and is also the answer to my previous question.
People read through 3 inches of legal docs when buying a home because they know damn well they could get burned legally.
Name the last time someone you know got fired for breaking a Security policy, or losing a laptop and not following protocol properly to report the company confidential data loss.
I thought so.
'Nuff said.
The current problems which are being, at least partially, blamed on deceptive lending practices in the mortgage industry would suggest that many people do not actually read through the legal documents they sign when they purchase a home. Do you think that for these deceptive loans, the stack of legal documents did not contain the truth? Of course it did. It was just buried in a pile of legalese, and people simply went with what the nice broker told them.
No, no, surely we don't get geek credit for starting with a 9600 baud modem. My first was a 2400 baud (US Robotics, maybe?), and I even used (but never owned) a 300 baud modem. I remember how blazing fast 14400 baud seemed when I first got my hands on it.
Heh. We probably started about the same time... the first modem I purchased was a 2400 baud modem ("Prometheus" I think), and I used but never owned a 1200 baud model. 9600 was just particularly memorable because it was obsoleted *so* immediately after what was, for me, a substantial purchase.
I don't know that I'd say the difference is exactly fundamental. Sure, if you're talking about weaknesses in a cipher, a general attack on it might apply to any protocol that uses that particular algorithm. It's not just a cipher algorithm, though; getting secure key exchange right is a hard problem. You want the protocol you've selected for doing so to have been vetted by as many people for as long a time as possible. VPNs have been around for a great deal longer than these new wireless schemes, and more people have spent more time attacking them.
I simply don't see enough benefit (to having some wifi-specific scheme) to offset the risk that designing and implementing some new protocol introduces new weaknesses. In addition to that, I see that configuring your client to think your wifi adapter is a safe LAN rather than an untrusted network carries significant risk if you ever take that client to a public hotspot. Having some wifi-specific scheme makes that behavior more appealing to some people. Having your OS assume a wifi adapter is on a hostile network and the LAN is only over the VPN is by contrast much safer.
Attacks only get better, not worse. The right thing to do, IMO, is treat this as a warning. We need to stop trying to concoct schemes that are specific to wifi and just treat wireless media as untrusted. Harden the clients. Don't let them act like they're on a trusted local network until they're on your VPN. Besides getting more thoroughly vetted crypto, this leaves your road warriors in a much better position when they sign on in coffee houses, airports and hotels.
Sigh. I'm sure I'm not the only one here... I distinctly remember purchasing my first 9600bps modem. (A real Hayes, no less! I sent them a large manila SASE and they shipped me the AT command manual for no charge.) I spent a few months mowing every lawn I could to raise the funds for it. Exactly a week after I got it installed and found a couple local BBSes I could connect to at 9600, Hayes shipped the very first 14400bps modem.
Apart from the nature and amount of labor involved in raising funds, that's been a pattern for so many equipment purchases since. That was the very first time I bought something so close to the release of the new shiny, though :-)
They offer certs with domain validation for free. There are gentle attempts to upsell you to higher levels of validation, but their domain validated certificates work without errors. Look here.
If you want certs that are validated to your business' identity (instead of just your domain) and don't indicate in the DN that they were free, there is a small charge.
They introduced per-keyboard control of the modifiers in OS X 10.5. If yours and CmdrTaco's comments are any indicator, though, they did not make this easy enough to find.
And considering that this article was submitted by "BritishColumbian" I'm amazed he/she didn't consider their own country, which has some very good privacy protection.
Don't you see the benefit in hosting somewhere that's not under the jurisdiction of your government, even if you think their laws are relatively good? It seems an activist might.
If the drives are IDE/ATA/SATA, this works well and is a better idea than rotating them through an enclosure. (I find that the captive cables in USB drive enclosures are not very robust. This does not share that problem.)
The problem is that in some jurisdictions, the Public Domain isn't forever. What that means is that you can take a work in the Public Domain, make a tiny change (which might be as subtle as changing the author's name to yours) and copyright the derivative work. But there's more: you can then go after anyone using the original PD work, claiming they violated your copyright.
I call bullshit. Got any documentation of a case where a copyright holder on a derivative work has "gone after anyone using the original PD work" and won? In some jurisdictions you can "go after" anyone for anything you can concoct. Doesn't mean you can win.
I am intrigued by your ideas and would like to subscribe to your newsletter...
Anyway, how well-defined are the "many services"? Well enough that the /. crowd can't find a workable shell under which to move the pea? (Why yes, that *is* a challenge, to be met by /.ers and defended against by asshat-sympathizing lawyers.) ;=)
Actually, I need to correct myself. I just caught the late news (the situation has been changing rapidly up until about 4 hours before the law was signed) and it seems that computer services and real estate transfers were the only newly taxable services that got left in the final package. I'm not a Maryland resident, but live nearby and have been hearing a ton about this on the radio during my commutes. IT Operations, custom programming, systems integration, support services, disaster recovery services, hardware/software installation and computer repair all made it in. Landscaping, car washes, arcades, banking services, and management consulting all had better lobbies and got removed at the eleventh hour. Those were on the table when I heard the report yesterday. Perhaps an enterprising /.er could cast their computer services as simple tools of a management consulting business and get through that way? Or maybe server management software could qualify as an arcade by requiring you to defeat a boss every time you want to view a log?
Really, why should the test be the user's reply to a question? If you can install your rootkit on the user's machine simply because they've visited your website, and you believe your users visit websites that are not yours, other sites can and probably have installed their rootkits. So what you should really do is quietly test to see if you can install your super secure rootkit, and, if so, do it. If you can't install it, they're probably safe to do business with.
Seriously, using user behavior to assess security risk isn't a dumb idea. But the way this essay frames it is just silly. With the number of assumptions he's made (about user behavior, having a super "rootkit" that can defeat all others, etc.) he might as well go the whole nine and just own everyone he can.
That would already require payment of the sales tax if purchased in state or the use tax if purchased out of state. The sales tax is being raised to 6% too. The big change is that many services (the main one of interest to the /. crowd being this one) are now being taxed as if they were goods for sale. So all you'd be doing is introducing extra effort for the same tax treatment.
My point was simply that those don't need to be the devices used for the communication. You could be transferring the encrypted message via offline means to a box that's never been online or left your control for decryption. Now how you can be sure that a box that's never been online or left your control doesn't have a rootkit may or may not be an open question, depending on how you constructed it... the fact remains that you don't need any trust in the communications equipment. Even if you want to claim that the risk is still not zero, it's a very different risk than any strategy that requires you to trust your long distance communication equipment.
So basically what you're saying is that you cannot send a message long distance with 100% assurance that it is secure. So either don't send sensitive information long distances, or live with the fact that it may be intercepted. Right?
I don't know what OP was trying to say, but your statement is wrong. You don't want to place your trust in the communications medium. Transmit a token out of band that you can use to establish trust. One example of this would be encryption keys. You and I meet in person, exchange keys, then use those keys to establish a secured channel over an untrusted medium. If this is infeasible, we can accomplish the same thing transitively. Anyone remember key signing parties?
So? Granting them the right to use it in "a commercial setting" doesn't extend to them any guarantee that he's the only party they need permission from in order to use the image for advertising. In fact, if you read the license in question, the photographer specifically disclaims having such permission:
5. Representations, Warranties and Disclaimer UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU. 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
So while the photographer gave permission for "commercial use," (e.g. you could use it in a magazine story and sell that magazine; that requires no permission from the person in the photo) he did not imply that you have permission from the subject of the photo to use it for purposes (e.g. product endorsement) that require such permission.
If the court finds Virgin liable, then they are opening a huge legal issue in regard to all non-signed contract licenses, including the GPL.
Not at all. The licensor gave all the necessary permissions that were his to give. Certain uses require the user to go get more permission from other parties as well. It'd be the same if you implemented someone else's patented method in GPL'd code. Even though you can give the rights to your copyrighted implementation of the patent, the patent rights aren't yours to assign. If I then use your code under the terms of the GPL, the patent holders could come find me and the GPL wouldn't be a defense. Just go try to sell a program that uses LAME without a license to the MP3 patents and see :). That doesn't make the GPL broken at all.
Or at least asking them for the source. It's a common misconception that a GPL'd app must be accompanied by source code. The company only has to make it available upon request.
It needs to be accompanied by a written offer for the source if it isn't accompanied by source.
And now the source is there:
http://growl.info/documentation/developer/growl-source-install.php
We need to stop trying to concoct schemes that are specific to wifi and just treat all media as untrusted.
There, fixed that for you. What makes you think wired networking is secure?
Men with guns, usually ;-). But I agree with your point, and don't generally consider the condition of being wired sufficient access control.