Slashdot Mirror


User: arivanov

arivanov's activity in the archive.

Stories: 0
Comments: 3,701

Comments · 3,701

  1. Re:??????WTF?????? on South Pole Research Station Hacked Twice · · Score: 4, Informative

    You have not dealt with academentia from a system management perspective, I guess. If you had you would have heard the phrase: "I am a professor and you are not even a PhD, you will not tell me what to do".

    Btw, I am speaking out of experience here.

  2. Re:Sad on End Of The Line For Alpha · · Score: 1
    keep diverging from intel

    Minor problem here. What if Intel takes their prerelease specs and implements them again (just like with the Xeon 64bit extensions)?

  3. Re:Execute.me on Latest SP2 News · · Score: 3, Insightful

    It is different in the sense that:

    If SP2 has introduced as standard blocking execution based on ADS data, it has to be uniform across the OS. The fact that CMD does not do the check means that the check is not on kernel level. It is a userland check, most likely in explorer libraries which are universally used by MSFT software at the moment. This means that there is likely to be a way to do this without asking and this protection is not likely to apply to any 3rd party executables that do not rely on IE. This also means that SP2 enforces the use of IE to access the filesystem and launch executables.

    So MSFT did one of its usual stunts - it decreased the security of the system, screwed the competition while getting some publicity for a security feature. Good marketing...

  4. Re:Gee... on Does Unisys Really Get It? · · Score: 1

    They are. They do not do any hardware besides ES nowadays though. They are mostly a contracting/outsourcing house now and a pretty big one. Banks love them as they are the only ones to be able to deliver the required "workforce flexibility" and costs. They used to do it by formally employing people in countries with low taxation rate and weak labour laws and shifting them between assignments in different EU countries at a rate that allows them to claim that they do not work permanently in the countries in question. This loophole has now been closed in most EU countries so they are using other similar ones.

    Basically they are the ultimate IT opportunist. Nothing amazing in the fact that they have done a 180-degree turn if a few bucks required it. It is business as usual. Move along.

  5. Re:Should We Fear? on SHA-0 Broken, MD5 Rumored Broken · · Score: 2, Informative
    it proves that it is computationally feasible with today's computing resources to calculate a second different string or dataset that hashes to the same value as the origin

    Important note - with a guaranteed lower number of operations. Instead of 2^64 (SHA0) they used a method that always delivers 2^51. While neither one of these is within Joe Average computing power, the difference may bring a message into the cracking range of people who are in possession of "heavy computational artillery".

  6. Re:Obvious Reason on Open Source in California Government · · Score: 1

    Err... dunno about him, but his wife is a black belt.

    Also, do not forget that he is not an American and the "sportiness" of the geeks is quite different across the Atlantic. The ones from this side tend to be considerably more dangerous (even without guns).

  7. Re:No pretesting? on Human-powered Helicopter Fails to Lift Off · · Score: -1, Troll

    If you look at their rotor blades there is no way in hell they can be rotated to a proper speed for lift off by anything short of at least a several kW engine. These blades are huge, thick profile and with HUGE drag. There is simply no way a human can spin and keep them rotating for 1 minute at a speed sufficient for liftoff.

  8. Re:And for anybody who doesn't believe... on The "Return" of Java Discussed · · Score: 1

    You missed a few:

    1. Java does not have support for DNS in its main classes as recent as 1.4.x (need to look at 1.5). As such it is not suitable for any more complex network software, period.

    2. Java network interface support is not platform independent. As a result any application that needs to bind to a specific interface on a multihomed machine needs to have external config or to be platform dependent, which largely defeats the idea of using Java in the first place.

    So on, so forth.

  9. Re:I wonder how long on More Details on Cut-Rate Windows OS For Asia · · Score: 3, Interesting

    6-24h. That has been the case with all MSFT software releases in Eastern Europe. The question is that they are not going to waste their effort anyway. They will simply generate a few more keys for the real XP, XPpro to replace the ones that MSFT has blacklisted in SP2.

  10. Re:What now??!??! on Gene Therapy Turns Slackers Into Workaholics · · Score: 1

    This: http://www.newtechusa.com/ppi/main.asp

  11. Re:Imagine this.... on Gene Therapy Turns Slackers Into Workaholics · · Score: 2, Insightful

    In fact I imagine it quite clearly. Dopamine deficiency has been clearly linked to Parkinson's disease. So which medicine should Billy be taking? Agh?

  12. Re:Double Standards? on Microsoft Admits Japanese Monopoly Battle Hurting Image · · Score: 1

    Disagree.

    Patent stakes out your right to solely exploit your invention for commercial purposes. This was the original idea behind patents. It has been lost over the years.

    In fact it has been lost for 100+ years now. AFAIK the first to start the practice of filing/buying patents and shelving them for purely defensive purposes was Dupont in the beginning of the 20th century. They patented and shelved numerous inventions which prolonged tire life so that they could continue generating revenue by selling loads of quickly wearing tires.

    Methinks that patents that are not being used must be declared void same as trademarks after 2 years. Use it or lose it. If you do not defend it for a specific period of time or if you defend it selectively you should lose the right to profit from it full stop.

  13. Re:Two potential solutions... on Forgent Squeezing Money Out Of JPEG, Other Patents · · Score: 1

    There is an excellent Russian saying:

    Dengi ne pahnut.

    Translated into English:

    Money does not smell.

  14. Re:terrorism works on Olympics to Have Massive Surveillance Network · · Score: 2, Informative

    If there will be any targets blown up they will be more than one and they will be blown up by friendly fire, not terrorists. Patriot missiles, with fire permit at sectors of civilian airspace including the approach sector for Athens airport and no IFF on all planes (not that it helped in the gulf). Nope, thank you. This will be one even I will definitely stay as far away from as I can.

    That is besides the fact that the batteries were bought entirely as a result of drowning the relevant officials in bribes. Good advert for Raytheon. In fact perfect advert for Raytheon because with all the fleet and fighter jet deployment the Patriots can be simply turned off and used for advertisement only.

    Actually, the fact that the Greeks have decided on using S300 for all sites that do not have navy and air cover (Thessaloniki and all other cities with out-of-Athens events) kinda confirms my suspicion on this one.

    It is the same with the rest of the surveillance and security. About 10% of it is for real, the rest is an advert for arms companies. Same as on the Olympic stadium. It is all about advertising merchandise. Missiles instead of Cola and gunships instead of Gatorade. And that is for the event that was supposed to be a symbol of world peace. Fsck... Screw this Olympics. I am not even watching it...

  15. Re:Agreed on Olympics to Have Massive Surveillance Network · · Score: 1

    Non event? Ever thought what is the US emergency telephone number?

  16. Re:BT on VoIP Terms of Service May Surprise You · · Score: 3, Insightful

    That is correct. But phone companies are considered a utility and are regulated. So they cannot just change their contracts overnight. They have to clear any changes (often even price changes) with the relevant regulator. This is not the case as far as VOIP providers are concerned and will continue not to be the case until they are exempt from the normal telecommunication regulatory regime. So this VONAGE behavior is a direct consequence of it not having to consent to telecoms regulations which is something which 80%+ of the slashdot crowd supports. And now they scream murder... Go figure...

  17. We would expect certificates as standard on Passwords - 64 Characters, Changed Daily? · · Score: 1

    Passwords have been considered an overly weak form of auth for anything important for many years now. If you want to have proper auth use something that is based on strong crypto (x509 certs, RSA/DSA keys, etc) and the password is not a password, it is a passphrase. This requires stealing the private key in order to authenticate, which raises the stakes considerably.

    Best practice is to double layer it by using x509 or RSA/DSA for authenticating a machine followed by a time password using the cert to select the correct sequence.

    There are bundled implementations which do this. SecurID is a good example - AFAIK it is based on some form of RSA keys and one of the RC algorithms. Unfortunately the private part is stored at both ends which run the same crypto transform to reach the same result using the time as an IV. There are better (to be more exact - correctly designed) implementations from other vendors as well which use REAL public/private crypto.

    Unfortunately very few of them work under anything but Windows, which has its explanation. No matter how much I dislike Microsh**t, it has a standardized crypto framework and if you want to replace the default shite with proper auth you can do it. You can cleanly introduce certificates, hardware extensions, you name it. You can even do it by means that are clearly in the DIY category.

    Linux does not have it and it is a logical result from the many years during which crypto was excluded as a matter of policy from the mainline kernel. Thank god it is over now, so we might see a proper auth framework for Linux sometime in the future.

  18. Re:Combat survival 101 on Marine Finds Duct Tape on Mars · · Score: 1
    Taping two magazine together is a stupid idea.

    Yep, right, tell it to all those Afghanis, Iraqis, Ethiopians, etc. Well, there is an important correction here - they do it for an AK47 where jamming it this way takes aaaaaaaaaaaaa lot of effort. You may be right as far as MXX where X=1-16 is concerned.

  19. Re:Nice to see a few less gallons consumed on Ford Launches First American Hybrid · · Score: 1

    Repeat after me: there is no need for a car to be an SUV to be a 4x4. In fact an SUV is disadvantaged compared to a 4x4 conventional car. In order to make it sellable its ground clearance is relatively low compared to a real offroader like Fourtrack, County, Santana, etc. It is often (Honda H1) lower than the clearance on many normal cars. In fact there are whole generations of French cars (Citroen GSA, Xantia, 5) which at the highest setting of the suspension pressure (you can vary it on the fly) exceed the ground clearance on nearly any SUV on the market.

    Coming back to the 4x4. If you really need 4x4 (mountains, snow, shite city services like in the UK, etc) there are plenty of real cars that have a 4x4 option. It is just that many of them are not advertised very widely:

    Golf - starts a 4x4 this autumn
    Volvo (conventional, not the penis extender) has had a 4x4 starting from around 340
    Daihatsu - always has at least one 4x4 conventional car model. These are also the only 4x4 that can do up to 60+ MPG
    Fiat - Panda, there are also 4x4 models for other vehicles
    Seat - had a 4x4 in the 90s
    GM/Subaru/Suzuki - 4x4 variants for many cars, some built only in 4x4 versions
    Hyundai - H1 which has larger boot and seating space than any SUV on the market.

    So on, so forth. In other words if you need a 4x4 which has the same (or better) off/badroad capabilities as an SUV there are plenty of normal vehicles to choose from. You buy an SUV only to extend your p*** and it has about the same effect as spamverized pills.

  20. Re:Real life reviews / experiences would be helpfu on SUSE Openexchange Under GPL · · Score: 4, Insightful

    You missed a few:

    1. Serious problems with logging. In fact from the point of view of people spoiled by the sendmail and exim level of logging the Exchange logging sucks rocks through a thin straw.

    2. Joint server/client limitation (to some extent it is an Outlook problem) that one mailbox is limited to 2G. Dunno if that is still the case in 2003, but 2000 + Outlook screws your mail majestically once you hit 2G limit. F.E. My mailbox is currently around 5G. It is on courier + imap + mozilla which are quite happy trucking along with it. If it was on Exchange + Outlook it would have been corrupted long ago.

    3. Loses mail with no trace if left to send versus slow senders on a congested network. No bounce is returned to the user. Basically if you are using Exchange 2000 (dunno about 2003) without a front-end relay you will have to learn to live with the fact that some mail will be lost. Probability depends on many things varying from around 0.01 to 0.5%. Combined with the wonderful logging this becomes really entertaining for the support people.

    4. Similarly, loses mail with no trace when receiving it on a SMTP channel (not exchange). Once again while the probability for this to happen is not very high, it still happens often enough for it to be a business problem. I have seen it on 5.x, I have seen it on 2000 as well. As anecdotal as it may sound, I have nearly lost my residence status in the country I worked a few years ago because the company exchange server lost all the documents which HR had to use for the work permit application.

    5. Basically, it is a very good groupware and SME solution for internal communication. That is what it has been designed for and it is not going anywhere without a redesign and splitting into components (which MSFT is not willing to do for political reasons) or external systems to assist it.

    Based on experience in dealing with it, on its own it is not suitable for business use if you need full record of all of your email transactions with customers and other people who do not communicate with Exchange. If you are doing any business by email I would suggest to look into something else or use it in a combination with a good mail relay (sendmail, exim, postfix) which has proper logging and audit trail of what was sent, when, where and how. Exim 4 is possibly the best as it is the easiest one to implement copying all mails in transit to a suitable audit store (besides the excellent logging).

  21. Re:Unspecified Fee on Soyuz To The Moon? · · Score: 1

    Do you have an idea how close you are to the truth?

    The mission is a complete lunacy. Their booster stage docks to Soyuz on its front and acceleration commences with the astronauts hanging on the belts in their seats in the direction opposite to the normal. Even if the spacecraft survives, you will not. You will have your neck broken even prior to the "Return to Earth" phase.

    These people really need a clue.

  22. Re:Hmm (ex wife, but seriously...) on Living Without a Pulse · · Score: 2, Interesting

    You are absolutely correct. If you look at the internal surface of a major vein you will notice that it is uneven. It does not allow blood to flow back and this works properly only with a pulse flow. It will not work properly with a constant flow. So people who rely entirely on a device like this will be prone to various vein problems - varicose veins, cirrhosis-like vena portalis deformities, etc. So devices like this cannot replace a heart 100%. At the same time they may be enough to provide assistance for a weak or failing heart (this is what these guys are claiming to do anyway).
    While on the subject, continuous exposure of blood to a strong magnetic field is not something that has been investigated and there may be some long term problems associated with it.

  23. Re:CC evaluation? Orange book? on A Taste Of Computer Security · · Score: 4, Insightful

    These evaluations are evaluations on procedures in handling data. They are not evaluations on system breakability and security against unauthorized break-in as such. They are evaluations on suitability of a system to handle confidential data according to some predefined requirements.

    Basically an EAL or Orange Book certified system will not allow casual transfer of data from a higher security level to a lower security level. That is the core of the qualification concept. All the stuff about admin roles, etc is just fluff oriented towards managing the concept and the granularity to which it is managed.

    After the wave of buffer overrun hacks that followed the publishing of Aleph1's paper "Smashing the Stack for Fun and Profit" in 1996 I had a conversation with the head of security of a bank-to-bank transfer house. We were discussing what we can do about intrusions like this. His first suggestion was to raise the security level to B1 or higher. At which point I had to point out to him that all intrusions were circumventing the security mechanisms, not breaking through a problem in them so the Orange Book level of security did not bloody matter at all.

    On a similar note, Old SCO OpenServer 3.x which had C2 certification was quite hard to hack in its normal mode of operation. Raising the system to C2 and the enabling of roles required to do so made the system a walkthrough. It took me around 5 minutes to get root on it by doing casual operations, no real hacking involved.

  24. Re:64 bit operating systems on Windows XP-64 Delayed Into 2005 · · Score: 1

    Same here. Used to run Linux on Alpha. Oldest 64 bit workstation OS out there. Available for the last 8+ years. The only problem was the complete lack of power management and the hovercraft levels of fan noise (55+ dB). Performancewise it used to wipe the floor with any Intel machine 5 years ago. In fact for some tasks it will still deliver very reasonable performance by today's standards.

  25. Re:And James van Allen doesn't get it. on SpaceShipOne and Wild Fire to Go For the Gold · · Score: 1

    80 billion from where? You have based your predictions on UN population increase statistics from before the AIDS when there were countries like Cuba which were spouting 4.8% annual growth (number from the mid-70s).

    This is no longer the case. All these countries now have negative growth as the fertile population is dying of AIDS and TB faster than it grows, mainland China is also being hit by AIDS and is on its way towards negative growth, so on, so forth, leaving only Muslim countries and India with a positive growth for the time being.

    Where exactly do you see this population increase? Decrease in about 10 years if infection rates remain the same - more likely.