sigh. OK, let's try this again: BECAUSE OTHERWISE PEOPLE WON'T TAKE YOU SERIOUSLY. Now let's review: how many people patched eEye's .IDA exploit when it came out and did not include an exploit? Not bloody many. How many patched it after Code Red made it abundantly clear that this was a very exploitable vulnerability? Hundreds of thousands more. The obvious truth here is that full disclosure and the inclusion of exploit scripts opens people's eyes to the fact that people are going to use this hole to break into YOUR system.
By not giving exploit scripts you allow sysadmins to become lazy. They figure "Nah, i'll just wait until an exploit comes out before i patch it", while the underground hax0r scene is already searching out your box.
Actually, YOU'RE wrong. All electromagnetic waves travel at the speed of light under normal conditions. See http://www.colorado.edu/physics/2000/waves_particles/lightspeed-1.html which is the first thing which popped up on a google search.
The robot cats seem very... Japanese. No individual personality.
boy, people never get tired of rehashing this old cliche. In actuality, the Japanese have just as much "individual personality" as any American, but since their society generally does not reward individuality, it is stifled.
I'd LOVE to see where you get these numbers, because they're obviously spouting garbage.. post a link that doesn't point to some leftist.org and I'll give you a cookie.
You're not teleporting matter, you're teleporting INFORMATION about the state of the movement of the particles at point A. From what I've read the first real world application of this would be something akin to the modems and NICs of today. The main benefits of course being that the transfer happens instantaneously and since trillions of atoms can be jostled at the same time, one could send as much information as the receiving end could sort through.
So basically what you're saying is that you'd rather get hacked once a year than apply patches every few weeks?
People who do security research are smart enough to know that they're not the only smart ones out there. When they post an advisory they do it because they know that someone out there has already found the bug, exploited it, and kept it to themselves. Sure, your chances of getting hacked after it becomes public increase many fold *if you don't apply the patches*, but at least you have a chance of defending against a known enemy.
As far as the "let the makers know and then post publicly if action isn't taken" argument, let me give you an example: the recent Code Red worm was based on an IIS .ida extension overflow. If eEye had simply alerted MS about this issue and promised that they wouldn't post the information, MS would've simply incorporated the fix into the next service pack, not wanting to raise any alarms about IIS security. In the meantime, someone else could've found the hole, written the worm and released it to the waiting internet. In that scenario no one would've been patched and the worm would've compromised ten times the servers that it did.
In the end, posting publicly gives sysadmins the opportunity to minimize the exposure to vulnerabilities. Don't forget: just because it isn't public doesn't mean it isn't there.
Assuming every bit of matter in the entire universe were used to create the ultimate Super Computer (obviously theoretical), what would be the computing power?
According to this article, the total mass of the universe is 1.6*10^60 kg. As I recall, this was a number which Stephen Hawking also reached. Thus:
(1.6*10^60) * (5.4258 * 10^50) = 8.68128 * 10^110 is the actual limit of computers
Any karma trolls who make "Beowulf Cluster" comments will be shot.
Some companies, such as the last one I worked at, will REQUIRE you to use windows. This is often because they need to be able to tell investors that they're an "All Microsoft Shop". They think they'll come off like right-wing tree-hugging roach-smoking rally-attending hippies if they say they use a free OS.
What was the point of this article again? Oh yeah, that there are a billion people handing out useless information on the Internet. Thanks for driving the point home, Katz.
Ask him or her to describe the productivity level. Now look at today's office, which (though far from the 'paperless office' trumpeted at us 7 to 10 years ago) are immeasurably more efficient and productive.
BAHAHAHAHAHAHA! Computers don't make people efficient if they're committed to being lazy. This is like Sun's recent initiative to stop workers from using the Web at work. If they're not fooling around on their computers they're hanging around the water cooler or hitting on the secretary.
The only things that've gotten more efficient are the processes in our offices that we can replace the people with.
Everyone keeps saying "No trojans! Just diff the source! Version control!". People, if the server has been compromised and the cvs server has been compromised, they can modify EVERY version back down to .01 alpha. So you diff it and it comes out clean. Fubar. When you read the source you can easily miss the change between something like:
memcpy(fu, bar, length - 1);
to
memcpy(fu, bar, length);
And now you have a possible buffer overrun.
The only way to effectively diff is if you had copies of the source stored elsewhere.
When you have already obtained root privileges, this is trivial. MD5 sums and such that are stored locally are made for unprivileged users who play nice.
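The scenario argued in the posts above (a one-byte trojan in the source that a checksum list kept on the same box cannot catch once root has rewritten it, while a copy kept elsewhere does) as an added Python example; this is not code from the original thread, and the file contents, the `net.c` name and the use of SHA-256 in place of the MD5 sums mentioned are constructed here.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the source file the post describes, before and after
# the one-byte edit (length - 1 -> length). Not code from the original thread.
CLEAN_SRC = (b"void recv_name(char *fu, const char *bar, size_t length) {\n"
             b"    memcpy(fu, bar, length - 1);\n"
             b"    fu[length - 1] = 0;\n}\n")
TROJANED_SRC = CLEAN_SRC.replace(b"length - 1);", b"length);")


def sha256_file(path):
    """Digest one file; SHA-256 stands in for the MD5 sums the post mentions."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> digest for every file under root: the baseline a 'diff' needs."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify(root, manifest):
    """Paths whose current digest differs from, or is missing in, the manifest."""
    current = build_manifest(root)
    return {p for p in set(current) | set(manifest) if current.get(p) != manifest.get(p)}


def simulate_compromise():
    """Manifest copied off-host before the break-in; then an intruder with root rewrites
    both the source and the on-host checksum list. Returns (local findings, offline findings)."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "net.c")
        with open(src, "wb") as f:
            f.write(CLEAN_SRC)
        offline_manifest = build_manifest(root)   # the copy "stored elsewhere"
        with open(src, "wb") as f:                 # root-level tamper of the source...
            f.write(TROJANED_SRC)
        local_manifest = build_manifest(root)      # ...and of the sums left on the box
        # local copy reports nothing; offline copy flags {'net.c'}
        return verify(root, local_manifest), verify(root, offline_manifest)
```

The local manifest comes out clean precisely because it was regenerated after the edit, which is the post's point: only the baseline the intruder never had write access to is evidence.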
Many of you have said that this isn't news simply because there have been issues in the past, such as "Tempest" style monitor radiation and reading the emissions from wired keyboards and mice. The major difference between these issues and this new vulnerability is: AN ATTACKER CAN HIJACK THE CONNECTION. A user can spoof the RF that the receiving unit thinks is coming from the keyboard. The Tempest emissions didn't allow any attacker input. Think about it this way. An attacker can force your computer to dialup and get on the internet, assuming it's connected to a phone line, or cause you to email the contents of your HDD to anywhere.
So far on this list, people have brought up how a completely self-enclosed virtual reality would cause people to go for days and weeks in their virtual worlds without coming up for air. What everyone seems to be missing is that if we do ever get to the point where we've got a neural implant (that is, a device that completely takes over your brain), we could program it to take over the fourth dimension, time, as well.
Time, and the passage of time, is just a function of how your brain differentiates between separate events. If we can override this system, we could live an entire lifetime of events in a split second, assuming your brain could work that fast. In this case, we could live out thousands of lifetimes in the course of a few weeks. Imagine this... how long is your life already? Of course, I wouldn't be worried about getting "trapped" in that lifetime, considering that if we have full control over the brain, we can put a giant "EXIT" button in every lifetime that will cause the program to shut down.
ssh isn't the only application that uses RSAREF. This is NOT a problem with the sshd source, it is a problem with the RSAREF source! From the OpenSSH advisory:
- openssh: Even though the OpenSSH code checks all input parameters carefully, internal RSAREF functions can still overflow. Users within the USA should update their shared ssl library.
- isakmpd: When used with x509 certificates and rsa signature mode, the signature functions in RSAREF might overflow.
- httpd: When SSL support is enabled in /etc/rc.conf using -DSSL, and when using RSA keys, the signature functions in RSAREF might overflow.
-Brock Tellier
me> Alot of people dislike Goldin.
alice> What do you like?
me> What's your take on him?
alice> Objective case of He, used as a predicate complement with a linking verb. Also standing for Imperial Majesty.
me> Fascinating.
alice> Yes Mr. Spock?
me> What do you see as the future of NASA?
alice> I don't eat that.
me> Excuse me, ALICE
alice> You're excused.
me> what is the future of nasa
alice> You are talking to her.
me> have you been drinking this afternoon?
alice> No I don't think I have been drinking this afternoon. Have you?
me> i'm drinking right now
alice> At this moment It's good to meet someone who is drinking.
me> Are you coming on to me?
alice> Do I act like it? I don't mean to come across that way.
me> What's your sign, baby?
alice> Don't call me "baby". Saggitarius
me> let's go back to your place.
alice> That sounds good to me.
alice> Thanks for telling me that I am base are belong to us.
me> imagine a beowulf cluster of you
alice> I can't imagine it
me> (Score: -1, Flamebait)
alice> Is that your final answer?
me> your creator is gay
alice> Dr. Richard S. Wallace is gay
Your mom thought the borg was the world's biggest gang-bang.. too bad she didn't break the record.
I would tend to think that this is less because Americans were on the Net and more because people from other countries don't get American TV.
And mere seconds later the first Q1 CD key hit the Net. Ahh, the halcyon days of client-side key authentication were great, weren't they? *sniff*
You still didn't answer his question. He wants to see the QUESTIONS that were asked. This is a. Yes, you can or b. No, you can't.
On the other hand, women find the BSD "Daemon" to be Satanic, cultish and disturbing. These women will not have sex with you.
It's people like Katz who propagate ignorance about ADD. Society didn't "develop" this disorder, it was there forever but was only recently diagnosed.