Back when you had to outwit a potato before you could eat it. Back when you had to be smarter than the tigers and lions trying to eat you.
Now, I'm supposed to be happy that a kid who can't out-fight an irregular verb on a job application is "smarter" than a kid 20 years ago? Well, at least he can tell me the cheat codes for the coolest games.
But seriously, I think this guy's major points are proven right here on Slashdot. A high percentage of the readers of Slashdot, relative to the general population, are video game players. I would also say that compared to other message boards I see around the internet there are more intelligent posts here.
The question is how do you define "intelligent posts"?
Take this to a political forum and you'll see what I mean. The "intelligent posts" usually are the ones you agree with while the uninformed idiots are usually the ones you disagree with.
But that's just human nature.
Personally, I know people who love playing video games who have trouble with basic troubleshooting on that same computer.
If such were the case, wouldn't we see more baseball players with advanced math or physics degrees because they have experience with velocity and curves and such?
When Google first started, they had an easy way to measure "quality". The more pages that referenced your page, the higher your page was ranked.
That kind of fell apart when all the "blog" sites started (not personal websites, the kind where anyone can enter anything and anyone can start one).
So, all Google needs to do to get back to "quality" is to stop counting any pages from those hosting sites.
Unfortunately, this is seen as "elitist" amongst some who believe that their site should be referenced and not just sites that have paid for a domain name, etc.
The thing I'm not seeing in Sun's model is anything about the applications. Are they off-the-shelf? Who installs them? Who maintains them? What OS's are available? What security is available? How can I make sure that no one else sees my data?
We've already been through this with the Application Service Providers (ASPs) and there are still a few out there making money by providing Internet access to their apps, running on their servers, storing and processing your data. Payroll is an easy app for that.
Find out what is connected to what and how. More than 90% of the "network problems" I encounter are basic cable issues.
Remember, when a NIC is connected to a switch, they only auto-negotiate if both are set to auto-negotiate. If someone sets them to a certain configuration, but doesn't get the pair correctly matched, you will have a lot more collisions and such.
Make sure that your collision domain is set up correctly. Pay attention to the length of the cables. This is where the physical map comes in. You can check each section to make sure it's good. Then move to the next.
Bill Clinton did not balance the budget, the Republican Majority balanced it. In fact, Bill Clinton vetoed the budget causing the longest shutdown of the federal government. He then went on to sign it as he was practically forced into.
No. Clinton's budget was argued over and eventually passed.
If it was, as you state, because of the Republicans, then why do we have the biggest debt ever when The White House, the Senate and the House are all Republican controlled?
Yours is not an attempt at "history correction" but at "re-writing history".
I remember techs who used to tap into the phones at work and listen to personal calls. It was easy to do, but they needed physical access to the telco closet.
What are the limitations of the technology that is being deployed?
Can someone "tap" a connection remotely?
Wouldn't this easily be defeated by using encrypted connections all the time?
There is nothing stopping any company currently running a SCO OS from also running a Linux OS and looking at migrating right now.
There's no need to transition them with mySQL on SCO to get them to use mySQL on Linux.
If anything, it would be easier to do 1 migration straight to a 100% Linux system than to make 2 migrations (one from old database to mySQL on SCO and the other from mySQL on SCO to mySQL on Linux).
So, SCO gives money to MySQL AB to "develop" mySQL on SCO's platform. This has already happened.
Later, SCO pulls MySQL AB into court over "violations" and "disputes" over who owns what rights to what code and how that code can be distributed... (see SCO's current case against IBM).
Then it all comes down to the judge and the contracts. And MySQL AB having to cough up everything for YEARS for the discovery phase of the trial.
So, an error in a contract... or the wrong bit of code ending up in the wrong release... and then there's a problem. MySQL AB loses the case and all of a sudden SCO owns the code to MySQL (as an asset).
This will be a HUGE flash... but will suffer as soon as their back end servers are crushed under the weight of all the new "blogs" created.
I'm posting this from Flock right now. It doesn't even have a "stop" button, but it does have an option "blog editor".
It didn't offer to auto-import my FireFox bookmarks, but it did offer to import IE (on Windows).
I think this will be all about how much stress their servers can handle... before they attempt to sell-out to some bigger company. It's all about the bandwidth, baby.
The video card it emulates is pretty low end. It's acceptable for the old SimCity games (I've tried them) but not for any modern shooter.
There is also the problem where you're still sharing your CPU with the virtual machine so you may experience pauses in the game. Not really noticeable with strategy and turn-based games, but it may be a problem with shooters.
The good news is that you can load up different Windows versions for different games (you do still have the licenses, right?). So you can run Win95 or Win98 or Win2K or WinXP if you want.
DOS works okay for most games, but the VMWare sound emulation doesn't match any of the old 1980's-era games that I tried.
However, security is not a binary condition (you're either totally secure or wide open), it's relative.
No, I don't see how it can be described as "relative".
If it were so, you could move from "secure" to "insecure"... not through anything you did or did not do... but just because everyone improved their "security" beyond yours.
That's kind of like saying "I don't have to lock my doors, as long as my neighbors don't shut their doors".
This is also the principle behind car alarms: there are car alarms that can be defeated, some more easily than others, but the main point of a car alarm is to make my car a more difficult/less attractive target than the one next to it.
No, the principle is that a loud alarm will go off. There is a visual notification of this (the flashing light on the dash) so that the criminal doesn't smash first, then discover the alarm.
But that will not help if you leave valuables in plain sight.
Not to mention that a man-in-the-middle attack is far harder to achieve than sending out a phishing mail or doing a brute-force attack against a weak password.
Almost every phishing site out there is already a man-in-the-middle attack, just not in real-time.
Since so many phishing attacks succeed, it would seem that man-in-the-middle is not as difficult as you believe.
Similarly, what does a Smartcard authentication system over https do for you, as opposed to a simple username and password over https?
It raises the bar, while also making people without a Smartcard more attractive targets.
Not really. It just moves it from the current not-in-real-time attack to requiring a real-time attack. These can still be automated so all it requires is some effort on the evil programmer's part.
You can't get my PIN (you'd also need a keystroke logger on my computer for that) and even if you had it, unless you also stole my Smartcard you'd still be SOL.
The PIN is captured the same way it is right now. A phishing site.
The smart card code is captured the same way. A phishing site.
Where I work, we use Smartcards and PINs for authentication to our network, in addition to a userid and a high-quality password that must be changed regularly and may not closely resemble the old one.
That is where you work. That is not the Internet.
Assuming they stole a card and got inside the building and found a computer in an isolated place and put the card in, they'd still need the PIN, and brute-forcing it would take a while because it's 6 digits minimum (mine is longer). Of course, you also only get a few tries before the PIN is disabled.
Why not just install a key-logger on your computer?
In both cases, our network is made far more secure by using Smartcards and PINs.
That is where you work. That is not the Internet. Where you work, people would start calling the IT department if the authentication server suddenly stopped working because someone had set up a different one to collect your PINs.
It is not only the accepted wisdom that "something you have and something you know" is far more secure than a username/password-only system, it is just plain correct.
No. It is only more secure on a network you control.
Once you get onto the Internet, the fact that both forms of identification are travelling over the same channel means that a man-in-the-middle attack becomes a lot easier and harder to detect.
Many banks in Europe have been using one-time PADs for years; it's about time US banks are getting with the program on security, and disappointing that they're only doing it because somebody made them.
Seriously, SSL and SSH2 are not easy to do a man in the middle attack on that is undetectable.
Actually, it is. Unless you know specifically how to check that the site you are connected to is associated with the site you want to connect to.
More to the point, to do a man in the middle attack, you actually have to be in the middle. J. Random Hax0r can't do it, it has to be someone with access to a link that your connection passes through. That's much harder.
No. You're wrong. Here's an example:
Your computer -connects to- Evil computer -connects to- Bank
Now, given how many phishing attacks succeed, getting the average person to connect to the Evil computer seems to be pretty easy. Then the Evil computer forwards the connection info to the bank computer.
Your data -> Evil computer -> bank site
Man-in-the-middle
I worry about man-in-the-middle attacks for encrypted channels like not at all. Anyone who has the ability to compromise a major network provider to do that, probably has better things to do than go after my info.
Again, once you understand them, you will see how easy they are to set up.
Almost every current phishing site already IS a man-in-the-middle site.
Just because it isn't in real-time does not mean it isn't a man-in-the-middle attack.
I can get an SSL certificate to BankSecurity.com (change "Bank" to your bank's name). So no pop-up will kick in. But the site will not be what the user thinks it is.
With IPv6, the bank would send you a random 512 digit number, encrypted with your password+IP_address. Since the man-in-the-middle would not have the same IP address as you, or your password, he would not be able to use that connection for his own transactions.
But a trojan key-logger would still be able to collect your keystrokes and defeat it. In order to defeat keyloggers AND man-in-the-middle attacks, you need to use an entirely different channel, pre-configured, to validate the transaction.
Or use the above IPv6 scenario with the key fob to prevent the key-logger from capturing your password.
If the fraudster can get a trojan on your machine, he can collect your keystrokes, including the answers to those questions and then he will be able to "validate" fraudulent transactions as if he were you.
If the fraudster can get a trojan onto your machine, it could record all the keystrokes that you use. Including the login to your email to get the key to validate the transaction.
Because BOTH methods of identification will be travelling over the SAME channel (your Internet connection), this will still be subject to man-in-the-middle attacks.
But because it will be a cool "encryption" key, people will not know that they aren't "secure".
The only way to improve the security is to use a different channel (example: the bank calls your phone to have you verify the transaction) -or- The site relays the information to you using your IP address as part of the encryption (this won't work with NAT/PAT/Masquerading, but will be feasible with IPv6).
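The thread's argument above, that a one-time code typed into the same channel can be relayed in real time while a confirmation on a separate, pre-configured channel that shows the transaction details cannot, as an added toy model (not code from the thread; Bank, User, the look-alike relay and the HMAC counter code standing in for a fob or one-time list are all constructed assumptions):

```python
"""Toy model: single-channel one-time code vs. second-channel confirmation
against a relaying look-alike site. Constructed illustration only."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed shared secret between the user's code generator and the bank.
DEMO_TOKEN_SECRET = b"constructed-demo-secret"


def one_time_code(secret: bytes, counter: int) -> str:
    """HMAC counter code standing in for a fob: one 6-digit code per counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


@dataclass
class User:
    intended: tuple  # (payee, amount) the user actually meant to send
    counter: int = 0

    def type_code(self) -> str:
        """What the user types into whatever page is in front of them."""
        code = one_time_code(DEMO_TOKEN_SECRET, self.counter)
        self.counter += 1
        return code

    def confirm_on_phone(self, payee: str, amount: int, challenge: str):
        """Second channel: bank shows payee and amount on the phone; the user
        approves only if they match. A relay or keylogger on the PC never
        sees this exchange."""
        return challenge if (payee, amount) == self.intended else None


@dataclass
class Bank:
    ledger: list = field(default_factory=list)
    last_counter: int = -1

    def single_channel_transfer(self, payee, amount, code, counter) -> bool:
        """Login, one-time code and transaction all arrive on one channel."""
        expected = one_time_code(DEMO_TOKEN_SECRET, counter)
        if counter <= self.last_counter or not hmac.compare_digest(code, expected):
            return False  # replayed or wrong code
        self.last_counter = counter
        self.ledger.append((payee, amount))
        return True

    def second_channel_transfer(self, payee, amount, user: User) -> bool:
        """Transaction bound to a challenge delivered out of band."""
        challenge = secrets.token_hex(3)
        if user.confirm_on_phone(payee, amount, challenge) == challenge:
            self.ledger.append((payee, amount))
            return True
        return False


def relay_through_lookalike(bank: Bank, user: User, mode: str) -> bool:
    """The relaying site forwards the user's fresh code to the real bank in
    real time but substitutes its own payee and amount."""
    counter = user.counter
    code = user.type_code()  # typed into the look-alike page
    swapped_payee, swapped_amount = "mule account", 5000
    if mode == "single":
        return bank.single_channel_transfer(swapped_payee, swapped_amount, code, counter)
    return bank.second_channel_transfer(swapped_payee, swapped_amount, user)


def run_model() -> dict:
    user = User(intended=("electric utility", 50))
    single, second = Bank(), Bank()
    return {
        "single_channel_relay_succeeds": relay_through_lookalike(single, user, "single"),
        "second_channel_relay_succeeds": relay_through_lookalike(second, user, "second"),
        "single_ledger": single.ledger,
        "second_ledger": second.ledger,
    }
```

The relayed code is accepted on the single channel because nothing ties it to the transaction the user meant; the phone confirmation fails because the substituted payee and amount are shown to the user on a channel the relay does not sit on.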
Agencies should therefore "begin to evaluate office applications that support the OpenDocument specification to migrate from applications that use proprietary document formats. As of January 1, 2007 all agencies within the Executive Department will be required to: (1) Use office applications that provide conformance with the OpenDocument format, and (2) Configure the applications to save office documents in OpenDocument format by default."
They've already thought of that and included it in the requirements.
Since you have to go to a specific web page, with a specific browser... and the only thing that will happen is that your browser will crash... is "attack" the correct term for this kind of behaviour?
If you crash your car into a tree, did that tree "attack" you?
If you crash your car when driving over ice, did that ice "attack" you?
If you drive your car off a bridge and into a lake, did that lake "attack" you?
Since you cannot use your car immediately after a crash, are trees considered a DoS exploit?
People don't buy a computer to run a processor.
People want to run applications.
I think Sun is missing part of the equation.
Start at the physical layer and work your way up.
For a lot of jobs (websites), they aren't needed. MySQL is very easy to implement and integrate with your site.
Really, no one is talking about taking the Internet away from the US.
Because the US is still in control, we do not have the .xxx TLD, nor will we for many years.
What is in question is what nation/organization should have the final say over the domain assignments, creation and so forth.
Two channels is the only way to go.
Once again, the evidence that relying upon a single channel for all the authentication is a bad idea.
A trojan can assist a man-in-the-middle attack ... and most people would never know. Even the really smart ones who read /.
Encryption fobs won't help.
Smart cards won't help.
One time pads won't help.
Not as long as all the authentication information is passing over the Internet. You need a second channel for final authorization.
Yes they have. But, again, becau
Or did you miss George's statement that he believed it should be taught as well?
1 school district would be funny.
2 would be funny.
20 school districts and it stops being funny and is really a reflection of our national ignorance of science.