Slashdot Mirror


User: TheLink

TheLink's activity in the archive.

Stories
0
Comments
12,789
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,789

  1. Re:Clearly on UK Terror Chief Blocked From Boarding Aircraft · · Score: 1

    Nah, we might want to send some people to space and still have them come back.

    It makes for a better contrast to the ones we'd like to send to space one-way, plus allows a "suspense" bit in the show where a winner waits to see if it's "winner" or winner. :)

  2. Re:Man... on Nintendo Seeks To Trademarks "It's On Like Donkey Kong" · · Score: 2, Funny

    You know, in all the DK games I've ever played, and cartoons I've watched, I never noticed if he had any genitalia. I've never looked for it, so it very well may be there, but if it's not... care to retract your statement?

    Retract his statement? If he's telling the truth, he's already got "full retraction" where it counts, what more do you want?

  3. Re:I see it more like a proof that on NSA Says Its Secure Dev Methods Are Publicly Known · · Score: 1

    Or the "specialists" just want to be paid more ;).

  4. Re:Clearly on UK Terror Chief Blocked From Boarding Aircraft · · Score: 1

    I'd rather send some of them to orbit. A good reality TV show might be "Vote Them Off The Planet". With one-way and two-way options.

    Even if they don't actually use the ticket, it could still be worth watching the interviews after.

  5. Re:Ridiculous And Totally Not Helpful on Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption · · Score: 1

    I emailed two different contact emails of the bank about the problem and included the certificate fingerprints, and both replied and said things were OK. Since both said things were OK, I have more leverage on the bank if stuff happens (which I doubt will of course).

    For that matter, what if it'd been the first time you requested the cert? Why would it be less trustworthy?

    There's a difference between:
    a) Going to meet someone and deciding whether to do business with him for the first time.
    b) Going to meet someone you have been doing business with for months (with no probs) and the person at this particular meeting doesn't resemble the person you've been doing business with, but claims he is from the same company, and deciding whether to do business with him.

    What do you do at this point? Think about it for a while and shrug and accept that person anyway? Or contact the company via two different listed contacts (local HQ and head office) and have both say "yeah he's the new guy, he looks like the photo you sent".

    Learn what tools are available and what they are for. Certificate Patrol is not for a), it's for b).

    No surprise phishers etc are having an easy life...

  6. Re:Still the gold standard of long-supported relea on Red Hat Releases RHEL 6 · · Score: 2, Insightful

    Some hackers might find security holes in the software you use (e.g. apache, bind, php etc).

    Then if Redhat still supports it, you get your RPM updates from them.

    Saves you the hassle of getting RedHat's SRPMs, backporting the patches, compiling, testing, fixing/working around any probs, rolling out the RPMs to your internal RPM updates repo.

  7. Re:Still the gold standard of long-supported relea on Red Hat Releases RHEL 6 · · Score: 1

    That's why some people pay extra for "Enterprise" hardware. Basically the vendor keeps old stock/parts around for years so they can fix/replace the old hardware.

    Then you can run your old software on it for years without rocking the boat.

    Even if companies start virtualizing stuff, VMs might not work so well when your new virtualizing software doesn't provide the same virtual hardware. So you'd have to run old virtualizing software on new hardware :).

  8. Re:I like this. on Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption · · Score: 1

    To be fair, TLS/SSL has been around for a lot longer - 15 or so years.

    I know, that's what makes it even more damning, and why I'm so disgusted by the state of "wifi security".

  9. Re:I like this. on Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption · · Score: 2, Informative

    Because they screwed up: http://wiki.wireshark.org/HowToDecrypt802.11

    "WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture."

    So if all four handshake packets are there (there are ways to help ensure you see them ;) ), you can crack WPA2 PSK, today with wireshark.

    And both the PSK and "Enterprise" mode are apparently vulnerable to this: http://www.airtightnetworks.com/wpa2-hole196

    So Mr "Senior Security Advisor at Sophos Canada" doesn't know what he's talking about. It's not so simple as just typing "free" (since no username is mentioned, I think he means the very broken PSK modes and not the less broken Enterprise modes).

    I blame the WiFi standards bunch.

  10. Re:I like this. on Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption · · Score: 3, Insightful

    So use TLS/HTTPS over wifi. Why should the Wifi standard solve a problem that's already been solved?

    Solved already? Really? The last I checked "zillions" of sites don't support https. Slashdot for instance.

    Some people can tunnel or VPN everything to a trusted gateway, but how many cafe users can do that? So the problem is NOT solved.

    I hope you can figure out for yourself the difference between someone sniffing/exploiting traffic at a cafe, and someone doing it at the ISP or peering level.

    Wifi only has to be as secure as a wired network

    Yes, but it's _far_ from as secure at the moment. So they have failed.

    1) It's harder to "sniff" a wired network than a wireless one. You need a free port for the former and you need to do stuff like mac-flooding (which can be detected). Or you need super duper Tempest stuff.

    2) It's easier to set up a wired network where devices plugged into one port cannot snoop traffic from devices on another port. You could do this by either using what Cisco calls "port security" (other vendors have their own terms for it), or do "per port VLANs".

    I was in the "hotel internet" line for a while, and we configured our switches so that guests plugged into a port could only talk to our gateway server. So guests using the wired connections were protected from other guests. They might not be protected from the NSA/CIA/KGB/FBI once their traffic leaves our control, but that's arguably beyond our responsibility.

    Whereas wireless connections didn't allow us to protect guests from each other (at least while making it easy for guests to still use the system).

    I am well aware that wireless connections can be DoSed more easily than wired connections, so no matter how much crypto you have, it's still jammable, but that would be a different threat level. Guests could still plug in to the wired port, lose the convenience, but still do their stuff.

    FWIW: if a guest plugs into a wired port and intentionally/unintentionally tries to mess with the system we can usually figure out where that guest is, call the guest up and usually resolve things, even if we are in a different continent.
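    The guest-port setup described in the comment above (each guest port can reach the gateway server but not the other guest ports), written out as an added Cisco IOS configuration example. This is not the poster's own configuration; interface names, the VLAN number and the "one MAC per port" limit are assumptions for illustration.

```cisco
! Guest access ports: isolated from each other, one MAC address each.
! "switchport protected" stops these ports forwarding traffic to any other
! protected port on the same switch; they can still reach unprotected ports.
interface range FastEthernet0/1 - 24
 description Guest room ports
 switchport mode access
 switchport access vlan 100
 switchport protected
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink towards the gateway server: left unprotected on purpose so that
! every guest port can still reach it.
interface GigabitEthernet0/1
 description Uplink to guest gateway
 switchport mode access
 switchport access vlan 100
```

Two caveats a practitioner would check before relying on this: "switchport protected" only isolates ports on the same physical switch, so a stack or a multi-switch guest VLAN needs private VLANs (isolated ports with the gateway on the promiscuous port) to get the same effect; and "violation restrict" keeps the port up but drops frames from extra MAC addresses and raises a counter and SNMP trap, which is what lets the operator see which port a misbehaving guest is on, as the comment describes.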

  11. Re:Ridiculous And Totally Not Helpful on Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption · · Score: 1

    Use firefox and the certificate patrol plugin.

    You cannot trust all CAs for everything.

    You can trust some CAs for some things (you don't have much choice if you want to use https with your bank anyway).

    So certificate patrol warns you if your bank cert one day appears to be signed by a different authority.

    My bank changed their cert and CA one day, and certificate patrol warned me when that happened.
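    The Certificate Patrol behaviour described in this comment and in comment 5 above (first contact is recorded, a later certificate or CA change for the same host raises a warning, and the change is only accepted after it has been confirmed out of band) as an added Python example. This is not the plugin's code or the poster's; the host name, issuer names and the "DER" byte strings are constructed placeholders so the example runs offline.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed observations standing in for what a browser sees on successive
# HTTPS connections. The byte strings are NOT real DER certificates, just
# labelled placeholders so the fingerprinting runs offline.
SAMPLE_OBSERVATIONS: List[Tuple[str, str, bytes]] = [
    ("bank.example", "Example CA 1", b"constructed-der-bank-2010-v1"),
    ("bank.example", "Example CA 1", b"constructed-der-bank-2010-v1"),       # same cert again
    ("bank.example", "Example CA 1", b"constructed-der-bank-2011-renewal"),  # renewed, same CA
    ("bank.example", "Example CA 2", b"constructed-der-bank-2011-newca"),    # different CA
]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon separated."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class Verdict:
    status: str  # "first_seen", "unchanged", "rotated" or "issuer_changed"
    message: str
    previous_issuer: Optional[str] = None
    previous_fingerprint: Optional[str] = None


class PinStore:
    """Trust-on-first-use store: host -> {issuer, fingerprint}."""

    def __init__(self) -> None:
        self.pins: Dict[str, Dict[str, str]] = {}

    def check(self, host: str, issuer: str, der: bytes) -> Verdict:
        fp = fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:
            # Case (a) from comment 5: first contact, nothing to compare
            # against, so the certificate is simply recorded.
            self.pins[host] = {"issuer": issuer, "fingerprint": fp}
            return Verdict("first_seen", f"{host}: first certificate seen, pinned")
        if pinned["fingerprint"] == fp:
            return Verdict("unchanged", f"{host}: certificate matches pin")
        if pinned["issuer"] == issuer:
            # Case (b), mild form: leaf renewed under the same CA. Still a
            # change, so it is reported rather than silently accepted.
            return Verdict(
                "rotated",
                f"{host}: new certificate from the same issuer ({issuer}); confirm before accepting",
                pinned["issuer"], pinned["fingerprint"],
            )
        # Case (b), strong form: a different CA now vouches for the host.
        return Verdict(
            "issuer_changed",
            f"{host}: issuer changed from {pinned['issuer']} to {issuer}; confirm out of band",
            pinned["issuer"], pinned["fingerprint"],
        )

    def accept(self, host: str, issuer: str, der: bytes) -> None:
        """Replace the pin once the change has been confirmed with the site owner."""
        self.pins[host] = {"issuer": issuer, "fingerprint": fingerprint(der)}

    def dump(self) -> str:
        """Serialise the store so it survives between browser sessions."""
        return json.dumps(self.pins, indent=2, sort_keys=True)

    @classmethod
    def load(cls, text: str) -> "PinStore":
        store = cls()
        store.pins = json.loads(text)
        return store


def run_sample() -> List[str]:
    """Feed the constructed observations through one store and return the verdicts."""
    store = PinStore()
    return [store.check(host, issuer, der).status for host, issuer, der in SAMPLE_OBSERVATIONS]


if __name__ == "__main__":
    store = PinStore()
    for host, issuer, der in SAMPLE_OBSERVATIONS:
        print(store.check(host, issuer, der).message)
```

The two warning kinds are kept separate on purpose: a leaf renewal under the same CA is routine and usually fine once confirmed, while a new issuer is exactly the case the comment's bank example describes and warrants the "two independent contacts" check before calling accept().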

  12. Re:Ridiculous And Totally Not Helpful on Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption · · Score: 1

    Because certs from "trusted by default" organizations are ridiculously expensive.

    Some are free:
    http://www.startssl.com/?app=1
    http://www.startssl.com/?app=39

    The Startcom CA cert appears to be installed in current versions of Firefox, Google Chrome and IE.

  13. Re:Ridiculous And Totally Not Helpful on Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption · · Score: 1

    Yeah I've suggested this before him, but at least I got that part right[1] :).

    http://slashdot.org/comments.pl?sid=1578784&cid=31437480

    http://it.slashdot.org/comments.pl?sid=457132&cid=22455074

    It's quite sad "Sophos Researcher" doesn't seem to know how broken WiFi security is.

    [1] Somewhat right anyway - seems like the "secure" mode I mentioned in those posts might not be that secure: http://wifinetnews.com/archives/2010/07/researchers_hints_8021x_wpa2_flaw.html

    Blame the WiFi standards bunch, they can't seem to get stuff right. Why didn't they just copy ideas from SSL or SSH?

  14. Re:I like this. on Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption · · Score: 5, Interesting

    I've suggested this before a few times: http://it.slashdot.org/comments.pl?sid=457132&cid=22455074

    Thing is he left out the part where there are two different modes of WPA2.

    One (WPA2 PSK) where if everyone has the same password, it's still not secure (know the same key, sniff a session's 4 way handshake, and you can decrypt that session's traffic).

    And one (the other WPA2) where it's supposedly more secure, but apparently still has problems: http://wifinetnews.com/archives/2010/07/researchers_hints_8021x_wpa2_flaw.html

    Yeah, not so simple for Starbucks to get right...

    Basically the WiFi standards bunch screwed up. So I actually blame them for a lot of the problems. So many years and they still haven't got WiFi to the level of TLS/HTTPS.

    HTTPS doesn't solve the "stupid user problem", or the "browsers not warning users of changed CAs", but at least the tech/standard isn't that crap, it's more a people problem.

  15. Re:Wish it was just as simple as stupid.. on Man Loses Millions In Bizarre Virus-Protection Scam · · Score: 1

    There are all sorts of ways brains can malfunction or function suboptimally. I've heard of cases where people get brain damage and seem very functional except they can no longer easily learn from mistakes. Or have no fear of losses: http://news.bbc.co.uk/2/hi/8504605.stm

    The problem the State and people around you have is at which point does it become right to take your freedom away from you? By the time you are far gone enough, all your money could be gone.

    Because most people aren't wise with managing their money (me included). So it's hard to tell the difference :).

    I've seen parents give their money and property to their eldest son who then screws them (kicks them out of the house), and in the end it's the daughter (who got nothing from the parents) who takes care of them.

    So it's very messy. After all, you might "in sound mind and body" decide to give it all to your beloved cat (or porn-star), and not to your "good for nothing children and grandchildren". And you'd do the same thing even if you had the same brain function as when you were in your 20s.

  16. Re:Beautiful... on What's the Oracle Trial Against SAP Really About? · · Score: 1

    I don't have any experience with Oracle support.

    Can you give an example of an Oracle issue that you solved with Metalink in 10 minutes, that a similar scale problem with Postgresql wouldn't be solved with a Google search? Or for the hairy things, wouldn't be solved by an email to the postgresql mailing list? The postgresql developers seem very responsive to me (assuming your email is reasonable and descriptive - and even so I've seen useful replies to pretty crappy emails :) ).

    That said, from the Vendor's perspective, artificial scarcity is a good thing for them. Tons of companies are still willing to pay to access stuff that the vendor intentionally keeps from them. Customers even think it's a feature :). So unless it starts hurting the vendors, it's a viable business strategy. Good also are training and certification schemes - which can be more expensive when technical info about your product is so restricted.

  17. Re:Beautiful... on What's the Oracle Trial Against SAP Really About? · · Score: 4, Insightful

    I disagree with the AC that you are a retard. But I have to comment on this:

    Because I work with closed source software from a vendor that gives me access to Technical Reference Manuals, complete descriptions of all fields and behaviors of the tables? Is it because I enjoy having full access to the pl/sql code in triggers, stored procedures, workflows, forms and reports, which I can then modify to my own purposes and business objectives of my company?

    A lot of companies/people seem to think that's one of the benefits of closed source software, you get to pay for the privilege of accessing some "Knowledgebase" (with "Technical Reference Manuals", FAQs, HOWTOs, whitepapers etc) and get "Support" etc.

    When the fact is with stuff like Postgresql, you often don't need all that because you get to
    1) See the technical details and similar stuff for free
    2) Post a question on a mailing list, to which the developers reply without any marketing/PR bullshit involved.

    I've dealt with OSS and closed source stuff. And there've been many times with the latter that they ask $$$ for access to find out something that would be found by Google if it was OSS.

  18. Re:stupid people... on Man Loses Millions In Bizarre Virus-Protection Scam · · Score: 1

    I'm sure that's what the _filthy_ rich tell themselves from time to time :).

    http://sociology.ucsc.edu/whorulesamerica/power/wealth.html

    As of 2007, the top 1% of households (the upper class) owned 34.6% of all privately held wealth, and the next 19% (the managerial, professional, and small business stratum) had 50.5%, which means that just 20% of the people owned a remarkable 85%, leaving only 15% of the wealth for the bottom 80% (wage and salary workers). In terms of financial wealth (total net worth minus the value of one's home), the top 1% of households had an even greater share: 42.7%.

  19. Re:Wish it was just as simple as stupid.. on Man Loses Millions In Bizarre Virus-Protection Scam · · Score: 3, Insightful

    What makes you so confident your mind will work that well with half your brain gone? Or when you've got dementia?

    Have you ever seen what happens to people who get age-onset dementia? The changes in behaviour are often very significant.

    Might make sense if you're not really using that particular half of your brain in the first place, but that'll be a rare case.

  20. Re:Now That's Bizarre on Man Loses Millions In Bizarre Virus-Protection Scam · · Score: 1

    Assuming that he really got swindled which is a big IF...

    Then that means they got him didn't they? After all, how many computer repair geeks would really concoct such an outlandish scheme to swindle him of that much money?

    At most they'd overcharge him a few thousands for a new PC with the works, copying data over, and they'd probably get away with that.

  21. Re:SSD's are awesome, but the cost... on Toshiba Begins Selling MacBook Air SSD · · Score: 1

    There wouldn't be much wasted space in an SSD for a Macbook Air.

    SSDs in 2.5"-3.5" HDD form factors on the other hand...

  22. Re:Hmmm .... on Mystery Missile Launched Near LA · · Score: 1

    That makes no sense. I'm very very sure the Chinese military (and the rest of the world[1]) are already well aware that:

    1) The US is perfectly capable of launching ICBMs.
    2) The US is capable of unilaterally starting wars (and lying about the reasons).

    That's why the Chinese military are building up their missile and nuke tech in the first place.

    [1] At least the parts that could conceivably be worth an ICBM.

  23. Re:This explains the political process on The Placebo Effect Not Just On Drugs · · Score: 1

    You seem wedded to this system, I am not sure why - what's so great about our current way of handling elections? Give me some arguments in favor of it.

    Who said I was? Assuming that voters actually want to change the system, you do realize that to change the system you have to change the leaders, right? So what's your plan? Keep voting for Tweedledee and Tweedledum because "Game Theory" says so? They'll NEVER change the system because it is working well for them. What I'm talking about are very long shots, but they've a higher chance of changing stuff than "vote for The Two Parties".

    As for game theory, I am well aware of that game theory. That method is optimal if you assume there is going to be only one election ever (e.g. one iteration/cycle). Look up "Signalling".

    If you can't wait for multiple elections, what you could do is create a way to have lots of voters do "pseudo-elections" before the actual election, so that they can work things out. Those pseudo elections do not have to be "First Past The Post". That way voters might be able to find out whether some 3rd party actually has a chance at all. Once they've done that, they can proceed to try to game the system however they see fit.

    FWIW it's not even my country. I'm only bothered because the USA is the most powerful nation in the world, and has a habit of "influencing" other countries (whether forcibly or not). So whoever rules the USA often affects us a fair bit (in contrast whoever rules Iraq or North Korea won't really affect us that much).

    That and Bush got reelected...

  24. Re:SSD's are awesome, but the cost... on Toshiba Begins Selling MacBook Air SSD · · Score: 1

    Or big capacitors, so that the SSD can do better write buffering and other fancy performance tricks without losing data just because the power fails.

  25. Re:One man's problem... on Is Your Laptop Cooking Your Testicles? · · Score: 2, Funny

    1) Prophet!
    2) Breed like rabbits, and successfully brainwash most of your children.
    3) Democracy.