You're correct that hashing the password isn't secure. (Although it is more secure than sending the password directly, because then it doesn't potentially compromise all those other accounts where you use the same password.) However, it's easy to fix this vulnerability. The server sends the client a random value which must be hashed along with the password, and the server compares by hashing that same random value and the client's password. This is impossible to spoof, and sniffing the connection in either direction doesn't give you the password or anything else of use.
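The exchange the comment describes, as an added example (not the poster's code): the server issues a fresh random value, the client answers with hash(value || password), and the server recomputes and compares. The hash function (SHA-256), the nonce length and the user names are assumptions; the post fixes none of them.

```python
"""Challenge-response login: server sends a random value, client returns
hash(value || password), server recomputes and compares."""
import hashlib
import hmac
import os

NONCE_LEN = 16  # assumption: the post gives no size; 128 bits is ample


def response(challenge: bytes, password: str) -> bytes:
    # The scheme from the post: hash the server's random value together
    # with the password. SHA-256 is an assumption; the post names no hash.
    return hashlib.sha256(challenge + password.encode("utf-8")).digest()


class Server:
    """Holds the users' passwords and one outstanding challenge per user."""

    def __init__(self, users):
        self._users = dict(users)   # username -> password (plaintext is needed here)
        self._pending = {}          # username -> challenge not yet answered

    def start_login(self, user: str) -> bytes:
        challenge = os.urandom(NONCE_LEN)  # CSPRNG; a value is never reused
        self._pending[user] = challenge
        return challenge

    def finish_login(self, user: str, answer: bytes) -> bool:
        challenge = self._pending.pop(user, None)  # single use, even on failure
        if challenge is None or user not in self._users:
            return False
        expected = response(challenge, self._users[user])
        # constant-time compare so the comparison itself leaks nothing
        return hmac.compare_digest(expected, answer)


def client_login(server: Server, user: str, password: str, wire=None) -> bool:
    challenge = server.start_login(user)
    answer = response(challenge, password)
    if wire is not None:
        wire.append((challenge, answer))  # what a passive sniffer sees
    return server.finish_login(user, answer)


def replay(server: Server, user: str, captured) -> bool:
    """An eavesdropper resends a captured answer after the server issued a new nonce."""
    _old_challenge, old_answer = captured
    server.start_login(user)
    return server.finish_login(user, old_answer)


def demo():
    srv = Server({"alice": "correct horse battery staple"})
    wire = []
    genuine = client_login(srv, "alice", "correct horse battery staple", wire)
    wrong_pw = client_login(srv, "alice", "hunter2")
    replayed = replay(srv, "alice", wire[0])
    return genuine, wrong_pw, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two properties worth noting when deploying this: the server has to keep the password itself (a salted hash of it will not do, since it must recompute the client's answer), and a captured (challenge, answer) pair lets an eavesdropper test password guesses offline. The scheme stops replay and plaintext capture; it does not protect weak passwords.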
> but only if they're on the same unswitched subnet,
Wrong. DHCP discovery packets are broadcast and pass through switches; in fact, they even pass through appropriately-configured routers.
You're right, my bad. I shouldn't have said 'unswitched'. But you still have to be on the same subnet, or at least on a network where DHCP packets from the target machine can be received and sent.
> only if things are set up just so,
Wrong. This exploits a hole in the default configuration.
No, that's not correct. It is true that you can set up a root account on the machine with the default configuration, but then you can't actually do anything with that account, because ssh is not turned on by default, nor is any other service you could use. You either need physical access to the machine or a service like ssh turned on. Either one counts as "set up just so".
> and only if they're very lucky?
No luck required. It's a simple race condition, so all that's needed is to slow down the DHCP server that would respond (piece of cake - since you're on the network, you can suck up all the leases, or hammer it with discover packets) so that your packet can beat it.
You need luck. First you need to be in a position to grab and respond to the DHCP requests. Second, you need to have access to the target machine, either via ssh or physically. Third, you have to actually be there and ready when the machine does a DHCP request, which isn't all that often.
You could probably compromise a machine or two in a lab full of Macs, since the combination of machines will be sending DHCP lease renewal requests reasonably often. Then you get to hunt through the room and figure out which machine you got root on. And somehow this has to make more sense than just showing up with an OS install CD and using that to reset the administrator password.
No, you do need luck.
Jeez, I can't get over you Apple zealots. Go ahead and discount the issue, but don't spread lies to make it seem less serious.
Yeah, it's not like the same thing ever happens with Linux fans whenever a Linux vulnerability comes out, or with Windows fans (if we have any on slashdot...) when Windows vulnerabilities show up. The fact of the matter is that for most users, this vulnerability is impossible to exploit. In the cases where you can exploit the vulnerability, most of the time you'll have physical access to the machine and you will therefore have easier ways to gain unauthorized root. Not to say that this isn't a problem, it is, but it's not an enormous problem.
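Whichever side of the argument above one takes, the attack it describes (a rogue host answering DHCP discovers before the real server) leaves a visible trace: OFFER or ACK packets whose server identifier (option 54) is not one of the network's known DHCP servers. The following is an added detection example, not code from the thread; it assumes an operator-maintained list of trusted server addresses and that packets arrive from a capture (reading a pcap or a raw socket is not shown). The three sample packets are constructed here for the purpose.

```python
"""Flag DHCP OFFER/ACK/NAK packets whose server identifier (option 54) is
not a known DHCP server: the trace a rogue server racing the real one leaves."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(pkt: bytes) -> dict:
    """Parse the BOOTP fixed header and the DHCP options that matter here."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    rec = {
        "op": op,                      # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
        "chaddr": pkt[28:28 + min(hlen, 16)].hex(":"),
        "msg_type": None,
        "server_id": None,
    }
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:            # PAD: single byte, no length
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 2 > len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        if code == 53 and length == 1:
            rec["msg_type"] = MSG_TYPES.get(value[0], "TYPE%d" % value[0])
        elif code == 54 and length == 4:
            rec["server_id"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return rec


def find_rogue_offers(packets, trusted_servers):
    """One alert per server-originated DHCP message from an untrusted server."""
    trusted = {str(ipaddress.IPv4Address(s)) for s in trusted_servers}
    alerts = []
    for pkt in packets:
        rec = parse_dhcp(pkt)
        if rec["op"] != 2 or rec["msg_type"] not in ("OFFER", "ACK", "NAK"):
            continue  # client traffic (DISCOVER/REQUEST) is not what we look for
        if rec["server_id"] not in trusted:  # missing option 54 counts as untrusted
            alerts.append(rec)
    return alerts


def build_dhcp(op, xid, yiaddr, msg_type, server_id=None, chaddr=b"\x00" * 6):
    """Construct a minimal DHCP packet; used only to fabricate sample input."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s", op, 1, len(chaddr), 0, xid, 0, 0x8000,
        b"\x00" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\x00" * 4,
        b"\x00" * 4, chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, msg_type])
    if server_id is not None:
        options += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return header + MAGIC_COOKIE + options + b"\xff"


# Constructed sample capture: a DISCOVER from one client, then two OFFERs for
# the same transaction, one from the real server and one from a rogue host.
CLIENT_MAC = b"\x00\x0a\x95\x12\x34\x56"
TRUSTED_DHCP_SERVERS = ["192.168.1.1"]          # assumption: the site's real server
SAMPLE_PACKETS = [
    build_dhcp(1, 0x3903F326, "0.0.0.0", 1, chaddr=CLIENT_MAC),
    build_dhcp(2, 0x3903F326, "192.168.1.50", 2, "192.168.1.1", CLIENT_MAC),
    build_dhcp(2, 0x3903F326, "192.168.1.200", 2, "192.168.1.77", CLIENT_MAC),
]


def demo():
    return find_rogue_offers(SAMPLE_PACKETS, TRUSTED_DHCP_SERVERS)


if __name__ == "__main__":
    for a in demo():
        print("rogue %s from %s offering %s to %s (xid %08x)" % (
            a["msg_type"], a["server_id"], a["yiaddr"], a["chaddr"], a["xid"]))
```

Because a rogue server must answer the broadcast DISCOVER before the real one, both offers are normally visible to a sensor on the same segment; matching on the transaction id (xid) additionally shows which client was targeted.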
If you do want to implement e-mail, it's very simple. You don't need a local MTA; SMTP is very simple, and a server will accept a message for a user at its domain, no matter where you're connecting from. (Or nearly so....)
So all you have to do is know the SMTP server for your e-mail address, and a bit of scripting with netcat does the rest. Just make a file with:
helo domain.blah
mail from:<phone_home@domain.blah>
rcpt to:<phone_home@domain.blah>
data
Subject: subject

contents go here
.
quit
Then you can send it with 'nc smtp.isp.blah 25 < file'.
I do this for my phone-home program. It doesn't send mail by default, but it checks a private page on my web site. If it finds the right command on that page, then it will send e-mail. I can also have it execute commands and open up an ssh tunnel so I can ssh in.
Of course, like a dumbass, I don't have an easy way for them to get online unless they have a wireless network. Do you have a suggestion for how to do that without having a password-free admin account? I don't want random people to be able to do nastiness on my machine.
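The SMTP exchange from the comment above, spoken directly over a socket with no local MTA, as an added example rather than the poster's netcat script. A small stand-in server in the same file plays the part of smtp.isp.blah so the exchange runs offline and the recorded envelope can be inspected; the addresses, host names and message text are the post's placeholders or constructed here.

```python
"""HELO / MAIL FROM / RCPT TO / DATA / QUIT over a raw socket, plus a minimal
stand-in server so the exchange can be run without an ISP."""
import socket
import threading

CRLF = b"\r\n"


class SmtpError(Exception):
    pass


def dot_stuff(body: str) -> str:
    # RFC 5321 4.5.2: a body line beginning with '.' is sent as '..' so it
    # cannot be mistaken for the end-of-data marker (a line holding only '.').
    return "\r\n".join(("." + ln if ln.startswith(".") else ln)
                       for ln in body.splitlines())


def build_message(sender, recipient, subject, body):
    # RFC 5322: header lines, one blank line, then the body.
    headers = [f"From: {sender}", f"To: {recipient}", f"Subject: {subject}"]
    return "\r\n".join(headers) + "\r\n\r\n" + dot_stuff(body) + "\r\n"


def _reply(f, *accept):
    # Read one reply; "250-text" lines continue it, "250 text" ends it.
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:
            raise SmtpError("connection closed by server")
        if len(line) > 3 and line[3] == "-":
            continue
        if line[:3] not in accept:
            raise SmtpError(line.strip())
        return line[:3]


def smtp_session(sock, helo_name, sender, recipient, message):
    """Run the command sequence over an already connected socket."""
    f = sock.makefile("rb")

    def cmd(text, *accept):
        sock.sendall(text.encode("ascii") + CRLF)
        return _reply(f, *accept)

    _reply(f, "220")                       # server greeting
    cmd(f"HELO {helo_name}", "250")        # HELO takes our host name, not an address
    cmd(f"MAIL FROM:<{sender}>", "250")
    cmd(f"RCPT TO:<{recipient}>", "250", "251")
    cmd("DATA", "354")
    sock.sendall(message.encode("ascii") + b"." + CRLF)
    code = _reply(f, "250")
    cmd("QUIT", "221")
    return code


def send_mail(host, port, *args):
    """Real use: connect to the mail server (host/port assumed) and run the session."""
    with socket.create_connection((host, port), timeout=30) as s:
        return smtp_session(s, *args)


def _fake_server(conn, mailbox):
    # Stand-in for smtp.isp.blah: answers each verb and records the envelope.
    env, data, in_data = {"rcpt": []}, [], False
    with conn, conn.makefile("rb") as f:
        conn.sendall(b"220 fake.smtp ESMTP ready" + CRLF)
        for raw in f:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if in_data:
                if line == ".":
                    in_data, env["data"] = False, "\r\n".join(data)
                    mailbox.append(env)
                    conn.sendall(b"250 OK queued" + CRLF)
                else:  # undo dot-stuffing
                    data.append(line[1:] if line.startswith(".") else line)
                continue
            verb = line[:4].upper()
            if verb == "HELO":
                conn.sendall(b"250 fake.smtp" + CRLF)
            elif verb in ("MAIL", "RCPT"):
                addr = line.split("<", 1)[1].rstrip(">")
                if verb == "MAIL":
                    env["from"] = addr
                else:
                    env["rcpt"].append(addr)
                conn.sendall(b"250 OK" + CRLF)
            elif verb == "DATA":
                in_data = True
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>" + CRLF)
            elif verb == "QUIT":
                conn.sendall(b"221 Bye" + CRLF)
                break
            else:
                conn.sendall(b"500 Unknown command" + CRLF)


def demo():
    """Run the client against the stand-in server and return what it stored."""
    client_end, server_end = socket.socketpair()  # no network involved
    mailbox = []
    t = threading.Thread(target=_fake_server, args=(server_end, mailbox))
    t.start()
    msg = build_message("phone_home@domain.blah", "phone_home@domain.blah",
                        "phone home", "contents go here\n.this line starts with a dot")
    with client_end:
        smtp_session(client_end, "domain.blah", "phone_home@domain.blah",
                     "phone_home@domain.blah", msg)
    t.join(5)
    return mailbox


if __name__ == "__main__":
    print(demo())
```

The two details a hand-rolled client most often gets wrong are visible here: the blank line that separates headers from body, and dot-stuffing, without which a body line consisting of a single '.' ends the message early.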
Your cable provider doesn't have a monopoly on internet service. They don't even have a monopoly on high-speed internet service. Don't believe me? Buy a satellite system, a wireless system, or something from the phone company. They may not sell you DSL, but they'll surely sell you a nice T1 and let you do whatever you want with it.
Oh, but cable is the cheapest. Poor guy, the cheapest broadband service you can find doesn't let you run servers. I honestly do sympathize and think that they should let you. But they are not by any means a monopoly.
Until that contract is issued, I wouldn't have to explain the idea or the secrets of the idea. A non-disclosure agreement and a binding contract are really all you need to protect the idea (as is obvious from one of the links I posted in my original message).
This is precisely what happened before patents, and exactly why the entire patent system was invented in the first place. People would get good ideas, and try to sell them. But they can't disclose the idea, because then they don't get rewarded. They also can't find a buyer, because they can't explain the idea well enough to prospective buyers without giving the idea away. Thus, the good idea dies with the person who came up with it.
Lots and lots of inventions were lost in exactly this way. Many people would rather die with their invention a secret than have somebody else make a fortune out of it. The key component to a patent is that it is required to publish a full specification of the invention, enough so that a knowledgeable person could build it, in return for the patent. This way, even if the inventor has a heart attack or is hit by a bus or every city where his multinational conglomerate has offices is hit by gigantic rocks from outer space, the invention is not lost.
The simple fact of the matter is that, like copyrights, patents are fundamentally good ideas; it's the implementations that are broken. Both were originally conceived not as a way to let people make money, but as an aid to society, to promote invention and creativity. The problem now is that it's gone too far towards giving people money. Scale back the terms of copyrights and patents, examine them more thoroughly, make people pay (more) for them, etc., and you can fix the system. It's not necessary to destroy it.
We've hit a new low on slashdot. First, we had people who didn't read the article. Then we had people who didn't even read the summary. Now we have somebody who apparently didn't even read the frigging headline.
Yes, the headline. Right there in the title bar of the window. "Swedish Student Partly Solves 16th Hilbert Problem". Your "objection" is part of the article, summary, and headline.
Which category is it in if they can take over the machine, but only if they're on the same unswitched subnet, only if things are set up just so, and only if they're very lucky?
Yeah, it's not like Chinese companies don't already have this exact same problem when dealing with postal addresses. And it's not like they have it solved by having the Chinese post office understand Romanized addresses.
You solved the problem in your post; get two domains. Not too hard.
Your comment would make sense if I hadn't ever watched Farscape. But in fact I watched Farscape fairly religiously for about two years. The difference between us is not that you watched Farscape and I didn't; the difference is that I have the maturity not to blow up any time somebody I don't even know makes a joke at the expense of something I like. It is possible to both like a show and not go crazy every time somebody makes a bad comment about it.
Is this why all those morons keep talking about the "deep philosophical questions" in The Matrix? Every time I see that, I don't know whether to laugh or cry.
Video packets have to be delivered in a timely manner. Most streaming protocols, like video, audio, and gaming, use UDP, not TCP, because, to paraphrase a pioneer in realtime internet gaming, it's easier to write code to recover from lost packets than it is to write code that can travel back in time to deliver one that arrived late.
The trouble with TCP is that it will deliver all of your packets, but it will never deliver one out of order. This means that if a packet gets dropped in the middle of the stream, until it's detected and successfully resent, the stream stops. To effectively deal with this, you need buffering greater than the maximum amount of time a resend can take, which is often several seconds. People are ok with waiting a few seconds for an internet radio station to start playing, but imagine hitting play on your DVD player and not having anything happen for five seconds.
Any audio or video codec that's used for streaming will be engineered to deal with lost packets. If a packet doesn't arrive, no big deal, the picture or sound degrades slightly, and that's it. If a lot of packets fail to arrive, the picture and sound will degrade, but gracefully. A TCP-based system will have a perfect picture right up until the point where it takes longer to resend a packet than the available buffering, where it will simply fail, and the video will pause until it can get buffered back up again.
Historical data is nice, but not terribly fine-grained. I don't think a climate model based on once-a-year temperature and precipitation records like you find in glaciers is going to be all that great. Even disregarding that, it's like successfully predicting the weather for ten weeks, and then saying everything works and you can certainly predict the weather for one more week with good accuracy. Lots of things could change in that last week. We have lots of indications that climate can change rapidly as well, so there's no reason to believe our models are particularly accurate in that respect.
I have no vested interest in global warming being true or false. But I do get tired of "the sky is falling", when, first, we still don't know why it's happening, second, we have no idea if it's normal, and third, we have no idea if it's a good thing or a bad thing. If you can point me to some good, reliable data that shows conclusively that it's overwhelmingly caused by human activity, and it's going to be a bad thing when it arrives, I'd love to see it.
It's not propaganda, it's truth. Open the client manager, edit the wireless profile, tick the WEP box, enter the key (double-check it), and voila, it can't see anything on the network!
Too bad it took MS that long. I bought a Mac and an airport base station in 1999, and they worked together flawlessly.
Also, I'm running my network with WEP off (but it only allows MAC addresses that are on my list, not perfect, but at least better than nothing) because my girlfriend's XP laptop refuses to connect to the encrypted network, no matter what I do.
Correction: we can't predict the weather, and we simply don't know whether or not we can predict the climate. Your statement is completely ridiculous; we've been seriously trying to predict the climate for, what ten years? These are predictions that are supposed to be for decades or centuries into the future. None of these things have come remotely close to being tested yet. The closest any of them have come to being tested is running several different simulations on the same data and seeing how well they match.
Yeah, right. I gave that same excuse to my boss yesterday when he asked why his e-mail wasn't working. Do they really think we're going to believe something that lame?
And to extend that logic, after the Son of God Himself descends from heaven and rescues the ship, you can complain that it's all waterlogged and scratched and it was better with the old captain.
Get real. Both the editors and story submitters splatter their personal opinions all over everything they write. But of course this only bothers you when they do it to your favorite show, right? Take a deep breath and remember that it's just pixels on your screen....
I've never noticed that the countdown starts over. When I submit too fast, and get the notice, I just hit back and then submit again and it goes through. Is this a new change?
Umm, there already exists a futures market for personal threats to life and limb, it's called insurance. Although kidnap and murder insurance is somewhat rare, health and life insurance is extremely common. Typically the payoff is different, the insurance companies collect when people don't get ill or die, but they're still betting on it.
Real World scenario 3 (for those too paranoid to try 1, and too nice to try 2):
1) Report it to the company (anonymously).
2) See if they fix it.
3) If they don't fix it within X days, report it to the public (anonymously).
More like, why would they come on slashdot and exercise circular thinking and assumptions when they can go to work and get paid for it?
Panther has been out for, what, a month? Good to know the Mac is still worth copying, at least....
Yeah, this really is horrible. It's almost as bad as buying a general-purpose computer just to play games on it!
4. Could the default comment-submission mode be changed to "plain old text" instead of "html-formatted"?
I don't know what you're doing, but my default comment-submission mode is and has always been, as far as I can remember, Plain Old Text.