Clearly, the submitter wants to audit the code to make sure the software is not phoning home, allowing the software authors to steal his great-great-grandparents' identities.
I can't tell which AC is the advertiser, but yes, this is definitely better than (for instance) the Dropbox article that popped up a couple hours ago.
I think that the GP was talking about theft in transit. That is, malicious action by postal workers. The problems you are experiencing sound more like carelessness than willful flaunting of your privacy. I think that opportunistic tampering with another person's mail as you describe is probably a felony, but since it is performed by a neighbor, not a USPS employee, it has little to do with whether the mail system is privatized.
If it doesn't suit my needs, I will not spend long enough on the obfuscated web site to discover that I am wasting my time.
I know it has version control. I never said it didn't. I said it was not as powerful and versatile as other version control systems.
Does Dropbox allow you to make notes on changes made to the working copy? Does it make it easy to branch and merge changes? Does it allow you to tag the repository in a certain state to make it easy to go back to it? Systems such as git, subversion, and even CVS allow you to do these things, and many "self-respecting nerds" have been using them for many times the lifetime of Dropbox. The systems I mentioned have been around for 5, 10, and 20 years, while Dropbox is barely 2 (according to their respective Wikipedia pages).
If I rely on these features for my work, and others such as cryptographically-strong assurance of my repository's integrity, then Dropbox is not going to meet my needs. Furthermore, if I don't trust my data to a company that may revoke my account without notice, then I am not even going to look for a service like this. If I am not looking for it, then why would I know what it is?
Are you confusing "self-respecting nerds" with "script kiddies"?
The ones who need a version control system more powerful and versatile than what Dropbox offers??
In addition to allowing the remote synchronization of files, Dropbox allows users to (optionally) share the repository on a page that one can browse on the web. If Dropbox pulls the rug out from under your account, the remote copy is surely gone. That means no sync, and no web access. You would surely lose the remote copy.
I think that GP meant that when you sync the files in the local folder with the server, they are copied, not moved to the remote location. Thus, while syncing and other features are lost with the account, the local copy is not obliterated.
...But I could be wrong. I have never actually used Dropbox, much less had an account terminated by them.
I think I saw one or two sites like that listed on this site, but there were no links, so I wasn't able to find out more.
...isn't a botnet without a 'net connection just a worm?
Not if the controlling computer of the botnet is on the same virtual network. They might even introduce virtual servers so they can try out DDoS attacks.
As far as I know they haven't said, "under no circumstances will we ever release a general Linux client."
I think that is what bothers a lot of Linux users, including me. They are not obligated to provide a client, but there is a clear demand for one, even if it is negligible compared to other platforms. It would be really nice of them to address these requests, and explain whether they do not provide a client because they don't have the resources to develop it, or they can't broker the content for such an open platform, or whatever it is. What is their stance? We have no idea.
Yeah, I feel you. But the incongruity of your comments was beckoning. :c)
So what you are saying is, your OpenBSD box is running a version that is missing 60% of the timeline where edits could have been made to break this backdoor?
Regarding whether this is really the "Top" 50 passwords: Maybe I'm missing something, but if they aren't using salt, then any two users who have the same password should have the same hash, right? So even without knowing what the passwords are, it should be possible to make a list of the top 50 hashes. If a password is found for each of those, then those should constitute a list of the top 50 passwords. Am I missing something?
Of course, this ignores what someone above mentioned, that the database may be partitioned into legacy crypt hashes and more secure bcrypt ones. There could be dozens of super-weak, duplicate, recently-entered passwords in the latter set which are safe and sound! And on the other hand, the whole methodology of the article is pretty casual and imprecise, so it is hard to know what is really going on.
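The counting argument in the post above, as an added example that is not part of the original comment or the article it discusses. It builds a small constructed user table of unsalted SHA-1 hashes (the "legacy crypt" scheme is stood in for by bare SHA-1, an assumption made here only for illustration), ranks the hash values by frequency, dictionary-cracks only the top entries, and then repeats the count under a per-user salt to show why the same trick says nothing about the salted (bcrypt-style) partition. The passwords, wordlist and salt scheme are all constructed for the example.

```python
import hashlib
import os
from collections import Counter


def unsalted(pw: str) -> str:
    # Legacy scheme assumed for the leak: one bare SHA-1 per password, no salt
    return hashlib.sha1(pw.encode()).hexdigest()


def salted(pw: str, salt: bytes) -> str:
    # Any per-user salt (prepended to SHA-1 here purely for contrast) hides duplicates
    return hashlib.sha1(salt + pw.encode()).hexdigest()


# Constructed sample data: 12 accounts, passwords chosen so that several repeat
SAMPLE_PASSWORDS = (["123456"] * 5 + ["password"] * 3 + ["letmein"] * 2
                    + ["correct horse", "Tr0ub4dor&3"])
LEAKED_HASHES = [unsalted(p) for p in SAMPLE_PASSWORDS]

# Small constructed wordlist standing in for a real dictionary
WORDLIST = ["123456", "password", "qwerty", "letmein", "monkey", "dragon"]


def top_hashes(hashes, n):
    """Most frequent hash values; works only because equal passwords give equal hashes."""
    return Counter(hashes).most_common(n)


def crack(hash_set, wordlist, hash_fn=unsalted):
    """Dictionary attack: hash each candidate once and look it up against the targets."""
    targets = set(hash_set)
    found = {}
    for word in wordlist:
        h = hash_fn(word)
        if h in targets:
            found[h] = word
    return found


def top_passwords(hashes, wordlist, n):
    """Rank by frequency first, crack only the top-n hashes; None marks an uncracked entry."""
    ranked = top_hashes(hashes, n)
    cracked = crack([h for h, _ in ranked], wordlist)
    return [(cracked.get(h), count) for h, count in ranked]


def largest_cluster_with_salt(passwords):
    """Same password list under a random per-user salt: size of the biggest hash cluster."""
    hashes = [salted(p, os.urandom(16)) for p in passwords]
    return max(Counter(hashes).values())


if __name__ == "__main__":
    print(top_passwords(LEAKED_HASHES, WORDLIST, 5))
    print("largest cluster once salted:", largest_cluster_with_salt(SAMPLE_PASSWORDS))
```

With the constructed data the frequency ranking recovers the three repeated passwords without ever hashing the whole wordlist against every account, and the two uncracked singletons stay as None. Under a salt the largest cluster is 1, so a "top 50" derived this way can only describe the unsalted partition of a mixed database.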
I agree that it is in one's best interest to keep password-protected accounts secure, because you cannot anticipate the consequences of such breaches. What do you think of systems like Wordpress with Gravatar, which creates an identity based on name and email address, and provides no authentication except those details?
Maybe the server could handle the traffic, but 403 is their host's way of dealing with going over a periodic bandwidth limit.
As to your proposal, it seems like they are out of order. Shouldn't it be: some response, no response, slashdotters let out the magic smoke?
You should know!
Yeah, on one hand, I can see why CoderJoe took issue with it. The only way it really supported your point was empirically: that kernel developers probably see a lot of these problems, and I suppose that Linus is as aware of these things as anyone. I am a novice SCM user, at best, and I can definitely say that if I had to ask svn to show me whether my repository had been corrupted or compromised, I would not know where to start. I can easily believe that svn provides little to no assurances of such things. On the other hand, here is a short discussion on a related problem that Google unearthed for me quickly, so I think it's not hard to find examples where svn falls short.
I wonder how git catches these things; Linus talks about "knowing the hash" – I can't tell whether he means the user or the system itself; I would love to understand how git draws attention to unauthorized changes to a repository, if that is actually what is going on. That would be fascinating.
All these issues aside, I have been trying to understand git over the last few months, although I have not actually used it with an active project. In that respect, this was a very timely exposure to the video, and why I am grateful to have come upon your comment. :c)
Aside from the apparent lack of rigor in demonstrating your point (which is perfectly understandable for an audience where apparently only 10 were familiar with distributed SCM), that is an interesting talk. Thanks for sharing it.
For those in a hurry, the relevant remarks are at 10:55 and 56:15 in the video.
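The mechanism the post above asks about, as an added example that is neither git's code nor anything from the linked talk. It reimplements git's object naming in Python: every object is named by the SHA-1 of `"<type> <size>\0" + body`, a tree stores the raw ids of its blobs, and a commit stores its tree id and parent ids, so the hash of the head commit pins down every byte beneath it. The in-memory store, the `fsck` walker and the tampering step are constructed for the example; real repositories also sort directory entries specially and compress objects on disk, which is not modelled here.

```python
import hashlib


def git_hash(obj_type: str, body: bytes) -> str:
    # git names an object by SHA-1 over "<type> <size>\0" followed by the body
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    return git_hash("blob", content)


def tree_body(entries) -> bytes:
    # entries: (mode, name, hex id); git stores each id as raw 20 bytes, sorted by name.
    # Plain files only: git sorts directory entries as name + "/", not needed here.
    body = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        body += f"{mode} {name}\0".encode() + bytes.fromhex(hex_id)
    return body


def commit_body(tree, parents, author, committer, message) -> bytes:
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return "\n".join(lines).encode()


class ObjectStore:
    """Minimal content-addressed store standing in for .git/objects (hypothetical)."""

    def __init__(self):
        self.objects = {}  # hex id -> (type, body)

    def put(self, obj_type, body):
        oid = git_hash(obj_type, body)
        self.objects[oid] = (obj_type, body)
        return oid


def fsck(store, oid, seen=None):
    """Walk from a commit down, recomputing every id; return ids whose body no longer matches."""
    if seen is None:
        seen = set()
    if oid in seen:
        return []
    seen.add(oid)
    if oid not in store.objects:
        return [oid]  # dangling reference
    obj_type, body = store.objects[oid]
    bad = [oid] if git_hash(obj_type, body) != oid else []
    if obj_type == "commit":
        for line in body.decode().split("\n"):
            if line.startswith(("tree ", "parent ")):
                bad += fsck(store, line.split()[1], seen)
    elif obj_type == "tree":
        i = 0
        while i < len(body):
            nul = body.index(b"\0", i)          # end of "mode name"
            child = body[nul + 1:nul + 21].hex()  # the 20 raw id bytes that follow
            i = nul + 21
            bad += fsck(store, child, seen)
    return bad


def build_repo():
    """One commit with one file; identity strings are constructed."""
    store = ObjectStore()
    readme = store.put("blob", b"hello\n")
    tree = store.put("tree", tree_body([("100644", "README", readme)]))
    who = "Example <example@example.invalid> 0 +0000"
    head = store.put("commit", commit_body(tree, [], who, who, "initial import"))
    return store, head


def tamper(store, oid, new_body):
    """Overwrite an object's body under its existing name, as an attacker editing .git/objects would."""
    obj_type, _ = store.objects[oid]
    store.objects[oid] = (obj_type, new_body)


if __name__ == "__main__":
    store, head = build_repo()
    print("head", head, "clean:", fsck(store, head))
    tamper(store, blob_id(b"hello\n"), b"hello backdoor\n")
    print("after tampering:", fsck(store, head))
```

The two well-known ids `e69de29bb2d1d6434b8b29ae775ad8c2e48c5391` (empty blob) and `ce013625030ba8dba906f756967f9e9ca394464a` (the blob `hello\n`) come out of `blob_id`, which is the check that the hashing matches git's. Editing a stored blob in place is caught because its name no longer matches its content; rewriting it honestly gives it a new name, which forces a new tree and a new commit id, so anyone who "knows the hash" of the head can tell the history was changed.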
Yay! Another good reason to use Python!
Whenever I am on a jury, I bring my gaming rig and a router. Then, we reach a quick decision in, say, 5 minutes in the deliberation room, and have a LAN party for a couple of days. Just to make sure it didn't look too easy.
Well, if all the fuss is about selling counterfeit goods, it would be interesting to see them forward the domains to the producers of the authentic counterparts...
A few years back, I read a rant by someone who took issue with DRM, and corresponded with representatives at the record label. Maybe they were annoyed that some CD they purchased made it super-hard for them to rip tracks to play on their MP3 player. Anyhow, they asked the company, "Why do you make it so hard to convert files?" The rep said, "Because it's illegal." The consumer rejoined, "But it wasn't back when you were distributing things on audiocassette!" The rep's reply was basically, "Oh, it was illegal back then, but we couldn't stop you."
At this point, I would expect an analogous response from ICE on why they have these powers in cyberspace: "You should not have been speaking back then, but we could not stop you from doing so!"
This is exactly what we are doing right now, in my household.
Yes, on the Cr-48 there will be a jailbreaking mode. Just like the Nexus One was developer-friendly. When Motorola released the Droid X with its self-destruct feature, they even said that if someone wanted to root their phone, they should get a Nexus One instead of Motorola's device. Just because this prototype – which is released for hacking and beta testing – has a jailbreaking mode, we don't know how consumer-grade products made by a variety of manufacturers might be locked down. I don't anticipate Google providing any stricter mandate with Chromium OS than they have with Android.
And deciding whether you want to remap it from the search function may be even harder.