The only way to be safe is to block all the evil characters and let the digits through
What are you talking about? Digits are the worst offenders! Look at how many viruses have spread solely through the distribution of 0's and 1's! Imagine the mayhem if the bigger digits start cutting in on the action!
Two things:
This would effectively destroy IP rights of all seed companies.
Those are the risks you take when you try to patent life.
The new two-cent coins are easy to lose, so be careful.
Sure, but you could store as many of your new pennies in your pocket as you wanted and you'd never run out of room!
Of what use is a new anti-counterfeit bill if they don't recall the old, easily counterfeited ones? Counterfeiters won't even try to adjust to the new bills if the old ones are still in circulation and legal tender - there's just no reason to.
Sure there is. When's the last time you saw an old $20 in general circulation? They may still be legal tender, but they're rapidly becoming rare... so much so that you notice them when you see them nowadays.
As a counterfeiter trying to pass your bills off on others, added scrutiny is something you want to avoid.
To hell with Mozilla... when's the next release of Mozilla Firebird?
Well, actually MS is now traded on the NYSE
No, it's not. It's part of the DJIA (which is merely an average of a bunch of unrelated stocks), but it's still traded on the NASDAQ market.
four pages worth of the letter 's.'
The problem with truly random data is that you can't really be sure. That four pages of the letter 's' could very well be what starts out the "monkey at a computer" random stream.
It's cracker dammit...
Look, just because he's a white hat, you don't have to be racist about it.
The article makes it sound like this is to prevent those web pages that make themselves full screen and look just like a desktop, but honestly how often is this tactic even used?
When it comes to security, you should account for all the possibilities for circumventing it, not just the most common ones.
Though I have to wonder about the way they're going about doing all this. Windows already has a whole security infrastructure around the concept of desktops as securable objects, why not just use the existing Trusted Path keystroke (Ctrl-Alt-Del) to offer an option to switch to a "secure" desktop where only secure applications can be run?
Okay, what happens when someone sends spam "from" someone on your whitelist?
It would get through, of course -- but that requires spammers to know who's on my whitelist, and I don't publish my whitelist. Security via obscurity works quite well in this case.
Nothing's perfect, of course, since an Outlook email virus might be a vector for delivering spam via trusted relationships (operating on the theory that if I'm in someone's Outlook Address Book, odds are higher that they've conversed with me via email and are therefore in my whitelist), but if that becomes a problem from someone on my whitelist, I can take them back off the whitelist and require a C/R from that person for every email.
So you have to email all your friends and family before they can email you? How else can somebody get on your whitelist?
Challenge/Response. If someone not on my whitelist sends me an email, they get an automated challenge email they need to reply to before their original message will get delivered. They're also added to the whitelist when they reply. The challenge message comes with a cryptographically created Reply-to address which verifies that they're actually responding to the challenge and not just trying to circumvent it.
Once this gets widescale usage, the spammers will simply start responding to the challenges (after all, it's not like that couldn't be easily automated).
In order to send responses to the challenges, it means the spammer has to provide at least a valid return address, and dedicate resources to responding to those requests (even if it is automated). It raises the cost of sending spam, and increases accountability due to the valid return address requirement, which is the best we can hope for with an SMTP-based solution for the time being. It's not perfect, but nothing is.
How do two people with challenge and response communicate?
My C/R setup (TMDA) automatically puts anyone I send email to on my whitelist; therefore I'd get their challenge message.
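The challenge/response exchange discussed above, as an added example that is not part of this thread and not TMDA's own code: a small filter that delivers mail from whitelisted senders directly, issues an HMAC-tagged confirmation address to everyone else, and only delivers (and whitelists) a sender once a reply to that exact address arrives from the same sender before the challenge expires. It also shows the mechanism from the earlier comments: anyone the owner writes to is whitelisted, so their own challenge gets through, and a spoofed From that matches a whitelisted address is delivered without a challenge. The secret, domain, address layout and three-day expiry are constructed assumptions for the demo.

```python
import hashlib
import hmac
import re

# Constructed demo values: a real deployment keeps the secret outside the code
# and rotates it. DOMAIN and the TTL are assumptions, not TMDA's defaults.
SECRET = b"constructed-demo-secret"
DOMAIN = "example.com"
CHALLENGE_TTL = 3 * 24 * 3600  # seconds a challenge stays answerable

# Challenge addresses look like confirm-<issued>-<token>-<mac>@DOMAIN
_ADDR_RE = re.compile(r"^confirm-(\d+)-(\d+)-([0-9a-f]{20})@" + re.escape(DOMAIN) + r"$")


def challenge_mac(sender: str, issued: int, msgid: str) -> str:
    """HMAC binding a challenge to the original sender, message and issue time."""
    data = f"{sender.lower()}|{issued}|{msgid}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:20]


class CRFilter:
    """Minimal challenge/response filter (assumed design, not TMDA's code)."""

    def __init__(self):
        self.whitelist = set()   # addresses whose mail is delivered directly
        self.pending = {}        # token -> (sender, issued, msgid, body)
        self.delivered = []      # (sender, body) pairs that reached the inbox
        self._next_token = 1

    def record_outgoing(self, recipient: str) -> None:
        """Anyone we write to is whitelisted, so their own challenge reaches us."""
        self.whitelist.add(recipient.lower())

    def process(self, msg: dict, now: int) -> str:
        """Route one inbound message; returns the action taken."""
        sender = msg["from"].lower()
        m = _ADDR_RE.match(msg["to"].lower())
        if m:
            return self._confirm(sender, int(m.group(1)), int(m.group(2)), m.group(3), now)
        if sender in self.whitelist:
            # A spoofed From matching a whitelisted address is delivered too:
            # the whitelist only helps while its contents stay private.
            self.delivered.append((sender, msg["body"]))
            return "delivered"
        token = self._next_token
        self._next_token += 1
        mac = challenge_mac(sender, now, msg["message_id"])
        self.pending[token] = (sender, now, msg["message_id"], msg["body"])
        return f"challenged:confirm-{now}-{token}-{mac}@{DOMAIN}"

    def _confirm(self, replier: str, issued: int, token: int, mac: str, now: int) -> str:
        entry = self.pending.get(token)
        if entry is None:
            return "rejected:unknown-challenge"
        sender, stored_issued, msgid, body = entry
        expected = challenge_mac(sender, stored_issued, msgid)
        # Constant-time compare so a forger cannot time their way to a valid MAC
        if issued != stored_issued or not hmac.compare_digest(expected, mac):
            return "rejected:bad-mac"
        if replier != sender:
            return "rejected:wrong-sender"
        if now - stored_issued > CHALLENGE_TTL:
            del self.pending[token]
            return "rejected:expired"
        del self.pending[token]
        self.whitelist.add(sender)
        self.delivered.append((sender, body))
        return "confirmed"
```

The token in the address only locates the pending message; the MAC is what stops someone from replying to a challenge they never received, and the reply must also come from the address that was challenged, which is the "valid return address" cost the earlier comment describes.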
That's right. Better to have never tried at all than to try and fail, I always say.
Better to not lull yourself into a false sense of security beneath your ABM blanket and make people try firing missiles at you, hoping they won't land, I always say.
Mind you, 100meg+ demos aren't very EASY to transfer nowadays, much less with the terrible state of sites like FilePlanet, etc. (Has anyone considered a positive use of P2P to split such large files over several clients?)...
BitTorrent?
This is entirely different to a public body's decision-making process. There, it is other people's money that is being spent. The choice should not be merely what's best for that body, but what's best for the people who are funding that body. It could be argued that the public should have a right to use software that they have funded.
It could also be argued that's simply idealistic nonsense with plenty of precedent of counterexamples to the "my tax dollars paid for it, so I should be able to use it" line of reasoning. Simply put, there's nothing that suggests you should have an expectation that you're somehow entitled to what your tax dollars are being spent on.
And the death rate for AIDS is 100 percent.
The death rates for people who drink water is also 100%. Every person that has consumed water will die.
The only problem is that I can't get a TiVo. Could someone fill me in on the current state of DVRs that can currently, or will soon, hook up to my internet connection?
TiVo, with the most recent software update to 4.0, which is being rolled out to customers now, officially supports doing their "daily call" via a USB Ethernet adapter.
I wonder what really made him quit?
He finished his job. The Internet is now secure. Thanks, Howard Schmidt!
Although, unlike sex, I can just about guarantee the first time with a TiVo will be great.
And, as you can see from this thread, nobody has posted that they have a TiVo and don't love it. The fanaticism is justified, as this is truly a lifestyle-altering device.
I got my TiVo just over a month ago. Now, I don't know what I'd do without it. When I get home from work, I can spend the evening watching what I want on TV, instead of what just happens to be on at the time. In fact, I've discovered (well, actually TiVo suggested to me) a couple programs that it turns out I like quite a lot, and I catch every episode, and I have no clue what time they're on, and I only know what channel they're on because TiVo stores the channel's logo in the program listing. My only complaint is that I want another one now to resolve some scheduling conflicts (though TiVo generally does a good job at managing those itself when one of the programs is on a cable station that replays their shows throughout the day).
As time approaches infinity, the number of software projects named Firebird also approaches infinity.
It's ok though because they'll all still be different projects, so nobody will get confused.
Would you hire a convicted embezzler to keep track of your savings account?
Would you hire a rapist to babysit your daughter?
Why would you hire a former cracker to secure your network, when there are plenty of non ex-convicts with similar or better experience for the job? How well-versed on current, relevant technology do you think someone who spent the last 7 years of their life in prison and prohibited from touching a computer is? Sure, social engineering never changes, but that's only part of your security infrastructure.
It's like the gov't spying on your mail by opening them all in the post office.
Hardly. If you're not using encryption, it's like the government spying on your mail by reading your postcards.
The network is not to be trusted. This is nothing new. This is a fundamental fact. That's why SSH is preferred over Telnet. If you want privacy, it's up to you, not your ISP, to provide it for yourself.
More Coders = More Bugs
More Bugs = More Tech Support Guys
More Tech Support Guys = More Confused People
More Confused People = More Monitors with fist-sized holes in them
So it stands to reason that now would be a good time to invest in monitor companies.