Rather than putzing around with a second debit card on a second account, why not just keep $50 in cash on you at all times, or alternatively, a credit card?
I don't trust myself with a credit card, for one. I have enough liquidity that I can cover pretty much any day-to-day emergency without having to go into debt over it. I do keep around $40 on me, for those places I go to that don't take a card, but that's less and less.
You keep your spending money in your primary account?
My main checking account, yes. My main savings account doesn't have debit card access, and I have a secondary checking account with my nest egg in it and a debit card just in case something happens to the debit card for my main checking account (so I don't get stranded at a restaurant without a means to pay, for instance).
The future of money is already here...
what kind of money you'll be putting into vending machines 25 years from now
I already rely on cash only as much as absolutely necessary. With a debit card, I can pay for any credit card transaction directly out of my checking account, and more and more places are accepting credit cards every day. Hell, in bigger cities, you can even use a credit card in places like a Jack in the Box drive thru. In 25 years it'll be even more pervasive.
Some places now are even supporting debit cards directly and require me to enter my PIN... all the better, that extra layer of security is a little comforting. If my card is ever stolen though, I'm limited in liability to $50, thanks to credit card laws that apply even though it technically isn't a credit card, and I keep a little nest egg tucked away in an unrelated account to tide me over while the bank tracks down and fixes any unauthorized use of my main account.
Sure, it's not exactly a model of privacy since every purchase I make is logged on my account, but I consider the security of my money more important as a real issue than the nebulous fear that someone, somewhere is going to exploit the fact that I like buying cheeseburgers for lunch.
When he "logged out" he didn't really log out but he put up a fake password prompt. The next person would log in, but it would say "password incorrect," store the password, log the original guy out, and show the real login prompt.
Don't think you're safe on a multiuser system either.
A Windows-based multiuser system would be safe from this sort of attack. Windows servers can be set to require the user to hit the system key combination, Ctrl-Alt-Del, before entering their login information. Ctrl-Alt-Del is not trappable in any fashion by any userspace program and can be set to always transfer control to the system. If you're on a Windows server and you hit Ctrl-Alt-Del, you can be absolutely sure that the window that pops up next is a legit system dialog.
What the hell are you supposed to do when someone decides to be an ass and demagnetize your card? Does your money just vanish since you can't scan it and it carries no identifying information?
How's that any worse than when someone decides to be an ass and burn your cash? I'd hardly call it a "fatal flaw" since it's no worse than the alternative in that respect.
Would you rather have a system where they can track your purchases, but provides security for your money, or one that protects your anonymity but doesn't guarantee your money? You can't really have it both ways.
Oh, and your liability as an OSS developer is fundamentally different from that of a company selling software
I'm afraid I disagree. Legal precedent points firmly in the direction that the law doesn't care whether you're doing something for profit or if you're doing it gratis when it comes to determining liability, especially when it comes to professional services.
A doctor can be held liable if he, out of the goodness of his heart without expectation of compensation, assists at an accident scene, and through his actions someone is injured or dies. A lawyer can be held liable if he, as a friendly gesture without being paid, gives someone bad legal advice.
There's absolutely no reason to believe that programming would be treated any differently by the courts.
We need to put blame where blame belongs, and that is the company that originated this faulty and shoddy product
I disagree completely on the fact that holding Microsoft responsible would be a chilling precedent that would effectively squelch software development, because all software has bugs.
Would you contribute to Open Source projects if you knew that any bug you write, no matter how obscure and unintentional, might become a liability to you? Would getting your name in the changelog of the kernel be worth putting your financial future at risk?
Oh, and it doesn't matter who discovers the bug. Even if it's discovered before it's exploited and you issue a patch for it (as Microsoft did in this case, I might add), you think the software author should still be held liable? Even though you did your part and fixed the bug? Isn't it the sysadmin's fault at that point?
Homestar Runner is being slashdotted? Just what we need... they just got through a month of having server trouble due to increasing traffic, and now with all the new viewers they're going to get by being mentioned here, looks like we'll be in for another month of slow page loads on Mondays.
That said, Strong Bad emails have quickly become a weekly tradition in the office. We all gather around every Monday to see the newest installment, and we're rarely disappointed. If the Brothers Chaps don't end up with a TV show before too long, I'll be surprised.
Look at web servers, however. Apache is twice as popular as IIS, and yet there are several times more security issues with IIS than with Apache. That cannot be explained by relative obscurity.
That can be explained by the fact that IIS and Apache are entirely different types of software. IIS is not simply a web server. IIS provides a whole host of services, and with one exception that I can think of (Unicode ".."), all of the IIS vulnerabilities reported so far are due to the extra services, such as the network print services, not due to the web server itself.
If you want a fair comparison, compare IIS against an installation of Apache with a whole bunch of CGI scripts and Apache Modules to do all sorts of system administration tasks.
Now, granted, all those extra services IIS provides should really be off by default, but for their part, Microsoft provides a checklist of things you should do to secure IIS if you're interested in security even in the least. If you'd followed their checklist, none of the recent IIS security problems would have affected you.
I don't think you can solely blame admins for not patching. Some blame HAS to fall on the coders who left the hole open in the first place.
Bullshit. All software has bugs. All software. Even Open Source software. Even high profile Open Source software that has many more eyes looking over the code than normal. Even that brand new Linux kernel you just installed has security holes in it. I guarantee it.
Bugs are a part of software. When you install anything, you need to take that into account: when holes are discovered, they get patched. If you fail to patch, the fault lies directly on you. Microsoft did their part.
Someone should do a parody site of AICN and call it Isn't it Cool. And run the same news Harry runs, but with corrected grammar, spelling, and a good design.
I've already condensed all the useful information from AICN into an easily navigable site. Check it out here.
"People can't "pirate" subs, gyros, or muffulettas."
the gauntlet is thrown.
Head on over to opensandwich.sourceforge.net. It's a new P2P (Plate to Plate) sandwich sharing application. You can search by bread type, meat type, album, and condiments. It's still in beta though, so be sure to check the sandwiches you download before consumption!
When are these people going to learn that if they spend 6 months developing a technology to "protect" their copyrighted info, it will take 6 days (if that) for someone to defeat it?
Congratulations on missing the point entirely. The RIAA does not believe they can stop file sharing, and they're right. What they're doing, though, is waging a war of attrition. Napster was immensely popular to the point where it was mainstream. The RIAA banked on the fact that if they took out Napster, two things would happen (and have happened):
Some people threw up their hands and simply accepted that there was no more file sharing at all, even if only for a while. This arguably happened since none of the second-generation P2P providers have claimed user numbers as large as Napster did in its heyday. Obviously people will start buying into newer P2P programs over time, but mainstream does not follow the cutting edge.
There are multiple replacements for Napster. This is true, as today there is Gnutella (yeech), Kazaa, WinMX, and whatever else is out there today. The userbase is now fragmented which means that on any given P2P app, the selection is less diverse, which reduces the value of P2P.
They intend to bludgeon P2P into irrelevance, not into non-existence. By attempting to tear apart Kazaa like they did with Napster, they further their goals in that arena, and by undermining confidence in non-centralized P2P networks, they're furthering their goals in that area.
They expect everything for free and delivered on a gold plate. Pffft!
Perhaps they expect that because that's what evangelists have been saying Open Source software delivers? I certainly don't recall Eric Raymond touring the world to spout off the virtues of "your choice from a vast collection of free (as in beer and speech) software that is stuck in perpetual alpha or beta".
After all, who could resist attacking another country to show off our nice Blueberry bombers, using our new Raspberry radar technology, and firing off our arsenal of iNuke X 10.2 ICBMs (with leopard print warheads). Military tech has been stuck in the same putrid earthy shades of green and brown for far too long!
Just gotta wonder how well those translucent plastic helmets will protect the heads of our soldiers....
and despite how nice the screenshots look, there's no animation. Chess boards are more exciting
I downloaded Falcon's Eye just yesterday, coincidentally enough, after seeing it on the GNU Win II site from yesterday's story here on Slashdot.
Even without animation, I find I enjoy the graphical interface much more than a text-based interface, or even the "official" tile-based interface to Nethack. I was never really able to get into the game up until now.... and now I can't put it down.
Someone should really take Nethack and make it truly 3D.
The point of Palladium is that you will no longer have "root" access to your own machine.
I know I'll never buy a PC like that. No matter what kind of "cool" applications it has. Even if it means I have to stay with my current computer as it fades into obsolescence. There's a line in the sand that I won't cross, and being deemed too untrustworthy to use my own computer to its full potential is over that line.
I can only hope that other techies feel strongly enough about the issue to vote with their wallets similarly. If Palladium sufficiently disgusts the early adopter market, it won't have the momentum to propel it into the mass market, and then from there, into ubiquity. It happened with Divx, hopefully lightning will strike twice. And most importantly, it'll give Microsoft and other supporters of Palladium a nice stark reminder that their customers, the people they make profit from, are the end-users, not the content cartels.
From what I understand, Python is mainly used for server side scripting.
These days, so is Java.
If the system is compromised all bets are off.
Oh, absolutely. What I meant by "legit system dialog" isn't that it's legit in the security sense, just that it's guaranteed not to be a simple subterfuge set up by another normal user on the system like the parent post described. That's where trust comes into play: you have to trust the system (and its ability to keep the trusted path unmolested), but not necessarily the other users of the system.
ground-breaking paper was simply signed with the initials "CM, Renfrew"
CM obviously stands for CowboyMeal, which is CowboyNeal's pen name.
...and if you don't have DVT, you aren't trying hard enough.
How would you feel if the servers you get open-source applications from were made unusable because someone attacked the network they were hosted on?
:p
I'd hardly call VA's lack of a business plan an "attack" on SourceForge.
Dittus tailors each coalition and grassroots program to help our clients run a successful campaign.
You know Corporate America has reached a new high (low?) when you can outsource a grassroots campaign.
That's exactly what I do on my website's forums and it works like a charm.
When I was benchmarking web servers in *1994*, servers could handle 100,000/hr, which is only about 30/sec.
But this is a Java-based server we're talking about.