Given that certain versions of the OS have certain known security vulnerabilities, I fail to see the distinction between guessing the OS version and finding the vulnerabilities.
Revealing my OS version allows nothing that couldn't already be done. Try again.
Revealing your password also allows nothing that couldn't already be done. After all, somebody just has to guess it (which appears to be your argument as to why revealing the OS version doesn't hurt anything).
I am talking about revealing your OS version does not make you less secure, and that is factual.
Sure, in some sort of fucked up abstract sense that has nothing to do with reality, that's factual.
Replace "OS version" with "password" in your statement. Are you claiming that revealing your password doesn't make you less secure? After all, it's just a fact which you keep secret hoping nobody else will figure it out.
There is no additional security in pretending to be secure, cause anyone who wants to can just check if he's lying or not.
You need to take a course in logic. You're talking about A => B, where I am arguing about the claim that !A => !B. These are logically distinct claims. Your arguments are irrelevant to the discussion, because we aren't even discussing the same thing.
Let's try a hypothetical situation, since you're apparently incapable of reasoning in the abstract.
Johnny installs InsecureOS 1.0. Outwardly, this OS appears to be a FreeBSD box, but that's just a farce.
Which of the following options should Johnny select?
1. Tell everybody that he is, in fact, running InsecureOS 1.0.
2. Shut the fuck up and maintain the FreeBSD farce.
3. Install a better OS.
Clearly, the right choice is option 3, but let's just arbitrarily cross that option out. Now, which is the best choice?
It is a fact that revealing certain aspects of a system makes it easier to crack. Is there any logical connection between that fact and the concept of security through obscurity? Only to people who can't think straight.
You don't seem to be able to make the distinction between these two ideas:
1. Obscurity IS security.
2. Obscurity ENHANCES security.
If we presumed to start with, oh, say random passwords between 1 and 100 characters, without duplication, then we most certainly have cut things down much more than 1/95.
There seems to be this belief that searching a keyspace randomly has a better chance of finding a password than searching it sequentially. Assuming the password is reasonably random, this is false. A random search is no better or worse than a sequential one, in terms of the per-trial probability of a hit.
However, the sequential search can possibly be optimized since we are only changing one digit of the password per iteration. Assuming certain properties of the password hashing function (namely, that it is a prefix hash), this can GREATLY speed up the computation of the hash.
(eg: picture of toast, rhymes with ghost, ghosts are scary, scary rhymes with hairy, hairy has five letters, therefore that block represents the number 5, see?)
Or, you could skip all that bollocks and notice that toast, ghost, scary, and hairy all are spelled with five letters...
26-character letters, numbers, symbols password. My machine usually has a 30 day uptime average, so I have to type it once a month - no biggy.
You only type it once a month, and yet you remember it? To me, that indicates that either 1) It is based on some memorable information, which could potentially be acquired by an attacker and used to guess your password, or 2) It's written down somewhere.
I've also considered a setup quite similar to yours... At the time, the thing standing in the way was a lack of open source VPN software that was supported on Linux, Windows, and Mac OS X. Now that OpenVPN exists, I can use that. Cool!
Thanks for letting us know you have a 30 character password. That'll be much easier to crack than having to deal with 1 - 29 and 31 - infinity length password.
Yeah, yeah, you're joking...
Telling us that the password is 30 characters doesn't risk much. There are only 1 + 95 + 95^2 + 95^3 + ... + 95^29 possible passwords less than 30 characters long. Compared to 95^30 possible 30-character passwords, this is only slightly more than 1/95th of the available password space. In other words, he's only reduced the computational effort by somewhere around 1 part in 95. This is peanuts.
You do more damage simply by revealing what version of the operating system you are using, than by revealing how many characters long your password is, especially when that number is 30.
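As an added example (my own code, not part of any of the comments above), the keyspace arithmetic behind the "1 part in 95" claim, together with a check of the earlier point that a sequential search finds a uniformly random password just as fast, on average, as a random-order search; the 95-symbol printable alphabet and the function names are assumptions.

```python
import random
from fractions import Fraction

# Constructed example: verifies the two password-search claims made in the
# comments, using exact fractions for the counting and a seeded simulation
# for the search strategies.

ALPHABET = 95  # printable ASCII, as the comment assumes


def shorter_vs_exact(alphabet=ALPHABET, length=30):
    """(1 + A + A^2 + ... + A^(L-1)) / A^L as an exact fraction."""
    shorter = sum(alphabet ** k for k in range(length))
    return Fraction(shorter, alphabet ** length)


def effort_skipped(alphabet=ALPHABET, length=30):
    """Share of all passwords of length 0..L that an attacker who is told
    the length is exactly L never has to try."""
    total = sum(alphabet ** k for k in range(length + 1))
    return Fraction(total - alphabet ** length, total)


def trials_to_hit(keyspace, target, strategy, rng):
    """Number of guesses until `target` (an int in range(keyspace)) is found."""
    if strategy == "sequential":
        order = range(keyspace)
    elif strategy == "shuffled":                      # random order, no repeats
        order = rng.sample(range(keyspace), keyspace)
    else:                                              # random, with replacement
        order = iter(lambda: rng.randrange(keyspace), None)
    for n, guess in enumerate(order, 1):
        if guess == target:
            return n


def mean_trials(strategy, keyspace=200, runs=2000, seed=1):
    """Average guesses over many uniformly random targets.
    Sequential and shuffled both average (N+1)/2; with-replacement averages N,
    because repeated guesses are wasted."""
    rng = random.Random(seed)
    total = 0
    for _ in range(runs):
        target = rng.randrange(keyspace)
        total += trials_to_hit(keyspace, target, strategy, rng)
    return total / runs


if __name__ == "__main__":
    print("shorter/exact:", float(shorter_vs_exact()))
    print("effort skipped:", float(effort_skipped()))
    for s in ("sequential", "shuffled", "replacement"):
        print(s, mean_trials(s))
```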
Yes... WinAmp tried very hard to look like a physical device that never even existed.
Does a word processing program have a picture of a typewriter that you have to click on in order to type characters? So why the fuck does an MP3 player have to look like a stereo deck?
Any facility which has ever received federal money (which is 99.9% of them) may not perform stem cell research. Want to do stem cell research? You have to build a new facility, from scratch, using non-federal funds.
That centrifuge from the old bio lab that was used to prepare blood samples from monkeys? You can't use that for stem cell research because it was paid for, back in 1993, from federal grant money.
So you see, this is a de facto ban on all stem cell research, because essentially ALL research facilities have received federal funding of one type or another in the past. In order to legally do the research, you must do everything absolutely, fucking positively from scratch.
Why would they announce this? Surely they don't want to risk a complete disaster in front of a global audience. I would have thought that the initial flights would be completely secret (of course, the intelligence communities would know about it through their spies, but not the general public).
Either China is supremely confident that this is going to work, or they've already done manned testing without making it public.
I'd make a small wager that these are not, in fact, the first two Chinese to fly into space on a Chinese rocket. Perhaps it's happened before, but in secret...
There wasn't even a LOT of wire, so it probably didn't provide too much current.
Actually, you've got it backwards. Coils with fewer turns can supply more current than coils with more turns, but at a lower voltage. More turns == more voltage, less current. Fewer turns == lower voltage, higher current.
For the purpose of charging a battery, the only concern is voltage. You have to have at least battery voltage in order to get current to flow into the battery. So ideally, you want to use as few turns as necessary to achieve the desired voltage (over-volting the battery is pointless and destructive).
"Code" encompasses more than .c files. .c files, properly written, are amazingly portable. The surrounding structure of makefiles, build tools, and libraries hardly ever is, OTOH.
I have no doubt that once I get the build environment working, I'll have very few, if any, changes to make to the code base proper. But the build environment can't just be discounted as if it doesn't exist. For large projects, especially those which have been evolving organically for over a decade (as this one has), they are nearly as complex as the code itself, require their own testing (aside from tests of the "real" code base), and are far more platform-specific.
Yeah, this bugs me (on The Know-It-All) · Score: 2, Insightful
Sometimes people who meet me think I'm an asshole because I like to quote random facts. They think I'm trying to "show off" how smart I am.
First of all, knowing a bunch of facts is not equivalent to being smart. Second of all, I am not doing it to impress you, I'm doing it because I like random facts and I want to share something with you that I enjoy. Every once in a while, I encounter somebody else who also knows a bunch of random stuff, and we end up having really fun conversations.
People also seem to think it's magic. It isn't magic, it's about reading stuff. When I was little, when I was in the bathroom I would read the ingredient lists off the back of shampoo bottles. Did you know that most shampoos contain a compound called methylchloroisothiazolinone? I have no idea what it is, but I remember how to spell it :-)
My mom bought me a periodic table placemat. I stared at that thing every morning while eating my cereal for two years. Now I know every chemical element by name, symbol, and atomic number. I'm no genius, I just stared at a placemat for hours.
Re:Read it backwards... (on The Know-It-All) · Score: 2, Funny
Sounds like good advice, but it won't protect you from grammatical errors.
Sentence in this error an is there that tell you can? It studying without?
Certainly. First, let me say that most of the differences revolve around the compilers and libraries on the systems. As I said before, the code itself runs pretty much unmodified, but the build processes are significantly different.
Some compilers require an explicit "-ansi" switch to properly compile ANSI code. HP7v8 requires the magical compiler flags "+DA1.0 +DS1.0". On Solaris, we need to add a "-Xc" flag.
The situation is complicated by the fact that we do two Solaris builds. One build is done with the native compiler, the other uses GCC. As you might expect, these require slightly different flags.
Some platforms need a "ranlib" program to build the library indexes in the .a files. Some platforms have this functionality built into the ar utility.
On Solaris, we need to link against libsunmath.a instead of the traditional libm.a. Solaris also required linker flags "-lw -lresolv -lsocket -lnsl -ldl", other platforms do not.
Don't even get me started on the difficulty of doing static/dynamic builds (we do both types) on each of the various platforms. Some of the platforms have GNU binutils. Some do not. Some are remote. Some of the platforms we compile on don't even BELONG to us (we build on the customer's system).
Did I mention that this thing works on VMS and OS/390 also? And that it depends on Motif?
I never suggested it was difficult. But portability has to be written in. You can't just stick to POSIX and assume everything will work properly. POSIX is a nice standard, but nobody follows it precisely.
Furthermore, the software I'm talking about makes heavy use of the FPU, so we need to account for all the little differences between architectures as far as floating point math. Yes, IEEE is supposed to standardize these things, but in practice there are little differences which become significant. The fact that you believe otherwise only proves that you have little real world experience.
Yeah, it's there. But you're thinking like a Linux user, not a developer :-) My job is more than just getting the thing to compile and run. I need to get it packaged up in a way suitable for endusers. We don't want to explain to our users how to get the X server running. They need to be able to just click and have the thing work.
Like I said, I'm in the middle of the project right now, so I don't know if it will be easy or hard. But I think you're jumping to the conclusion that it'll be a piece of cake just a LITTLE too soon...
It's unfortunate, but people who have only been exposed to Linux really have no clue about cross-UNIX portability. Yeah, UNIX systems are all similar, but you can RARELY take a piece of code developed on one system and just compile it magically on another.
It's much less work than, say, porting a UNIX project to run on Windows, but it's definitely much more complicated than just copying the source code to the Mac and typing "make."
ifdown eth0
Given the choice between revealing the OS version and not revealing it, a wise person would choose not to. Your machismo is inappropriate.
Does that mean that we rely on that obscurity to maintain security? Of course the fuck not.
So which is it? :-)
Thanks for the clarification. It appears the situation is not as hopeless as it seemed at first...
In other words, you rely on obscurity.