What would be the point of a check digit? The only utility of a check digit is for someone to quickly verify if a number is invalid without access to a central database. You can't prove that the number is VALID, but you can prove that it isn't -- but in this day and age, why would you ever require this ability when it's always possible to access a central database and see whether the number is assigned?
Also, the check digit is not intended to prevent forgery of numbers (the algorithms are too simple for that), they are intended to guard against data corruption. Remember, credit card check digits were invented back when credit cards were physically pressed against carbon paper to record their numbers, and the central credit agency only got called for authorization when the amounts exceeded a certain threshold -- we live in a very different world today
Then how come on of my local citizens, who spied a thief trying to steal his car, and hit said thief over the head with a bat to stop him, was arrested by the policy *on his own property*? Why is the thief now suing the homeowner for medical damages?
I think in a civilized society, we don't bash people over the head unless somebody's safety is in danger. Yes, even if they are in the process of stealing a piece of property. It's totally possible that the homeowner felt threatened of course! -- but I do not understand why a person would approach a potentially violent criminal in the process of committing a felony if he didn't have to. It's a car. Do you really want to put your life on the line in the name of justice? We pay people -- police -- to do that for us, and for good reason.
I would never attack anybody unless they physically threatened or assaulted somebody or were OBVIOUSLY about to do so, and even then only if I could not see a plausible way out of the situation. Isn't this one of the basic lessons in any self defense discipline?
His business presumably has customers. These customers are probably just as concerned with their IP as he is with his. As such, why would his customers choose to do business with a company in a country that does not respect IP?
This actually is a flaw in x86. Under the x86 segmentation model, it is impossible to transfer control from ring0 code to lower-privileged code. This is precisely to prevent this type of attack, where you can trick the kernel into calling a function inside user-controlled memory. (You can, of course, transfer control from ring0 to a less privileged ring, but it's far more deliberate process).
However, Linux doesn't really use the segmentation system all that much. Instead it relies on the paging model to enforce the user/supervisor distinction. Problem is, the x86 does NOT prevent code running from a supervisor page from transferring control to a user page. Intel's excuse for this is that "you can use segmentation to achieve that protection" but as we all know, nobody uses segmentation for shit.
Let me say this all over again. The bug is not in the kernel -- it was performing a NULL check which gcc was optimizing away. It is not a bug in gcc, because according to the ANSI C standard, NULL cannot be dereferenced, and therefore a dereference followed by a NULL-check is redundant and can be optimized. It is a bug in the kernel build system (for not setting the proper flags to tell gcc that's it's not compiling ANSI C code, it's compiling kernel code) and it is also a bug in the CPU itself (for allowing direct transfer of control from supervisor pages to user pages)
"IP loss" does not exist. At least not loss of copyright, patent, or trademark rights. If somebody infringes your IP, you sue them. I don't really see what the problem is, unless all of your IP is kept as a trade secret such that third party disclosure completely fucks you. Copyright your software, patent what's patentable, and stop being so damn paranoid.
Do you think some company could actually start up, using your software and patented methods, and steal your customers, and you won't NOTICE? Are you just completely oblivious to your own market sector or something?
I saw Moxie's talk at BlackHat. Extremely good presentation. There are three things necessary to carry out this attack:
1. You need to convince a CA to sign your CR when you have a \0 in the common name. 2. You need to target a browser or other application that uses a vulnerable certificate parser. 3. You need to be able to execute a MitM attack.
And of course, there's a weak "4":
4. You need to be able to forge the OCRP "Try later" response, which is trivial since you're already "in the middle."
As far as part #1, the CAs have been informed, and no longer will sign a CR where the common name has a \0 character. But there may be (in fact, definitely are) null-prefix certificates in the wild which were created before this issue was widely known As far as part #2, the application teams are scrambling to fix their implementations As far as part #3, the various MitM methods are well known and not specific to this attack As far as part #4, the OCRP protocol is terminally brain dead and needs to be chucked out the window, or at least revised such that all of the valid response codes require a signature payload to authenticate that the OCRP response is actually from a legitimate CA
Besides, she's probably fine. The purpose of libel law is not to stop people ranting or spouting off-hand thoughts, but rather to prevent false and malicious statements of fact.
She might be "probably fine" but I can speak with unfortunate experience, having been sued for defamation because of a formal complaint to a licensing board which was filed by my wife against a licensed professional. Yes folks, you are open to legal action by following proper procedures. This wasn't like we took out a full-page ad in the newspaper badmouthing this person, or posted garbage on a web site. This was a formal written complaint which was composed according to stated procedures of the licensing board. (The licensing board, upon hearing of this, basically said "Oh my god, we're sorry. That's tragic. But she's within her rights to do it.")
First of all, we were INCREDIBLY lucky that we had insurance which would cover our attorney's fees. We were served back in January. Since then, there have been multiple depositions my wife has had to attend, and a court date set in August, although our attorney is trying to get that pushed back.
Because this person did not hire an attorney, she herself was the interviewer in my wife's depositions. Basically, my wife was interrogated at length by the person who is suing us.
I cannot begin to describe the pain, stress, sleepless nights. On top of this, our attorney has been silent as to whether or not we have a chance of even winning this. Everybody to whom I have described the circumstances in detail, says that it is the most ridiculous thing they have ever heard. I will not, for obvious reasons, go into the details here. Suffice it to say that our complaint was completely truthful.
So maybe we'll "be fine" but in the meantime I've spent a few weeks in a row vomiting when I get up in the morning, worrying that we're going to lose our house and life savings. This has been the worst year of our lives and we have some pretty bad years to compare it against.
I advise everybody who wants to complain about anything to do one simple thing: shut the fuck up and go on about your business.
You might say that a decade and a half of old search engine technology has trained me to make computer-based queries, but damnit it works, and I don't look forward to the unwashed masses breaking it.
The unwashed masses are the ones who write the web pages. The web pages which Google's PageRank uses to figure out the relationships and rankings. Perhaps Bing can be manipulated in such and such a way, but so can Google. We all know the stories of manipulation of Google results by link spamming, Google Bombing, etc.
As long as humans are creating the content, they will be in control of how it is organized and ranked, even if this is carried out by an algorithm. Bing is no more inherently susceptible to this than any other method. I'm not defending Bing or criticizing it either. I haven't even used the thing.
Take advantage of the fact that JPEG quantized the chrominance information more aggressively at higher compression levels. Quite ridiculously so, in fact. Look at these three images. The first two are the Cb and Cr channels of a highly-compressed JPEG. The third is the luminance channel. Notice that there is WAY more information contained in the luminance channel. This effect gets more and more extreme as JPEG quality goes down.
Quantifying this is a different question. Look at the histograms of each of the three channels. The histogram of Cb and Cr is extremely sparse, with a few large peaks, but with no energy in most buckets. The luminance channel, on the other hand, has a much more detailed histogram. I leave it up to the reader to create a formula to boil this all down to a single number.
Why not find a reason to smile for real instead of faking it? I normally smile in pictures with my wife because... I'm in a picture next to my wife. If being next to your wife for a photograph isn't sufficiently pleasant to help you crack a genuine smile I wonder why you married her.
It was Hero's Quest and Might and Magic III that I was addicted to. They are actually the reason I got back into programming after dropping it as an interest for a while -- my life probably would have turned out completely different without those games. My first real forays into C programming were savegame-editor programs for those two games.
Being a teen, with no real experience, I was limited in what I could do. But I was able to alter the strings shown in Hero's Quest (of course, I changed them to obscenities) as well as hack a few of the statistics. With MMIII, I actually managed to decode almost all of the save game format, painstakingly writing down (on PAPER!) hundreds of flags, enum values, offsets. I decoded every possible item type in the game, along with their modifier flags, the offsets of the various statistics, the field where the current "time of day" was stored, etc.
These days people seem to frown on that kind of reverse engineering and hacking, preferring to call it "cracking" instead. Poo on that. My career started with that.
Because the other theory hasn't been tested, and might be wrong.
The point is that the chances that each celestial body's magnetic field is due to a unique generator are... Well, let's say that that is not what we typical see in scientific history. Similar effects are generated by similar causes, especially at planetary scales.
(I see that I've been misled by the summary, as usual. Yes, I should RTFA. But the editors should fucking WTFS in a manner resembling responsible journalism. Could currents in the oceans modulate the magnetic field? Worth investigation, I think.)
Yeah, that makes a whole hell of a lot of sense. Why not invent some brand new, goofy theory that applies only to the Earth and not to any of the other celestial bodies that we know have magnetic fields which DON'T have oceans? Has somebody never heard of Occam's Razor? Instead of one theory which works to explain all magnetic fields on all celestial bodies why not invent something stupid for no good reason?
It wasn't pea-sized the whole way down. It was probably quite a bit bigger than that initially (it would have to be to make it all the way to the surface). That's just the size it had been burned down to by the time it reached ground. It must have been moving pretty damn fast.
Actually, that's why I chose a CORNER house abutting a busy road. Visibility in multiple directions, with heavy traffic. Now, maybe it's overly optimistic to assume somebody would report it if they saw me being dragged into somebody's house... But it's better than nothing, and I did think about the safety of the situation at the time.
I can't remember why I didn't just tell the bus driver what had happened.
When I was in the 7th grade or so, I got on the wrong bus home from school. Since I would read on the bus, I didn't notice that the route was wrong until I looked up 20 minutes into the drive. I don't know why, but instead of telling the driver my situation, I just got off the bus. I had NO idea where I was. I walked several blocks one way, hoping I'd see something familiar. Failing that, I turned around and walked the other way. Still unfamiliar.
After a half hour I just walked to the nearest corner house, knocked on the door, and meekly asked to use a phone. My mom came and picked me up.
That was before everybody had a mobile phone. If I'd had one, I would have just called mom.
I find it hard to believe that a school-age child could not understand the concept of calling home if they get lost.
Seizure of all assets? And if the company is, say, 50% owned by public shareholders, you'll just screw the public by taking their money? I guess you're willing to steal money from peoples' retirement funds.
It is already illegal, because this was medical data. For allowing this data to escape, UCB is subject to civil monetary penalties under HIPAA. These penalties go at $100 per violation, which means they'd theoretically owe $16,000,000. Unfortunately, the penalty is capped at $25,000 per year, so it's going to be a drop in the bucket.
Now, if the data was compromised knowingly by an employee of the University, then that employee as well as the university would be subject to criminal fines of up to $250,000 and up to ten years prison time. But that's probably not the case here.
The RIAA might be a crew of pirates themselves, but it's not lying. I discountinued sleeping at approximately 8:00 AM this morning. That doesn't mean I won't be sleeping again later...
"Your" mailbox is the property of the Federal government. So in the case of the US mail, depositing "junk" into a mailbox is not a property rights issue, as the mailbox is not your property in the first place.
Wasting the computing resources of a privately owned computer system is a different story. That IS your property.
So, I'm supposed to twist my panties over a somewhat poor decision to hire a guy who represented a bunch of people from a slowly dying industry... Because of what? Because he got in the way of my ability to download copyrighted music? If that's the only thing that actually matters to you, then I have a fairly clear idea of your status as an ethical being -- somewhere between a monokaryote and a fungus.
The guy has announced he's going to close down fucking Guantanamo. But apparently, it's more important to you that you're able to download a couple of MP3's without being bothered by pesky copyright laws. Go buy a fucking violin, make your own music, and get a sense of perspective.
Slashdot Mirror
What would be the point of a check digit? The only utility of a check digit is for someone to quickly verify if a number is invalid without access to a central database. You can't prove that the number is VALID, but you can prove that it isn't -- but in this day and age, why would you ever require this ability when it's always possible to access a central database and see whether the number is assigned?
Also, the check digit is not intended to prevent forgery of numbers (the algorithms are too simple for that), they are intended to guard against data corruption. Remember, credit card check digits were invented back when credit cards were physically pressed against carbon paper to record their numbers, and the central credit agency only got called for authorization when the amounts exceeded a certain threshold -- we live in a very different world today
Then how come on of my local citizens, who spied a thief trying to steal his car, and hit said thief over the head with a bat to stop him, was arrested by the policy *on his own property*? Why is the thief now suing the homeowner for medical damages?
I think in a civilized society, we don't bash people over the head unless somebody's safety is in danger. Yes, even if they are in the process of stealing a piece of property. It's totally possible that the homeowner felt threatened of course! -- but I do not understand why a person would approach a potentially violent criminal in the process of committing a felony if he didn't have to. It's a car. Do you really want to put your life on the line in the name of justice? We pay people -- police -- to do that for us, and for good reason.
I would never attack anybody unless they physically threatened or assaulted somebody or were OBVIOUSLY about to do so, and even then only if I could not see a plausible way out of the situation. Isn't this one of the basic lessons in any self defense discipline?
His business presumably has customers. These customers are probably just as concerned with their IP as he is with his. As such, why would his customers choose to do business with a company in a country that does not respect IP?
This actually is a flaw in x86. Under the x86 segmentation model, it is impossible to transfer control from ring0 code to lower-privileged code. This is precisely to prevent this type of attack, where you can trick the kernel into calling a function inside user-controlled memory. (You can, of course, transfer control from ring0 to a less privileged ring, but it's far more deliberate process).
However, Linux doesn't really use the segmentation system all that much. Instead it relies on the paging model to enforce the user/supervisor distinction. Problem is, the x86 does NOT prevent code running from a supervisor page from transferring control to a user page. Intel's excuse for this is that "you can use segmentation to achieve that protection" but as we all know, nobody uses segmentation for shit.
Let me say this all over again. The bug is not in the kernel -- it was performing a NULL check which gcc was optimizing away. It is not a bug in gcc, because according to the ANSI C standard, NULL cannot be dereferenced, and therefore a dereference followed by a NULL-check is redundant and can be optimized. It is a bug in the kernel build system (for not setting the proper flags to tell gcc that's it's not compiling ANSI C code, it's compiling kernel code) and it is also a bug in the CPU itself (for allowing direct transfer of control from supervisor pages to user pages)
Remote exploit --> user shell --> local exploit --> r00ted.
Remote exploit + local root exploit == remote root exploit. Always.
Uh... because theft of IP and confidential data is not illegal?
"IP loss" does not exist. At least not loss of copyright, patent, or trademark rights. If somebody infringes your IP, you sue them. I don't really see what the problem is, unless all of your IP is kept as a trade secret such that third party disclosure completely fucks you. Copyright your software, patent what's patentable, and stop being so damn paranoid. Do you think some company could actually start up, using your software and patented methods, and steal your customers, and you won't NOTICE? Are you just completely oblivious to your own market sector or something?
I saw Moxie's talk at BlackHat. Extremely good presentation. There are three things necessary to carry out this attack:
1. You need to convince a CA to sign your CR when you have a \0 in the common name.
2. You need to target a browser or other application that uses a vulnerable certificate parser.
3. You need to be able to execute a MitM attack.
And of course, there's a weak "4":
4. You need to be able to forge the OCRP "Try later" response, which is trivial since you're already "in the middle."
As far as part #1, the CAs have been informed, and no longer will sign a CR where the common name has a \0 character. But there may be (in fact, definitely are) null-prefix certificates in the wild which were created before this issue was widely known
As far as part #2, the application teams are scrambling to fix their implementations
As far as part #3, the various MitM methods are well known and not specific to this attack
As far as part #4, the OCRP protocol is terminally brain dead and needs to be chucked out the window, or at least revised such that all of the valid response codes require a signature payload to authenticate that the OCRP response is actually from a legitimate CA
Besides, she's probably fine. The purpose of libel law is not to stop people ranting or spouting off-hand thoughts, but rather to prevent false and malicious statements of fact.
She might be "probably fine" but I can speak with unfortunate experience, having been sued for defamation because of a formal complaint to a licensing board which was filed by my wife against a licensed professional. Yes folks, you are open to legal action by following proper procedures. This wasn't like we took out a full-page ad in the newspaper badmouthing this person, or posted garbage on a web site. This was a formal written complaint which was composed according to stated procedures of the licensing board. (The licensing board, upon hearing of this, basically said "Oh my god, we're sorry. That's tragic. But she's within her rights to do it.")
First of all, we were INCREDIBLY lucky that we had insurance which would cover our attorney's fees. We were served back in January. Since then, there have been multiple depositions my wife has had to attend, and a court date set in August, although our attorney is trying to get that pushed back.
Because this person did not hire an attorney, she herself was the interviewer in my wife's depositions. Basically, my wife was interrogated at length by the person who is suing us.
I cannot begin to describe the pain, stress, sleepless nights. On top of this, our attorney has been silent as to whether or not we have a chance of even winning this. Everybody to whom I have described the circumstances in detail, says that it is the most ridiculous thing they have ever heard. I will not, for obvious reasons, go into the details here. Suffice it to say that our complaint was completely truthful.
So maybe we'll "be fine" but in the meantime I've spent a few weeks in a row vomiting when I get up in the morning, worrying that we're going to lose our house and life savings. This has been the worst year of our lives and we have some pretty bad years to compare it against.
I advise everybody who wants to complain about anything to do one simple thing: shut the fuck up and go on about your business.
You might say that a decade and a half of old search engine technology has trained me to make computer-based queries, but damnit it works, and I don't look forward to the unwashed masses breaking it.
The unwashed masses are the ones who write the web pages. The web pages which Google's PageRank uses to figure out the relationships and rankings. Perhaps Bing can be manipulated in such and such a way, but so can Google. We all know the stories of manipulation of Google results by link spamming, Google Bombing, etc.
As long as humans are creating the content, they will be in control of how it is organized and ranked, even if this is carried out by an algorithm. Bing is no more inherently susceptible to this than any other method. I'm not defending Bing or criticizing it either. I haven't even used the thing.
Take advantage of the fact that JPEG quantized the chrominance information more aggressively at higher compression levels. Quite ridiculously so, in fact. Look at these three images. The first two are the Cb and Cr channels of a highly-compressed JPEG. The third is the luminance channel. Notice that there is WAY more information contained in the luminance channel. This effect gets more and more extreme as JPEG quality goes down.
Histograms
Quantifying this is a different question. Look at the histograms of each of the three channels. The histogram of Cb and Cr is extremely sparse, with a few large peaks, but with no energy in most buckets. The luminance channel, on the other hand, has a much more detailed histogram. I leave it up to the reader to create a formula to boil this all down to a single number.
So you're a bitter SOB that the world would probably be better off without. Ok then.
Why not find a reason to smile for real instead of faking it? I normally smile in pictures with my wife because... I'm in a picture next to my wife. If being next to your wife for a photograph isn't sufficiently pleasant to help you crack a genuine smile I wonder why you married her.
It was Hero's Quest and Might and Magic III that I was addicted to. They are actually the reason I got back into programming after dropping it as an interest for a while -- my life probably would have turned out completely different without those games. My first real forays into C programming were savegame-editor programs for those two games.
Being a teen, with no real experience, I was limited in what I could do. But I was able to alter the strings shown in Hero's Quest (of course, I changed them to obscenities) as well as hack a few of the statistics. With MMIII, I actually managed to decode almost all of the save game format, painstakingly writing down (on PAPER!) hundreds of flags, enum values, offsets. I decoded every possible item type in the game, along with their modifier flags, the offsets of the various statistics, the field where the current "time of day" was stored, etc.
These days people seem to frown on that kind of reverse engineering and hacking, preferring to call it "cracking" instead. Poo on that. My career started with that.
I'm sure a lot of people will be happy with this. Now they'll be able to abuse narcotics more easily without worrying about liver damage.
Because the other theory hasn't been tested, and might be wrong.
The point is that the chances that each celestial body's magnetic field is due to a unique generator are... Well, let's say that that is not what we typical see in scientific history. Similar effects are generated by similar causes, especially at planetary scales.
(I see that I've been misled by the summary, as usual. Yes, I should RTFA. But the editors should fucking WTFS in a manner resembling responsible journalism. Could currents in the oceans modulate the magnetic field? Worth investigation, I think.)
Yeah, that makes a whole hell of a lot of sense. Why not invent some brand new, goofy theory that applies only to the Earth and not to any of the other celestial bodies that we know have magnetic fields which DON'T have oceans? Has somebody never heard of Occam's Razor? Instead of one theory which works to explain all magnetic fields on all celestial bodies why not invent something stupid for no good reason?
It wasn't pea-sized the whole way down. It was probably quite a bit bigger than that initially (it would have to be to make it all the way to the surface). That's just the size it had been burned down to by the time it reached ground. It must have been moving pretty damn fast.
Actually, that's why I chose a CORNER house abutting a busy road. Visibility in multiple directions, with heavy traffic. Now, maybe it's overly optimistic to assume somebody would report it if they saw me being dragged into somebody's house... But it's better than nothing, and I did think about the safety of the situation at the time. I can't remember why I didn't just tell the bus driver what had happened.
When I was in the 7th grade or so, I got on the wrong bus home from school. Since I would read on the bus, I didn't notice that the route was wrong until I looked up 20 minutes into the drive. I don't know why, but instead of telling the driver my situation, I just got off the bus. I had NO idea where I was. I walked several blocks one way, hoping I'd see something familiar. Failing that, I turned around and walked the other way. Still unfamiliar.
After a half hour I just walked to the nearest corner house, knocked on the door, and meekly asked to use a phone. My mom came and picked me up.
That was before everybody had a mobile phone. If I'd had one, I would have just called mom.
I find it hard to believe that a school-age child could not understand the concept of calling home if they get lost.
Seizure of all assets? And if the company is, say, 50% owned by public shareholders, you'll just screw the public by taking their money? I guess you're willing to steal money from peoples' retirement funds.
It is already illegal, because this was medical data. For allowing this data to escape, UCB is subject to civil monetary penalties under HIPAA. These penalties go at $100 per violation, which means they'd theoretically owe $16,000,000. Unfortunately, the penalty is capped at $25,000 per year, so it's going to be a drop in the bucket.
Now, if the data was compromised knowingly by an employee of the University, then that employee as well as the university would be subject to criminal fines of up to $250,000 and up to ten years prison time. But that's probably not the case here.
The RIAA might be a crew of pirates themselves, but it's not lying. I discountinued sleeping at approximately 8:00 AM this morning. That doesn't mean I won't be sleeping again later...
"Your" mailbox is the property of the Federal government. So in the case of the US mail, depositing "junk" into a mailbox is not a property rights issue, as the mailbox is not your property in the first place.
Wasting the computing resources of a privately owned computer system is a different story. That IS your property.
So, I'm supposed to twist my panties over a somewhat poor decision to hire a guy who represented a bunch of people from a slowly dying industry... Because of what? Because he got in the way of my ability to download copyrighted music? If that's the only thing that actually matters to you, then I have a fairly clear idea of your status as an ethical being -- somewhere between a monokaryote and a fungus.
The guy has announced he's going to close down fucking Guantanamo. But apparently, it's more important to you that you're able to download a couple of MP3's without being bothered by pesky copyright laws. Go buy a fucking violin, make your own music, and get a sense of perspective.