Facts can be measured, scaled, repeated, seen, felt, sensed, etc. Truth and falsity are terms related to the judgements we apply to both facts and non-facts. It is a fact that repeated blows to the head will cause an individual to die. Truth is that beating someone to death is bad.
Couldn't agree more. And the big problem for us, as a truth-loving species, is that truth is subjective. You and I believe that beating someone to death is bad. But a person with a different frame of reference is going to tell you that beating an adulterous woman to death is good, and that your statement is therefore false.
Facts are hard to ascertain, but science gives us a framework for attempting to do so. Truth is impossible to ascertain, because it depends on the context in which the judgement is made. Every culture and sub-culture and even family has a different framework for determining it, and the results are often incompatible. Even among Christians, every sect and order has a slightly different take on the truth.
If we have any hope of living peaceably together on this sun-blasted rock, we have to figure out how to de-prioritize our love of truth so that we can make decisions based on facts instead of beliefs.
On an 18 hour international flight, the equivalent of 360 scans.
A large dose spread out over time is less harmful than a medium dose all in one instant. No?
Also, I'm not concerned about a well-calibrated and maintained machine, operated by a competent engineer. I am fucking terrified of being told to stand in a machine that might be malfunctioning or dys-calibrated, or where the hourly government worker at the controls doesn't know what he's doing.
You can't read stories like this and then think that everything is going to work perfectly at the checkpoints. There is a long and cherished track record of stupidity in this business.
You probably have family or friends in the US who would be willing to let you install a Mac mini or SheevaPlug or some other small, efficient computer on their home ethernet network, in exchange for a few dollars per month towards their broadband bill.
You can use port forwarding and dynamic DNS for connectivity through their router, and OpenVPN to bridge the network. Unlike commercial hosting companies there is no chance that their residential IP address will be blacklisted or that they will be shut down for selling "piracy" services to large numbers of people.
Geographical content restriction is stupid and impossible to enforce. I will *never* understand why content producers want to limit the potential audience for their work, and why sponsors are so willing to go along with it.
Slashdot users have been clamoring, begging, pleading for Unicode support for years.
And we never get it.
It should have been a simple fix back in 2004 or so. By 2008 it was embarrassing. In 2012, given all the other changes and upgrades to the site, it is absolutely un-fucking believable that we have to post in Latin.
So what is the REAL reason why it has never been added? There must be a non-technical explanation for something so obvious to be broken for so long.
I've been blocking these "attacks" using a script+firewall for many years now. And I still think that, really, OpenSSH should have a configuration switch to block them internally. But BSD folks don't see it as a real threat, and they don't want to risk having actual users to get locked out of their servers. Fair enough, I guess.
So we're left with mitigation strategies. At 6 connections per minute, it's more of a nuisance than an attack, but I've seen rates as high as 200 connections per minute in the past, and there is no reason it couldn't go higher on an out-of-the-box OpenSSH configuration.
Some solutions, as others have pointed out:
- Have ssh listen on a port other than 22
- Turn on OpenSSH's internal rate limiting (MaxStartups config)
- Use key-based authentication
- Roll your own script to grep the log for failed connections, and firewall any IP addresses with 10 or more failures
A real brute-force attack would do a portscan first so putting ssh on a high port isn't much of a solution. Key-based auth is a nearly perfect solution, except that there are situations in which it is undesirable/awkward to use keys. The others just slow down the attack, which prevents the force part of brute-force.
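The "roll your own script" option above, written out as an added example (this is not the commenter's script, and it is not OpenSSH code): it counts failed logins per source address from sshd log lines, applies the 10-failure threshold, keeps an allow-list so an admin who fat-fingers a password is never firewalled, and emits firewall rules as text for the operator to review rather than executing them. The log lines are constructed samples in the usual syslog/auth.log shape, and the allow-list address and rule syntax are assumptions.

```ruby
# Added example: detect brute-force sources in sshd logs and produce block rules.
# Not from the original comment; log lines below are constructed samples.
require 'set'

# Matches the common sshd failure messages and captures the source IPv4 address.
FAILED_RE = /sshd\[\d+\]: (?:Failed (?:password|publickey)|Invalid user) .*?from (\d{1,3}(?:\.\d{1,3}){3})/

# Addresses that must never be blocked (assumed admin workstation), so the
# script cannot lock legitimate users out, which is the concern raised above.
ALLOW_LIST = Set['192.0.2.10']

# Constructed sample log: 12 failures from one host, 3 from another,
# 11 from the allow-listed admin box, and one successful key login.
SAMPLE_LOG = [
  *Array.new(12) { |i| "Mar  4 10:00:#{format('%02d', i)} host sshd[4021]: Failed password for root from 198.51.100.7 port #{40000 + i} ssh2" },
  *Array.new(3)  { |i| "Mar  4 10:01:#{format('%02d', i)} host sshd[4050]: Invalid user oracle from 203.0.113.9 port 5100#{i}" },
  *Array.new(11) { |i| "Mar  4 10:02:#{format('%02d', i)} host sshd[4070]: Failed password for alice from 192.0.2.10 port 5200#{i} ssh2" },
  'Mar  4 10:03:00 host sshd[4090]: Accepted publickey for alice from 192.0.2.10 port 52099 ssh2'
].join("\n")

# Returns a hash of source IP => number of failed login attempts.
def failed_logins_by_ip(log_text)
  counts = Hash.new(0)
  log_text.each_line do |line|
    m = FAILED_RE.match(line)
    counts[m[1]] += 1 if m
  end
  counts
end

# Addresses at or above the threshold, minus the allow-list, sorted for stable output.
def ips_to_block(log_text, threshold: 10)
  failed_logins_by_ip(log_text)
    .select { |ip, n| n >= threshold && !ALLOW_LIST.include?(ip) }
    .keys
    .sort
end

# pf-style rule text (assumed syntax); applying it is left to the operator.
def pf_rules(ips)
  ips.map { |ip| "block in quick proto tcp from #{ip} to any port 22" }
end

if __FILE__ == $PROGRAM_NAME
  puts pf_rules(ips_to_block(SAMPLE_LOG))
end
```

Run against a real auth.log by replacing SAMPLE_LOG with the file contents; the threshold and allow-list are the two knobs worth tuning before wiring the output into a firewall.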
Congestion pricing studies from a few years ago talked about 800,000 cars per day entering Manhattan. http://wirednewyork.com/forum/showthread.php?t=6044 But most of those would be the same account over and over. And the number of cars entering the other boroughs would presumably be lower than that. Certainly there is less demand for commercial parking garages outside of Manhattan.
Well good luck with that advice. Like you say, kids are smart. They know, from constant experimentation beginning in the first few months of their lives, how the world works. And how you work.
Telling them something so utterly arbitrary ("If I see you roll around I will throw Toy Story in the trash and you will never see it again.") isn't going to square with their internal models of the way things are. Maybe if a stranger did it. But not you, unless you have been making threats like that and following through on them since they were 3 months old. And if that's the case, your kids roll around on the floor because they are utterly traumatized.
But maybe he should throw Toy Story in the trash anyway, and skip the theatrics. I mean, if your kids were addicted to crack, would you keep giving them crack in order to keep them from going through withdrawals? This is just Pixar movies now, but what are they going to do when they get old enough for even better drugs?
What kind of brillionaire would walk into Slashdot HQ, take a look around, and declare "What this company REALLY needs is its own video channel!" ??
Good video is expensive to produce, expensive to host, and completely at odds with the core functionality of Slashdot (commenting on articles you didn't take the time to read). Who is this for? Advertisers? Editors who want to be famous, or like the sound of their own voices? It isn't for me, I can tell you that much.
I don't ultimately care what /. does with their money and resources, but I will miss all of you who decide you're allergic to this kind of bullshit and move on.
Oh great, that's all we need: an excuse to weaponize copyright enforcement.
I'd rather the MPAA and RIAA didn't have anti-drone drones, thank you very much. Please keep your servers in datacenters or come up with a better plan, like distributing them over millions of peoples' iPhones.
Considering that the Citicorp tower almost fell down all by itself, I'm still going with "I'm amazed it stayed up as long as it did in the first place"...
Exactly.
For those who don't know, the Citicorp tower in midtown Manhattan was discovered to be especially prone to winds from a direction that was not anticipated by the architects. They spent years doing a massive secret retrofit to stiffen the building before a) it fell over in a Nor'easter or b) the public found out and everyone moved out. Fascinating story.
Why isn't anybody talking about the change in focus away from *state-sponsored attacks*? What does that even mean in this context?
Was Sony seriously focusing on preventing militaries and intelligence agencies from attacking its infrastructure? Damn, they must have seriously pissed off some powerful people with those rootkits!
And that still doesn't explain why their security was so damn shoddy. Unless... maybe their old CSO was focused on state-sponsored attacks, but a risk analysis put the likelihood of such an attack at near zero, so they slashed their security budget. That almost makes sense...
That's a huge revenue stream for the drug companies to just ignore because "hey, it's cured!"
Big Pharma is a cancer on society. It will mutate around this setback by discovering other markets to exploit, and then continue its growth unchecked.
Or to put it another way, fewer customers dying is never a bad thing for business. Imagine how much money Merck could make by purchasing a tobacco company once this cure is in production.
Re:WTF were they smoking? (on GitHub Hacked, Score: 2)
Pardon some of my ignorance but isn't the point of using "smart" frameworks that you wouldn't need to worry about that stuff since the framework should _know_ what parameters it's asking the users browser to submit?
surely there has to be a framework designed with that in mind? "serve the user this blabla page that has these blabla input boxes"-> from the response just read those.
seems that rails(and how github was using it) was moving business logic to random users computers and effectively taking them as a trusted part of the system? maybe the devs should spend more time playing online games and seeing crack cheaters.
As I understand it, Rails isn't taking just any fields that a user submits. It's actually checking the fields against the model and only assigning the ones it recognizes. So yeah, it "knows" the parameters it is seeing and they are all valid so we're good to go.
Except that there are fields in any model that the user *shouldn't* be able to change via form. And lo, there is a mechanism in Rails to flag those fields in the model so that this sort of thing doesn't happen: attr_accessible flags.
But attr_accessible is simplistic, and doesn't take into account that some users can change fields that others can't. Developers *should* be marking up the model for the most restricted case and then using manual assignments for users with elevated privilege. But compared to banging out a model and dropping it in and having everything just work, that's a pain in the ass.
Unless the framework can make assumptions about how access control works (attr_accessible_admin, attr_accessible_editor, attr_accessible_guest etc), there is no easy way around the problem.
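An added example, not GitHub's code or Rails itself, that reproduces the two behaviours discussed in this thread in plain Ruby so they can be run without a Rails install: an `assign_unprotected` method that accepts any submitted key matching a known column (the "it knows the parameters and they are all valid" case), beside a per-role whitelist that marks up the model for the most restricted case and grants the extra field only to an elevated role. The column names, the `guest`/`admin` roles and the per-role whitelist API are assumptions; the crafted request body is constructed.

```ruby
# Added example: mass assignment with and without a whitelist. Not from the
# original thread; the model, roles and per-role whitelist API are assumptions.

class User
  # Assumed table columns. Note that "admin" is a column the form never renders.
  COLUMNS = %i[name email admin].freeze

  # Hypothetical per-role whitelists, in the spirit of attr_accessible:
  # the restricted case is the default, elevated roles get explicit extras.
  ACCESSIBLE = {
    guest: %i[name email],
    admin: %i[name email admin]
  }.freeze

  attr_reader :attributes

  def initialize
    @attributes = { name: nil, email: nil, admin: false }
  end

  # The behaviour described above: every key that matches a column is assigned,
  # so a submitted "admin" field is accepted even though no form offered it.
  def assign_unprotected(params)
    params.each do |key, value|
      key = key.to_sym
      @attributes[key] = value if COLUMNS.include?(key)
    end
    self
  end

  # Whitelisted assignment: keys outside the role's list are dropped and
  # returned so the caller can log them (Rails logged them as "protected").
  def assign_as(role, params)
    allowed = ACCESSIBLE.fetch(role)
    rejected = []
    params.each do |key, value|
      key = key.to_sym
      if allowed.include?(key)
        @attributes[key] = value
      else
        rejected << key
      end
    end
    rejected
  end

  def admin?
    @attributes[:admin] == true
  end
end

# Constructed request body containing a field the signup form never rendered.
CRAFTED_PARAMS = { 'name' => 'mallory', 'email' => 'm@example.test', 'admin' => true }.freeze

# Unprotected model: the extra field lands in the record.
def unprotected_result
  User.new.assign_unprotected(CRAFTED_PARAMS).admin?
end

# Guest whitelist: the extra field is rejected; returns [admin?, rejected keys].
def guest_result
  user = User.new
  rejected = user.assign_as(:guest, CRAFTED_PARAMS)
  [user.admin?, rejected]
end

# Admin whitelist: the same body is accepted in full; returns [admin?, rejected keys].
def admin_result
  user = User.new
  rejected = user.assign_as(:admin, CRAFTED_PARAMS)
  [user.admin?, rejected]
end
```

The point the thread makes is visible in the three result methods: the same request body yields a privileged record under unprotected assignment, is stripped to name and email for a guest, and is only honoured in full when the controller explicitly chooses the elevated whitelist. Logging the rejected keys is the detection hook; a stream of rejected `admin` fields is worth an alert.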
It's called a battery pull. Sure, there might be a smaller battery or capacitor sitting somewhere powering the device in a stealthy manner, but that would be a concern even with your DIP switch theory--someone might put a smaller transmitter on the back of your microphone to enable signals to be sent while the DIP switch to the "real" transmitter is ostensibly disabled.
Or you just think it's a DIP switch, but it's really a thermoelectric device that uses the temperature difference between the front and back of the phone while it is in your pocket to generate a micro-current that powers a nanoscale audio recorder.
Oh I don't. Just pointing out how narrow the window is given the vastness of space and time.
Will the SETI project continue for another 3000 years? What if we're using quantum entanglement to communicate at faster than light speeds, would we even notice if a weak electromagnetic signal wandered into the neighborhood? Completely different communications gear, probably not.
So what I've learned here today is that I should ask my cloud hosting company whether they allow or encourage the use of their servers to generate bitcoin. And if they do, I should drop them for another company that doesn't.
Isn't that about the size of it? I don't want my cloud hosts to be in the same place as somebody's financial instruments, because when the burglars come looking for money they are going to give me a security nightmare at the same time.
Or maybe I should just make sure my cloud hosting company has more layers of security in place than just a password in order to gain access to ring 0.
I like the idea, but it seems to be crippled by the same optimistic streak that so many tech projects have. To put it in terms a Facebook user could understand:
Where is the Dislike button?
I admit to not reading TFA, but I've lived in California where a certain number of signatures on a petition puts some incredibly lame ideas on the ballot. Unless there is a way to balance yes votes with no votes (and people take the time to vote no!) you'll end up wasting a lot of time and money catering to the whims of ad hoc minorities while the rest of the population looks on in bewilderment and, ultimately, rejects popular democracy as unworkable.
In California, if there was a way for groups that opposed referendums to get them removed from the ballot (by collecting 4x as many signatures or something) it would be a lot more meaningful.
But 1000 years from now, observers in a planet 1000 light-years away will be receiving our current transmissions, in their very "old and inefficient" modulations.
Unfortunately, those observers will be busy working on how to make usable tools out of bronze and so our signals will pass right by. By the time they develop radio technology 3000 years later, we will either have blown ourselves into oblivion or be communicating using far more advanced technology as the parent comment suggested.
I'm a longtime Apple guy who also owns, uses, and mostly enjoys Windows Phone 7. Metro is a fresh take on what software should look like, and since Apple hasn't done any graphic innovation since 2007 I really appreciate it.
But on the desktop? Mixed in with traditional Windows applications? On your boss's computer? OMG train wreck!
Mixing two UX metaphors is an unbelievably bad idea. It's a big reason why Linux on the Desktop is a hard sell. It's why people intuitively avoid Java applications. It's why Adobe has struggled on OS X. And in all three of those cases we're talking about power users having trouble switching UX contexts.
If you do this in plain vanilla Windows you're going to have confusion on a whole new level. Grandma is not going to understand why some apps work this way and some apps work that way. Or why there are two versions of Internet Explorer. Or what happened to the Start button that I've been clicking to do *everything* for the past 15 years?
I have a lot of respect for Metro and what the team behind it is trying to do. They should just stick with a phone/tablet OS that is Metro-only all the time and not try to do this unholy mix on the desktop.
Why not make that a "residential heroin treatment center" -- give addicts a choice of inpatient, locked-door detox and treatment or to maintain their habit but live at the treatment center where they would get heroin but live under restrictive circumstances?
Some people seem to be able to manage their addiction, and given access to quality product will continue to use at the same level or even slowly reduce over time if everything else in their life is going well.
But the big problem with opiates generally is that you build up resistance. The amount that you need to take in order to get high increases over time. Also, you stop doing important things like eating and bathing, which makes it that much harder to support your habit. At a certain level your body just can't take the dosage and organs shut down.
So, you know, yes there is plenty of real estate in which to dump addicts and let them live out their addictions. But good luck finding anybody willing to pay to keep the lights on, the toilets clean, and the smack flowing in that scenario. Maybe one of these religious groups with lots of real estate but nobody left in the congregation could do it as an act of actual compassion, but that's the kind of vision that bishops never seem to have for some reason.
Hey, fun video game idea! Play god and spread your message through an expanding collection of weak-minded by charismatic prophets.
The "securer" password has a smaller character space, which means that it's 26 possible characters to the power of the length.
I think you need to do some back of the envelope math. Which is bigger, 94^9 or 26^29?
Let us know when you've worked that out. :-p
Nope. Because if an aircraft needs shooting down, it's the Air Force who comes to play.
The police don't even have the equipment (good thing) to do the job.
Think again. The NYPD commissioner bragged on 60 minutes last year that New York's Finest have the ability to shoot down aircraft. NYC Mayor Bloomberg later confirmed the remarks. http://abcnews.go.com/Blotter/nypd-shoot-planes-weapon/story?id=14608555
Nobody will say how they would do it, though.
They also say "10 million accounts". I have a hard time seeing how 10 million different people parked in NYC in a one month period (21 Jan to 25 Feb).
Yep. Too big a number. Dwarfs the number of metered parking spots in the city, which is 62,000 according to this page: http://www.parking.org/media/overview-of-the-us-parking-industry.aspx
So the moment they fix that, the company is out of business?
The moment they fix all vulnerabilities, you won't be able to jailbreak your phone.
I wonder why they have never fixed them all, then? Perhaps it is actually a hard problem to solve...
Well, people have been saying for a couple years now that Slashdot has jumped the shark.
Nothing like a big TV icon (with rabbit ears!) to really hammer that message home, guys. Say hi to Fonzi for me!
Amen.