Slashdot Mirror


User: Unequivocal

Unequivocal's activity in the archive.

Stories: 0
Comments: 831

Comments · 831

  1. Re:Same private key? on PS3 Root Key Found · · Score: 1

    This thread is taking all the oxygen out of the discussion. Please stop.

  2. Re:I wonder... on PS3 Root Key Found · · Score: 1

    Yeah - as with the solution DVDJon came up with way back when. In that case a professor (MIT?) came up with a prime number which when compiled generated the DVD crack executable. Which put the judge in a position of saying that the prime number itself belonged to the DVD consortium under DMCA.

    We just need to find a mathematical truism that corresponds to this key. :)

  3. Re:Once it was said: on Apple Passes $300B Market Cap, 2nd In the World · · Score: 1

    I'll second this - I have a technical/software background but not much A/V. I tried to get Windows 7 Pro to serve movies to Playstation 3. Not fun. PS3 can see the machine but getting the folders, permissions and all that right was beyond me. I actually gave it an hour on two separate occasions. Probably easy but not for me.

    I found a simple Java PS3 OSS project that I got running in 15 minutes. It lets me configure a bunch of stuff that ought to be easy anywhere (like: from which folders can movies be read, how much bandwidth should be allowed over the wire). I know WM7 can do all this but I couldn't figure it out - the UI felt like GM car controls (oblig car analogy satisfied).

  4. Re:The code doesn't even have to be in the source on De Raadt Doubts Alleged Backdoors Made It Into OpenBSD · · Score: 1

    Can't you just compare your compiler binary with a known good source? If they're different and they should be the same then the warning bells go off. And it seems like borrowing a gc binary from someplace far away from your codebase and toolchain and trusted ought to be a simple way to bootstrap back into safe territory?

  5. Re:Prototyping and Small Projects on RubyGems' Module Count Soon To Surpass CPAN's · · Score: 1

    JRuby had a number of performance advantages (and some disadvantages) over Ruby 1.8.x when I last looked, but looking again now, I can see that Ruby 1.9 has killed it in terms of optimizations on some basic test cases: http://programmingzen.com/2007/12/03/the-great-ruby-shootout/

    http://www.rubyinside.com/the-2010-ruby-implementation-performance-shootout-3554.html

    "Ruby 1.9.2 RC2 and JRuby 1.5.1 are almost joint first place for fastest Ruby implementation"

    But my point was mostly that if you're already running an enterprise Java stack then running JRuby could offer a lot of conveniences and hackability to integrate into the rest of the tool chain. But we're both speculating on all this.

    Thanks for the civil dialog!

  6. Re:Irrelevant statistic... on RubyGems' Module Count Soon To Surpass CPAN's · · Score: 1

    You're totally right - I forgot about all those perlisms (cabalistic characters) in Ruby. I'm not going to thank you for reminding me but thanks for the correction.

  7. Re:What a suprise on Obama FCC Caves On Net Neutrality · · Score: 1

    FCC is a congressional commission, so in effect it is an arm of Congress. Congress can certainly de-fund it but it can also change how it manages it. It is different from how it works between Congress and NTIA/Commerce which is an executive branch agency.

    We'll see how things play in the next House, but Rockefeller was head of the committee which administers FCC and has been largely supportive of NN so far as best as I can tell. So why Genachowski didn't go further with support of two other commissioners and the head of the committee who manages him, I have no idea.

  8. Re:What a suprise on Obama FCC Caves On Net Neutrality · · Score: 1

    Everyone I've heard discuss this at policy level (business, FCC and consumer advocates like Public Knowledge) seems to agree that "reasonable network management" exemptions are ok in a net neutral policy, so I think your language needs a little more nuance, but I agree that from a principled perspective you've got it right.

  9. Re:Prototyping and Small Projects on RubyGems' Module Count Soon To Surpass CPAN's · · Score: 1

    I didn't say the message queue was in Ruby. I do believe that they are still using Ruby in parts of their stack, and the blog article you cite seems to support that. And though the blog doesn't indicate it, if they are using Java heavily for their queue, then I'd bet that they are using JRuby for where they are implementing Ruby still b/c regular Ruby interpreter blows. If they already have enterprise Java running in their environment then JRuby is a natural fit.

    Thanks for the ref on Scala - interesting tech.

  10. Re:Misleading^2 on Database of Private SSL Keys Published · · Score: 1

    Thanks. Nice reference. I was not aware of Hole196. Great reading: http://www.airtightnetworks.com/wpa2-hole196

    A great example of the pain induced when a spec itself is incompletely or insecurely designed. Hard to fix. Towards the bottom of the article the authors provide a great solution that can be implemented without loss of backward compatibility. Probably how the spec should have been designed anyway.

    Great read - thanks for the reference.

    The SSL fixed key vulnerability is remediated by WPA2, but you could then have your ARP poisoned by Hole196 which gets you into exactly the same hot water as if a cracker sniffs your SSL traffic and then takes over your router, poisoning your DNS addresses in DHCP, or similar.

  11. Re:But Python is shit due to: on RubyGems' Module Count Soon To Surpass CPAN's · · Score: 1

    Good point on the braces thing. But I could never get past the concept of white space is significant in Python. For the very trivial reason that I use unindented code for debugging inside functions and it makes it very easy to scan quickly down a page to remove that debugging code when it's no longer in use. Totally trivial but also totally integral to how I like to work and Python forces me to abandon it. At least I couldn't figure out how to work around.

    You sound like you know Python and I wonder if you have any reflections on whether I'm a ninny, have a reasonable point, or other.. :)

  12. Re:Irrelevant statistic... on RubyGems' Module Count Soon To Surpass CPAN's · · Score: 1

    Am I being overly pedantic to say that I think it's Perl semantics that Ruby copied, not Perl syntax? Perl syntax as OP says includes "cabalistic symbols" and other gnarly hard to read 5 minutes after you wrote it stuff.

    Smalltalk syntax on the other hand is clean and easy to read. Ruby has replicated some of Smalltalk's semantics as well (i.e. everything is an object) and they designed the syntax so that moving from Perl is not a big cognitive leap, but I don't really see Perl and Ruby having similar syntax in a significant way.

    Not really disagreeing with you per se, but wanted to throw these observations into the mix.

  13. Re:How many of those are maintained on RubyGems' Module Count Soon To Surpass CPAN's · · Score: 1

    Yes but which one of those jobs would a programmer want? Perl is highly in demand - that's great. But if I'm an above average programmer do I want to work in the bowels of a bank, figuring out 10 year old Perl parsing of bank transactions or work on a shiny new Ruby web app, where they have super smart co-workers, a ping pong table, free soft drinks and happy hour twice a month? Quantity of job listings shouldn't be the only measure to drive language to learn and which jobs to apply for.

    I'm not suggesting that's what you're saying, I'm simply trying to add on an additional layer to the analysis.

  14. Re:Prototyping and Small Projects on RubyGems' Module Count Soon To Surpass CPAN's · · Score: 1

    I don't have first hand knowledge but I'd be willing to bet that Twitter is using JRuby to help manage the transition. It's pretty rock solid in my experience and gives you the main benefits of Ruby without the crappy-ass interpreter that Matz and co can't make run right (it has painfully slow start up and doesn't parse all that well inline as compared to other similar languages such as Python).

    offtopic..
    I love the language but hate the implementation.. Zed Shaw sang a song about this at his last Ruby conference ever. The chorus was "Matz don't patch."

  15. Re:Real use on RubyGems' Module Count Soon To Surpass CPAN's · · Score: 1

    Doesn't Twitter use Ruby to some significant extent? I think they used to run the whole thing on Ruby but as they got big, they had to back that off as it was wasting too many cpu cycles parsing. I've read that their bottom end runs a lot of C now but the interface still has Ruby bits I think? Anyone have current knowledge?

  16. Re:Quality has never been a concern of Rubyists. on RubyGems' Module Count Soon To Surpass CPAN's · · Score: 1

    In theory you're right, but I have a significant amount of experience with Ruby gems and I have to agree with the OP's assertion that there's a ton of crappy quality software modules out there for Ruby. Granted it's not just b/c Ruby permits monkey patching and other "quirky" programming techniques. I personally love to have those techniques available to me (debugging things is *so* much easier sometimes with a monkey patch).

    Even some of the "core" libraries that ship with Ruby are total BS. Take REXML just for example. It *appears* to be a robust XML parsing library and it ships with Ruby (or it did last time I looked). What a piece of junk - I had to rip it out after I had too many problems with it (chewing up memory, inconsistent implementation, not adhering to XML specs) and after talking it around, I'm not the only one. The net utilities are also pretty much BS. Gzip? I ended up shelling out to gzip b/c the tools just fail at random for no reason (and to top it off, the discussion forums talk about the failures/bugs but no one fixes them - I tried to get into the code to do it myself but as OP says, the monkey patch nonsense makes the code hard to get started on - faster just to shell out to a tool I know works).

    I ended up having to rewrite the XML pieces I needed by hand and it works fine -- and that proves your point. There's nothing inherent about Ruby that prevents decent code. It's just that there's a lot (a lot!) of half-baked junk out there masquerading as quality software libs. /rantoff

  17. Re:People change default router passwords? on Database of Private SSL Keys Published · · Score: 1

    This is such a good point. I've cracked into numerous routers at behest of friends who owned the routers. Better than doing a factory reset b/c then all the other settings are lost, I just look up the default password off the web and use that. I've yet to find a non-techie who's adjusted this setting.

  18. Re:Not really trivial on Database of Private SSL Keys Published · · Score: 1

    You can poison their DNS b/c you can now sniff Alice's router admin login, and then get into the router and edit the DNS settings. Now with poisoned DNS when Alice thinks she's talking to Paypal or her bank (or her root key certifier) she's really talking to Carol - not Bob. When DNS is poisoned you're basically screwed in terms of security. The attacker owns you and if they're good you'll never know unless you look at your DNS settings and can recognize the correct settings, which is pretty deep down the well of obscurity.

  19. Re:Misleading^2 on Database of Private SSL Keys Published · · Score: 2

    If your wifi network is secured with WPA then I think HTTP traffic is encrypted to the router, no? And WPA isn't subject to this vulnerability b/c it has its own user-generated encryption key, right? So this is only a problem if you're running an open wi-fi network (or using WEP ugh). Am I missing something?

  20. Re:Nothing will change on Database of Private SSL Keys Published · · Score: 1

    Buy a Linksys WRT54g v1-4 for $30 on eBay. Flash it with DD-WRT and you're good to go. Is there a big feature of your router you're trying to keep (like N, gigabit LAN or something)?

  21. Re:DD-WRT? on Database of Private SSL Keys Published · · Score: 1

    Thanks for this post. Could you explain why TFA says that DD-WRT routers are affected by this? If they behave as you describe (which is how I thought they behaved) why does the article indicate they are vulnerable to the static SSL key problem? Thanks for any info.

  22. Re:what? on Database of Private SSL Keys Published · · Score: 1

    Yeah really. The only moderately plausible attack vector that I can see is this:

    1) I run an unencrypted wi-fi network at home
    2) I connect to my router to administer it via https thinking that is secure
    3) Anon listens to the wi-fi network and can unwind the https session giving them access to the router.
    4) Profit? I guess they can mod the settings and do something nasty - maybe redirect DNS to give them power over what I think are root key certs etc.

  23. Re:Yo dawg, I heard on Assange Secret Swedish Police Report Leaked · · Score: 1

    This is just about you and her having a pre-existing agreement about this, whether spoken or implied. If I take a nap in the park and wake up with some bum giving me a hummer, it's definitely rape.

  24. Re:Well on NSA Considers Its Networks Compromised · · Score: 1

    That's true, but only *sometimes.* Sometimes it is not worth securing the network on the inside b/c the danger of folks breaking in and messing around is not very high. Always assuming that internal penetration must be accounted for is a bad assumption. Examining when/where it's a good or bad assumption *is* always a good idea.

    This may seem pedantic, but I run across networks which are over-designed fairly often. It doesn't meaningfully increase the owner's network security and it means that money can't be spent on something else more valuable to the owner. It also needlessly limits what the users of the network can accomplish, reducing productivity and innovation.

    If OTOH you're saying that one should always undertake good, solid network design principles, such as expose as little as possible onto the network, then that seems reasonable. Handling every network design problem with the constraint that it must be equally penetration-resistant *from the inside* can needlessly drive up costs without significant benefit *in some cases.*

  25. Re:Which will essentially cause nothing more than. on Debian 6.0 To Feature a Completely Free Kernel · · Score: 1

    I agree with you but I could see a middle ground. It would be nice to offer a working clean/free OS that would be easy for folks to innovate on without worrying about licenses. Then it would *also* be nice to have a non-free, more highly functional version of same OS. Does anyone know if they are providing both? If so, this is a non-story.