If that one vendor didn't screw up, DVD's probably would still be unrippable.
This is misleading.
The CSS cipher key is 40-bits.
Whoever designed the CSS cipher wanted it to be cheap in hardware and didn't put much effort at all into its design. There is a simple guess-and-check algorithm that breaks it with a work factor of 2 ** 16.
Based on some simulations I ran with RC6, my PII 266 would break RC6 with a 40-bit key in just under a year on average (unoptimized C). The CSS cipher is much faster and is based on LFSRs, which can be bitsliced very efficiently using MMX instructions (I can try 128 keys simultaneously). Even without the weak cipher design, my lowly dinosaur of a machine could probably recover all of the player keys in under 2 months. (Very pessemistic estimate.)
A work factor of 2 ** 16 means that even my slow machine can figure out the disk key in under a minute.
26! is more than 2 ** 88, but that doesn't make your secret decoder ring strong crypto. More or less they used the equivelent of a secret decoder ring to encrypt the data. Ross Andersen's attack on the A4 cellphone cipher should have been known to the designers of CSS, yet they went ahead with a cipher that is more easily vulnerable to the same sort of guess-and-check attack. (None of the advanced Russian sparse matrix inversion techniques are required to make it practical.)
If you're not running vmware from a privledged account and haven't given an unprivledged account write access to the raw device, vmware will have insufficient permissions to do such a write. This is why you don't run things as root. Maybe someday MS will have the default account not have Admin privledges. Oh well.
Some encrypted filesystems will. Note that the windows encrypted filesystem should not be considered one such filesystem. The default syskey setup stores the syskey to the HD. This gives attackers access to the LM hash of the password, which means a work factor of about 2**34 to recover any given password (unless using alt+KP sequences, which 99.99% of users do not), which then allows them to decrypt the private key used by the EFS. Therefore, consider EFS to be 35-bit encryption.
Even with the syskey on floppy or typed into the terminal at boot time, the syskey is used in a flawed way, so XORing the encrypted LM hash with the encrypted NT hash gives you the same result as XORing them in unencrypted form, so cracking passwords takes some small constant multiple as long as if you had the unencrypted NT hash. User passwords suck. On my systems, I have some gpg-encrypted random pads (base64 encoded for mount -p 0) that are used for loop-AES256 keys. In order to mount the home directory on startup, I need to insert the floppy, cd/mnt/floppy, gpg -d sda2.key | mount -p 0/dev/sda2, and I'm prompted for my gpg password (which is more than 15 characters long and contains non-base64 charcters). In this way, you can have a reasonable password policy because you know account lockout will be enforced (dealing with the lockout time is still faster than stealing the hard drive and bruit forcing AES256). If an offline attack against user's passwords would compromise data, you cannot count on the account lockout and must use a more strict password policy to get the same estimate of time required to mount an attack.
Did Linux previously not use the Unix process model, or did it used to only run one process?
These would be the only two options if you're not running virtual memory, as the Unix process model has each process in its own memory space. I think you're mistaken. Maybe you've been using Linux since before it could swap, but swap != virtual memory. You can run the DOS process model, the old Macintosh process model or the IBM OS/400 process model without virtual memory, but not the Unix process model. There are some advantages to the OS/400 process model, such as not needing to flush the TLB on a context switch, but unfortunately this is not the Unix process model. (The Unix process model is in some ways cleaner, and I think better hardware design would eliminate the need for TLB flushes during context switches.)
Do you mean you've been using Linux before the VM code was an official subsystem? In any case, unless Linus knew you well (word order intenional) in his student days, I highly doubt you've been running Linux since before it had a VM subsytem.
Yes, Linux needs toattract more people that are interested in GUI design. Unfortunately this is a chicken-and-egg problem, since mostof these people really hate bad GUI design.
in fact, just about any Linux software design. I don't usually complain about MS bashing, in fact I usually join in, but this is just pathetic.
Most of the Linux software I run into is of pretty sound design (other than UI). OSS seems to produce some pretty sound protocols compared to corporate America. Have you looked at Windows networking, Windows security mechanisms (LanMan hash, NT hash), the Windows virtual filesystem, AIM's Oscar protocol, etc.? I swear there must be someone running around yelling "make it worse, so they have a compelling reason to upgrade to the new protocol later."
IBM is starting to promote Linux on big iron. SGI may never port IRIX to their Itaniam products. I'm not sure about HP's HP-UX strategy, but it would appear as if we're moving towards Linux, Solaris, UNICOS being the only unices on high-end systems. There's a new O(1) scheduler for Linux 2.5 and IBM is really helping to fix the other issues preventing Linux from scaling to truly huge systems. It makes sense from a development cost standpoint for the "big boys" to pool thier efforts into a common OS and differentaite based on hardware.
...until one of these becomes my old cellphone. You won't have much of the standard Linux functionality exposed. Most of Linux's POSIX compliance is done through glibc, which may not be onboard the phone.
However... it'd be fun to hack around on an old Linux phone.
The "recompile kernel" jokes are getting as worn out as the "imagine a beowulf cluster" jokes.
OTOH, maybe you really think it's a difficult thing to configure and compile a Linux kernel. It's been dirt smple since at least 2.0.35 (first kernel I compiled).
When was the last time you HAD to recompile your kernel? My PC speaker issoldered to my mobo, so I disabled it in the kernel. This is the only time I;ve needed to recompile my kernel.
I'm willing to bet that this "Linux" kernel is little more than a scheduler and some memory management.
No need to put Linux inquotes. Linux isn't (nor should it be) much more than a scheduler, memory management, hardware abstraction (drivers) and some low-level protocol abstrations(IPv4 stack, etc.). Almost all of the drivers and protocols can be configured out of the kernel at compile time, so of course the cellphone manufacturers aren't going to compile in all of the options (nor include them as modules). What you're left with is a scheduler, a vm subsystem, a virtual filesystem subsystem, and a handful of drivers and kernel-implemented protocols. What did you think "Linux" was?
The BBC I believe. Wow, that is very different from the reporting I had read. I stand corrected.
As far as Clinton oredering an assasination, are you referring to the radical muslim cleric that was delayed after mosque services, just missing the CIA-planted car bomb set to kill him as he left the mosque?
Win98SE and Win2K both hung during install. (I wanted to run windows on my Debian box in order to run Verizon's proprietary DSL registration/setup software.) Which version of Windows were you able to install?
cannabisnews.com ? Well, we're obviousy getting our propaganda from opposite ends fo the spectrum.
Justbecuase we gave the Taliban money doesn't mean they complied very quickly or effctively. My understanding is that the Taliban was a loose conglomerate of several groups.
My guess is that entering into an agreeent between Nation-States does not constitute transaction as used in executive order 13129. Also, realize that it's an execute order, not a law. The President can issue, modify, and cancel executive orders at will. In the case of direct and specific requests of the President conflicting with previus executive orders, the presidential requests should take precidence. Calm down a bit. Talk with your toker buddies. It doesn't seem your ganja is working.
Yes, there was a July patch against Slammer/Saphire, but there was a patch released in October that re-introduced the vulnerability (Schneier goes into detail about it). You had to be neither too diligent nor too lacking in dilligence in order to avoid Slammer/Saphire. Patching at the enterprise level is also quite a different thing. MS also has a very bad reputation for patchs that break things. (A big sign of design flaws rather than implementation flaws.)
, does UT usually run as root/in the System security context?
P.S. Any idea the rationalle for making the LM hash 8-bit clean, but then changing everything to upper case? There's no excuse for doing away with the salt, and then keeping the salt out of the NT hash. They clearly based the LM hash on the UNIX crypt function, but every major change made it weaker. Was there pressure from government to make the security lax or something? (RC4 key reuse for two adjascent 128-bit pieces of data to "encrypt" the password file? Come on. I know it's a little slow to crack the LM hash using an abacus while drunk, but MS really should have asssumed attackers have access to a 68010 or at least an 8051 or a z80.)
yeah... I tried out the new Pismere cluster last weekend... noticed that the machines have 10.x.y.z IP addresses. (MIT has all of 18.x.y.z, so it's not like they're hurting for IP addresses. Hell, my oldfraternity house was zoned for 22 residets but previously had been allocated a/16 subnet.) The only thing I could think of is that you guys decided to ditch the standard MIT "firewalls suck" policy in favor ofthe "firewalls suck, but not as much as Win32 security" policy.
--begin tangentstorey about MIT security policy
I was an RCC when a few of the guys passed around a CD for Win2K advanced server... and they ALL accidently installed IIS, which is part of the default install... and ALL got broken into within a few days... I emailed everyone after the first breakin to tell everyone to make sure they patched IIS if they were running it. I got an email back from one of the guys "what's IIS?"... and discovered he was running the default IIS page. He got owned before I got back from campus to talk to him about it. In fustration, I asked Network Security about advice on firewalling. I basically got a "firewalls suck, just make sure everyone's up to date and scan often" reply. I had a hard enough time getting people to take down cracked achines, much less stay up to dte on patches. I actualy had one guy go and reconnect his network drop to the switch after I forcably disconnected him for having a cracked machine (it was actively being used for attacks whose victims complained to MIT Network Security.. who complained to me... etc.). I think there's still at least one guy with his whole HD shared on SMB. You can only beat people over the head so much if you don't have any real power over them. (RCCs seldom have any real power.)
Most of the maintream news sources claimed that opium was a major source of funding for the Taliban. Usage may have been discouraged, but from what I hear, the Taliban activey encouraged opium poppy cultivation over food production. The poor farmers got about as much per acre for the poppies as they would have from foodstuffs, with the Taliban/warlords gtting the lion's share of the markup.
Of course, there is a good deal of US propaganda in there, but I'd like to hear your sources.
Ehh.. MIT gives you the root password to all of the public workstations that's why you need to type "access on" at the console in order to access a workstation remotely. I'd advise against this. Kerberos tickets are stored on teh HD until you log out, so somone else can become you for 10 hours (by default) if you turn acess on. The dialups, Kerberos servers, and departmet/private machines are entirely a dfferent matter.
Oh, and su and access commands are supposedly remotely logged. I've been questioned in W20 shortly after logging in as root.
Has anyone out there used the new Win32/Athena machines? I'm affraid, very affraid. Also, is the Administratr password the same as the root password for all of the *NIX workstations?
In very recent history (a few days ago), it was very evident from the number of times Bush used the word "god" in his little speech shortly after the Challenger disaster. Anyone with a few synapses knows good and well what he's referring to, and it's not allah.
Regardless of what he'd like to think, Dubya doesn't speak laws into existence. His speach is not a law promoting Christianity. As far as the court room issue, you can take on oath on a copy of the US Constitution instead if you so choose. In fact I'm not aware of any statute or law giving preference to the Bible as the item on which oaths are sworn.
The tax issue is that religious organizations recieve preferential tax breaks because taxes are too easily turned into a form of censorship. A slight promotion of all religions equally is far less dangerous than taxing all but the richest (read most popular) out of business. This is theway you want it, trust me. I know of many Christian churches struggling to make ends meet as it is. I don't know how less popular religions get by. Maybe you'd prefer that all religious organizations be taxed out of existence. I assure you that this would cause the street crime rates to go up, as it seems that at least half of the homless shelters/food shelves in my area are at least partially funded if not run by religious organizations. (Yes, the Salvation Army is an official Church.) The law isn't perfect, but in this case it's taking the lesser of two evils.
---begin tangent
I find it very ironic that the book of Matthew (the fisrt book of the Christian Bible, thus the part closest to the hand of the oath-taker) warns Christians against taking oaths, yet the Bible is often used for that purpose.
<nitpick>
Well, most educated Christians regard Allah to be one and the sam as the Judeo-Christian God (AKA the God of Abraham), so you're half-right. (Many arabic -speaking Christians also use the term Allah while praying, etc. Allah simply means "the God", referring to any monotheistic deity.) Granted, we all know he was trying to make a jab at radical Islam, and I'm surprised we haven't heard Osama claiming some nonsense about Allah punishing the US space program for putting an Israeli astronaut in space.</nitpick>
Okay, throw me a bone here. Password rhymes with Tritney Sbears? Accidently leaked disk image to Kazaa as DEVEL_024135.img? My home open SMB share is at 62.218.7.36? I throw out the old development discs on Tuesday nights? I ftp the source unencrypted across three continents at 3:24 UTC every Monday? We use the old discs as pocker chips at the Blue Rhino club after work every Wednesday? You know it wants to be free. Think happy penguins playing all over the world. Just give them a little nudge out the door.
These studues often assume one OS per machine. This is increasingly not the case. The studies may not be intentionally flawed. MS might also be seeing more sales due to reduced piracy percentages.
I challenged eddy (or anyone) to tell me a way to make sure that all my users get the same features in a page without modifying my content based on the broken version they may be using, with the caveat that I get to use any feature allowable in standard HTML.
No, that was not your callenge. Read your post again. Here are your only three criteria.
1. any visitor using any web browser that comes to your site can view a working web page without having to upgrade their browser or use a different version.
2. You must be able to use any HTML feature approved by the W3
3. You must not modify the HTML sent based on browser type
Your original three criteria are good criteria. The extra constraints you added in the post I'm replying to are impossible, even with browser-specific code. My first web browser was MacWeb. The only graphics format it allowed was GIF, and background images weren't actually made into background. You simply can't meet the requirement in this latest post even with browser-specific HTML. Your earlier criteria were good criteria. You don't even really know what you want. Sit down and think out your goals. Next, make them possible. (Hint: you can't have every W3C feature available to all users w/o forcing them to upgrade thier browser. You can't even closely approximate/emulate all of the newer features using only the features in the original HTML standard.)
Slashdot Mirror
This is misleading.
- The CSS cipher key is 40-bits.
- Whoever designed the CSS cipher wanted it to be cheap in hardware and didn't put much effort at all into its design. There is a simple guess-and-check algorithm that breaks it with a work factor of 2 ** 16.
Based on some simulations I ran with RC6, my PII 266 would break RC6 with a 40-bit key in just under a year on average (unoptimized C). The CSS cipher is much faster and is based on LFSRs, which can be bitsliced very efficiently using MMX instructions (I can try 128 keys simultaneously). Even without the weak cipher design, my lowly dinosaur of a machine could probably recover all of the player keys in under 2 months. (Very pessemistic estimate.)A work factor of 2 ** 16 means that even my slow machine can figure out the disk key in under a minute.
26! is more than 2 ** 88, but that doesn't make your secret decoder ring strong crypto. More or less they used the equivelent of a secret decoder ring to encrypt the data. Ross Andersen's attack on the A4 cellphone cipher should have been known to the designers of CSS, yet they went ahead with a cipher that is more easily vulnerable to the same sort of guess-and-check attack. (None of the advanced Russian sparse matrix inversion techniques are required to make it practical.)
If you're not running vmware from a privledged account and haven't given an unprivledged account write access to the raw device, vmware will have insufficient permissions to do such a write. This is why you don't run things as root. Maybe someday MS will have the default account not have Admin privledges. Oh well.
Some encrypted filesystems will. Note that the windows encrypted filesystem should not be considered one such filesystem. The default syskey setup stores the syskey to the HD. This gives attackers access to the LM hash of the password, which means a work factor of about 2**34 to recover any given password (unless using alt+KP sequences, which 99.99% of users do not), which then allows them to decrypt the private key used by the EFS. Therefore, consider EFS to be 35-bit encryption.
Even with the syskey on floppy or typed into the terminal at boot time, the syskey is used in a flawed way, so XORing the encrypted LM hash with the encrypted NT hash gives you the same result as XORing them in unencrypted form, so cracking passwords takes some small constant multiple as long as if you had the unencrypted NT hash. User passwords suck. On my systems, I have some gpg-encrypted random pads (base64 encoded for mount -p 0) that are used for loop-AES256 keys. In order to mount the home directory on startup, I need to insert the floppy, cd /mnt/floppy, gpg -d sda2.key | mount -p 0 /dev/sda2, and I'm prompted for my gpg password (which is more than 15 characters long and contains non-base64 charcters). In this way, you can have a reasonable password policy because you know account lockout will be enforced (dealing with the lockout time is still faster than stealing the hard drive and bruit forcing AES256). If an offline attack against user's passwords would compromise data, you cannot count on the account lockout and must use a more strict password policy to get the same estimate of time required to mount an attack.
No, >NET is for the obfuscation of ideas, not code. Haven't you seen the obfuscated commercials?
These would be the only two options if you're not running virtual memory, as the Unix process model has each process in its own memory space. I think you're mistaken. Maybe you've been using Linux since before it could swap, but swap != virtual memory. You can run the DOS process model, the old Macintosh process model or the IBM OS/400 process model without virtual memory, but not the Unix process model. There are some advantages to the OS/400 process model, such as not needing to flush the TLB on a context switch, but unfortunately this is not the Unix process model. (The Unix process model is in some ways cleaner, and I think better hardware design would eliminate the need for TLB flushes during context switches.)
Do you mean you've been using Linux before the VM code was an official subsystem? In any case, unless Linus knew you well (word order intenional) in his student days, I highly doubt you've been running Linux since before it had a VM subsytem.
IBM is starting to promote Linux on big iron. SGI may never port IRIX to their Itaniam products. I'm not sure about HP's HP-UX strategy, but it would appear as if we're moving towards Linux, Solaris, UNICOS being the only unices on high-end systems. There's a new O(1) scheduler for Linux 2.5 and IBM is really helping to fix the other issues preventing Linux from scaling to truly huge systems. It makes sense from a development cost standpoint for the "big boys" to pool thier efforts into a common OS and differentaite based on hardware.
However... it'd be fun to hack around on an old Linux phone.
Maybe it was a Freudian slip about MS's viruses, other bugs, and "spread wide open by default" configurations, and general whoring?
OTOH, maybe you really think it's a difficult thing to configure and compile a Linux kernel. It's been dirt smple since at least 2.0.35 (first kernel I compiled).
When was the last time you HAD to recompile your kernel? My PC speaker issoldered to my mobo, so I disabled it in the kernel. This is the only time I;ve needed to recompile my kernel.
There is no "a" in kernel, btw.
No need to put Linux inquotes. Linux isn't (nor should it be) much more than a scheduler, memory management, hardware abstraction (drivers) and some low-level protocol abstrations(IPv4 stack, etc.). Almost all of the drivers and protocols can be configured out of the kernel at compile time, so of course the cellphone manufacturers aren't going to compile in all of the options (nor include them as modules). What you're left with is a scheduler, a vm subsystem, a virtual filesystem subsystem, and a handful of drivers and kernel-implemented protocols. What did you think "Linux" was?
As far as Clinton oredering an assasination, are you referring to the radical muslim cleric that was delayed after mosque services, just missing the CIA-planted car bomb set to kill him as he left the mosque?
... when the official Debian package will show these changes?
Win98SE and Win2K both hung during install. (I wanted to run windows on my Debian box in order to run Verizon's proprietary DSL registration/setup software.) Which version of Windows were you able to install?
Justbecuase we gave the Taliban money doesn't mean they complied very quickly or effctively. My understanding is that the Taliban was a loose conglomerate of several groups.
My guess is that entering into an agreeent between Nation-States does not constitute transaction as used in executive order 13129. Also, realize that it's an execute order, not a law. The President can issue, modify, and cancel executive orders at will. In the case of direct and specific requests of the President conflicting with previus executive orders, the presidential requests should take precidence. Calm down a bit. Talk with your toker buddies. It doesn't seem your ganja is working.
, does UT usually run as root/in the System security context?
P.S. Any idea the rationalle for making the LM hash 8-bit clean, but then changing everything to upper case? There's no excuse for doing away with the salt, and then keeping the salt out of the NT hash. They clearly based the LM hash on the UNIX crypt function, but every major change made it weaker. Was there pressure from government to make the security lax or something? (RC4 key reuse for two adjascent 128-bit pieces of data to "encrypt" the password file? Come on. I know it's a little slow to crack the LM hash using an abacus while drunk, but MS really should have asssumed attackers have access to a 68010 or at least an 8051 or a z80.)
--begin tangentstorey about MIT security policy
I was an RCC when a few of the guys passed around a CD for Win2K advanced server... and they ALL accidently installed IIS, which is part of the default install... and ALL got broken into within a few days... I emailed everyone after the first breakin to tell everyone to make sure they patched IIS if they were running it. I got an email back from one of the guys "what's IIS?"... and discovered he was running the default IIS page. He got owned before I got back from campus to talk to him about it. In fustration, I asked Network Security about advice on firewalling. I basically got a "firewalls suck, just make sure everyone's up to date and scan often" reply. I had a hard enough time getting people to take down cracked achines, much less stay up to dte on patches. I actualy had one guy go and reconnect his network drop to the switch after I forcably disconnected him for having a cracked machine (it was actively being used for attacks whose victims complained to MIT Network Security.. who complained to me... etc.). I think there's still at least one guy with his whole HD shared on SMB. You can only beat people over the head so much if you don't have any real power over them. (RCCs seldom have any real power.)
Most of the maintream news sources claimed that opium was a major source of funding for the Taliban. Usage may have been discouraged, but from what I hear, the Taliban activey encouraged opium poppy cultivation over food production. The poor farmers got about as much per acre for the poppies as they would have from foodstuffs, with the Taliban/warlords gtting the lion's share of the markup.
Of course, there is a good deal of US propaganda in there, but I'd like to hear your sources.
Oh, and su and access commands are supposedly remotely logged. I've been questioned in W20 shortly after logging in as root.
Has anyone out there used the new Win32/Athena machines? I'm affraid, very affraid. Also, is the Administratr password the same as the root password for all of the *NIX workstations?
Regardless of what he'd like to think, Dubya doesn't speak laws into existence. His speach is not a law promoting Christianity. As far as the court room issue, you can take on oath on a copy of the US Constitution instead if you so choose. In fact I'm not aware of any statute or law giving preference to the Bible as the item on which oaths are sworn.
The tax issue is that religious organizations recieve preferential tax breaks because taxes are too easily turned into a form of censorship. A slight promotion of all religions equally is far less dangerous than taxing all but the richest (read most popular) out of business. This is theway you want it, trust me. I know of many Christian churches struggling to make ends meet as it is. I don't know how less popular religions get by. Maybe you'd prefer that all religious organizations be taxed out of existence. I assure you that this would cause the street crime rates to go up, as it seems that at least half of the homless shelters/food shelves in my area are at least partially funded if not run by religious organizations. (Yes, the Salvation Army is an official Church.) The law isn't perfect, but in this case it's taking the lesser of two evils.
---begin tangent
I find it very ironic that the book of Matthew (the fisrt book of the Christian Bible, thus the part closest to the hand of the oath-taker) warns Christians against taking oaths, yet the Bible is often used for that purpose. <nitpick>
Well, most educated Christians regard Allah to be one and the sam as the Judeo-Christian God (AKA the God of Abraham), so you're half-right. (Many arabic -speaking Christians also use the term Allah while praying, etc. Allah simply means "the God", referring to any monotheistic deity.) Granted, we all know he was trying to make a jab at radical Islam, and I'm surprised we haven't heard Osama claiming some nonsense about Allah punishing the US space program for putting an Israeli astronaut in space.</nitpick>
ftp ftp.nintendo.com
ftp> open ftp.nintendo.comOkay, throw me a bone here. Password rhymes with Tritney Sbears? Accidently leaked disk image to Kazaa as DEVEL_024135.img? My home open SMB share is at 62.218.7.36? I throw out the old development discs on Tuesday nights? I ftp the source unencrypted across three continents at 3:24 UTC every Monday? We use the old discs as pocker chips at the Blue Rhino club after work every Wednesday? You know it wants to be free. Think happy penguins playing all over the world. Just give them a little nudge out the door.
These studues often assume one OS per machine. This is increasingly not the case. The studies may not be intentionally flawed. MS might also be seeing more sales due to reduced piracy percentages.
If you want x86 on a Mac, look into Bochs (Free) or VirtualPC (proprietary).
No, that was not your callenge. Read your post again. Here are your only three criteria.
Your original three criteria are good criteria. The extra constraints you added in the post I'm replying to are impossible, even with browser-specific code. My first web browser was MacWeb. The only graphics format it allowed was GIF, and background images weren't actually made into background. You simply can't meet the requirement in this latest post even with browser-specific HTML. Your earlier criteria were good criteria. You don't even really know what you want. Sit down and think out your goals. Next, make them possible. (Hint: you can't have every W3C feature available to all users w/o forcing them to upgrade thier browser. You can't even closely approximate/emulate all of the newer features using only the features in the original HTML standard.)