OpenMoko can take open source code from Android. You should be able to run "Android Framework" apps on OpenMoko. It's not clear that the opposite is true.
It's not a lack of imagination, friend. I quite understand how this can be used after a successful remote execution exploit, my question is not about that, it's about whether this predictability can itself be used as the basis for a remote attack, the way TCP sequence number prediction could be used for remote spoofing attacks.
I'm actually a bit surprised that any applications requiring good random numbers would depend on a system random number generator. System random number generators have traditionally varied from poor to downright abysmal, and are useful for no more than part of the seed for a cryptographically strong PRNG included in the application. The introduction of random number generators that are even intended to be good enough quality for cryptographic use is pretty recent, and certainly no portable code should depend on them.
The comment in the paper, "The designers of the operating system can be expected to be versed with the required knowledge in cryptography, and know how to extract random system data to seed the generator. They can therefore implement an efficient and secure generator." implies a lot more trust in the security stance of the OS developers than I would have granted for all but a couple of examples. Windows NOT being one of them.
The abstract made me think that this was akin to the sequence number prediction problems in older TCP implementations, but it doesn't seem that this provides much opportunity for a remote attack. What is teh actual scope of the problem, how could this be practically used in an exploit?
In my case a developer had a nervous habit of playing with things... and was talking to someone and idly fiddling with the BRS. The guy he was talking to asked him to stop, because it was making him nervous. He stopped, then, but habits are hard to break and a few minutes later...
Judging by recent administrations, Democrats are the the conservative ones with the balanced budgets, and Republicans are the activists spending money on dubious programs.
Internet protocols should be regulated in such a way that the network itself enforces distribution licenses.
Since anyone can invent an internet protocol, just by writing code and distributing it, this has as much of a chance of happening as everyone using P2P to share music voluntarily switching to Amazon and iTunes.
The Internet is not a new phenomenom that magically facilitates people circumventing payment based licenses
When we first went to talk to these record companies -- you know, it was a while ago. It took us 18 months. And at first we said: None of this technology that you're talking about's gonna work. We have Ph.D.'s here, that know the stuff cold, and we don't believe it's possible to protect digital content. [...] What's new is this amazingly efficient distribution system for stolen property called the Internet -- and no one's gonna shut down the Internet. And it only takes one stolen copy to be on the Internet. And the way we expressed it to them is: Pick one lock -- open every door. It only takes one person to pick a lock. Worst case: Somebody just takes the analog outputs of their CD player and rerecords it -- puts it on the Internet. You'll never stop that. So what you have to do is compete with it. -- Steve Jobs, 2003.
OK, I think you have a really deep and fundamental misunderstanding somewhere about what I wrote.
This is not about Java. This is not about Java vs Flash, or even Java vs ActiveX.
This is about ActiveX.
The alternative path is, basically, everything but ActiveX. EVERYTHING. Flash. Java. Javascript. Embedded Postscript and SafeTcl and all the other technologies that never took off. Out of all the applet technologies for the web that's ever gotten past the starting gate... even the ones that broke a leg in the first yard... ActiveX as used by the Microsoft HTML control is the only one I've found that is not sandboxed. Even Java's funky sandbox model is still a sandbox.
There is no excuse for using ActiveX on the web, nor for allowing it to be used. It is fundamentally, unfixably, and even arguably criminally insecure. There is no way to make it secure.
Thank god it's restricted to *one* browser on Windows, so you can use something else that's only got fixable security flaws.
I'm forced like most middle class people, so no need to call me something I'm not.
I'm not calling you a socialist.
I'm calling the public road system socialist.
I'm simply saying that this is not a contest between socialist and non-socialist transport. The automobile is just as dependent on socialism as the omnibus or trolley-car, so fighting public transport because "it's socialist" is foolish.
The reason why this was done is because it's so much more convenient and "easier to use than EVER!!" compared to either not having such functionality, or having it severely locked down (say, whitelist-only, with restrictions).
First, ActiveX in theory *is* whitelist-only. Whitelisting is basically what the "security zones" model is all about. And it doesn't work. The only thing that actually works is providing a strictly restricted API.
Second, no product implemented this functionality before Microsoft did, and since no product has emulated Microsoft's design, and opening up your browser to allow it takes several times as much effort as explicitly downloading and installing the applet. So it's neither necessary nor more convenient.
Third, it is possible to use Windows, to partake of the monoculture, without using applications that apply the ActiveX design to untrusted content. And if you do that you get comparable security to the situation before Active Desktop was introduced. I did that, and it works.
Fourth, the monoculture is not what keeps bad designs shipped with the system in use. Inertia does that. There's design flaws in OS X and it's just as hard to convince people to do something about them as it is to convince them to eschew Internet Explorer and its fellow-travelers.
The monoculture is a problem, yes, but this particular design flaw is a much much bigger one, and breaking the monoculture wouldn't solve it.
Of course it's not a good idea, but look at the alternative.
The alternative to ActiveX is hard-sandboxed scripts and applets that provide no mechanism for the sandboxed code to ask the user for access outside the sandbox, let alone automatically getting it if they "smell right".
Since every other HTML implementation in the world, including the ones used by Firefox and Safari, take the alternative path, and the alternative path is the only option if you're not running Windows, then I guess I like the alternative and I'm kind of at a loss as to what you're getting at.
Taxes are socialism. The whole point to taxes is to take from individuals for the public good. It doesn't matter whether your taxes are going to public road or public rail - it's still a socialist project. You can not in good conscience decry one and not the other.
It's not the Window monoculture so much as the fact that the Windows HTML control is designed to allow you to pass it a chunk of code and say "run this" and if you smell right... it will! How anyone in the world could look at this design and not go "you mean, if I can get some trust hormones and smear them on my program, everyone who looks at it using Internet Explorer will run it?". I mean, this is such a completely insane design that I'm honestly boggled Microsoft hasn't been creamed by a trillion dollar class action suit over it yet. This is like Ford building autos that kick the owners out and follow you home if you wave a yellow hanky at them.
What the hell is wrong with people that anyone, for one minute, could think this is a good idea? It's not. It's so lousy an idea that it makes only moderately lousy ideas like Java's security model look good by comparison, even to people like me who know better. It's so lousy it'd still be scratching after a week in pyrethrin. It's so lousy... gah... there's not an analogy corny enough to do justice to how lousy it is.
I hade this mental image of George Jetson's brifcase scaled up to the size of a phone booth, but that's pretty cool. It's not really folding the car up, it's more pivoting it vertically.
OpenMoko can take open source code from Android. You should be able to run "Android Framework" apps on OpenMoko. It's not clear that the opposite is true.
They're made out of meat!
It's not a lack of imagination, friend. I quite understand how this can be used after a successful remote execution exploit, my question is not about that, it's about whether this predictability can itself be used as the basis for a remote attack, the way TCP sequence number prediction could be used for remote spoofing attacks.
I'm actually a bit surprised that any applications requiring good random numbers would depend on a system random number generator. System random number generators have traditionally varied from poor to downright abysmal, and are useful for no more than part of the seed for a cryptographically strong PRNG included in the application. The introduction of random number generators that are even intended to be good enough quality for cryptographic use is pretty recent, and certainly no portable code should depend on them.
The comment in the paper, "The designers of the operating system can be expected to be versed with the required knowledge in cryptography, and know how to extract random system data to seed the generator. They can therefore implement an efficient and secure generator." implies a lot more trust in the security stance of the OS developers than I would have granted for all but a couple of examples. Windows NOT being one of them.
The abstract made me think that this was akin to the sequence number prediction problems in older TCP implementations, but it doesn't seem that this provides much opportunity for a remote attack. What is teh actual scope of the problem, how could this be practically used in an exploit?
In my case a developer had a nervous habit of playing with things... and was talking to someone and idly fiddling with the BRS. The guy he was talking to asked him to stop, because it was making him nervous. He stopped, then, but habits are hard to break and a few minutes later...
I think the assumption that they didn't get two weeks "slacking" was more in the nature of a joke.
I know the last two weeks at my last two companies were some of the busiest two weeks I'd had, as I tied up all the loose ends.
Like those tollway tags?
(friend of mine keeps his below the dash when he's not actually going through a tollgate)
Judging by recent administrations, Democrats are the the conservative ones with the balanced budgets, and Republicans are the activists spending money on dubious programs.
Kleptocracy?
Don't forget the plexiglass cover for switch #1.
I've seen what happens when you leave that off.
Uh, roger cucumber velvet nosegay. Lamington tirade pluto frock swizzlestick. Tangiers rapscallion squeamish ossifrage? Tautology plenitude fabulous dishwater. Telemann pluperfect autocrat clerestory Borgia antigen!
Since anyone can invent an internet protocol, just by writing code and distributing it, this has as much of a chance of happening as everyone using P2P to share music voluntarily switching to Amazon and iTunes.
The Internet is not a new phenomenom that magically facilitates people circumventing payment based licenses
RCMP stands for "Royal Canadian Mounted Police".
No, actually flash works just fine on a Mac.
... even the ones that broke a leg in the first yard... ActiveX as used by the Microsoft HTML control is the only one I've found that is not sandboxed. Even Java's funky sandbox model is still a sandbox.
OK, I think you have a really deep and fundamental misunderstanding somewhere about what I wrote.
This is not about Java. This is not about Java vs Flash, or even Java vs ActiveX.
This is about ActiveX.
The alternative path is, basically, everything but ActiveX. EVERYTHING. Flash. Java. Javascript. Embedded Postscript and SafeTcl and all the other technologies that never took off. Out of all the applet technologies for the web that's ever gotten past the starting gate
There is no excuse for using ActiveX on the web, nor for allowing it to be used. It is fundamentally, unfixably, and even arguably criminally insecure. There is no way to make it secure.
Thank god it's restricted to *one* browser on Windows, so you can use something else that's only got fixable security flaws.
I'm forced like most middle class people, so no need to call me something I'm not.
I'm not calling you a socialist.
I'm calling the public road system socialist.
I'm simply saying that this is not a contest between socialist and non-socialist transport. The automobile is just as dependent on socialism as the omnibus or trolley-car, so fighting public transport because "it's socialist" is foolish.
The reason why this was done is because it's so much more convenient and "easier to use than EVER!!" compared to either not having such functionality, or having it severely locked down (say, whitelist-only, with restrictions).
First, ActiveX in theory *is* whitelist-only. Whitelisting is basically what the "security zones" model is all about. And it doesn't work. The only thing that actually works is providing a strictly restricted API.
Second, no product implemented this functionality before Microsoft did, and since no product has emulated Microsoft's design, and opening up your browser to allow it takes several times as much effort as explicitly downloading and installing the applet. So it's neither necessary nor more convenient.
Third, it is possible to use Windows, to partake of the monoculture, without using applications that apply the ActiveX design to untrusted content. And if you do that you get comparable security to the situation before Active Desktop was introduced. I did that, and it works.
Fourth, the monoculture is not what keeps bad designs shipped with the system in use. Inertia does that. There's design flaws in OS X and it's just as hard to convince people to do something about them as it is to convince them to eschew Internet Explorer and its fellow-travelers.
The monoculture is a problem, yes, but this particular design flaw is a much much bigger one, and breaking the monoculture wouldn't solve it.
Of course it's not a good idea, but look at the alternative.
The alternative to ActiveX is hard-sandboxed scripts and applets that provide no mechanism for the sandboxed code to ask the user for access outside the sandbox, let alone automatically getting it if they "smell right".
Since every other HTML implementation in the world, including the ones used by Firefox and Safari, take the alternative path, and the alternative path is the only option if you're not running Windows, then I guess I like the alternative and I'm kind of at a loss as to what you're getting at.
Taxes are socialism. The whole point to taxes is to take from individuals for the public good. It doesn't matter whether your taxes are going to public road or public rail - it's still a socialist project. You can not in good conscience decry one and not the other.
America is about independence on all levels.
Then you should be all in favor of getting independence from the oil oligarchy that's running the country.
'Public transit' is about communal life and should be avoided at all costs.
So you don't drive on public roads? Well, that's something to be thankful for at least.
Ok, you go ride your bus, ill keep my cars, and wave as i drive past the bus stop.
I'd rather you kept both hands on the controls, particularly when you're not looking where you're driving.
The space pen bullshit's already been refuted so many times in slashdot that it needs its own FAQ entry.
It's not the Window monoculture so much as the fact that the Windows HTML control is designed to allow you to pass it a chunk of code and say "run this" and if you smell right... it will! How anyone in the world could look at this design and not go "you mean, if I can get some trust hormones and smear them on my program, everyone who looks at it using Internet Explorer will run it?". I mean, this is such a completely insane design that I'm honestly boggled Microsoft hasn't been creamed by a trillion dollar class action suit over it yet. This is like Ford building autos that kick the owners out and follow you home if you wave a yellow hanky at them.
What the hell is wrong with people that anyone, for one minute, could think this is a good idea? It's not. It's so lousy an idea that it makes only moderately lousy ideas like Java's security model look good by comparison, even to people like me who know better. It's so lousy it'd still be scratching after a week in pyrethrin. It's so lousy... gah... there's not an analogy corny enough to do justice to how lousy it is.
Like military invasions?!
If every dollar George spent in Iraq had gone to space instead, we'd all be better off.
I hade this mental image of George Jetson's brifcase scaled up to the size of a phone booth, but that's pretty cool. It's not really folding the car up, it's more pivoting it vertically.
My cold dead hands.
:(
That's what EMS does all too often.