Executable (EXE) files are compiled (possibly prepackaged) programs which can be downloaded and executed on Windows systems. It is possible to write data into an EXE file so that any code at all whatsoever can be executed. This includes viruses, trojans and the like. This is fairly easy to do, so don't mess with EXE files from untrusted sources.
OK, so that mindset is one that they've introduced from the beginning (all credit to Microsoft, though, for making the desktop computer as ubiquitous as it has become).
That still doesn't make your conclusion (that users consider Windows to be "good enough") valid, because you're assuming that users don't complain about it. That simply isn't true, it's just that they don't return the product because it's the most widely available, compatible etc. (and in many users' worlds the only available).
Thus, Windows is doing everything that the majority of users need...
Except that it could be argued that Microsoft (and the software industry in general) have changed the average user's mindset to believe that this is as good as computers get, and getting any better stability, inherent virus resistance and security and so forth isn't really possible.
I was thanked for revealing the security hole, but was also strongly advised to follow proper procedures about calling for help from Security in the future.
The sad thing is that if that happened today nobody would be surprised if you were thrown into jail for being a terrorist.
For that matter, any time I find something that I need to download a Windows executable to get to work.
Or even services managed by regulators (ADSL, for example) should now be supported in non-Windows systems, or at least for specifications to be released so that they may be.
This is very good news. The next time I find a government-connected website, (or anything funded or contracted by the government for that matter) which does not work in Mozilla, I'll be emailing them a link to this page.
Except that typically the ISP will have received hundreds of complaints from different people. That gives the ISP reasonable grounds to believe that the complaints are correct.
On the other hand, cutting someone's pipe just because a single big corporation with lots of lawyers says so?
Yes, it's possible to forge emails from various different people using various different open relays, but that certainly would be fraudulent and could be dealt with legally.
And yes, complaints filed under the DMCA to an ISP to cut off someone's connection are made under penalty of perjury, but this only works if people are willing to sue the very large company with lots of lawyers, which tends not to happen, due to the large financial resources required.
In France, there's a ubiquitous system which requires you to type your code for every purchase you do with it. AFAIK, nobody ever complained about it, considering you can't use a stolen French card anywhere in France. If it's combined with a Visa card, you can still use it outside the country where there's no direct way to check its validity.
As far as I understand it, the French system has been cracked, although to what extent I'm not sure (see Bruce Schneier's Secrets and Lies, he mentions it).
Apparently the first guy who figured it out went to the card company, who asked him to prove it, which he did by buying a metro ticket. They then had him arrested, and forced him to sign an NDA to avoid prosecution.
Then someone else independently cracked it, and posted it anonymously from a cybercafe (in Paris, IIRC)
Smart cards are fine, but they need to use proper encryption, complete with completely open standards. I won't trust them until then. I know that companies expect fraud and absorb the costs, but you still need to be able to prove that you didn't make the purchase. Without a need for the vendor to produce a signature, this could be difficult.
It isn't so simple, because when the card becomes widespread (if it becomes widespread), then someone will figure out how to make these cards, and will be able to purchase things for nothing.
Then the information will get distributed on the internet, and the company who made the `technology' will start suing everyone in sight (VISAA? American Express AA? :-)
Of course, the technology currently exists to use encryption to make this impossible, but how do we know that the card uses it?
I got my drive replaced as well, but haven't used it for backups since. I got a CD writer because I reckoned that it isn't really likely for the drive to physically damage the CD, so if my drive failed I could just get another to restore a backup.
Sure, the media's cheaper, it's faster, it's portable, and the media's available, but CDs don't exactly store much!
...after having my computer crash and discovering that my Iomega tape back-up drive liked to physically mangle tapes when attempting to restore back-ups...
It's not just me then? I got a writer for that reason too!
...but it does know in specific when you are typing the one to start the session.
Is this included in the problem the article is referring to?
...in an interactive mode, each keystroke that a user types is sent to a remote machine in separate IP packets immediately after the key is pressed.
The article doesn't seem too clear on this, and I can't read the modem lights because it's in the other room. But IMHO it'd be stupid to do it; the reason it does it in `interactive' mode is because it uses raw mode.
I'm not sure, but I don't think that the individual characters of the password are sent in separate packets at the start of an ssh session. Feel free to check and correct me :-)
That won't quite work; ssh has no idea when you are typing in a password, and when you're expecting an interactive response. Imagine using the passwd command during an ssh session; how does ssh know?
ssh won't know because local echoing gets turned off, because it's turned off by default.
My solution is simply not to use passwords at all; I use RSA keys exclusively, with ssh agent forwarding enabled. On computers I control, sshd will only allow non-root RSA authentication. The only problem with this solution, though, is that su-ing can reveal a password.
Obviously I don't know the details, but look at this from the publisher of the Windows version of the game's point of view - they won't lose any money by allowing a Linux port, and of course they would be able to win royalties.
So it's in their interest to make a deal with Loki that's profitable to them both. If the economics mean that Loki can only pay a certain percentage in royalties per game sold, then it's still worthwhile for the publisher to make the deal -- there's no risk (Loki's taking it all) and they could make some money.
So all Loki have to do is break even on the money spent on the programmers to do the port, minus the royalties.
He means in 24 1-hour "lessons", but it sells better that way (except to the incredulous :-)
Trouble is, that if it works, then people might use the system in future Olympics.
Which would make the security by obscurity feature completely useless, as it won't be obscure any more (people intent on doing things will be able to get hold of more info over four years).
Except people will continue touting that success (if there was any) as a reason to use the system again, ignoring one of the reasons it worked in the first place (assuming it did).
Just a thought :-)
Oh that's interesting, basically none..
See The Right to Read: A Dystopian Short Story
When I first read it, it seemed far-fetched, though I could see what it was saying and its relation to the DMCA. Now I'm not so sure.
This is the second step to that situation, folks!
Or you could have a series of different coloured filters. Move each filter over the sensor in turn, while shining bright white light at the face...
Only if we get the conditioning right. How many children obey their parents? If we can't even get that right...
Microsoft zealots have basically gotten away with pimping Windows for any application even when Windows is horribly unqualified.
Worse, Microsoft themselves do that. NT 4, anyone?
Did you actually read what I said?
ssh won't know because local echoing gets turned off, because it's turned off by default.
Why do you suppose there's a slight delay in seeing characters appear even when you're on the command line?
Same thing with the AOL Honor System.
AOL users have honor?
I can see that people might start doing that just to get that particular of text to appear.
And you actually believe what this guy says? He's a security consultant, and he can't punctuate?
DeCSS (or some other version of it) doesn't need the key at all. The originally released one did, but it's been improved upon.