Slashdot Mirror


User: evilpenguin

evilpenguin's activity in the archive.

Stories
0
Comments
724
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 724

  1. To whom is this news? on Passwords May Be Weakest Link · · Score: 2

    This has been true since passwords were first used. I've run password cracking programs against all of my systems and projects as part of a standard assessment. I would say that finding 30% of passwords in less than a day would be a fairly typical result.

    The truth is that passwords are not a good security tool for all the reasons you would expect. The basic one is that memorable passwords are generally easily cracked passwords.

    I use tricks like passphrases where I take the third letter of each word, mix case, and numbers for certain letters, etc. Even with those tricks, the password is still fairly easily attacked (the frequency of letters in the English language is hardly random).

    IMHO the best solution is to combine authentication methods. Use a token system like SecureID combined with a password. Better yet, use password, token, and biometrics.

    If you have to use passwords and only passwords, run the attacks yourself and lock accounts you can crack. If you don't run them, someone else will.
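
The audit the comment above recommends, as an added example (not the commenter's tooling): a dictionary-plus-rules attack run offline against a constructed list of salted hashes, followed by the list of accounts to lock. The hash scheme, the account records, the wordlist and the mangling rules are all constructed here for illustration; a real audit would run John the Ripper or hashcat against the real credential store, and a real system should store passwords with a slow hash such as bcrypt, scrypt or Argon2 rather than plain SHA-256.

```python
"""Offline password audit: dictionary + mangling rules against a constructed
account list, then report which accounts should be locked.

Added example, not the commenter's tooling. The hash scheme (sha256 of
salt+password), the accounts, the wordlist and the rules are constructed."""
import hashlib


def hash_pw(salt, password):
    # Constructed scheme for the demo; real systems should use a slow,
    # salted hash such as bcrypt, scrypt or Argon2.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample "shadow" records: (user, salt, digest).
ACCOUNTS = [
    ("alice", "s1", hash_pw("s1", "Password1")),
    ("bob",   "s2", hash_pw("s2", "dragon")),
    ("carol", "s3", hash_pw("s3", "W1nt3r!")),
    ("dave",  "s4", hash_pw("s4", "xq7#Lm9pRt2v")),  # random; should survive
]

WORDLIST = ["password", "dragon", "winter", "letmein"]
LEET = str.maketrans("aeios", "43105")
SUFFIXES = ["", "1", "123", "!"]


def mangle(word):
    """Yield the variants of one wordlist entry that a rule-based attack
    tries: case changes, leet substitution, common suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def audit(accounts, wordlist):
    """Return {user: recovered_password} for every account the attack cracks."""
    candidates = [c for w in wordlist for c in mangle(w)]
    cracked = {}
    for user, salt, digest in accounts:
        for cand in candidates:
            if hash_pw(salt, cand) == digest:
                cracked[user] = cand
                break
    return cracked


def crack_rate(accounts, cracked):
    """Fraction of accounts recovered; the comment's 30% figure is this number."""
    return len(cracked) / len(accounts)


def accounts_to_lock(cracked):
    """The commenter's rule: lock anything you could crack yourself."""
    return sorted(cracked)


if __name__ == "__main__":
    found = audit(ACCOUNTS, WORDLIST)
    print(f"cracked {crack_rate(ACCOUNTS, found):.0%}: {found}")
    print("lock:", accounts_to_lock(found))
```

Three of the four constructed accounts fall to a four-word list with a handful of rules; only the random 12-character password survives, which is the point the comment makes about memorable passwords.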

  2. Re:Make or break software choices on VMware and Games? · · Score: 2

    Why not get VMWare for Windows, run Civ III on Windows native and run Linux under VMWare? That works just fine you know.

  3. Re:I want on Personal Finance Software for Unix? · · Score: 2

    I run Quicken 2000 under Wine. I do not use the Internet features. They require installation of real IE and the install program for that doesn't work under Wine. I run Quicken on a wine-only (no real Windows software installed at all) setup. There are problems with some dialog boxes because of font mapping problems. You can set fonts in the wine config file, but I haven't bothered. An AC seemed to think you were asking about QuickBooks (QB), but QB is not Quicken.

    Quicken 2000 probably runs perfectly under Wine if you have real Windows DLLs. Since real Windows DLLs means you really have Windows, you may as well run it under Windows instead of making yourself crazy.

    Wine is getting better and more solid literally every day. I use anonymous CVS and update it every few days.

    So, if you must have Quicken and must not have Windows, you can run it under wine, but it doesn't run everything, and it doesn't run perfectly. If you really need it all, you're stuck with Windows.

  4. Re:I'm a big Free Software fan but... on Software Glitches Cause Airport Delays in Britain · · Score: 2

    That's precisely what I meant by "software engineering."

  5. I'm a big Free Software fan but... on Software Glitches Cause Airport Delays in Britain · · Score: 5, Insightful

    Open Source isn't a magic bullet for this kind of thing. Software Engineering is the solution to this kind of thing, and no one has a monopoly on that. The amount of crap code in the Open Source world and proprietary world is, in my experience, roughly equal. (Actually, I think there is a bit more crap code in Open Source, but it doesn't get used much). The difference is that with Open Source/Free Software you know what you are getting and with closed/proprietary you don't.

  6. Re:Anything to get the students excited on Comic Book Physics · · Score: 2

    I agree. The class I'm talking about was more of a freshman physics survey class. We did these little engineering problems because the goal was to introduce physics and engineering. The only math prereq was pre-calculus. I was in no way operating at the level you're talking about.

    My point is that even people going for liberal arts degrees should be able to handle any basic application of F=ma. They should also understand the principles of experimental science (quantifiable, repeatable, controlled for variables, etc.). There is so much flim-flam out there and people buy it.

    Feynman's speech on "Cargo Cult Science" pegs the issues for me. We live in a scientific age in the sense that the science professionals have made staggering progress in understanding the universe, but the rest of us (and I guess I'm part of the rest of us) accept these discoveries as facts in exactly the same way we accepted the pronouncements of any other priesthood in history. When you are ignorant of the methods of science you can't do anything else. Since I am not so ignorant, I have some chance of judging claims of scientific fact. Not that I have a superconducting super-collider in my basement...

  7. Anything to get the students excited on Comic Book Physics · · Score: 3, Insightful

    One of the biggest issues I think our society faces is a lack of basic science. I don't mean a knowledge of facts. We've got plenty of that. Ignorance of the methods of science -- how to do science -- makes us uncritical acceptors of media manipulation.

    Anyone who can get someone to learn and do basic physics deserves respect and thanks. I had a teacher like this. He didn't use something so consistently systematic as comic book physics, but we did have a lot of fun doing calculations of pointlessly impossible experiments. I remember going over the calculations for the conversion of velocity to heat in a collision by calculating how fast you would have to throw a tomato at a brick wall to have it fully cooked on impact (never mind that you wouldn't be able to scrape enough of the result together to make a milliliter).

    I remember calculating if you spontaneously destructed the sun how much oatmeal you could cook (in cups).

    We also did some real physics, like designing a balsa wood bridge (everyone got the same materials with no rules on how you could use the materials) to take the greatest load. We did our vector math, we did our elastic collisions, we did our statics. We also did a lot of "frictionless monkey" problems.

    I loved physics and even though I ended up a programmer with a history major, I took away a love for and a basic knowledge of science.

    Teachers like this are the greatest resource in the world.

  8. Oracle deal on Slashback: Hagiography, Oracle, Fusion · · Score: 2

    I wish I could give this quote a correct attribution (I wish even more that I had said it originally): "It is morally wrong to allow ignorant end-users to keep their money."

  9. Re:This is fairly amusing... on Online News Stories that Change Behind Your Back · · Score: 1, Offtopic

    Okay, maybe I need to read the FAQ for this one too, but where does it say that Slashdot is "a Linux site?" I thought it was about stories of general interest to the "geek community," hence the articles on movies, science, books, game consoles, etc. IMHO the "anti-Microsoft" bent on Slashdot comes from the fact that a large part of the "geek community" hates Microsoft (I count myself in this category -- objectivity is a myth).

  10. Re:Read the Fucking FAQ on Online News Stories that Change Behind Your Back · · Score: 1, Troll

    Well, I stand corrected. Still, I read without moderation, so I see all the -1 comments. You can too.

  11. Re:This is fairly amusing... on Online News Stories that Change Behind Your Back · · Score: 1, Flamebait

    Moderating on Slashdot is not done by the operators of Slashdot. It is done by readers who post. I've been reading /. for a number of years now, and, yes, it is full of uninformed loudmouths. Guess what? The world is full of uninformed loudmouths. Some of them even support Microsoft. As far as story content goes, I see "Update" prefixing changes to articles on /. all the time. I can't say they always do this (I don't watch them that closely), but I see labeled updates enough that it seems to me they are making a good faith effort. As for content linked through /. articles, well, they are linked through. /. doesn't control other people's web sites.

    And what, exactly, is pathetic about posting 6 articles critical of Microsoft, unless some of them are demonstrably false? If they are, I would sure like to see you post the evidence, instead of simply being another loudmouth.

  12. Re:WTF?!?! on New Lighting Technology To Wipe Out Wi-Fi Access? · · Score: 3, Informative

    You obviously don't know much either. Incandescent and fluorescent lighting both "flicker" because they are powered by alternating current. Incandescent lights work by heating a wire so hot it glows white (that's what "incandescent" means). Fluorescent lights work by using high voltage to excite a gas. That gas emits UV light which strikes phosphor compounds on the inside surface of the tube. These compounds emit visible light when struck by UV (they "fluoresce," hence "fluorescent").

    Whether or not flicker is visible depends on the "persistence" of the phosphors and the cooling rate of the incandescent wire. They all flicker. The flicker is a result of the alternating current. Of course, you can use DC to make an incandescent bulb work. You can't do that with fluorescent lights because AC is required to keep high voltage coming out of a transformer (transformers only work with changing magnetic fields - put DC into them and you only get output voltage when DC comes on and again when it shuts off).

  13. Re:I don't get ... on MS Judge to Allow Demonstration of Modular Windows · · Score: 5, Informative

    Windows NT/XP was written to be modular. The whole thing is based around a microkernel architecture. You could turn Windows into Unix by replacing services. In theory, if the Hurd were further along, the nt/xp (whatever the hell MS marketing wants to call it this week) microkernel could run it and it would be the Hurd.

    Windows IS modular, their claims notwithstanding. What microsoft has consistently tried to do is add APIs and then to insist that this is part of the operating system. This is how they "embrace and extend." It is only true to the extent that they can get ISVs to start using these APIs. This is why IE suddenly replaced Netscape in Quicken 2000 -- they got Quicken to swallow the new web integration APIs (and, IMHO they simultaneously screwed up and slowed to a crawl one of the best Windows apps out there).

    These claims depend on what your definition of "Windows" and "Operating System" are.

    All of that said, I don't think a modular Windows will do a bit of good in restraining Microsoft's outright criminal manipulation of the marketplace. I actually agree with the original breakup plan because I do not think the state should have a right to seize intellectual property (force open APIs or source code). I think they should just keep financially and structurally beating up Microsoft until they finally decide it is not worth it to remain in defiance of the law. I am a big believer in property rights, given that they back both MS and the GPL.

  14. Looking forward to the discussion on New Bill Would Restrict Sale of Video Games to Minors · · Score: 2

    I'm looking forward to seeing the discussion on this one. I'm a 35-year old longtime geek. I like this idea. I think between cable, satellite, video games, and the rest of the mass media assault, children have no childhood anymore. I'm of the opinion that children are not little adults and that while, indeed, many 15 year olds are fully mature, rational, ethical beings, many are not.

    That said, it has also been 20 years since I was 15, and I really don't know how I would have felt then.

    I think society has not only a right, but also an obligation to provide a healthy environment for the development of children into well-adjusted adults. To do so, we are forced to make some somewhat arbitrary decisions. We have the drinking age, the driving age, the age of majority. Why not similar limits on "toxic" media?

    Now here's the funny thing. I think violence should be limited, and certain exploitative kinds of pornography, but not all. I think children at the mature end should be allowed to see sexual material that depicts adult sexual relationships based on mutual love. I don't see how that would be unhealthy. A world with more passionate kisses and fewer gun battles would be a better world indeed.

  15. Re:patent on The Magic Box Hoax · · Score: 2

    My old man was an electrical engineer. He and a ham radio buddy of his wrote a complex and detailed article about the problem of spectrum congestion. They suggested using the negative frequency spectrum (a joke, obviously). They included diagrams showing how you bury your yagi and stick the ground rod up in the air. It was very geek funny.

    Personally, I have always wanted to write a detailed RFC for implementing ARP on smoke-signal links. Someday when I have nothing to do...

  16. Re:Another reason on Another Reason to be Annoyed by Cell Phones · · Score: 2

    Hey, I'm a radio amateur, not a physicist! I thought the whole body resonance phenomenon WAS the kinetic interaction. I stand corrected. I also stand by the rest of the post (danger of high-power RF even at 1-3 meter wavelengths, and the relatively low risks of low-power cell phone RF when compared to common risks we face every day), but since you also stand by this, I don't know why I say it ;-).

    The quote was from a physicist talking about the "dangers" of powerlines, but I like the quote because it is all about putting risk in perspective: "Standing in direct sunlight complaining about the radiation from power lines is like calling your neighbor during a hurricane to complain that his cat is breathing on your tree." Don't remember the chap's name. Good quote, though....

  17. Re:Another reason on Another Reason to be Annoyed by Cell Phones · · Score: 2

    Good Lord! You stand right next to that FM radio antenna and tell me it doesn't hurt! It will burn your ass. I guarantee it. That's why they put them way up on those big-assed towers (well, they put them up there to get more range too, but believe me, it is for safety too). Radio technicians have burned the shit out of their hands by having the final stage of a commercial transmitter key up by mistake.

    It's all photons, folks. There are only two effects photons can have. One is kinetic (heat), caused when the photon strikes matter and imparts its energy kinetically. The other is when the photon is absorbed and it breaks an electron loose from a molecular bond. This is an ionic effect, and it is much more dangerous because it makes permanent chemical changes. It takes ultraviolet frequencies and higher to have ionizing effects. Microwaves are nowhere near this level of energy. In fact microwaves are much farther from UV than the AM band is from microwaves.

    By Planck's law, the higher the frequency (shorter wavelength) the greater the energy of the photon. The frequency to "whole-body length" issue has to do with the probability that a given photon will react with the body. When we talk about the "wattage" of a transmitter, we are talking about how many photons per unit time the unit emits.

    In terms of direct effect, the only ones we know about are the kinetic and ionic. As a mildly educated person, I don't see how cell phones can really harm us, unless photons have some effect we don't know about.

    The open question is whether there are unknown effects. The heating caused by RF is internal: rather than heat outside the body leaking in and warming tissues, the internal tissues are heated directly. Maybe this has biological effects we don't know about. Non-natural RF has only been around for about 100 years, and it has only become ubiquitous in the last 50, and "man portable" equipment has only become ubiquitous in the last decade and a half. These exposures are too new to have had effects that would show up in morbidity and mortality statistics. For this reason, the FCC quite recently implemented exposure guidelines that are designed to prevent exposure to any RF that can cause a measurable change in tissue temperature. They figure (sensibly enough) that if the radiation has no effect we can measure, then it is less likely to have any effect we can't measure.

    As risks go, your cell phone is probably pretty danged low. Certainly orders of magnitude lower than cigarettes and Big Macs. If you are eating Oreos while worrying about cell phone radiation, you need to reassess your priorities.

    If you are unafraid of Oreos, you should probably be unafraid of your cell phone too.

  18. Re:Read Life of the Cell on Mars Exploration Must Consider Contamination · · Score: 2

    Sinclair Lewis wrote "Babbitt." Ricki Lewis edited "Life," which is, I think, the book you are talking about. Your statement shows a bit of a misconception.

    Virulence shows an organism poorly adapted to its host organism. When a disease is highly lethal and highly infectious, it is almost certainly new to the population. Earlier posters remembered that a European disease wiped out whole tribes of Indians after first contact. The disease was smallpox. Smallpox was a serious disease in Europe, but it was endemic. At a time when the "bad smell" theory of disease still had sway, smallpox killed only about 10% of the people it infected in Europe. Smallpox had been in Europe for many hundreds of years by that time.

    When smallpox was introduced into a human population that had never been exposed to it (native central Americans), it killed over 90% of the hosts it infected. We evolve too. The 10% who survived to have children probably had children who could survive smallpox. It's not that simple, but in principle that's what happens.

    It is NEW infections that are most likely to be devastating.

    A highly infectious disease that kills its host rapidly tends to disappear of its own accord. Hosts must be close enough to one another to infect another host before the organism kills the host. If it kills too quickly, the population dies out and there are no more hosts close enough to infect before the host dies.

    The odds that a microorganism from another biosphere would be infectious to humans are probably very small. But if it were, the chance that it might be devastating in its effect is probably fairly high.

    Anyways, my point is your statement "Earth's bacteria and plagues have been evolving for billions of years just to kill Earth organisms," is fundamentally wrong. Earth's bacteria have been evolving to survive longer and reproduce more. Diseases that kill their hosts and do it quickly are NOT successful at this. Diseases that spread easily but merely inconvenience their hosts are enormously successful (the common cold springs to mind). So I do not think your reason is a sound one for being unconcerned about mars germs. There probably are many reasons to be unconcerned, but the notion that "they haven't learned how to kill us" isn't one of them.

  19. Re:Scanning Tools are like hammer drills... on Employees Are The Biggest Security Threat · · Score: 2

    Again, I do not disagree with you. Your reasons are sound. I don't fully agree with them, but it is not because your position is unreasonable. I have worked for too many places where the people responsible for systems security were far too ignorant to understand the issues. They would merely forbid any scans, sniffers, and "shareware" and then they would assume they were secure. They would issue policies and do very little to actually close the holes. They would, in particular, ignore the ever growing toolsets of the script kiddies.

    This has been particularly true in small shops, where the admins never felt compelled to acquire the right skills, and in very large shops where the administration was in cliques divided on technology lines, and certain cliques (without naming names, I'll say the big iron and the Windows PCs) just ignored the other group's cries about network security.

    My attitude is conditioned by these experiences. I will say the situation seems to be getting better. I think it is finally sinking in through the industry that this is an important issue.

    In your response, I'm particularly heartened by your statement: "But on an Internal WAN, I have no problem recommending the termination of any employee running unauthorized scans of hosts outside of their direct responsibility." This shows you are thinking flexibly about the issue. It was the absolute nature of the original statement I took exception to.

    I think it is a capital mistake to assume that one is fully capable of finding holes on one's own, and that no one else will find a flaw one has not found oneself.

  20. Re:Scanning Tools are like hammer drills... on Employees Are The Biggest Security Threat · · Score: 2

    I don't disagree with this per se. I've been a software developer for 15 years. I write software that provides services over networks. I should not be prevented from attacking my programs using the same tools outsiders would use. No offense, but not everybody with your job is as competent as you are. I have worked under "security officers" who consistently confuse ARP and RARP, and who don't care about anything except their firewall.

    My take is merely that any notion that saying "I forbid your use of a pneumatic hammer" prevents someone using one. It lets you terminate them for it, which is admittedly a disincentive, but still...

    I think a properly set up network will mitigate most of the issues you offer up.

    1. Production systems should not be routed to by non-production internal networks. Access to production networks should be through authenticated proxies only.

    2. I would argue that any legacy system that reacts badly to being scanned is in itself a security hole and should be isolated as much as possible. I would make it a priority to reengineer any production processes running on such systems.

    3. You are right. Nobody needs 1,000 identical tool X reports.

    4. Again, your production systems should be non-routed from your internal network. You should be able to largely isolate intrusion detection logs from your production networks, your internal networks, and external networks. I do this at home, and it works well.

    5. By this, all you are saying is it makes your job harder. I can sympathize.

    6. How does forbidding scanners prevent this?

    7. How does forbidding scanners prevent this? How do you know any of your tools don't do this right now (unless you are using open source tools and auditing them yourself?)

    8. Yes, because he understands there is something called "accounting" that will eventually find him and send him to prison for a long, long, time. This is precisely the same coercion that your "no scans" edict has.

    9. So does "ping." Do you forbid "ping?" Do you take the socket library off your IS development machines?

    10. Do you assume this is NOT happening? If you do, how does that assumption enhance your security? My argument is merely that policy is NOT security. Any pretense that it is is an illusion.

  21. Real security on Employees Are The Biggest Security Threat · · Score: 4, Insightful

    It saddens me to read this:

    The removable memory cards inside the devices could be used to bring in software that looks for vulnerabilities on a company's internal network.


    Just how exactly does it improve the security of your systems to punish employees for exposing flaws? This guarantees that the only people scanning for vulnerabilities are outsiders and insiders with evil intent. Give scanning tools to employees and offer to pay them a bonus for reporting problems!

    There is so much wrongheaded thinking out there, it is no wonder to me that security problems remain so numerous.

  22. Re:The end of cryptographic research looms on Quantum Cryptography In Action · · Score: 2

    That's what I meant. It solves the key distribution problem by allowing the key to be sent in such a way that no third party can intercept it. The basic problem with the classic one-time pad is that the pad might be intercepted and copied in transit. They take all sorts of measures to prevent this: Multiple couriers, self destructive carriers, tamper-proof packaging (so that the fact that a key has been read cannot go unnoticed), etc.

    The difficulty and expense in using one-time pads is in this need to secure the sharing of the keys. If, as the article suggests (and believe me, I'm no expert in quantum crypto, nor do I claim to be one, but I do have some security and crypto knowledge), quantum cryptography provides a means to do all of this key exchange safely "in the open" as it were, it gets rid of the biggest barrier to using the technique.

  23. Re:The end of cryptographic research looms on Quantum Cryptography In Action · · Score: 2

    We have always had "uncrackable" codes. Any key-based cipher that uses truly random keys that are used exactly once is unbreakable. This is a so-called "one-time pad." So long as the keys are kept secret and the keys are truly random, and each key is used exactly once, there is no way to break the cipher. The nuclear "go" codes are one-time pads. It is a perfect crypto system. The cipher doesn't even have to be particularly strong. Why? Because the key is random and used only once, and a given ciphertext can be tried against any given key, resulting in a given clear text. Since the key was truly random, there is no way to know which "clear text" is correct.

    For example, assume the cipher text is "TTYM". You try one candidate key and the clear text is "KILL". You try another and the clear text is "LIVE". There is no way to know which is correct, or if either one is correct.

    If the key is used twice, suddenly you are not perfectly secure. If a given candidate key results in the first message clear text of "LIVE" and a second message using the same key decrypts as "GRBL", you probably have the wrong key. If, however, you get "KILL" and "SHIP", you have a more probable correct key. The more messages sent with the key, the more likely the recovery by an attacker (that is to say, the more confidence the attacker will have that a candidate key is correct). The only issue is key management. In fact, key management is the big issue with any crypto system.

    Quantum cryptography merely offers an easier to use and manage "perfect" crypto system than a one-time pad. It isn't one whit more secure.
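
The TTYM / KILL / LIVE argument and the key-reuse case from the comment above, worked as an added example (not the commenter's code). The pad is a letter-wise shift mod 26 so that the comment's letter strings can be used directly (over bytes the same construction is XOR); the function names and the key values are assumptions. It shows the two halves of the comment: for a single-use key there is a valid key behind every candidate plaintext, so the ciphertext proves nothing, and as soon as a key is reused the key cancels out of the difference of the two ciphertexts, so guessing one message yields the other.

```python
"""Letter one-time pad (shift mod 26): perfect secrecy with a single-use
random key, and what leaks when the key is reused.

Added example, not the commenter's code. TTYM, KILL, LIVE and SHIP are
taken from the comment; the cipher form and names here are assumptions."""
import secrets
import string

ALPHA = string.ascii_uppercase


def _i(ch):
    return ALPHA.index(ch)


def _shift(a, b, sign):
    # Letter-wise (a + sign*b) mod 26 over two equal-length strings.
    return "".join(ALPHA[(_i(x) + sign * _i(y)) % 26] for x, y in zip(a, b))


def random_key(n):
    # Single-use key from the OS CSPRNG; the random module is not suitable.
    return "".join(secrets.choice(ALPHA) for _ in range(n))


def encrypt(plaintext, key):
    if len(key) < len(plaintext):
        raise ValueError("pad too short: never stretch or reuse it")
    return _shift(plaintext, key, +1)


def decrypt(ciphertext, key):
    return _shift(ciphertext, key, -1)


def key_explaining(ciphertext, candidate_plaintext):
    """The key under which ciphertext decrypts to candidate_plaintext.
    One such key exists for EVERY candidate of the right length, so the
    ciphertext alone cannot tell KILL from LIVE."""
    return _shift(ciphertext, candidate_plaintext, -1)


def plaintext_difference(c1, c2):
    """With a reused key the key cancels: c1 - c2 == p1 - p2 (mod 26)."""
    return _shift(c1, c2, -1)


def recover_other(c1, c2, guessed_p1):
    """Key-reuse attack: guess one message, recover the other.
    p2 = p1 - (c1 - c2), since c1 - c2 = p1 - p2."""
    return _shift(guessed_p1, plaintext_difference(c1, c2), -1)


if __name__ == "__main__":
    # Perfect secrecy: both candidates are explained by some key.
    print(key_explaining("TTYM", "KILL"), key_explaining("TTYM", "LIVE"))
    # Key reuse: whatever the key, the second message falls to a guess.
    k = random_key(4)
    c1, c2 = encrypt("KILL", k), encrypt("SHIP", k)
    print(recover_other(c1, c2, "KILL"))
```

`key_explaining` is the attacker's view of a single message: every candidate plaintext is equally consistent with TTYM. `recover_other` is the attacker's view once the pad has been used twice: the candidate that decrypts both messages into words (KILL and SHIP rather than GRBL) is the one the comment calls "more probable", and here the guess recovers the other message outright.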

  24. Re:Reviewing the review... on Lycoris - Linux for the Masses? · · Score: 2

    The grandkids have laptops, gameboys, and PS-2s (Sony, not IBM). No PC that sells for $500 (even without the Windows tax) is going to be a decent machine for today's games. I don't think this applies. My mother-in-law will never be bleeding edge... Maybe your mother-in-law is hipper than mine...

  25. Reviewing the review... on Lycoris - Linux for the Masses? · · Score: 5, Interesting

    Based on what I see in the review, it does indeed look like they've done a good job producing the "anti-geek" Linux distro. I never thought there was any reason not to use Linux as a desktop OS, but I have always thought that the best qualities of Linux (no central control and ownership) were also the reasons it would not succeed on the desktop: No marketing, no power to challenge the Microsoft OEM stranglehold.

    The most interesting aspect to me was that they sell cheapish desktops and laptops preinstalled with their distro. There are other Linux preinstallers, but most of them seem to aim at the geek mainstream or the server business.

    There is no reason Linux can't be a major desktop player technically or practically, but the marketing muscle has always been absent. Lycoris may be a great product, but I don't see where it changes anything on that marketing power front.

    Still, I may just buy their cheap desktop for my technophobe mother-in-law who doesn't know Windows or Linux. I will bet she will have no problems using the machine and will never ever wish she had Windows, or even really know that she isn't using Windows.