For example, I know one bow hunter in a rural area who had to deal with a problem bear in his yard.
One shot, immediate drop.
People who know bears and guns wouldn't expect results that fast from shooting a bear with a gun.
>haven't there been sensationalist reports like this for the last 40 years?
So look at the science and ignore the sensationalist reports. They're not sitting around speculating, they're measuring sea ice. Use your own critical thinking skills too. How much evidential weight should a Fox News opinion piece get that doesn't have a link to the report it talks about?
>Imagine organized crime with a database on you similar to what the major credit tracking sites have.
It would be easy for them. How much does a "market research" firm cost to buy outright? How much money could a big crime syndicate muster?
Reminds me of Bruce Schneier talking to Verisign about how much it would cost an attacker to compromise their ultimate root certificate. If all else failed, they figured that a $15 million down payment would swing a leveraged buyout of Verisign.
>Security is hard to get right because you have to get *everything* right.
>Make one mistake and you've got no security.
We're used to thinking that because good security design is so rare. Imagine if all ships and boats were guaranteed to sink the instant a hole opened in the hull. Good design contains failures. Maybe, just maybe, UCLA's database had a view that left out the SSNs and that almost all users were required to use. Anyone seriously think they did it that way? Not to mention how long it took to notice the breach.
Yes, should be the default, but you can't even get a security freeze unless you live in a state that forces the credit bureaus to do it. California is one.
It should be illegal to treat the SSN as proof of identity anyway. What kind of password has the following properties?
o Less than a billion possible values
o Part of it based on your place of birth
o You're required to disclose it to dozens or hundreds of places
o Any credit-granting company can order a report and look at it
o It never changes
A while back, right here on Slashdot, a porn hosting webmaster posted a relevant comment.
Every now and then, somebody would set up a website on their system and upload kiddy porn.
He tried being a good citizen and reporting it. Several times. The authorities didn't follow up, they simply made angry threats to arrest him.
His company now silently deletes kiddy porn sites.
Playing devil's advocate, though, how is this proposal different from the existing legislation that requires health care providers to report suspected child abuse?
Did you notice that guy's username?
What is "sad and funny" about catching a program that uses the same techniques as malware, techniques which are outside the range of normal software, and flagging it as potential malware?
It's also annoying to see a firewall listed as a failure because it's a firewall and not a host-based IDS.
I'd also argue that the host-based IDS programs are being sold for a purpose that is not their best use. Once a system has malicious software on it, expecting a process on the same machine to protect you and itself is, um, optimistic. Sure they try to defend themselves but that puts them on the wrong side of an arms race.
What they're best for is monitoring and control of "legitimate" software. I have Zone Alarm set to prompt me every time a program tries to run IE6, and to block media players from phoning home to whisper about what I'm watching.
It might be cheap:
>OUM requires fewer steps in an IC manufacturing process resulting in reduced cycle times, fewer defects, and greater manufacturing flexibility.
>a process that deviates little from a basic CMOS logic flow.
I get nervous about people who make claims like
>the OUM memory state can be written more than 10 trillion times
unless they've tested it to a trillion cycles, which is just possible.
Anyone else nervous that they didn't say anything like "write time N nanoseconds"?
>a user's Web browser would identify passwords and other sensitive information when keyed into HTML forms on Web pages. When those passwords are in- put into a new site, that incident would be reported to a server. If the server detects an unusual number of logons to the new site, it could send out a signal that the site should be investigated for a phishing scam.
Why compromise people's surfing privacy to get a delayed warning that you should start an investigation of a phishing site that will be gone in a few days?
Why not
o Cache, on the client, a list of triples of hashed passwords (please salt them this time), public keys of the sites the passwords go to, and expiration dates of the public keys.
o For each use of password in browser, extract public key of destination site and if (key != storedkey(hash(password)) && !expired(storedkey(hash(password)))) { block_transaction(); alertuserandofferoverride(); }
Optional: report the incident to a server at some place that has a good working relationship with law enforcement in Romania
Optional: have a backup check that suppresses the alert if the destination is in the same "class C" to allow for server farms but catch redirects to weird phishy countries. Just a heuristic.
Add a wrinkle for the case of people using the same password on multiple sites. It still works, the phishing site won't be in the list of sites that go with the given password.
Which is no more than what ssh has been doing for, how many years now?
Maybe I should write a browser plugin as a publicity giveaway.
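The cache-and-compare logic in the comment above, worked through as an added example (not the poster's code, and not any browser's): a salted, slow hash of the password keys a set of site keys it has been sent to, each with an expiry. The "site key" is assumed here to be a SHA-256 fingerprint of the server's public key, taken from its TLS certificate, with the certificate's expiry as the key's expiry. It also handles the wrinkle of one password used on several sites: a second legitimate site is blocked once, the user overrides, and from then on that password is bound to both keys while a third, unknown key is still refused. The clock is injectable so the expiry branch can be exercised.

```python
import hashlib
import os
import time


class PasswordSiteBinder:
    """Client-side cache: salted password hash -> {site key fingerprint: expiry}.

    Hypothetical example modelled on the comment above. Nothing leaves the
    client; the check is the same trust-on-first-use idea as ssh's known_hosts,
    keyed by password instead of by host name.
    """

    def __init__(self, salt=None, now=time.time, iterations=10_000):
        self.salt = salt if salt is not None else os.urandom(16)
        self.now = now                # injectable clock (epoch seconds)
        self.iterations = iterations
        self._bindings = {}           # hashed password -> {fingerprint: expiry}

    def _hash(self, password):
        # Salted and deliberately slow: a stolen cache must not yield passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self.salt, self.iterations)

    @staticmethod
    def fingerprint(public_key_der):
        # Assumed site identity: SHA-256 over the server's DER public key.
        return hashlib.sha256(public_key_der).hexdigest()

    def bind(self, password, site_fp, key_expiry):
        """Record that this password legitimately goes to this site key.
        Called automatically on first use, or explicitly on a user override."""
        self._bindings.setdefault(self._hash(password), {})[site_fp] = key_expiry

    def check(self, password, site_fp):
        """'first'    never seen this password: trust on first use
           'ok'       this password has gone to this key before
           'expired'  every known key for this password is past its expiry
           'mismatch' password is bound to a live key that is not this one"""
        known = self._bindings.get(self._hash(password))
        if not known:
            return "first"
        if site_fp in known:
            return "ok"
        if any(expiry > self.now() for expiry in known.values()):
            return "mismatch"
        return "expired"

    def submit(self, password, site_fp, key_expiry):
        """Hook for form submission. Returns (allowed, verdict). A mismatch is
        blocked and not bound; the caller alerts the user and may offer an
        override, which is just an explicit bind()."""
        verdict = self.check(password, site_fp)
        if verdict == "mismatch":
            return False, verdict
        self.bind(password, site_fp, key_expiry)
        return True, verdict


if __name__ == "__main__":
    # Constructed demo: same password on a bank and a shop, then a phishing site.
    binder = PasswordSiteBinder()
    bank = PasswordSiteBinder.fingerprint(b"bank-public-key-der")
    phish = PasswordSiteBinder.fingerprint(b"lookalike-public-key-der")
    expiry = time.time() + 86400 * 365
    print(binder.submit("hunter2", bank, expiry))    # (True, 'first')
    print(binder.submit("hunter2", bank, expiry))    # (True, 'ok')
    print(binder.submit("hunter2", phish, expiry))   # (False, 'mismatch')
```

The "expired" branch exists so that a legitimate key rollover after the old certificate lapses does not leave the user permanently locked to a dead key; a rollover before expiry still trips the alert, which is the correct conservative behaviour for a check like this.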
And quite an elegant one which eschews signatures in favor of detecting something that every rootkit simply has to do.
It also got publicized quite some time ago, so I wonder why we're hearing about it now as though it were something new.
Basically you run some deliberately naive system scan, easily fooled by a rootkit, and compare the results to the same scan run from a live CD. If a rootkit is hiding something then the two are different.
I can imagine ways a rootkit could avoid this but none are easy:
o Detect the Ghostbuster scan and report honestly to it but not to anything else, hoping that nobody will notice one extra file with a cryptic name in the system32 directory. This reduces the effectiveness of the rootkit and puts the rootkit author on the wrong side of an arms race if Ghostbuster scans start changing.
o Be strictly dynamic, not hiding any files, just processes. That puts the rootkit author in the lousy position of having to hide a malicious file in plain sight. Again the rootkit's effectiveness is much lower.
o BIOS level rootkitting: take control from code in a flashable adapter card before the CD boots. As far as I know, nobody's ever built one of those (of course we wouldn't know about it for quite a while).
Still, it's hard to see the functional improvement over Tripwire on a live CD.
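The same cross-view idea applied to processes rather than files, as an added example (not the tool the comment describes, and not any published detector). The naive view is the directory listing of /proc, which is exactly what a rootkit patches; the second view asks the kernel about every possible PID directly with kill(pid, 0), which answers ESRCH for no such process and EPERM for a process that exists but belongs to someone else. Two things a practitioner has to handle are built in: PIDs that simply started between the two scans (a second naive listing removes them) and thread IDs, which answer kill() but never appear in /proc's listing and are not hidden processes. The comparison itself is a pure function so it can be checked on constructed views; the live scan is Linux only and is an assumption about the kernel interfaces, not something the comment specifies. A rootkit that also hooks kill() defeats this, which is the arms race the comment describes.

```python
import os
import sys


def listed_pids():
    """Naive view: what a plain directory listing of /proc claims exists."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid):
    """Second view: probe every PID. kill(pid, 0) sends nothing; ESRCH means
    absent, EPERM means present but not ours."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def is_thread(pid):
    """Thread IDs answer kill(tid, 0) but are not listed in /proc; their
    Tgid differs from their own id. Unreadable status is left as suspicious."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def hidden_items(naive_view, trusted_view, naive_view_again=None):
    """Core cross-view check: present in the trusted view, absent from the
    naive one. A second naive snapshot taken after the probe drops items that
    merely appeared between the two scans."""
    candidates = set(trusted_view) - set(naive_view)
    if naive_view_again is not None:
        candidates -= set(naive_view_again)
    return candidates


def scan(max_pid=None):
    """Live check (Linux). Probing up to pid_max takes a few seconds."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    return {p for p in hidden_items(before, probed, after) if not is_thread(p)}


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("live scan needs Linux /proc semantics")
    hidden = scan()
    print("hidden PIDs:", sorted(hidden) if hidden else "none")
```

For files the analogous second view is the offline one the comment names (the live CD), because a file listing survives a reboot and a process list does not; the diff logic is identical.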
Pests?!
They eat cockroaches. Treat them like the Egyptians treated the cats around their granaries.
Thermal cycles, startup power surges, spinup current draw on the disk drive, that kind of thing.
The opposing school of thought is that failures are the result of heat times time and that a powered-up system is therefore slowly dying every minute it's on.
Address layout randomization tackles the problem of a process that already has privileges getting some foreign code stuck into it via a stack overflow or similar exploit. Normal memory protection doesn't help, because the process already has access to memory. But the exploit code has never been linked with the rest of the system, so it either has to know exactly where everything is, or know almost exactly and use a NOP slide, or else guess and usually crash as a result.
An attacker could submit thousands of shellcode attempts with different assumptions about memory layout until one finally worked, but (1) many people will notice when a daemon restarts several thousand times, and (2) there may be a limit on how often the OS will restart a crashed daemon (Microsoft is about to add such a limit, for example).
Sandboxing IE is such a huge improvement that they could make the rest of the system worse than XP and still come out ahead.
>our blind devotion to global warming
Straw man arguments do not lead to good policy decisions.
>we simply don't know
There could be no better argument for avoiding large-scale experiments, then. But we do know that CO2 levels are rising, that it's not coming from living organisms, and that the pattern of change (warmer lower atmosphere, cooler upper atmosphere, warmer nights) matches the effects physics says to expect from CO2.
>So much for post-modern, secular humanism, eh?
Straw man arguments do not lead to good policy decisions.
>The earth has been around 6 billion years, give or take
4.5 billion.
>now we're to believe that somehow earth's perfect harmonial environmental equilibrium, which never ever existed in the first place, is being upset by man?
Straw man arguments do not lead to good policy decisions. Neither do non sequiturs: none of the big excursions in the geological record happened while we were trying to feed six billion humans with climate-sensitive crops. Or had hundreds of millions of humans living within a few meters of sea level.
>When I see a Monday night football game in Seattle in November, and there's snow on the ground
A dry day in Seattle doesn't mean the climate is dry. A rainy day in Tucson doesn't mean the climate is wet. The fact that there was a cold day in winter in one place is not climate data. Confusing weather with climate, like the media do when they yammer about a heat wave during a climate change conference, is stupid.
They're dialing back predictions of human impact by 25%. That is less than the known uncertainties in the range of possible predictions.
Then, the revised forecast includes one scenario of a 4.5 degrees C rise in average global temperature. That's still well into the severe range.
Inviting the question, even if you trust them with your credit card numbers, and trust all their employees, do you want to bet that there won't be a security breach on one of their servers?
This is a serious limitation of SSL on commodity operating systems, by the way. IE's list of trusted root certificates is simply entries in the registry. Even if you're part of the infinitesimal fraction of users who knows what a CA cert is and where to look for them, how can you do a security review on all 39 of the root certificates that come with Firefox, or spot a new unwanted one? (One of those root certs is from AOL, by the way). If you trust the Mozilla foundation to audit the security and practices of each and every one, do you have the same trust in a proprietary browser's developers? Even assuming the developers make the decision instead of the marketers?
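The check a practitioner would want for the "spot a new unwanted one" problem above, as an added example (not from the comment, and not Mozilla's or Microsoft's tooling): fingerprint every root the local OpenSSL store hands to Python, save that as a reviewed baseline, and on later runs report roots that were added or removed. Assumptions: this reads the OpenSSL default store that Python uses, not Firefox's NSS store or the registry entries the comment mentions, and OpenSSL only has in memory the roots it loaded from a bundle file, so a hashed-symlink certificate directory will be under-reported. The two get_ca_certs() calls are assumed to walk the store in the same order; if their lengths differ the code keeps the fingerprint and drops the label rather than mislabel a root.

```python
import hashlib
import json
import os
import ssl
import sys


def trust_store_snapshot():
    """{sha256 of DER: (subject label, notAfter)} for every loaded root."""
    ctx = ssl.create_default_context()
    ders = ctx.get_ca_certs(binary_form=True)
    infos = ctx.get_ca_certs()
    if len(infos) != len(ders):          # assumption about ordering failed
        infos = [None] * len(ders)
    snapshot = {}
    for der, info in zip(ders, infos):
        fp = hashlib.sha256(der).hexdigest()
        label = None
        if info:
            # subject is a tuple of RDNs, each a tuple of (type, value) pairs
            names = [v for rdn in info["subject"] for k, v in rdn
                     if k in ("commonName", "organizationName")]
            label = (" / ".join(names), info.get("notAfter"))
        snapshot[fp] = label
    return snapshot


def diff_snapshots(baseline, current):
    """Roots present now but not in the reviewed baseline (trust nobody signed
    off on), and roots that have disappeared since the review."""
    added = {fp: current[fp] for fp in current.keys() - baseline.keys()}
    removed = {fp: baseline[fp] for fp in baseline.keys() - current.keys()}
    return added, removed


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def save_baseline(path, snapshot):
    with open(path, "w") as f:
        json.dump(snapshot, f, indent=1, sort_keys=True)


if __name__ == "__main__":
    # Usage: python trustdiff.py baseline.json  (first run writes the baseline)
    path = sys.argv[1] if len(sys.argv) > 1 else "trust-baseline.json"
    current = trust_store_snapshot()
    if not os.path.exists(path):
        save_baseline(path, current)
        print(f"reviewed baseline written: {len(current)} roots")
    else:
        added, removed = diff_snapshots(load_baseline(path), current)
        for fp, label in added.items():
            print("ADDED  ", fp[:16], label)
        for fp, label in removed.items():
            print("REMOVED", fp[:16], label)
        sys.exit(1 if added or removed else 0)
```

The non-zero exit on any change is deliberate: the point is that nobody notices a new root unless something fails loudly, so this belongs in a scheduled job or a configuration-management check rather than something run by hand.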
>You know what stops genocide? Functioning governments
Considering cases such as the US government and the native Americans, the Soviet government and the Ukrainians, the Turkish government and the Armenians, and the example that's too hackneyed to mention, it seems that effective governments are a risk factor for genocide. Even the apparently anarchic Rwandan genocide started with government-sponsored pogroms.
>Ditto for Darfur
The government of Sudan has been very strict about not allowing reporters into Darfur.
>education is our salvation. This was a very popular belief in the mid-1800s
1800s, and even earlier. The Massachusetts Education Act of 1647 established schools partly for fear of the results of ignorance.
Scientists work hard, harder than you probably realize, and what do they do with their results? They give them away to the entire world in journal articles.
But then, everything the scientists built on was published by previous scientists.
Everybody winds up better off than they would if someone were to impose artificial scarcity on knowledge in order to make it work more like a naturally scarce resource such as land.
"I'm feeling truthsome": Malcolm Reynolds to Inara.
Making sure you really know where the low point of the plumbing is.
As a followup, pour antifreeze into drains so that the traps don't freeze.
Given the brains some of them display, that would be specifically vacuum tubes.