I assume that you can copy and paste, so apparently the article has been updated. It now reads: "On some systems, the server will check a cryptographic signature on a token...".
But the answer to your question is yes, it matters. When the place it fails to match changes, this information is leaked by the response time. This is how an attacker extracts information from random guesses.
You know, attitudes like yours are IMHO the root of all that's wrong with computers today. And I'm saying that as a programmer, not as Jane Grandma. The whole idiotic OCD idea that you _must_ make up rules about everything, and that your rules are more important than what people are actually trying to do. The idea that if even someone's name doesn't fit "your" database, then you can just brush them off and have a beer.
Your message is more than 140 characters long, and doesn't fit in my database.
> it can be a small problem, I think, when "non-random" sequences are removed from possible random number generations. [...] it may take a fair slice out of the available keyspace
This is true, and could be a problem if everyone's PIN were randomly generated. Since most PINs are selected by users and conform to a known, decidedly non-uniform distribution, this actually makes sense. If it's known that e.g. 1234 is over-represented in the pool of PINs, that would be one of the first ones an attacker would try. Therefore, it makes sense to filter that out. But note that it's the over-representation of the PIN and the fact that attackers are aware of this skew that makes it worth avoiding, and not anything inherently insecure about "runs" or "pairs".
GP is probably referring to things like address randomization, which make many types of vulnerabilities harder to exploit. I think Matasano Chargen has a good writeup if you're interested in more.
Absolutely. I find myself using most of my moderator points marking posts as off-topic. A reply (even an insightful, informative, funny one) to an off-topic comment is itself off-topic. I've even considered saying so in my sig. And yes, I am aware of the irony of posting this, as it has nothing to do with rats or cables.
Totally. My home machine came with ME. I wiped it and replaced it with 2K. It was my primary machine until I got a laptop last year, and I never had a single problem with it for 8 years. I'd still use it, but the hardware gave out a few months ago.
In cases like that, it is better to have a distinctive set of characters for Google to find (a process I call 'kiboing').
In stark contrast to Microsoft, who insist on naming new technologies after top level domains. When do you think they'll come out with a management tool called.Org?
But Stephenson's style tries my patience. His books have gotten successively less fun to read. He clearly did a lot of research, but he bludgeons you with it instead of just letting it improve the story.
Slashdot Mirror
Of course you don't have a driver - you bought a $35,000 car.
I assume that you can copy and paste, so apparently the article has been updated. It now reads: "On some systems, the server will check a cryptographic signature on a token...".
But the answer to your question is yes, it matters. When the place it fails to match changes, this information is leaked by the response time. This is how an attacker extracts information from random guesses.
You know, attitudes like yours are IMHO the root of all that's wrong with computers today. And I'm saying that as a programmer, not as Jane Grandma. The whole idiotic OCD idea that you _must_ make up rules about everything, and that your rules are more important than what people are actually trying to do. The idea that if even someone's name doesn't fit "your" database, then you can just brush them off and have a beer.
Your message is more than 140 characters long, and doesn't fit in my database.
> it can be a small problem, I think, when "non-random" sequences are removed from possible random number generations. [...] it may take a fair slice out of the available keyspace
This is true, and could be a problem if everyone's PIN were randomly generated. Since most PINs are selected by users and conform to a known, decidedly non-uniform distribution, this actually makes sense. If it's known that e.g. 1234 is over-represented in the pool of PINs, that would be one of the first ones an attacker would try. Therefore, it makes sense to filter that out. But note that it's the over-representation of the PIN and the fact that attackers are aware of this skew that makes it worth avoiding, and not anything inherently insecure about "runs" or "pairs".
Well, here's one from 5 days ago. I think he beat you.
Either the FBI are wrong, or the article summary is.
The summary is wrong? That's unpossible!
they come here for (sometimes) informative, enlightened, or humorous discussion of the article and related topics.
I come here for the depressingly predictable jokes. Where's my "I for one..."? Ah, there it is.
Not sure about that.
GP is probably referring to things like address randomization, which make many types of vulnerabilities harder to exploit. I think Matasano Chargen has a good writeup if you're interested in more.
Initially, URL shorteners were a solution to a problem nobody had. Fortunately, Twitter came along and created a problem!
There is no bridge to Plum Island.
> I've been rick rolled plenty, but thankfully there are no memes that involve duping people into going to NSFW sites and getting written up by HR.
Apparently too young to remember when slashdot comments would link to goatse. That was long before "rick rolling".
Absolutely. I find myself using most of my moderator points marking posts as off-topic. A reply (even an insightful, informative, funny one) to an off-topic comment is itself off-topic. I've even considered saying so in my sig. And yes, I am aware of the irony of posting this, as it has nothing to do with rats or cables.
Totally. My home machine came with ME. I wiped it and replaced it with 2K. It was my primary machine until I got a laptop last year, and I never had a single problem with it for 8 years. I'd still use it, but the hardware gave out a few months ago.
More interesting than useful, but I think the idea of writing a regex to do integer division is awesome.
http://bmm6o.blogspot.com/2008/03/divisibility-testing-and-pattern_27.html
Let's hope they get it right this time: http://forum.us.dell.com/supportforums/board/messa ge?board.id=si_virus&message.id=47628 (the last post is mine).
Where are the probes shuttling the oxygen to?
A runtime Error has occurred. Do you wish to Debug?
Line: 28
Error: Permission denied
Yes No
We could rerun this Ask Slashdot.
This was hashed out on the JOS forum earlier in the summer: http://discuss.fogcreek.com/joelonsoftware/default .asp?cmd=show&ixPost=160966
In cases like that, it is better to have a distinctive set of characters for Google to find (a process I call 'kiboing').
.Org?
In stark contrast to Microsoft, who insist on naming new technologies after top level domains. When do you think they'll come out with a management tool called
C combines the power and speed of assembler with the maintanability of assembler.
But Stephenson's style tries my patience. His books have gotten successively less fun to read. He clearly did a lot of research, but he bludgeons you with it instead of just letting it improve the story.
No, they're trying to slashdot themselves. Trying to put themselves in someone else's shoes.
Yeah yeah mod me down if you must but I'd feel much better having embedded Linux...
Have you forgotten where you posted this? Nobody gets modded down for picking Linux over MS.
Yes, but the patent is unenforceable. I hold the patent on the cat (Felis domesticas).
--God