Free binary security updates for FreeBSD [daemonology.net]
Aha! You're the FreeBSD-Update guy. I thought the name sounded familiar. (mailing list junkie that I am)
Definitely an interesting topic. Reading the paper now -- I would never have guessed you could get enough timing information (or enough resolution) to recover that much of an encryption key...
I've always said hyperthreading was bad news for performance, guess it's bad for security too :p
Every measuring unit uses kilo/mega/giga to mean powers of ten. The computer world was the odd one out, and it should rightly be labeled specifically.
Oh, the computer world uses those prefixes to mean powers of 10 too. They just mean powers of 10 in base 2 math :)
But... if large amounts of the budget are handled by the states and the federal government ran on much smaller funding, you might have to -- *gasp* -- repeal the temporary income tax!
False retina image on a contact lens?
I realize I'm way late to this thread, but was looking at somebody's past posts and came across it...
This means corruption, accidental deletes, etc. affect ALL your mail. At the very least, breaking down the storage into mail folders, so that your Inbox is separate from your archived mail, would do wonders for Entourage.
One thing I don't see mentioned a lot but is a big deal for both Entourage and Outlook is backups. With a big monolithic file, incremental backups are useless -- if you touch it the entire thing has to be written to tape again.
Multiply by 200 users with PST files on a file server and it becomes a big problem real fast.
Thanks, but I don't like focus-follows-mouse either :-).
Ah, well, to each his own :). I'm so used to it that I curse at stock Windows machines when I start typing and all the text goes into the last clicked-on window...
I have to agree about the nonstandard widget thing, though. MS Office, Quicktime, anything Java based, and all Sony programs are on my "I'd really like to whack the designer upside the head" list.
There's a reason OSes provide common control libraries. It's to make things easier for users, not so you can write your own just to be "cool".
Meh? I've always been able to connect to JetDirect stuff using the "Standard TCP/IP Print Server" port in Windows 2000+. No extra jetdirect crap required.
Most JD boxes also support the lpr/lpd protocol, so you can always print using that.
I would suggest using tweak UI and trying out the focus-follows-mouse model (aka X-mouse) to see if it solves your iTunes problem. However, since you're also using MS Office products that would likely cause as many problems as it fixes.
MS Office + Xmouse = headache. They have an unfortunate tendency to shove themselves to the top of the window stack whenever they get focus. Which means that with focus-follows-mouse, as soon as you mouse over even the smallest part of an Office app's window, it jumps in front of everything else. Argh!
"Imagine you were walking across a large field, and stumbled upon a beautiful watch. You open the cover, and notice that it is exactly right - it keeps perfect time. Is it not safe to assume that the watch had a maker?"
That might be a good metaphor if human beings were akin to precision timepieces.
For that to be a complete metaphor, there would also have to be lesser clocks and mechanical devices around that don't keep perfect time. Those other clocks would have to be capable of mechanically reproducing themselves, and not always being 100% correct when they do so. Not to mention the basic building blocks such as single celled organisms (tiny gears and springs that reproduce as well?). And so on.
/not sure about the bigger issue, I just don't think that's a particularly good metaphor
What OS?
They may have fixed it in XP, but I've tried it (from cmd, that's the only thing I ever runas) on many 2000 machines and it definitely doesn't work.
I stopped using TigerDirect years ago after they refused to accept a return on product that they falsely advertised. A dual-processor motherboard that required an extra APIC chip to use the second processor, and despite listing both as in stock when I ordered, the APIC was on back-order for over a month. Since I had not opened the box yet I just went to Fry's and bought a motherboard and called to cancel the APIC and return the useless board. The customer service people were uncooperative and the "manager" I talked to was downright rude.
So, despite having spent thousands of dollars there, they decided that they would rather lose both my personal business and that of the company I work for than accept a return on an unopened $120 board they sold under false pretenses.
Don't fool yourself -- you get what you pay for. TigerDirect is cheap because their service sucks the big one.
It depends which one though. FF6 required a ridiculous amount of leveling. 7 was better, but still required a fair bit (mostly for various bosses, the final boss wasn't too tough). FF8 was really easy. I didn't spend one minute running around killing stuff to level up in 8 (actually some people say that the game gets harder the higher level your characters are). I know some people felt the urge to have draw-fests and max out everything at 100, but that's really overkill (and the game gets EXTREMELY easy if you do that).
Haven't played FFX yet, don't know if I will ever get around to getting a PS2 or not.
It also pointed out that "writing and installing kernel-mode code is vastly more complicated" than using an existing raw socket feature,
Yeah, that's why the majority of people doing this use a widely available rootkit or equivalent to do it for them.
Exactly. All it takes is one person to do it. Once the cat is out of the bag, malware authors can just all copy that one.
It might not even be a black hat that does it. It wouldn't surprise me if the open source pcap driver for windows could be used to send arbitrary packets.
Yeah, because guess what: explorer.exe doesn't work under runas! It either doesn't run or opens a window as the currently logged on user (not the one you tried to runas).
A real pain when you need to do things like move lots of individual files that only the admin has access to. cmd isn't a very good shell so doing stuff like that from the command line is painful on Windows. A hack that usually works is "NET USE * \\computer\c$ /u:Administrator" to map a drive back to the same machine as a different user.
iexplore sort of works under runas, but not really (webbrowsing is very flaky for one). RunAs is just a hack that often doesn't work and is not even close to a real multiuser OS.
Of course we all know that using top-ten and default passwords is the worst way to 'secure' anything, but technically just because you chose a bad login:pass doesn't mean that the content was intended to be public. However I fear that this is exactly what the prosecution would try to prove, and then we have a whole new mess of legal precedent on our hands, the consequences of which I can only begin to imagine.
If the courts equate bad security with intentional sharing, would that precedent not also mean that DVD CSS doesn't count as a protection measure under the DMCA?
man ping
See the -p option.
The ping protocol says that the remote end should echo back the same data payload (usually defaults to 56 bytes in a specific pattern) to help detect data-dependent network problems during testing.
The windows ping doesn't seem to have an equivalent option.
The problem is not the AT command set but the crappy implementation. It strictly should only respond to AT commands from the originating side of the modem, but instead the modem is responding to AT commands on both sides.
Not quite... By pinging somebody with the +++ATH0 as part of the payload, their system includes the same string in the ping reply. So it DOES come from the originating side.
The modems that have the problem are the ones that don't require the 3 second pause around the +++.
Strong = Stong
Matt = DELETED!
bah, screw the Goa'uld, can I get Supreme Commander Thor's chariot? Ah the O'Neill...with 2 L's
You want to get blown up?
I've seen spyware make other apps crash. Browser Helper Objects (a misnomer if I ever heard one), especially badly written ones, have a nasty habit of making IE even less stable than it normally is.
Ok, I'll bite... Say you want to produce the following layout (diagram sucks because lameness filter is unfairly biased against ASCII art -- it looked much better the first time):
A B C
D D E
F G E
H I J
(where D is double width, and E is double height) According to the GridBagLayout documentation, it sounds like you should set the constraints on cell 'E' to gridheight=2 and gridwidth=REMAINDER. However, when doing this, the "next" cell starts _UNDER_ 'E'. So there's a blank line, everything gets shifted down, and 'F' starts where 'H' should be.
The only workaround I've found is to manually set gridx and gridy coordinates on every cell, which makes changing the layout later a royal pain.
It would help if GridBagLayout actually worked as advertised...
For example, is there any way to have a double-height cell at the end of a row, and start on the next (single) row, and not have to resort to statically numbering everything?
BoxLayout is good for simple stuff but not when you need to have things line up both horizontally and vertically.
Or, you could hedge your bets by not distributing other people's music.
I think it's more about the principle of it. Even if you're not pirating music, the CRIA/RIAA/whoever could make a bogus complaint against your IP address, be it intentional or due to incompetence (wrong timestamp and you're on DHCP). It's nice to know which ISPs will demand proof before handing over your personal information and which ones will not even bother checking. Says a lot about how they think of their customers.
Subversion doesn't come close to being a replacement for BitKeeper. Not that it's a bad tool - it just doesn't support distributed repositories at all. Different philosophy.
What about svk?
I really like Python. It's an incredibly powerful language -- what other languages give you the power to redefine what "is" means? For example, you can override the '.' operator (and getattr) and create whole sets of virtual objects that don't really exist. Things like object proxies for RPC or external resources like Zope become possible.
Its main two faults in my mind are:
1. Speed (but this is being worked on, see the Parrot JIT compiler)
2. Memory usage. wxPython especially is an excellent toolkit but a memory HOG.
As far as Java goes, I don't particularly like Java all that much, but one area where it has a definite advantage over Python at the moment is libraries. Not just the standard library, but what add-on libraries are available. Python has a lot, but Java has pretty much everything and the kitchen sink.
For example, I recently worked on a project that needed to display and manipulate SVG graphics. The two requirements are that it be cross-platform, and be done quickly (in just a couple weeks). I originally wanted to use Python but was unable to find a cross-platform SVG rendering library for Python. I came across the Apache Batik toolkit for Java and found that it was exactly what I needed.
Batik is pretty sweet -- you get a swing component that you can plop into an app in about 10 lines of code and boom -- you have one of the most compliant SVG renderers that I've seen to date. Plus it even gives you a DOM interface that will update the graphical view in real-time. As much as I dislike Java in general (even more bloated than Python :), the third-party libraries certainly made this project a breeze.