From TFA:
> Kathleen Carroll, a spokeswoman for HID's Government Relations group acknowledged that a letter was sent to IOActive but that it did not mention patent infringement. She said that the company has long been aware that its proximity cards are vulnerable to hacking but does not believe that the cards are as vulnerable as Paget suggests.
> "For someone to be able to surreptitiously read a card, they'd have to get within two or three inches and get into the same plane as the card," Carroll said.
Oh, do you mean like placing a reader under a seat at the bus station? I'm pretty sure that my ass is in the same plane as the seat and my wallet is right there too.
Why can't companies whose job is security do security right?
-K
Do you mean like this: http://www.navigadget.com/index.php/2007/01/29/homemade-gps-jammer/
DRM-infected books
Honestly, some people won't be satisfied until the government publishes a 500 page manual on how to wipe your ass and makes it illegal to do it in any other way.
I wouldn't mind if the government gave me a 500 page manual for wiping my ass. As long as the pages were soft - that is.
> Try again once you understand the differences between intel, analysis thereof...
And you can try again when you understand the differences between sarcasm, humor, and serious commentary. Can you guess which one my post wasn't intended to contain?
Well, this should make it much easier on the administration whenever they don't like an intelligence report. Now they can just click "Edit" and change it to what they want it to say.
--
sig withheld by request
> Just out of curiosity -- HAVE you contacted the developer asking for a fix? Just because it's a closed-source solution you can't fix yourself, doesn't mean the vendor won't fix it if someone asks. Especially if it's really as simple as a couple of hours (although there is always extra overhead, such as back-testing, etc.)
Yes. I had just this sort of problem with a vendor-hosted application my employer used (I'll call it VOMIT here as that's what spellcheck changes its name to).
I saw that VOMIT's login page was vulnerable to SQL injection. We immediately contacted the company (someone important enough to resolve the problem) and let them know exactly how to fix their application. Their response was that VOMIT had been reviewed by security 'experts' and that VOMIT has [several paragraphs of technobabble] that prevents such attacks.
We then made a screen shot of the 'admin' page which was accessible using the exploit. After some scrabbling and backpedalling, they then 'fixed' the problem. Their 'fix' consisted of a couple lines of javascript to give an error message if quotes were put in one of the login input fields. I then disabled javascript in my browser, and made another screen shot of the same problem. They then (finally) made the changes we had originally suggested.
So instead of a five minute fix (to correct an obvious problem that should never have been allowed to begin with), we ended up with numerous meetings with our security people, their VP, and God knows who else. All too many vendors seem too willing to engage in obfuscation and denial even when the solution is handed to them on a silver platter.
Ken ') or 2=2 --
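Added example (not code from the post or from the vendor it describes): a small sqlite3 model of the anecdote above. The table, credentials and the `Ken') or 2=2 --` input (taken from the signature) are constructed; it shows why a browser-side quote check changes nothing for the server, and why a parameterized query does.

```python
import sqlite3

def make_db():
    """Constructed sample credential table; stands in for the vendor app's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "correct horse", 1), ("alice", "s3cret", 0)])
    return conn

def login_vulnerable(conn, username, password):
    """The 'before' pattern: form fields concatenated straight into the statement.
    Returns (username, is_admin) of the matched row, or None."""
    query = ("SELECT username, is_admin FROM users "
             f"WHERE (username = '{username}' AND password = '{password}')")
    return conn.execute(query).fetchone()

def browser_quote_check(value):
    """Models the vendor's 'fix': a JavaScript check that rejects quotes.
    It runs in the client, so a browser with scripting disabled never calls it;
    the server still receives the raw field."""
    return "'" not in value

def login_safe(conn, username, password):
    """Hardened form: bound parameters, so the driver never lets input become SQL."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE (username = ? AND password = ?)",
        (username, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    payload = "Ken') or 2=2 --"       # the signature's input; closes the paren, comments out the rest
    print("vulnerable, legit login :", login_vulnerable(db, "alice", "s3cret"))
    print("vulnerable, payload     :", login_vulnerable(db, payload, "wrong"))
    print("browser check rejects it:", not browser_quote_check(payload))
    print("safe, payload           :", login_safe(db, payload, "wrong"))
```

With scripting off, the browser check never runs and the concatenated query returns the first row of the table (the admin account); the parameterized version compares the literal string and matches nothing.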
double calculateTruthiness(String politicianStatement) {
return 0.0;
}
Once, I was reading a book (in the chair I often watch TV in). My wife started talking to me, so I hit the pause button on the nearby Tivo remote before putting down my book.
(Pausing the book -- not my wife that is)
As there is one of those old fashioned vinyl-type records speeding out of the solar system on V'ger, there's a good chance vinyl will outlive all of us too.
I've found the only game I have any hope of making a profit at long-term at the casino is poker. The house always wins (since they take a cut out of the pot regardless of who wins). You just need to make sure that there are some weak players at your table to drain money from to make up the difference. And you need to remember -- if you don't see a weak player at your table, then it's probably you.
Ken
One of the simplest counting systems involves assigning a +1 to all the tens in the deck (tens and face cards), and a -1 to all the 2s, 3s, 4s, and 5s. Whenever the count is positive, you have a higher ratio of tens to the lower cards, and thus you probably have an advantage. The more tens, the more likely you get a blackjack, and the more likely the dealer will bust if you don't get a blackjack.
You apparently have that backwards. If 8 face cards, and no small cards, came up the first hand, that would leave you with a +8, but you would be at a disadvantage since more 10's would be out of the deck than the small cards. From looking at http://en.wikipedia.org/wiki/Card_counting the 10/face cards should be -1, and the low cards +1.
Ken
Looks like someone is already on it: http://en.wikipedia.org/wiki/Baidu_Baike
Since wikipedia's content is freely available, why can't they just copy it? Then the Ministry of Truth (whatever it happens to be called) can change it as they will.
>I find your argument dismissive and biased.
You must be new here.
> If, as you admit, there is no reasonable way for a website to enforce minimum-age restrictions, then the law is unjust and should not be upheld.
This isn't about kids lying and saying they are 18 to view porn. This is kids saying their true age (or never being asked), and some company ignoring privacy and marketing and rules that limit how they can track and market to young children.
Go to http://www.budweiser.com/default.asp -- The first question you're asked is your birthday. If you're not 21 they send you a site for Anheuser-Busch theme parks instead of one about the beer.
Go to http://www.nickjr.com/ -- A popup will (try to) appear for a survey -- If you say you're under 13, the survey ends and the popup closes.
On a practical level, one benefit the electoral college gives us is isolating debacles like Florida in 2000. Imagine if we had a direct popular vote, and we were within a few thousand votes. We would have had the madness in Florida going on in 50 different states.
Other than that, yes, the college is outdated and should be tossed.
Ken
The missing step 2 can be found in appendix 3 of their proposal "M2Z'S COMMITMENT TO PROTECT MINORS...".
Unfiltered sites are free. Porn costs extra.
So their business plan must be:
1. Give away free broadband access
2. Charge for porn
3. Profit
kenj0418
--
This week's message brought to you by the numbers 0 and 1.
So, if I gave these guys $25 to have 10,000 of their zombie computers all run SETI@Home, could I write it off as a tax deduction?
> Given the findings here, can we have a do-over?
Sure. Does November 3, 2008 work for you?
Seriously however, I don't see why something like this can't be done:
1) Voter does all the verification stuff to prove they can vote
2) Election judge gives them a blank ballot
3) Voter goes to machine, inserts blank ballot, selects candidates of choice from screen
4) Machine prints out selections on ballot in unambiguous, human-readable manner
5) Voter visually verifies that paper ballot matches their selections.
6) Voter drops paper ballot in ballot box.
We then get:
A) Instantly available results (recorded from the machine)
B) Iron-clad verifiability (from the printed ballots)
Obviously if there were discrepancies/irregularities the paper ballots would be the binding result.
What you're describing sounds like one of the examples from "Are your Lights On: How to Figure Out What the Problem REALLY Is" by Donald Gause, a book about problem solving and solving the REAL problem -- not necessarily the problem reported. In the example the building management tries various solutions like this one to reduce complaints about the elevator. (Until someone from the elevator company eventually sees that the elevator was configured incorrectly and drastically reduces the wait time).
Yes, I've read Red, but not Green or Blue (yet anyway). A space elevator would make a prime target for terrorism. In reality, terrorists would probably attack the base (as opposed to the counterbalance asteroid), so the cable would drift away, instead of coming crashing down in a huge mess.