In engineering terms, an explosion is when a supersonic shockwave travels through a fuel-oxidant compound, which causes a spontaneous chemical decomposition. There's a strict technical difference between an 'explosion' and a very rapid combustion.
In the real world nobody gives a fuck. There was a big fireball. The damn thing exploded, OK?
Re:No site should trust client-side information. (on Cross Site Cooking; Score: 0, Redundant)
God God.
We don't have Trusted Computing, and hopefully we never will. Everything sent by the client can be modified, tampered with, or stuffed with bogus data. Trust no-one. Verify everything. And don't store anything client-side other than a randomly generated number that tells you who to look up in your server-side database.
Re:Fuzzing and Obfuscation (on Mitnick on OSS; Score: 1)
Never mind that most people don't have ./ in their path, I want to know how dropping a file to disk makes it executable? If you have enough of an exploit to chmod the file, you probably have enough of an exploit to go ahead and run it as well.
Or are you expecting people to accidentally type 'sh ./la'?
The police are generally well aware that polygraphs are unreliable. It doesn't matter. If the suspect believes that the polygraph works, they'll admit to all kinds of crap. It's almost purely a psychological advantage.
Hence the urban legend about the photocopier-polygraph. It doesn't have to work. It doesn't even have to be a polygraph, as long as the suspect thinks it is.
This perfectly illustrates the point of the article. Here we have a supposedly 'technical' website and many people on it don't even understand the barest fundamentals of DC electricity or the relationship between voltage, current, resistance, and power.
When I was growing up my parents gave me an old car battery to play with as well as a bunch of lights, switches, wire, motors, 12v train set.
12v won't hurt you. Even if your hands are soaking wet the most you'll feel is a bit of a tingle. About the only time things ever got 'hairy' was when I shorted the battery directly with copper bell wire.
25-plate truck battery, fully charged. One hand on negative, the other on positive. Not even a tingle. Want me to post a photo?
If you touch a live wire to ground it's a whole different story. Lots of current, lots of heat, the insulation starts to melt almost instantly and you'll burn your fingers. But that's from the heat, not the electricity directly.
Agreed. I have a friend who religiously turns his computer off (speakers, monitor and printer individually) to save power. It's an old 300MHz Compaq so it's not even using that much power running.
His house is fitted throughout with 100W incandescent lightbulbs. I haven't checked, but I suspect he also leaves his TV and amp on standby.
the 'spec' never said anything about executing code when some invalid value happened to be equal to 1. That was a bug. And it's not a bug that likely would have been reproduced if even the same programmers had rewritten the code from scratch to meet the same specification.
Vista is, without a shadow of doubt, based largely on older Windows code. It WILL have many of the same vulnerabilities as Windows XP. Time will prove this.
I don't know about you guys but I quite regularly leave a frozen chicken and a few potatoes in my oven and set the timer. It's not quite as high-tech as the oven mentioned, but generally I know what time I should be home and if I'm a few hours late I can always warm stuff up again in the microwave.
Every oven I've ever used has had this capability, for the last 20 years at least.
Not really. Most of the time they just knock stuff off with no regard to patents anyhow, I doubt they'd even care.
The whole argument is totally stupid; there's ten times the risk that under the current system, some company will bump off their top inventor so they don't have to honor whatever royalty-sharing agreements they signed and can keep 100% of the profits. Does it happen? Some tinfoil-hat wearing person can probably find a possible case or two but it's certainly not common.
Company currently employs inventor. Has monopoly on idea as long as he's still alive. Profit.
Same company kills inventor, kills their own profit. Dumb.
Other company kills inventor. Monopoly goes away. Original company still makes some profit, for a while, through brandname recognition. Everyone else has to compete against Taiwanese-manufactured product that retails for less than local manufacturing cost.
Section 1 para 3:
Complete Corresponding Source Code also includes any encryption or authorization codes necessary to install and/or execute the source code of the work, perhaps modified by you, in the recommended or principal context of use, such that its functioning in all circumstances is identical to that of the work, except as altered by your modifications. It also includes any decryption codes necessary to access or unseal the work's output.
In other words; if you port GPL software onto a system that only accepts signed binaries, you have to provide -everything- required for the end user to compile their own signed, runnable binary; source, keys (encryption or authorization codes) to sign it, etc.
GPL2 basically said the same thing; if you modify GPL code you must make available everything[0] required to rebuild your code.
If you use custom libraries, write parts in a new language or port to some obscure platform for which the compiler isn't readily available, it's NOT enough just to provide the source.
[0] - Everything excluding "general-purpose tools" - what's installed on a typical developer's machine. GCC, GNU make, the usual set of libraries and kernel headers can be assumed.
Wasn't there a part where it says that if you distribute binaries for a "Trusted Computing" platform that have to be signed in order to run, you also have to distribute the keys required to sign them?
This is just a clarification of GPL2; you have to supply not just source code but everything required to build the binaries if it's not part of the 'standard install'. If your code requires your own custom libraries, headers, configuration, etc to build, you have to include them. If it has to be signed before it will run on the target platform GPL2 implied, and GPL3 implicitly says, you have to supply the keys to sign it.
you could compile it yourself, but why would you bother? It's still warez. You can get every version of Windows ever written (with any level of SP's preinstalled) on any p2p network RIGHT NOW. For free.
To have any meaning at all it'd need to be some kind of hash of the voter ID and votes, right? which means that it can be recalculated and confirmed outside the polling booth.
Any kind of post-polling verification leads to the possibility of coercion. (or vote selling, but I don't see that as a problem. If I'm shallow enough that I can be swayed by a $50 bribe, how is that any different from being swayed by an expensive advertising campaign except that I get the $50 in my pocket instead of some rich media company?)
My own suggestion;
Stick with simple "fill the dot with a marker pen" paper forms and count them electronically. Spot-check them by hand; if things don't add up, recount the lot by hand or using a completely different machine.
For blind or otherwise differently-abled users (or anyone who chooses), have a touchscreen machine that prints out an identical, scannable form. The machine should be permanently in 'disabled' mode (buttons you can feel, headphones reading the options, etc.), so any systematic errors are picked up by non-disabled voters who can visually verify that it's filling the form correctly.
Finally handle the paper forms in the 'old-fashioned' way; locked boxes which are transported, opened and counted only under the watchful eye of volunteers who should represent at least two of the involved parties.
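The coercion problem raised above (a receipt that is a hash of the voter ID and the votes can be recomputed outside the booth), shown in an added example that is not part of the original comment. The ballot, voter ID and hash layout are all constructed for illustration; the point is that the ballot space is tiny, so whoever holds the receipt can re-derive the vote by trying every combination.

```python
import hashlib
from itertools import product
from typing import Optional

# Constructed sample ballot: a few options per race, so the whole
# space of possible ballots is small enough to enumerate.
RACES = {
    "mayor": ["Ada", "Bob", "Cy"],
    "measure_1": ["yes", "no"],
}


def receipt(voter_id: str, votes: dict) -> str:
    """Deterministic receipt: SHA-256 over the voter ID and the chosen options.

    Hypothetical design, not any real voting system's format.
    """
    canonical = "|".join(f"{race}={votes[race]}" for race in sorted(votes))
    return hashlib.sha256(f"{voter_id}:{canonical}".encode()).hexdigest()


def ballot_space_size() -> int:
    """Number of distinct ballots a voter could have cast."""
    n = 1
    for options in RACES.values():
        n *= len(options)
    return n


def recover_votes(voter_id: str, target: str) -> Optional[dict]:
    """Recompute the receipt for every possible ballot and return the match.

    This is exactly the check that makes post-polling verification a
    secrecy problem: no key, no secret, just the receipt and the voter ID.
    """
    races = sorted(RACES)
    for combo in product(*(RACES[race] for race in races)):
        candidate = dict(zip(races, combo))
        if receipt(voter_id, candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    cast = {"mayor": "Bob", "measure_1": "no"}
    r = receipt("voter-0042", cast)  # constructed voter ID
    print("receipt:", r)
    print("ballot space:", ballot_space_size(), "combinations")
    print("recovered from receipt:", recover_votes("voter-0042", r))
```

Adding a per-ballot random nonce to the hash does not fix this, because the voter can simply hand the nonce over along with the receipt, which is why the comment argues that any verifiable receipt enables coercion.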
1) You download a well-behaved, unsigned program; Windows warns you this might be dangerous. It warns you again that the program's not signed. It warns you a third time when you try to run the program (and every time if you don't change the checkbox).
But none of this stops web-based malware from downloading and installing itself with no interaction whatsoever.
2) If you install a well-behaved unsigned driver, you have to first tell Windows that you'd _prefer_ that to the signed, generic driver with limited functionality. Then you get warned again that the driver's unsigned.
But none of this stops Sony's XCP from installing an unsigned, misnamed driver directly into the heart of windows with no user interaction. (The EULA dialog Sony's disks provide could easily have been left out; their other copy protection system installs all the software and -then- asks for permission.)
Somehow I don't think Vista's security is going to be significantly better. It's designed to stop Open Source, not malware. Open Source is a threat to Microsoft. Malware is a source of additional revenue.
No job skills? I dispute that. He'd be the ultimate authority on our current period of 'history', and considering the amount of information being stored in DRM-locked formats on short-term digital media, he might wake up in a future that knows almost nothing about this time.
One of my favorite wines is "Purple Death". It's really nice stuff, strong and fruity, almost a liqueur like blackberry nip. I've also heard good things about Cat's Pee on a Gooseberry Bush although I haven't tried it yet. Definitely intend to pick up a bottle sometime though!
picky picky.
Boy did you miss the point.
It doesn't have to work to be effective. The suspect just has to believe it works.
I can go better.
Thanks for that. I was going to post the same comment but you beat me to it.
There's a certain irony in Kazaa complaining about illegal copies of their software.
Why?
My kid's allergic to whole wheat, you insensitive clod!
(n/t)
Someone needs to give bush a blowjob. Then perhaps they could have him impeached!
Only well-behaved drivers will have to be signed.
Cf. XP-SP2
My children have confirmed this firsthand!
Install guidedog. It's a nice GUI tool that lets you easily configure routing and NAT.