Insight into modern issues I might agree with. Great author? In short spurts maybe (like first 1/3 of Snow Crash) but often writes as if he's just trying to get the damn thing done (third 1/3 of Snow Crash). His stuff is good, and I read it, but seriously, this guy will be completely forgotten in 30 years.
Now come on, grow up. You want to break into a system? Set one up. Crack it. Next, get a friend to set one up, not tell you what he did, then crack it. And so on. You want to elude detection? Install Snort, and try to elude it. Etc.
Well said. I wonder if anyone actually has done this. Such a thing, if well organized, would be of tremendous value to the entire community. Picture it, the Black Team of hackers/crackers trying to get in. The White Team of developers and admins trying to keep them out. Keep logs of everything, so if the Black Team wins, there are valuable lessons to be learned by all. It could be like the Geek Olympics. :)
A voice of reason from the dark/other side. I'd like to build on your point.
As a programmer/developer you will, or at least should, go through a larval stage of trying every new language and taking pride in the breadth of your knowledge. This is extremely healthy for a long and happy career. However at a certain point you might want to start pulling the strings and move up to principal/architect, whatever it's called at your company. If you think you're going to get there by knowing a bunch of languages, you're fooling yourself no matter how smart you are. There is just WAY too much going on in each community to be able to keep up with every language at a super expert level.
Personally, I can professionally code VB, C, Perl, MUMPS. Though I have never worked with them I'm sure I could get a handle on the newer breeds like Python in a week or two. I consider all that my foundation to being a top Java programmer.
I basically came to a point in my career where I said to myself "Eric, there are too many paths from here on for you to keep running a little ways down each one, make a damn decision". This was before I had much Java experience by the way. My response to myself was, "OK, this Java thing looks good, I'll try that and if it doesn't work out I'm going to MSFT stuff". Well, Java worked out for me, and my career has flourished as a result of my decision. I still consider myself a hacker and I don't consider myself a Sun groupie at all. If I'd picked MSFT I don't see that it would be much better or worse, and I'd probably be excited about .NET.
Hackers as an archetype pride themselves on flexibility. If all the Java jobs went away tomorrow, am I out of luck? No, but I wouldn't be surprised if I slipped a few rungs when I jumped to another ladder, and since Java ISN'T going away tomorrow, or probably anytime in the next 5 years, I have actually increased not only the security, but the quality of my job by being a valuable resource to whoever is employing me and my skills.
Moral of my story as analogy: It's like dating. You spend a while finding out what you want. Eventually you find it, or find something you're reasonably sure is it. Stick with it for a while. Things going good? Stick with it for a long while. There is a lot of truth to the statement "If you want to get rich, stay married", and it doesn't just apply to romantic relationships.
Actually you have it backwards:
So what does c# have going FOR it? java haters that won't look at any language that didn't come from m$.
Java works with JREs from competing companies (IBM, Sun). Java works on any platform. So what is the point of a "standard"? All an IEEE standard is going to do is dramatically slow down changes (which have almost exclusively been for the better) to the language. A scientist's stamp on a specification means a heck of a lot less to me than a signature on my paycheck, which is going to be bigger if I'm using a language that quickly adapts itself to the business environment.
Actually the question is, "How can I go back on my statement now that someone has actually delivered what I asked for thinking it would never happen, so I can continue to get stuff I should be paying _something_ for, for free, with a clear conscience?"
Don't worry, you're not alone, a lot of people are asking themselves that statement right now. The rest are, or have been, getting their music legit.
Re:Got a whole lotta hype (on Brain Privacy) · Score: 3, Interesting
Actually the hate crime point is valid. The hate crime legislation makes penalties stiffer for the same crime when the court/jury determines you did it to a member of an identifiable group (race, gender, religion, etc) out of hatred for said group, thus thought (in the form of hatred) is an issue. Of course, thought (in the form of intent) being an element of a crime is nothing new, it's core to the legal definition of many, possibly most, crimes.
IANAL either, but I would imagine that spoofing the domain of a company (like AOL) registered in that state, or one with all of its mail servers (the recipient of bounces and thus victim of the aftermath) would likely qualify too.
ART lacks a satisfactory definition. It is easier to describe it as the way something is done -- "the use of skill and imagination in the creation of aesthetic objects, environments, or experiences that can be shared with others" (Britannica Online) -- rather than what it is.
http://www.arthistory.sbc.edu/artartists/artartists.html
By that definition, the barcodes (and the sink) are art. I think you underestimate the amount of art in our world, and simultaneously overvalue your concept of an artist. I personally don't find any reward in looking at a Van Gogh or a Monet, but I can lose myself in an Ansel Adams picture, and all he did was press a button, right? (It took a long time for photography to be considered "art".) We each have tastes, and we each value certain things as art or not. And in someone's opinion, we're wrong.
Good publicity is a Good Thing. Do you think a root exploit for your product showing up on the front page of slashdot is a Good Thing? People will gain familiarity with the name but it's going to be forever "Oh yeah, I saw that on slashdot, it's got some security issues". You think Amazon would experience any positive effects if there was a credible story that they were defrauding customers? The whole concept of bad publicity being better than no publicity is extremely short sighted and for every case out there of it being true there are probably 1000 that illustrate it is not.
Look at it in the non-software sense, Colin Farrell is super-popular for the fact that he entertains himself with hookers and drugs, and Robert Downey Junior doesn't have much trouble finding work. However, apply this behavior to others, like the CEO of a company, and it's curtains for that career. Ever hear of a guy named Gary Condit? Was it for any legislation he supported? How did he do in his last election?
As far as open source stuff goes, yes, awareness is a good thing. The nature of the beast is that if there is a problem one might assume that it will be fixed. However, how many Samba exploits have I seen over the years? I've lost count. Even though I'm sure those ones are fixed, I know that security issues in software en masse are problems patches aren't going to fix and I'm sure not going to get caught running it.
Actually, I (and others I know) only bought half-life so I could play counter-strike. I probably put about 10 minutes (9 of which was the damn opening train ride sequence you can't skip) into the SP version...
Yeah but neither can the people that you DO want to talk to, but forget to tell. I recently landed a project with a former employer because I've had the same cell number for 5+ years, despite moving several times. That one phone call generated more money than I will spend on phone fees in my lifetime, and if I had switched it's very unlikely they would have bothered to (or been able to) track me down.
Also, aren't telemarketers prohibited by law from calling cell phones? In the rare event they do call me I tell them it's a cell and they quickly apologize and disconnect.
I realize that I'm in an atypically well-to-do area (Boston), but seriously folks, 23%? That seems ridiculously high. If 60 million people in this country can't read, I think I would meet more than a handful per year.
Forging headers is not an exploit of a bug. Mail servers simply don't look at them. Why?
Received Headers:
1. Parsing and reversing all the domains in there is expensive. (as expensive as spam? probably not but see #3)
2. There's nothing in the RFC that says all the headers have to match up end to end. A large email provider often has separate inbound and outbound mail servers so a mail getting forwarded will have headers from A to B and C to D, despite being a legitimate mail.
3. Third, there is no requirement for reverse naming on mail servers. If there was then maybe #1 would be a valid tactic.
The from header:
This is what most non-technical people think of when they talk forged headers. Again, this is not an exploit, in fact it's part of relaying which is a feature of the SMTP RFC. Some mail providers (like us) actually check the domain you are using when sending and stop you from sending the mail if you are faking it. However this isn't what most ISPs do because not many people actually use the Verizon or whatever address.
Pay attention to what this guy is saying people. If you think the rise of spam and the rise of broadband happening simultaneously are coincidental you are a fool.
You're missing the point of import modding. You're supposed to spend a lot of money on air dams, fat mufflers, and rims to make your econobox go a lot slower than a lower-priced car that was actually designed to race.
"If you follow the letter of the spec, you really are supposed to reject email which comes from a server whose forward and reverse lookups don't match, or who are missing either"
What spec is this? I don't remember reading anything about reverse lookups in the SMTP RFCs, especially considering that relaying was designed as a feature, not a bug.
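The two threads above (the one on why mail servers don't verify Received: and From: headers, and the exchange on whether the spec requires matching forward and reverse lookups) come down to the same practical point: of all the Received: lines in a message, only the one your own MTA wrote records an IP you actually observed; everything below it arrived inside the message and could have been typed by the sender. The script below is an added example, not code from either commenter or from any mail product. It walks a constructed Received: chain, finds that trust boundary, checks the observed hop's HELO name and reverse name against a stub DNS table (so it runs offline; a real deployment would call socket.gethostbyaddr() and gethostbyname()), and includes the kind of submission-time sender-domain check the commenter says their provider does. Host names, addresses (RFC 5737 documentation ranges), the OUR_HOSTS and PROVIDER_DOMAINS sets, and the finding labels are all assumptions made for the example.

```python
"""Added example: walk a Received: chain, find the one hop we actually observed,
and sanity-check it against forward and reverse DNS. Everything below the trust
boundary is treated as untrusted, since the sender can write those lines."""
import email
import re
from dataclasses import dataclass
from typing import Optional

# Constructed DNS data standing in for socket.gethostbyaddr()/gethostbyname()
# so the example runs offline. Names and addresses are made up (RFC 5737 ranges).
PTR = {
    "192.0.2.10": "mx1.example.net",
    "203.0.113.5": "dsl-5.pool.example.org",
}
A = {
    "mx1.example.net": "192.0.2.10",
    "dsl-5.pool.example.org": "203.0.113.5",
    "mail.bank.example": "198.51.100.9",
}

# Hosts we administer (assumption for the example).
OUR_HOSTS = {"inbound.example.com", "mx1.example.net"}
# Domains this provider lets its users put in the envelope sender (assumption).
PROVIDER_DOMAINS = {"example.com"}

# "from <helo> (<rdns> [<ip>]) by <host>" as most MTAs write it; rdns may be absent.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.I,
)


@dataclass
class Hop:
    helo: str            # name the client gave in HELO/EHLO (client-controlled)
    rdns: Optional[str]  # reverse name the receiving MTA looked up, if any
    ip: str              # connecting address as seen by the receiving MTA
    by: str              # MTA that wrote this Received: line


def parse_received(value: str) -> Optional[Hop]:
    m = RECEIVED_RE.search(value)
    return Hop(m["helo"], m["rdns"], m["ip"], m["by"]) if m else None


def observed_hop(hops, ours=OUR_HOSTS) -> Optional[Hop]:
    """Top-down, skip hops between our own servers (separate inbound/outbound
    boxes produce these legitimately). The first line written by one of our
    MTAs about a host that is not ours records the only IP we actually saw.
    Every Received: line below it arrived inside the message and may be forged."""
    for hop in hops:
        if hop.by.lower() not in ours:
            return None  # chain was not written by us; nothing here is trustworthy
        if (hop.rdns or "").lower() not in ours:
            return hop
    return None


def check_hop(hop: Hop) -> list:
    """Forward/reverse consistency for the observed hop. A missing PTR is flagged
    but is not a protocol violation; the SMTP RFCs do not require reverse naming."""
    findings = []
    ptr = PTR.get(hop.ip)
    if ptr is None:
        findings.append("no-ptr")
    elif A.get(ptr) != hop.ip:
        findings.append("ptr-forward-mismatch")   # reverse name does not map back
    if A.get(hop.helo) != hop.ip:
        findings.append("helo-mismatch")          # HELO name is not the connecting host
    return findings


def analyze(raw_message: str, ours=OUR_HOSTS) -> dict:
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hop = observed_hop(hops, ours)
    if hop is None:
        return {"observed": None, "findings": ["no-trusted-hop"], "untrusted_hops": len(hops)}
    below = len(hops) - hops.index(hop) - 1
    return {"observed": hop, "findings": check_hop(hop), "untrusted_hops": below}


def envelope_sender_allowed(mail_from: str, domains=PROVIDER_DOMAINS) -> bool:
    """Submission-time check of the kind the comment describes: refuse a MAIL FROM
    whose domain is not one this provider serves."""
    return mail_from.rpartition("@")[2].lower() in domains


# Constructed message: a dial-up host says HELO as mail.bank.example and ships a
# fake third Received: line claiming an origin inside the bank.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby inbound.example.com with ESMTP id 1; Tue, 4 Mar 2003 10:00:02 -0500
Received: from mail.bank.example (dsl-5.pool.example.org [203.0.113.5])
\tby mx1.example.net with SMTP id 2; Tue, 4 Mar 2003 10:00:01 -0500
Received: from secure.bank.example (secure.bank.example [198.51.100.9])
\tby mail.bank.example with ESMTP id 3; Tue, 4 Mar 2003 09:59:00 -0500
From: alerts@bank.example
To: victim@example.com
Subject: account notice

Please log in.
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
    print(envelope_sender_allowed("alerts@bank.example"))
```

On the sample, the top Received: is our inbound box talking to our own relay and is skipped; the second is the hop we saw (203.0.113.5, whose HELO name does not resolve to it), and the third, with its plausible-looking bank hostname, is counted as one untrusted hop and never used for any decision. Note that the "no-ptr" finding is informational only, which is exactly the commenter's point 3: nothing in the RFCs requires a reverse name, so rejecting on it alone is a local policy, not "the letter of the spec".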
Re:How about legacy-free cars ? (on Legacy-Free PCs) · Score: 1
"I don't think flying cars will ever get here:-("
I sure as hell hope not. All I need is some drunk bastard flying through the roof of my house.
"We don't post the home address of those accused of Murder, Rape, or Kidnapping... in what universe is Spam worse than those?"
Actually, the media pretty much does. They publish a photo of "John Smith of Anytown, Anystate" because he allegedly committed something. As far as his exact street address, no it's not posted but I think a photo, name, and town is more than specific enough for someone to find an address and a phone number if they intended harm to John Smith. Plus there's that whole child-molester registration thing.
Do I think Moore has a right to privacy? Not in the case of his business address. The public needs a way to get in touch with him if they have a problem with services or products, and I'm guessing that if he had a legitimate business he would have this registered with the state.
As far as his home address? I'm not sure about that. We live in a society of trial by media where "investigative reporters" track down and harass people at the slightest accusation. What's the difference here?
Also:
*COUGH* English *COUGH* French *COUGH* Chinese *COUGH* Grabbing your throat when you are choking *COUGH* *WHEEZE* *THUMP*
I got all the parts of my last computer in one box from googlegear, does that count as a casemod?
That adage only applies to show business...
But it's not available in Boston area :(
And before you ask: Yes, I meet more than 20 people per year :P
why shouldn't we hire knowledgable people away from doing what we don't want, and into doing what we do want? :P
What does this have to do with Mitnick?
Could someone kindly find the place the RFC that says you can't limit traffic to your own mail server?