I wonder about this myself. The company that masterminded the entire thing gets the $20.7 million fine for antitrust and wire fraud, big deal, pay it out of the company coffer. But according to the same article...
That employee, Desmond McQuoid, was the custodial supervisor of the district. He pleaded guilty to mail fraud last year and was sentenced to 21 months in prison
The guy at one of the schools who just took the bribe (to skip getting competitive bids), also pleading guilty of wire fraud, gets jail time. Why the difference?
I have identified this service to be a scam using the "superfluous female person standing next to logo" method. I'm still wondering where her headset went, though...
Wait...I thought some phones already could play mp3s as their ringtone. Hell, I think you can pick up a cellphone these days that will brush your teeth for you.
The Chernobyl girl's English seems to have improved dramatically. From the revised page:
"I have never had problems with the dosimeter guys, who man the checkpoints. They are experts, and if they find radiation on you vehicle, they give it a chemical shower. I don't count those couple of times when "experts" tried to invent an excuse to give me a shower, because those had a lot more to do with physical biology than biological physics."
My personal favorite is back in the day when someone (IBM? Somebody else has to know this story, but know it correctly) released some expensive brick of a computer with a given amount of usable memory (This was back in the good ole days; I'm thinking 16k, but it may have been as much as 256k), with full knowledge that that amount of memory would not be enough for many of the users.
These users could buy a very expensive memory upgrade that a technician from the computer company would come out and install. The memory upgrade consisted of a jumper wire which enabled the other 16k(?) that was already installed from the factory, but purposely disabled.
This is only from memory; I can't find a link with the details. Anyone remember this?
Is there a reason in this case that you can't use the "phone" cat5 for basic 10Mbps ethernet (only needs 4 wires)? Ya, you'd be stuck with 'only' 10Mbps, but still have 2 phone lines left to order pizza and fax angry limericks to the satellite installer at the same time :-)
This may be non-news to those who read the paper, but it seems like the "vulnerabilities" here are overstated. Plenty of "rah, rah, should've used open-source, all your data are belong..." comments, but successful use of any of the exploits in the paper seems highly unlikely at best.
The vulnerabilities listed basically boil down to:
* Filenames and sizes aren't encrypted. If you store sensitive data in the filename, it can be read. (The paper uses the example of Bob intercepting a zip file containing a file named PinkSlipForBob.doc)
* The type of encryption method used is not authenticated. If a malicious user is able to perform a man-in-the-middle attack and edit the file so that it specifies a different (incorrect) encryption method, the final recipient will decrypt it and get a file of nothing but garbage. Now, if the attacker can also social-engineer the victim to send him that garbage file, the original file can be reconstructed.
* File names stored in the .zip are not authenticated. Like above, if the attacker can change the file extension, (s)he can cause the file to open in the wrong application when the victim unzips that file. This will likely be a nuisance at best; while the paper states that this method could be used to mount an attack similar to the above (getting garbage decrypted by a different method), it's unclear how this would actually work (since the file decrypted successfully, and there isn't any garbage). The attacker would have to coerce the user to send the unencrypted file itself.
* The next attack involves the attacker actually knowing the entire contents of the file (s)he wants to intercept, which to me at least, seems to defeat the purpose of intercepting it. Actually, that's a slight oversimplification: for this attack, the attacker needs to know 1 of n possibilities of what the exact file contents could be, and with this information, has a 1 in n chance of finding out if (s)he was right, by replacing the file in the archive with the "guess" (again, requiring the ability to modify the file in transit), and use the fact of whether (s)he intercepts a "Hey Bob, that zip file you sent was corrupted" message to find out whether the guess was right. (If it was a 1-byte file named "yesorno.txt", and the attacker wanted to know whether it contained "Y" or "N", this could be a useful attack. For less trivial files, however, this doesn't seem very feasible.)
* WinZip allows both encrypted and un-encrypted files in the same archive, so the end-user doesn't know if any given file was encrypted or not. An attacker can (man-in-middle, yadayada) add files to the archive before it reaches its recipient, and the recipient won't know they're not part of the original archive. A definite flaw, however, not directly a data leak of any kind. (Although, if one of the 'unofficial files' is a keylogger, and you can get the luser to run it....)
* A weakness in key randomization will cause a repeat key to be generated once every 2^32 files rather than the theoretical maximum of 2^64 files. So, "all" the attacker needs to do is find a victim who will use WinZip to encrypt, oh, 4.2 billion files or so, and they will have a good chance that one of the encryption keys is a repeat. Supposing there was a repeat, now they just have to know the entire contents of the larger of the two files, and they can determine the contents of the smaller one.
The paper also briefly mentions attacks like "plant a keylogger" or "replace Winzip with a program that looks like Winzip", but I wouldn't exactly call these flaws in the AES implementation. (The paper also comes to pretty much this conclusion, and so doesn't dwell on these possibilities.)
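The points above about plaintext names and sizes, an unauthenticated method field, and archives that mix encrypted with unencrypted entries can all be checked from the central directory alone, without a password. The following Python script is an added example written for this page; it is not code from the post, from WinZip or from the paper. It writes a small constructed archive with the standard library, flips the "encrypted" flag bit on one entry to simulate the mixed-archive case (a hypothetical helper, since the stdlib cannot write encrypted entries), and then parses the ZIP central directory by hand to report what any observer can read. The decoder for WinZip's AE-x extra block (header ID 0x9901) follows the published layout: vendor version, vendor ID "AE", key strength, real compression method.

```python
import io
import struct
import zipfile

# ZIP signatures and fields used below (all from the public ZIP format)
LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001     # general-purpose bit 0: entry data is encrypted
METHOD_AES_MARKER = 99      # WinZip AE-x: the real method moves into the 0x9901 extra block
AES_EXTRA_ID = 0x9901


def build_sample_archive() -> bytes:
    """Constructed sample: two STORED entries written by the stdlib; nothing is really encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("PinkSlipForBob.doc", b"constructed payload, not a real document")
        zf.writestr("agenda.txt", b"constructed payload")
    return buf.getvalue()


def mark_entry_encrypted(blob: bytes, name: str) -> bytes:
    """Hypothetical simulation helper: set the encrypted flag bit on one entry's local and
    central headers. The payload stays plaintext; only the metadata changes, which is all
    the audit below reads."""
    data = bytearray(blob)
    target = name.encode("utf-8")
    # (signature, offset of flags, offset of name-length field, offset of name)
    for sig, flag_off, nlen_off, name_off in ((LOCAL_SIG, 6, 26, 30), (CENTRAL_SIG, 8, 28, 46)):
        pos = data.find(sig)
        while pos != -1:
            nlen = struct.unpack_from("<H", data, pos + nlen_off)[0]
            if data[pos + name_off:pos + name_off + nlen] == target:
                flags = struct.unpack_from("<H", data, pos + flag_off)[0]
                struct.pack_into("<H", data, pos + flag_off, flags | FLAG_ENCRYPTED)
            pos = data.find(sig, pos + 4)
    return bytes(data)


def parse_aes_extra(extra: bytes):
    """Decode a WinZip AE-x (0x9901) extra block: vendor version, 'AE', key strength, real method."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            ae_version, vendor, strength, real_method = struct.unpack_from("<H2sBH", body)
            return {"ae_version": ae_version, "vendor": vendor.decode("ascii", "replace"),
                    "aes_bits": {1: 128, 2: 192, 3: 256}.get(strength), "method": real_method}
        pos += 4 + size
    return None


def audit_archive(blob: bytes) -> dict:
    """Walk the central directory without a password and report what any observer can read:
    every name and size, each entry's claimed method, and whether the archive mixes
    encrypted and unencrypted entries. None of these fields carry an integrity check."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd == -1:
        raise ValueError("no end-of-central-directory record")
    _, _, _, n_entries, _, cd_offset, _ = struct.unpack_from("<HHHHIIH", blob, eocd + 4)
    entries = []
    pos = cd_offset
    for _ in range(n_entries):
        if blob[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        (_, _, flags, method, _, _, _, _, usize,
         nlen, xlen, clen) = struct.unpack_from("<HHHHHHIIIHHH", blob, pos + 4)
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = blob[pos + 46 + nlen:pos + 46 + nlen + xlen]
        entries.append({
            "name": name,                       # readable even when the data is encrypted
            "size": usize,                      # likewise
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "method": method,                   # claimed by the header, not authenticated
            "aes": parse_aes_extra(extra) if method == METHOD_AES_MARKER else None,
        })
        pos += 46 + nlen + xlen + clen
    enc = [e["encrypted"] for e in entries]
    return {
        "entries": entries,
        "mixed": any(enc) and not all(enc),
        "unencrypted_in_encrypted_archive": [e["name"] for e in entries if any(enc) and not e["encrypted"]],
    }


if __name__ == "__main__":
    sample = mark_entry_encrypted(build_sample_archive(), "PinkSlipForBob.doc")
    report = audit_archive(sample)
    for entry in report["entries"]:
        print(entry)
    print("mixed archive:", report["mixed"], report["unencrypted_in_encrypted_archive"])
```

Run it and the report lists both names and sizes in the clear, shows the first entry flagged encrypted and the second not, and marks the archive as mixed. The same walk over a real WinZip AE-x archive would show method 99 with the decoded extra block; the point is that a receiver who wants to know whether every entry was encrypted, and with what, has to look at these unauthenticated headers, so a policy of "reject mixed archives" is something the receiving side must enforce itself.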
The complaint filed alleges "Tortuous Interference with Contract,...
Um, I think the spammer means "tortious" (involving tort law), not "tortuous" (long and winding, IIRC). Don't lawyers proofread these things anymore? (Of course, without seeing the original filing, I can't tell whether the spammer's lawyer or the reporter is the doofus.)
You always could ask for voluntary donations. We've been doing it for a couple years now at cexx.org - since that time, reader support has covered all of the site's expenses, including hosting/bandwidth (around 40GBytes/month currently), domain renewal, etc. Granted, coming right out and asking for money can be humbling, but it doesn't involve anything popping up in the viewer's face (or worse, trying to auto-install "browser enhancements" and whatever else sites are using to offset their expenses these days).
Sorry, I don't have mod points, but I just damn near pissed myself.
Gack. I somehow read that as "insertable computing devices".
That would keep down on the mugging, anyway..
Or Cheetos.
Speaking purely hypothetically, of course.
You mean this one?
# WTF?!?
All over my code, that's where...
The 'Uninstall' setting.
(ducks)
it involves redirecting all mail to be tracked through their servers by appending "didtheyreadit.com" to your recipient's email address.
Maybe they should team up with this company.
I switched to browsing at -1 and the OP already has three marriage proposals,
Those bastards! Beating me to it, and such. Well, better make it 4...
Quite true. Kibibytes sounds (to me, at least) like some type of dog food.
Well, MY spam level jumped 200% as soon as this new 'postmaster' worm started making the rounds.
... I used two 24-port patch panels, which ended up being just enough for the layout that I used. ...
:-)
So um...let me get this straight, you have 48 network ports in your house, and still have to hang hubs off them?
Just what goes on in this house, I wanna know
Advertising Computer: We've identified that you often reflexively look at ads that FLICKER.
Me: Damn!
Perhaps we are getting to the stage where the whole allotment of bandwidth is reorganized to me
I like this idea already.
Still preferable to Developers Developers Developers Developers ....
The /. lameness filter provides no impedance to bad puns? What a load.
Is there any other industry that tries to force itself upon a public that is explicitly making it clear it wants no part of it?
Why, the Rape industry, of course.
Do you think the marketers will ever realize why there are 300 different types of popup-blocking software, but no AdWord-blocking software?