For each table element, you have to pay somebody to write the summary attribute.
I am not sure what point you are trying to make. If you want the data in a tabular fashion, then you would use a table. Whether or not you have a summary depends on many factors--a good explanation of these factors appears in the Web Content Accessibility Guidelines. Often, if your table has a caption, and its columns are labeled appropriately, you will not need a separate summary. A summary is needed mostly for tables that have complicated structures (spanning columns and rows, for example).
But, anyway, I wasn't trying to advocate using tables as a substitute for ordered lists. I was just pointing out that the automatic ordering of the OL tag is not helpful to you if you decide to change the presentation of the data from a list format into a tabular format.
I've yet to see any layout that's "impossible" with divs (though it took a long time to figure everything out, and some of the code is VERY confusing)
Usually, you can make div's work okay if you are willing to give up some flexibility regarding resizing behavior of columns and the vertical alignment of items. But, once resizing is taken into account, the div-based solutions are often hopelessly complicated, if not impossible to implement.
Often, people use div's instead of tables citing the reasons you give. But, the accessibility issue with layout tables is not a big deal as long as you follow the Web Content Accessibility Guidelines ( http://www.w3.org/TR/WAI-WEBCONTENT/#gl-table-markup ):
5.3 Do not use tables for layout unless the table makes sense when linearized. Otherwise, if the table does not make sense, provide an alternative equivalent (which may be a linearized version). [Priority 2]
The important part is "unless the table makes sense when linearized." A LOT of sites that try to be accessible by using div's instead of tables end up with a lot of div's that do not make sense when linearized. If you have table-based layout with one row of three columns, and it makes sense when linearized, then it will not be an accessibility problem. As long as the page scales gracefully (for text zooming and printing), you will be okay.
Your resume suffers from a problem much worse than table-based layout: it is very difficult to read the text when one is using the text magnification feature of the web browser. Your text size is 12px, which is 50% smaller than my default text size (I have a 140DPI monitor, so 12pt text takes about 20px, IIRC). When I use Firefox's text zoom tool, the bottom of your text flows "out of the book" and onto the dark background, making it very hard to read. In other words, your resume is significantly easier to use by a normally-sighted user when the stylesheet is disabled. That indicates an extreme usability failure--you spent effort to make something worse than it would be by default.
So what do you do when you want to start an ordered list at a value other than 1?
I believe that the numbers in an ordered list are part of the document, not part of the presentation of the document.
Take the track listing for Follow the Leader and put it into a table with columns "Track #," "Title," and "Length." Then you can't use ordered lists anymore (at least, not while retaining useful semantics). And, if you allow the users to sort the table by columns other than "Track #", then you cannot use any kind of HTML/CSS auto-numbering--you don't want the tracks to get renumbered just because they are presented in a different order.
No matter what we do to the browser's TLS implementation, this attack would still be possible via Java, because Java has its own TLS implementation.
We are already working on proactively mitigating any improvements on the BEAST attack that could be made to work using native browser features that would be affected by changes to our TLS implementation. But, right now, there are no known ways to implement the attack using built-in browser features.
There may indeed be other vectors for an attack that use built-in browser features. However, some characteristics of how the browser manages connections and how it formats HTTP requests would defeat most (all, as far as we know at this time) variations of the attack that use built-in browser features.
An applet cannot steal the cookies directly but it could cause the JVM to send the cookies in HTTPS requests on its behalf.
The applet doesn't have to guess anything with the Java-based attack.
Implementing that workaround in the browser will not help when the attacker uses Java, because the Java Plugin does not use the browser's TLS implementation; it uses its own.
An Oracle engineer is the one that came up with that technique for interfering with the exploit.
We are going to implement it. I am finalizing the patch now.
Look at the BSD license, which contains the following clause: "Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution"
Imagine a modification of this license to also add this clause (lifted and slightly modified from the Apple Computer Inc. hiring policy):
"I support the equal rights of all people regardless of their race, color, religion, sex, national origin, marital status, age, sexual orientation, gender identity characteristics or expression, disability, medical condition, military or veteran status."
Would this be a good license? I think so. Notice that it doesn't prevent anybody from using the software, even if they disagree with the statement, as long as he keeps the clause intact when he distributes it. Yet, if the software presents this message in its splash screen every time it starts up, it sends a message. Not only is it saying that the creator and/or distributor believe in this message, but that the user does too, because it is on his/her computer.
The effect would be to discourage (not prevent!) people who do not believe in equal human rights from using the software. In particular, extremist evangelicals like Osama bin Laden, Jerry Falwell, Pat Robertson, Hitler, et al. would prevent themselves and their followers from using their software, but only by their own edicts, not through any action of yours.
So many options! So little importance!
When you have an emergency (P1), Oracle Support is top-notch--they will keep a very knowledgeable support person available to you at all times (24-hours-a-day) until your problem is solved.
If you have a "how do I" question or "when will feature XXX get released" question then Oracle Support is not very good at first. However, you can take any issue and escalate it until you get somebody that knows exactly what you want to do.
http://finance.google.com/finance?cid=13756934
The commercial users would just license it under the existing (non-GPL) terms instead of the GPL, like they do already. This would be similar to how MySQL is licensed.
I am already familiar with LINQ, and its relationship to Haskell and especially HaskellDB. And, I think that, all in all, everything has worked out great for all those involved (Microsoft, C# users, VB users, Haskell users, and presumably Simon too).
Besides WiX and other Windows-centric open-source Microsoft software that was already mentioned, Microsoft Research is also the primary party responsible for GHC, the Glasgow Haskell Compiler. GHC is available under a modified Apache/BSD license. Not only that, but their primary platform seems to be Linux (Windows is also supported).
I plugged the numbers into a programme I wrote for the purpose, and basically did nothing more than an exhaustive analysis of all possible combinations of timings.
Did you use the program-prover on this program too?
It's to a selected group; not available to anyone (eg police) who's interested.
If the police suspect anybody in your circle of friends, couldn't they do any of the following to break into the circle of trust and monitor your activities:
(1) Sneak into your associates' houses and install hidden monitoring software directly into their HTTPS stacks on their computers.
(2) Coerce your associates into providing them with access to their activities
(3) Use social engineering to convince you to let them into your circle of trust
When you are fighting a government, which has basically unlimited resources, you cannot grant trust as easily as when you are merely dealing with civilian adversaries. For example, I trust https://amazon.com/ enough to put my credit card info into a form there, but I wouldn't trust _ANY_ server or peer-to-peer host with my detailed plans to subvert and/or overthrow the government.
I know that citing Orwell's 1984 is cliche in these discussions, but one of the points of the book is that, when fighting against the government, even your most trustworthy companions and things cannot be trusted. Remember Winston's speck of dust?
In fact, you cannot even really trust yourself when against extremely harsh coercive measures. Look at what Winston did at the end.
What is E$?
I am about to evaluate a X4100. Could you please point out how you found the LOM problems so that I can test out my system to make sure it works?
Also, I am interested in any other issues you had with the X4100.
Thanks,
Brian
You said:
Of course, that's cheapo in the Sun sense: their prices are still 50-200% higher than comparable anonymous white box hardware.
So what gives? Well, it turns out TCO for Sun hardware is actually lower [sun.com] even factoring in the higher hardware cost.
The article you cited says:
For purposes of our analysis, let's assume all servers are of equal cost: Server price: $3,000.00
whitebox AMD + Solaris: $3,000 + (3 * $120) + (36 * $65.00) = $5,700.00
Sun AMD + Solaris: $3,000 + (3 * $120) + (36 * $39.00) = $4,764.00
I say:
Let's take your estimate that Sun hardware is 50% more expensive than white-box hardware, and re-run the cited calculation:
Sun AMD + Solaris: (1.5 * $3,000) + (3 * $120) + (36 * $39.00) = $6,264.00
So, the Sun server's TCO appears to be $564 (~10%) higher than the whitebox server's TCO over three years.
Also, the blog you linked to was comparing the cost of a single dual-core Sun system to a dual-processor single-core whitebox system. A single dual-core chip is significantly cheaper than two single-core chips. Once that is taken into account, the TCO would be ~15-20% higher, I believe.
Please correct me if I've made any mistakes.
Can there truly be a flawless operating system?
Is it possible to design an easy to use, accessible, and reliable application that has no security holes?
I think not, but if you could, you may become richer than Gates himself.
The reason you wouldn't become richer than Gates if you did this is that it would be incredibly expensive to develop such a system. You would also have a long time-to-market. The result would be a very reliable operating system that is late to market and incredibly expensive. Your would-be customers would then choose your cheaper competitors that have more modern features that they have come to expect. These features would be ones that were invented during the huge period of time that your operating system is going through its rigorous design, implementation, and verification process.
Even coming up with a workable definition of a "flawless operating system" and stating exactly what criteria are used to certify the product as "easy to use, accessible, and reliable" would take a lot of time and money.
$5K plus support? wow, that sucks. For $5000 they'd better throw in some support for free. And all this Per CPU stuff really gets on my nerves. Oh, sorry, you have good hardware, so you have to pay more. No wait, you don't have good hardware, you have an old dual CPU Pentium Pro, but you still have to pay more. If they want to charge more for people who have more power, they really should charge per cycle.
They used to charge MHz * CPUs * platform-rate, but people thought that pricing was too complicated (and, I kind of agree).
I mostly agree with your sentiment: if PostgreSQL can do it, then use it instead of Oracle. But, in most cases, if Oracle has a feature you could significantly benefit from, and PostgreSQL doesn't, then it is probably going to be cheaper to buy it from Oracle.
Also, don't discount the value of Oracle Support. I've never had better support than I got from Oracle in the two cases where we had critical problems. Oracle support has 24x7 30 minute response time and will spend hours helping you when you have a critical problem. In order to deploy PostgreSQL instead of Oracle, you have to take several measures to ensure that you will never, ever have any problems where this level of support is necessary.
It's good that Oracle runs on Linux, as Postgresql has done for many years, but at what point do you really need to spend all that money on Oracle? I think Postgresql will be more than sufficient for 95+% of all apps out there.
I agree, but I would like to point out that Oracle doesn't usually cost $50K/CPU for any system that would be sufficient for PostgreSQL. It is more fair to compare Oracle Standard Edition or Oracle SE One to PostgreSQL, which are priced significantly lower ($15K and $5K respectively, plus support). Even EE is "only" $40K/CPU, plus support.
Any word can be a verb if a group of people use it as a word. Since a huge number of people have a good idea of what "leverage (v.)" means, I think it is fairly safe to say that it is a verb now.
This is how languages evolve--take a social linguistics class. Or, at least leverage the knowledge contained in this Wikipedia article:
http://en.wikipedia.org/wiki/Prescriptive_linguistics
This place has received awesome reviews. It hosts javablogs.com and also (I think) apache.org. They claim colocation is $50/mo.
http://www.contegix.com/solutions/colocation/index.action
I am considering going with them based on the recommendations I have seen. But, I have no first hand experience with them, so do your homework first.