And here it is, the crucial data, according to one of my MANY servers:
root@www2[/opt/apache/logs]date
Fri Dec 31 23:57:56 CST 1999
root@www2[/opt/apache/logs]date
Sat Jan 1 00:02:51 CST 2000
The calendar has rolled to the new year, so far EVERYTHING is up, and no Year2000 glitches anywhere near any of my systems.
Now, re-examine BP's post. Those "suits" who took their sites down are responsible for the greatest DoS in history... and it's not from a distributed synflood or any group of elite crackers... but a group of PHB's giving in to FUD.
Happy New Year, SlashDot....
--------- Question: How do I leverage the power of the internet?
Not to be argumentative or anything, but I think I'll disagree with your disagreement with the original generalization (heh).
If your site is down over New Years, think seriously about hiring a new IS manager
I've got to disagree with this generalization.
I believe the key word in BP's statement was think. If your IS manager bought into the hype without a VERY valid reason (a valid reason such as the one included in your post, for example) then think about replacing him/her. Of course, I think that most MIS workers should think about replacing their management on a daily basis, anyways;)
---------
If your site is down over New Years, think seriously about hiring a new IS manager.
Amen, Bruce.
I'm here at work monitoring my sites (here and here to name a mere few), and I'll be here for the next 20+ hours.
Our upper management approached me with this same idea... should we pull our sites, or shut down our email, or etc. My flat-out response... NO WAY!
We're talking very important, very critical e-commerce, e-banking, and e-you_name_it sites that we've spent multiple millions on to keep running 24-7 x 365. Bulletproof sites which practically CANNOT go down due to disaster or mayhem, with state-of-the-art intrusion detection... so I'll be damned if I'm taking them offline due to the fear of a massive "CrackAttackY2k".
In fact, those sites pulling their servers offline are most likely going to lose my future business (or viewership, or whatever)... because they've definitely lost my confidence. Such a big part of a website is public perception... I can't see how pulling your site offline can help that perception.
I think HNN said it best responding to the Pentagon and the Military Taking Down Their Sites:
If your web site is vulnerable today it will be vulnerable tomorrow. This tells me that you are not confident enough in your own web site's ability to fend off attack but you expect the American public to remain calm during the Y2K rollover.
---------
First, I should warn you that this review is written by a Linux weenie that arrived at that particular brand of UNIX via NetWare and Windows NT.
followed by this nugget of truth later on...
There's no doubt that FreeBSD is rock-solid and fast. It has proven itself as a commercial-grade Internet server that's secure and exceedingly affordable. To make the most of it however, you'll need plenty of time to explore FreeBSD and come to grips with the convoluted system configuration process.
Well, that about sums this article up. Great to see *BSD in the press, but a more informed article would be nice...
---------
I do not argue that this site is a great satire, according to the true definition of the word:
1 : a literary work holding up human vices and follies to ridicule or scorn
2 : trenchant wit, irony, or sarcasm used to expose and discredit vice or folly
But read the article, and see why Bush is trying to shut it down:
Bush's lawyers had warned Exley that he faced a lawsuit for his Web site's use of photos lifted from the copyrighted official Bush campaign site.
The Bush campaign also filed a complaint with the Federal Election Commission, accusing Exley of violating election laws and demanding that he operate under the rules and regulations of a political committee
Just to play devil's advocate, I have to agree (in theory, but not in principle) with those statements. I'd been to gwbush.com before, and saw it as much more of a political statement site than a humor or satire site. I feel the political nature of Exley's site definitely falls within the second of GWB's points. And I'm not even going to start the flamewar over whether copyrights on websites are moral or no.
But, to stop playing devil's advocate, I'm pretty much entirely anti-government and anti-government-intervention. I personally think it's pretty "weak" that GWB would try to shut down any site. But, I can't argue with the two points that his lawyers are making... at least there's a somewhat valid reason, and the powers-that-be are not just shutting down the site for no good reason.
---------
Yes, LD can do Dolby Digital. The important part of my post is the Digital Audio (which deals with the type of connector used) and the transport mechanism (digital vs. analog). Not the Dolby Digital portion. That's just a way of decoding the sound information once it gets to the receiver. I'm talking about HOW the sound gets TO the receiver.
---------
I own an overworked Pioneer 505 series DVD player, and have had absolutely zero problems. In the week or so I've had The Matrix, I have had three complete showings and have seen all the "special" hidden stuff at least twice. Zero problems.
AFAIK, there's not a better demo disc on the planet. Full-motion video on the scene selection, tons of extra goodies, and crystal-clear sound and video.
Personally, I would have been extremely disappointed had The Matrix not included all these kick-ass features. Early adopters (those on the cutting edge of technology, who generally buy before the rest of the masses and are willing to put up with flaky tech - I am definitely one) always get burned on these kinds of new features down the line. I'm on my second DVD player for just that reason. Don't like the fact that your "old" player can't handle the badass new stuff? Get a new player which can handle it (~$300 at Best Buy). Don't try to stop technology from advancing. Adapt, or quit complaining;)
---------
At Fall Comdex '98, Oracle Corp. CEO Larry Ellison challenged the IT community to run a standard business query using Microsoft SQL Server 7.0 and a 1 TB TPC-D database at a rate better than 1% of Oracle's best published performance. In mid-March 1999, Microsoft Corp. posted a benchmark result - although not based on the standard TPC-D query 5 test - of 1.07 seconds in executing what the company characterized as an OLAP-based solution that met the original intention of TPC-D.
What does this mean to those of you unfamiliar with the terms used above? Microsoft benchmarked at well better than the 1% rate they had to do to beat the challenge. But they didn't use the benchmark specified by Larry Ellison in the challenge. Based upon the Mindcraft fiasco and other such benchmark numbers from Microsoft, I wouldn't pay much heed to this one either.
AFAIK, nothing ever came after this. I'd assume MS couldn't do it, or else they would have collected.
---------
Sorry about the length, but this very well written email from Russ posted to NTBUGTRAQ does a perfect job of laying out all sides of this issue...
-----Original Message-----
From: Russ [mailto:Russ.Cooper@RC.ON.CA]
Sent: Friday, September 03, 1999 2:58 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Alert: CryptoAPI and _NSAKey issue
-----BEGIN PGP SIGNED MESSAGE-----
This is also available at http://ntbugtraq.ntadvice.com/_nsakey.asp
Whoa horsie...
I had a long chat with Andrew Fernandes this morning, as well as another chat with others, and of course I've had a ton of messages sent my way with various links to various stories about the issue.
I wanted to get a few things straight before I sent this message, but given how quickly things are spreading it makes sense to send something interim.
Ok, so here's what I can tell you.
1. Andrew's speculation about the _NSAKEY being a backdoor for the NSA is based on:
a) The variable is called "NSA".
b) It's a second key, not known to exist in Windows previously.
c) What possible purpose would a second key serve?
d) Its presence, arguably, weakens CryptoAPI (Andrew explains this on his website at , I'll elaborate more later).
2. Sources close to Microsoft say that the key is a "Backup" key. It is owned by Microsoft, and only Microsoft have the private key to it. The key was named "_NSAKEY" because the NSA insisted that Microsoft include a backup key in their CryptoAPI before the Commerce Department would approve its inclusion in NT 4.0.
Editorial
---------
There's a bunch of somewhat understandable furor going on over the idea that the NSA might have a backdoor to Windows. Unfortunately, however, all of this is based on a variable name. Anyone who programs knows that variables might get named anything for a variety of reasons. One would expect that they would be named descriptively, but alas, not everyone follows such stringent conventions (can you spell "Easter Egg"?).
The Conspiracy Theorist's theory goes:
-------------------------------------
- The NSA has a signing key on your box.
- The NSA can implant a Trojan to replace the module which performs encryption on your box with one that doesn't perform encryption, and because the failure of signature verification against Microsoft's key is silent, they can get their trojan'd app up and running without you being any the wiser.
- The NSA can then sniff your traffic, now being conducted in plain-text.
There's obviously a ton of variations possible on this theory, they take your private key, they replace your key with another, etc...
They only have to get a Trojan to you and get you to run it, and as those same Conspiracy Theorists always say, there's likely bugs in the OS designed to allow them to do this...
Yeah, could be true.
My take from Microsoft's Perspective:
------------------------------------
- We want to have one build of our products that simultaneously supports weak or strong encryption functionality.
- We want to be able to ship this one product world-wide, changing as few bits as possible for those that are being shipped outside the U.S. and Canada.
- We'll build an API (good, bad, or otherwise) that allows the controlled bits to be inserted into an infrastructure, then get the infrastructure approved, and all will be good.
- Commerce (with advice from lots of people including the NSA) agrees, and tells Microsoft they have to sign everything that can use the infrastructure. That way, Microsoft can ship its product anywhere, and Commerce will know that only those products that have been signed by Microsoft will be able to run on the OS.
- You want to build a Cryptographic Service Provider (CSP), the module that performs the encryption, you gotta get Microsoft to sign it for it to run. Microsoft doesn't sign anything that doesn't have the appropriate Commerce Department Export approvals first.
Wonderful, life's good, Microsoft doesn't have to manage multiple versions based on Crypto-strength, folks can implement whatever crypto they want (assuming it's Commerce approved).
Oh, the second key, I almost forgot:
-----------------------------------
I'm told the NSA insisted there had to be a backup. No explanation as to why yet, that's what I've been told. One theory that made a lot of sense to me was the simple idea of;
What happens if Microsoft's key is ever compromised? Well, they'd simply revoke it, right? Yeah, but the problem is that you'd have no way of telling a Microsoft system that there's a new key. You'd have to rely on the old one to tell it about the new one. But if there's a backup key, and they're kept separate, you could use the Backup to verify the new key to replace the primary.
That's only meaningful to Microsoft since there's no revocation lookup being done on the primary anyway. Microsoft would have a way to salvage its name by using a new key. In practice, this would be near impossible to deploy, but hey, at least there's a way to do it securely.
BUT!!!
------
Andrew's discovery goes beyond this NSA stuff. There's a real issue here. Andrew has found that by replacing the _NSAKEY with one of your own, you are able to add a CSP to the system signed only by you. This by-passes Microsoft's signing controls (the ones Commerce needed to be in place to allow Microsoft to ship its products world-wide).
As Andrew says, "Export control is effectively dead for Windows."
More importantly, it means you can add a CSP that does whatever you want it to do, and then modify existing Windows.dlls that call CryptoAPI such that they are signed by you instead of Microsoft. This will cause them to fail the Microsoft signature verification, but they'll pass verification against your own signature. Windows will silently let them run and do whatever it is you want them to with the CryptoAPI environment.
In theory, you create your own CSP to replace Microsoft's supplied CSP (implementing whatever you wanted in it, say boosting 40-bit to 128-bit), modify the second key to one of your own, install your CSP over Microsoft's, and fire up any application that uses CryptoAPI. The signature will fail Microsoft's verification, pass yours, and everything should work as if you had a U.S./Canadian version.
Fortify for Windows NT (I'd sure love to see that implemented, anyone up for the challenge?)
It also means the encryption you use on your system could be compromised in the same fashion, assuming it relies on CryptoAPI (hasn't this been called for by the U.S. President's commission?)
Andrew's demonstration program effectively proves most of this;
If there were only one key present in the system, Andrew acknowledges, then this wouldn't be possible. However, it would still be possible to subvert the export controls by trojanning all of the necessary .dlls used with CryptoAPI with ones signed by your key, and then replacing the Microsoft key with your own. It's a lot more work, but it would still achieve the same results.
Nobody is suggesting that any of this is a Remote Exploit, or something you have to worry about receiving in Email. Sure, Andrew's program demonstrates that a running application can subvert the second key and implement its own CSP...in memory...which is possible but unreliable.
Bottom-line:
------------
I think the NSA thing is being over-hyped. Sure, it's possible, and we need Microsoft to make their official statement about it to have it on the record. Once they do, if anyone can prove it's not their key I will happily help them. I doubt anyone will...although I also doubt that people will readily accept that it is a second Microsoft key (who killed JFK?)...maybe Microsoft can sign something with the second key so we could verify it somehow??
Meanwhile, the risk of your system's cryptographic methods being exploited is limited while folks figure out how it could be done effectively. I'm looking at how you could audit access or manipulation, but what's really needed is a TripWire-like functionality (http://www.tripwiresecurity.com/). Alternatively, Microsoft should build in some additional mechanism to verify that something that should be Microsoft signed, really is Microsoft signed, and not a blind failover to the second key.
As to the issues of a third key in W2K, I have no information regarding this beyond what Andrew has said.
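The two-key check Russ describes above (a signature test that quietly accepts whichever trusted key matches, and a backup key whose only sound use is to vouch for a replacement primary) is easier to reason about in code. The following is an added example, not code from Russ's post, from Microsoft's CryptoAPI or from Andrew Fernandes' demonstration program: it models the loader with Ed25519 keys derived from constructed seeds, and the names Verifier, Silent, Audited, Strict, RotatePrimary and Scenario are this example's own. Silent is the blind failover; Audited and Strict are the "really is signed by the primary" check the post asks Microsoft to build in; RotatePrimary is the backup-key rotation the post sketches.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Verifier holds the two trusted public keys: the primary and the backup
// discussed in the post. Ed25519 stands in for the RSA keys CryptoAPI used.
type Verifier struct {
	Primary ed25519.PublicKey
	Backup  ed25519.PublicKey
}

// Silent is the blind failover: either key verifies, and nothing records which.
func (v Verifier) Silent(module, sig []byte) bool {
	return ed25519.Verify(v.Primary, module, sig) || ed25519.Verify(v.Backup, module, sig)
}

// Audited reports which key verified the module, or an error if neither did,
// so a caller that expects the primary key can notice a fallback.
func (v Verifier) Audited(module, sig []byte) (string, error) {
	switch {
	case ed25519.Verify(v.Primary, module, sig):
		return "primary", nil
	case ed25519.Verify(v.Backup, module, sig):
		return "backup", nil
	}
	return "", errors.New("signature matches no trusted key")
}

// Strict treats anything but a primary-key signature as a policy failure.
func (v Verifier) Strict(module, sig []byte) error {
	by, err := v.Audited(module, sig)
	if err != nil {
		return err
	}
	if by != "primary" {
		return fmt.Errorf("module verified by %s key, primary required", by)
	}
	return nil
}

// RotatePrimary installs a replacement primary key only if the separately
// held backup key signed the new public key bytes.
func (v *Verifier) RotatePrimary(newPrimary ed25519.PublicKey, backupSig []byte) error {
	if !ed25519.Verify(v.Backup, newPrimary, backupSig) {
		return errors.New("rotation message not signed by backup key")
	}
	v.Primary = newPrimary
	return nil
}

// keyFromSeed derives a deterministic key pair from a constructed seed byte.
func keyFromSeed(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := make([]byte, ed25519.SeedSize)
	for i := range s {
		s[i] = seed
	}
	priv := ed25519.NewKeyFromSeed(s)
	return priv.Public().(ed25519.PublicKey), priv
}

// Outcome collects the results of Scenario so they can be checked.
type Outcome struct {
	SilentAcceptsBackup   bool
	AuditedBy             string
	StrictErr, UnknownErr error
	RotatedOK             bool
}

// Scenario exercises the loader with a backup-signed module, a signature from
// an unknown key, and a key rotation, all on constructed keys and a
// constructed module blob.
func Scenario() Outcome {
	primPub, primPriv := keyFromSeed(1)
	backPub, backPriv := keyFromSeed(2)
	_, strangerPriv := keyFromSeed(3)
	v := Verifier{Primary: primPub, Backup: backPub}
	module := []byte("constructed sample: provider module bytes")

	backupSig := ed25519.Sign(backPriv, module)
	by, _ := v.Audited(module, backupSig)
	o := Outcome{
		SilentAcceptsBackup: v.Silent(module, backupSig),
		AuditedBy:           by,
		StrictErr:           v.Strict(module, backupSig),
	}
	_, o.UnknownErr = v.Audited(module, ed25519.Sign(strangerPriv, module))

	// After rotation the new primary passes Strict and the old one no longer does.
	newPub, newPriv := keyFromSeed(4)
	rotErr := v.RotatePrimary(newPub, ed25519.Sign(backPriv, newPub))
	o.RotatedOK = rotErr == nil &&
		v.Strict(module, ed25519.Sign(newPriv, module)) == nil &&
		v.Strict(module, ed25519.Sign(primPriv, module)) != nil
	return o
}

func main() {
	o := Scenario()
	fmt.Printf("silent loader accepts backup-only signature: %v\n", o.SilentAcceptsBackup)
	fmt.Printf("audited loader reports %q; strict loader: %v\n", o.AuditedBy, o.StrictErr)
	fmt.Printf("unknown key: %v; rotation via backup: %v\n", o.UnknownErr, o.RotatedOK)
}
```

The point of the three verifiers is that the same module and signature produce a plain "true" from Silent, the string "backup" from Audited, and an error from Strict: only the latter two give an operator anything to alert on, which is the gap the post's TripWire suggestion is trying to fill from the outside.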
>>even though the idea of making money playing games would certainly be nice. From one full-time 22-yr old network admin to another... =)
Making money playing games isn't at all a new idea, nor an unrealistic one. Take HEAT.net for example. They pay players in "virtual money" called "degrees" for winning tournaments, prize matches, and also simply per hour you play! These degrees can be spent in their online store, the "Black Market" which has software, hardware, console games & systems, etc etc... Go to the site and sign up for a free account...
I personally have been with HEAT.net since the beginnings, as an early beta tester. For the price of a $50 a year premium membership, I've received the equivalent of over $1,500 US Dollars in degrees (over 1.5 Million at the current published conversion rate of 1000 to $1). And that only counts the degrees I've won which HEAT tracks (they don't track degrees won in wagers with other players). Want more info? Check out my site as linked above ( Jedinite's HEATsite)
HEAT.net itself is a very similar virtual community as UO, where many of the above tenets apply... and unlike UO, it's free. (yes, i know it's not the same... HEAT.net is an online gaming community, and UO is an online game... one is a subset of the other, etc etc, but many of the same points apply, and you can check it out for free...)
They already have plenty of game companies on board, and a plethora of titles to release the system with... Coming from someone who owns the top Sega, Nintendo & Sony consoles, there's not a better gaming machine on the horizon than the DreamCast. I've got mine on preorder...;) two URLs for your viewing pleasure: Sega-otaku Sega's Dreamcast Page
Not to defend Microsoft or anything (heh), but here's how to keep IE5 (and 4.01 or later I believe) from crashing your system when it crashes:
In IE5, hit TOOLS -- INTERNET OPTIONS then the ADVANCED tab. Check the option for "Launch Browser Window in a Separate Process". This will slow your browser a little when it first launches but it keeps each browser running separately as IEXPLORE.EXE instead of one process.
For IE4.01, it's the same "clicky", but the INTERNET OPTIONS is in a different location (of course).
---------
the linux community is more helpful to newbies, where the BSD community is more guru focused - RTFM!
This is a common concern I hear from the pro-Linux community. Admittedly, the BSD gurus willing to help are lesser in number than those on the Linux side (and thus perhaps the underlying message of the article), but they're still out there, and are still willing to help the newbies.
For example, check the following mailing lists for great support for those new to BSD:
Free-BSD-newbies@FreeBSD.org*
FreeBSD-questions@FreeBSD.org*
-newbies is a discussion group for people new to FreeBSD; it's not intended for technical questions. Likewise, -questions is for technical questions, and not for discussions by new people. You WILL see a lot of "RTFM" on that list, and deservedly so...
Also, of course, check out the support page at FreeBSD.org for more help.
*=note: SlashDot is inappropriately parsing the extended info in the mailto's. You should be able to get the gist of it if you click on the mailto links. It should be addressed to majordomo@FreeBSD.org, and have the text subscribe FreeBSD-newbies or subscribe FreeBSD-questions
---------
The Complete FreeBSD Manual which flat out contains everything you need or want to know about BSD
New FreeBSD Sub.with 3.4. This will not just get you the brand new 3.4 release for the super-low price of $24.95, but will enroll you in the FreeBSD subscription program, where you'll get a new version of the disc automatically at the discounted subscription rate.
For the subscription, they bill your credit card automatically when the new version ships (credit cards are the only payment method possible for our subscriptions). The normal shipping charge applies. You may cancel at any time, just write, call, fax, or email. FYI, there are approximately four releases of FreeBSD a year, so it'll cost you approximately $100/yr. But you're supporting great, freely available software development... and a kickass OS!:)
---------
http://www.attlabs.att.com.uk/andyc/enigma/enigma_j.html
http://www.izzy.net/~ian/enigma/applet/index.html
Two excellent emulators that show how the Enigma machine works. The first allows you to alter the machine settings, but it is not possible to track the electrical path through the scramblers. The latter has only one setting, but has a second window that shows the scramblers moving and the subsequent effect on the electrical path.
If you're interested, for further reading check The Code Book (recently reviewed here on SlashDot), Alan Turing: The Enigma, and the out-of-print Seizing the Enigma.
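For readers who want the scrambler path in code rather than in a browser window, here is an added example, not code from either linked emulator or from the books mentioned: a small Enigma I simulator in Go with the historical rotor I, II and III wirings and reflector B, including the middle rotor's double-stepping ratchet. Press returns the lamp letter together with the contact letter at each stage (entry, three rotors in, reflector, three rotors out), which is the electrical path the second emulator animates. Fixing the ring settings at A and leaving out the plugboard are this example's simplifications; the type and function names (Enigma, NewEnigma, Press, Encrypt) are its own.

```go
package main

import (
	"fmt"
	"strings"
)

const alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

// Historical wirings and turnover notches of the Wehrmacht Enigma I rotors,
// plus reflector B.
var wirings = map[string]string{
	"I":   "EKMFLGDQVZNTOWYHXUSPAIBRCJ",
	"II":  "AJDKSIRUXBLHWTMCQGZNPYFVOE",
	"III": "BDFHJLCPRTXVZNYEIWGAKMUSQO",
}
var notches = map[string]byte{"I": 'Q', "II": 'E', "III": 'V'}

const reflectorB = "YRUHQSLDPXNGOKMIEBFZCWVJAT"

type rotor struct {
	wiring  string
	inverse [26]int
	notch   int
	pos     int // letter showing in the window, 0 = 'A'
}

func newRotor(name string, window byte) *rotor {
	r := &rotor{wiring: wirings[name], notch: int(notches[name] - 'A'), pos: int(window - 'A')}
	for i, c := range r.wiring {
		r.inverse[c-'A'] = i
	}
	return r
}

// forward carries a contact through the rotor towards the reflector at the
// rotor's current offset; backward is the return trip.
func (r *rotor) forward(c int) int {
	return (int(r.wiring[(c+r.pos)%26]-'A') - r.pos + 26) % 26
}
func (r *rotor) backward(c int) int {
	return (r.inverse[(c+r.pos)%26] - r.pos + 26) % 26
}

// Enigma holds the left, middle and right rotors in that order.
type Enigma struct{ rotors [3]*rotor }

func NewEnigma(left, middle, right, window string) *Enigma {
	return &Enigma{[3]*rotor{
		newRotor(left, window[0]), newRotor(middle, window[1]), newRotor(right, window[2]),
	}}
}

// step implements the ratchet: the right rotor always moves; the middle
// moves when the right is at its notch, and drags the left along (double
// step) when it is itself at its notch.
func (e *Enigma) step() {
	l, m, r := e.rotors[0], e.rotors[1], e.rotors[2]
	if m.pos == m.notch {
		m.pos = (m.pos + 1) % 26
		l.pos = (l.pos + 1) % 26
	} else if r.pos == r.notch {
		m.pos = (m.pos + 1) % 26
	}
	r.pos = (r.pos + 1) % 26
}

// Press steps the machine first (as the real keyboard does), then returns the
// lamp letter and the contact letter at every stage of the electrical path.
func (e *Enigma) Press(key byte) (byte, []byte) {
	e.step()
	c := int(key - 'A')
	path := []byte{key}
	for i := 2; i >= 0; i-- { // right, middle, left
		c = e.rotors[i].forward(c)
		path = append(path, alpha[c])
	}
	c = int(reflectorB[c] - 'A')
	path = append(path, alpha[c])
	for i := 0; i < 3; i++ { // left, middle, right
		c = e.rotors[i].backward(c)
		path = append(path, alpha[c])
	}
	return alpha[c], path
}

// Encrypt runs a message through the machine; the same settings decrypt it,
// because the reflector makes every keypress its own inverse.
func (e *Enigma) Encrypt(msg string) string {
	var out strings.Builder
	for _, ch := range strings.ToUpper(msg) {
		if ch >= 'A' && ch <= 'Z' {
			lamp, _ := e.Press(byte(ch))
			out.WriteByte(lamp)
		}
	}
	return out.String()
}

func main() {
	m := NewEnigma("I", "II", "III", "AAA")
	lamp, path := m.Press('A')
	fmt.Printf("A lights %c, path %s\n", lamp, path)
	fmt.Println(NewEnigma("I", "II", "III", "AAA").Encrypt("AAAAA")) // BDZGO
}
```

With rotors I II III, reflector B and everything at A, the classic check is that "AAAAA" becomes "BDZGO"; the path printed for the first keypress shows why the machine can never map a letter to itself, since the reflector sends the signal back through the rotors on a different contact.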
---------
As a long time BSD bigot [grin], I feel that I'm somewhat qualified to speak on this one...
Quite simply, one of the biggest misconceptions about the BSDs is that OpenBSD is more secure than all other OSes, period. OpenBSD is more secure than any other OS out of the "box"--you can install the latest version and have a damn highly-secure box without any fuss. But FreeBSD or NetBSD can be (and properly patched and config'd and etc. ARE) just as secure. By no means should you think that FreeBSD (or NetBSD for that matter) is not a secure OS. It just requires a little more work out of the "box" to fully secure it.
FreeBSD is definitely where you should start, I agree 100%. Even though they've recently opened their driver database for the rest of the BSDs, you're so much more likely to get FreeBSD running on your existing hardware than any of the others.
One of the best pieces of advice I can give the BSD newbie is to head to Walnut Creek's site and go ahead and pay for the subscription. About 4 times a year you get the latest FreeBSD delivered right to your door on a CD, which is extremely handy for handing out to friends who have seen the light:) And, you're supporting some great software (and the development of some future great software)!
As for WHY you should make the switch, just wait till you see the screaming performance. Something about a magic TCP stack, i dunno;) but the Daemon just simply smokes with Apache.
---------
Good Article... but (of course), not Great... (on Rise of the Nanobots)
Good read for the fledgling to Nanotech, or for managerial types. For a much better Slashdot-level intro to Nanotech, read "The Age of Spiritual Machines : When Computers Exceed Human Intelligence" by Ray Kurzweil (ISBN: 0670882178). IMHO, this is one of the best books of its type ever written.
In further critique of this article, I'd say the following sentence severely underrates the severity of the potential dangers of nanotech:
As with any new technology, molecular nanotechnology could have some negative side effects.
Could have some negative side effects? Understandably the journalist doesn't want to scare people and wants to keep the article light, but come on people... just for starters consider the potential effect of Nanotech-flooding, if a set of assemblers gets entirely out of our control and replicates forever at maximum speed until we're buried in heaps of nanotech...
---------
There's no real problem with voting online, as long as the polls are handled in true slashdot fashion. For example, check the following poll for the next presidential election:
Who should be elected president?
( ) George W. Bush
( ) Al Gore
( ) Steve Forbes
( ) Jesse Ventura
( ) Larry Wall
( ) Hemos Sux, Taco Sux, this Poll Sux
( ) Drop the Chulupa
Most of the time, the "strange and humorous" choices would weed out the idiots... the only real problems would be those times when the only option that looks good is "Hemos Sux, Taco Sux, this Poll Sux".
---------
Question: How do I leverage the power of the internet?
>LDs have an analogue sound track which [snip]
>may or may not sound better than the DVD.
Anyone with a REAL DVD setup is using digital audio (digital coax, fiber optic, or 6 channel) from the DVD to the receiver, pumping out sound in Dolby Digital or (in rare cases) DTS. DVD's digital audio (especially when combined with S-video or (even better IMHO) component video) in this set-up blows away any Laserdisc I've ever heard. I understand everything in high-end A/V is pretty much preferential, but LD is a dead format. Many people try to argue, but it's dead (or at very least on its deathbed). DVD digital blows away analogue any day...
I own an old Pioneer LD player and only use it for two series of movies: Star Wars Trilogy & Godfather Trilogy. Once they come out on DVD, the LD is gone...
Check out this guide from MonsterCable regarding DVD, digital audio and your options.
---------
Question: How do I leverage the power of the internet?
I own an overworked Pioneer 505 series DVD player, and have had absolutely zero problems. In the week or so I've had The Matrix, I have had three complete showings and have seen all the "special" hidden stuff at least twice. Zero problems.
;)
AFAIK, there's not a better demo disc on the planet. Full-motion video on the scene selection, tons of extra goodies, and crystal-clear sound and video.
Personally, I would have been extremely disappointed had The Matrix not included all these kick-ass features. Early adopters (those on the cutting edge of technology, who generally buy before the rest of the masses and are willing to put up with flaky tech - I am definitely one) always get burned on these kinds of new features down the line. I'm on my second DVD player for just that reason. Don't like the fact that your "old" player can't handle the badass new stuff? Get a new player which can handle it (~$300 at Best Buy). Don't try to stop technology from advancing. Adapt, or quit complaining.
---------
Question: How do I leverage the power of the internet?
Some more info on my previous post, and based upon a quick web search (gotta love NorthernLight):
Microsoft Claims Victory in $1 Million Oracle Bounty
Microsoft's Press Release for that date, which strangely doesn't specifically mention the contest
MS Press Release...scroll thru the usual PR BS to find some "real" data on the benchmark.
---------
Question: How do I leverage the power of the internet?
At Fall Comdex '98, Oracle Corp. CEO Larry Ellison challenged the IT community to run a standard business query using Microsoft SQL Server 7.0 and a 1 TB TPC-D database at a rate better than 1% of Oracle's best published performance. In mid-March 1999, Microsoft Corp. posted a benchmark result - although not based on the standard TPC-D query 5 test - of 1.07 seconds in executing what the company characterized as an OLAP-based solution that met the original intention of TPC-D.
What does this mean to those of you unfamiliar with the terms used above? Microsoft benchmarked at well better than the 1% rate they had to do to beat the challenge. But they didn't use the benchmark specified by Larry Ellison in the challenge. Based upon the Mindcraft fiasco and other such benchmark numbers from Microsoft, I wouldn't pay much heed to this one either.
AFAIK, nothing ever came after this. I'd assume MS couldn't do it, or else they would have collected.
---------
Question: How do I leverage the power of the internet?
Sorry about the length, but this very well written email from Russ posted to NTBUGTRAQ does a perfect job of laying out all sides of this issue...
-----Original Message-----
From: Russ [mailto:Russ.Cooper@RC.ON.CA]
Sent: Friday, September 03, 1999 2:58 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Alert: CryptoAPI and _NSAKey issue
-----BEGIN PGP SIGNED MESSAGE-----
This is also available at http://ntbugtraq.ntadvice.com/_nsakey.asp
Whoa horsie...
I had a long chat with Andrew Fernandes this morning, as well as
another chat with others, and of course I've had a ton of messages
sent my way with various links to various stories about the issue.
I wanted to get a few things straight before I sent this message, but
given how quickly things are spreading it makes sense to send something
interim.
Ok, so here's what I can tell you.
1. Andrew's speculation about the _NSAKEY being a backdoor for the NSA
is based on;
a) The variable is called "NSA".
b) It's a second key, not known to exist in Windows previously.
c) What possible purpose would a second key serve?
d) Its presence, arguably, weakens CryptoAPI (Andrew explains this on
his website at ,
I'll elaborate more later.
2. Sources close to Microsoft say that the key is a "Backup" key. It
is owned by Microsoft, and only Microsoft have the private key to it.
The key was named "_NSAKEY" because the NSA insisted that Microsoft
include a backup key in their CryptoAPI before the Commerce Department
would approve its inclusion in NT 4.0.
Editorial
- ---------
There's a bunch of somewhat understandable furor going on over the
idea that the NSA might have a backdoor to Windows. Unfortunately,
however, all of this is based on a variable name. Anyone who programs
knows that variables might get named anything for a variety of
reasons. One would expect that they would be named descriptively, but
alas, not everyone follows such stringent conventions (can you spell
"Easter Egg"?).
The Conspiracy Theorist's theory goes;
- -------------------------------------
- - The NSA has a signing key on your box.
- - The NSA can implant a Trojan to replace the module which performs
encryption on your box with one that doesn't perform encryption, and
because the failure of signature verification against Microsoft's key
is silent, they can get their trojan'd app up and running without you
being any the wiser.
- - The NSA can then sniff your traffic, now being conducted in
plain-text.
There's obviously a ton of variations possible on this theory, they
take your private key, they replace your key with another, etc...
They only have to get a Trojan to you and get you to run it, and as
those same Conspiracy Theorists always say, there's
likely bugs in the OS designed to allow them to do
this...
Yeah, could be true.
My take from Microsoft's Perspective;
- ------------------------------------
- - We want to have one build of our products that simultaneously
supports weak or strong encryption functionality.
- - We want to be able to ship this one product world-wide, changing as
few bits as possible for those that are being shipped outside the U.S.
and Canada.
- - We'll build an API (good, bad, or otherwise) that allows the
controlled bits to be inserted into an infrastructure, then get the
infrastructure approved, and all will be good.
- - Commerce (with advice from lots of people including the NSA),
agrees, and tells Microsoft they have to sign everything that can use
the infrastructure. That way, Microsoft can ship its product anywhere,
and Commerce will know that only those products that have been signed
by Microsoft will be able to run on the OS.
- - You want to build a Cryptographic Service Provider (CSP), the module
that performs the encryption, you gotta get Microsoft to sign it for
it to run. Microsoft doesn't sign anything that doesn't have the
appropriate Commerce Department Export approvals first.
Wonderful, life's good, Microsoft doesn't have to manage multiple
versions based on Crypto-strength, folks can implement whatever crypto
they want (assuming it's Commerce approved).
Oh, the second key, I almost forgot;
- -----------------------------------
I'm told the NSA insisted there had to be a backup. No explanation as
to why yet, that's what I've been told. One theory that made a lot of
sense to me was the simple idea of;
What happens if Microsoft's key is ever compromised? Well, they'd
simply revoke it, right? Yeah, but the problem is that you'd have no
way of telling a Microsoft system that there's a new key. You'd have
to rely on the old one to tell it about the new one. But if there's a
backup key, and they're kept separate, you could use the Backup to
verify the new key to replace the primary.
That's only meaningful to Microsoft since there's no revocation lookup
being done on the primary anyway. Microsoft would have a way to
salvage its name by using a new key. In practice, this would be near
impossible to deploy, but hey, at least there's a way to do it
securely.
BUT!!!
- ------
Andrew's discovery goes beyond this NSA stuff. There's a real issue
here. Andrew has found that by replacing the _NSAKEY with one of your
own, you are able to add a CSP to the system signed only by you. This
by-passes Microsoft's signing controls (the ones Commerce needed to be
in place to allow Microsoft to ship its products world-wide).
As Andrew says, "Export control is effectively dead for Windows."
More importantly, it means you can add a CSP that does whatever you
want it to do, and then modify existing Windows .dlls that call
CryptoAPI such that they are signed by you instead of Microsoft. This
will cause them to fail the Microsoft signature verification, but
they'll pass verification against your own signature. Windows will
silently let them run and do whatever it is you want them to with the
CryptoAPI environment.
In theory, you create your own CSP to replace Microsoft's supplied CSP
(implementing whatever you wanted in it, say boosting 40-bit to
128-bit), modify the second key to one of your own, install your CSP
over Microsoft's, and fire up any application that uses CryptoAPI. The
signature will fail Microsoft's verification, pass yours, and
everything should work as if you had a U.S./Canadian version.
Fortify for Windows NT (I'd sure love to see
that implemented, anyone up for the challenge?)
It also means the encryption you use on your system could be
compromised in the same fashion, assuming it relies on CryptoAPI
(hasn't this been called for by the U.S. President's commission?)
Andrew's demonstration program effectively proves most of this;
http://www.cryptonym.com/hottopics/msft-nsa/ReplaceNsaKey.zip
On the other hand;
- -----------------
If there were only one key present in the system, Andrew acknowledges,
then this wouldn't be possible. However, it would still be possible to
subvert the export controls by trojanning all of the necessary .dlls
used with CryptoAPI with ones signed by your key, and then replacing
the Microsoft key with your own. It's a lot more work, but it would
still achieve the same results.
Nobody is suggesting that any of this is a Remote Exploit, or
something you have to worry about receiving in Email. Sure, Andrew's
program demonstrates that a running application can subvert the second
key and implement its own CSP...in memory...which is possible but
unreliable.
Bottom-line:
- ------------
I think the NSA thing is being over-hyped. Sure, it's possible, and we
need Microsoft to make their official statement about it to have it on
the record. Once they do, if anyone can prove it's not their key I will
happily help them. I doubt anyone will...although I also doubt that
people will readily accept that it is a second Microsoft key (who
killed JFK?)...maybe Microsoft can sign something with the second key
so we could verify it somehow??
Meanwhile, the risk of your system's cryptographic methods being
exploited is limited while folks figure out how it could be done
effectively. I'm looking at how you could audit access or
manipulation, but what's really needed is a TripWire-like
functionality (http://www.tripwiresecurity.com/). Alternatively,
Microsoft should build-in some additional mechanism to verify that
something that should be Microsoft signed, really is Microsoft signed,
and not a blind failover to the second key.
As to the issues of a third key in W2K, I have no information
regarding this beyond what Andrew has said.
More as information becomes available.
Cheers,
Russ - NTBugtraq Editor
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2
iQCVAwUBN9AoOBBh2Kw/l7p5AQEArgQApuinKKbm2VgQ3etb6mm4MPu2IPiO4Orr
lhhzz3yYNqCJW0kgubSiPcZoOyHvD3VU2IXLk4CKRqeIhQEz1UXJhJWF11qYF888
pJQpo08ejP3aozx7AB4+37O7gWkLGcH+wAC8siMpOMMUjgHJUhkzOZ0Fa+tbXxt3
ntSOJU8kXus=
=Ihd3
-----END PGP SIGNATURE-----
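The mechanism Russ lays out above (a primary vendor key, a second key the loader blindly fails over to, and Andrew's trick of overwriting that second key so a self-signed CSP loads) is modelled below as an added example. This is not code from NTBugtraq, Cryptonym or Microsoft: the toy textbook RSA stands in for the real CryptoAPI signature check, and the `CspLoader` class, the `strict` switch, the key-table digest and the module names `rsabase.dll` / `strongcsp.dll` are all hypothetical. It shows the silent failover, the key swap, a Tripwire-style baseline that catches the swap, and a loader that refuses modules only the second key vouches for (the "not a blind failover" behaviour Russ asks Microsoft for).

```python
"""Model of the two-key signature check discussed in the post above.
Added example: toy textbook RSA stands in for the real CryptoAPI check,
and every name below (CspLoader, rsabase.dll, strongcsp.dll) is hypothetical."""
import hashlib
import secrets

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for a toy key, not for real use."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def gen_keypair(bits: int = 96):
    """Toy RSA: returns (public=(n, e), private=(n, d)). e is prime, so
    gcd(e, phi) == 1 exactly when e does not divide phi."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_digest_int(data, n), d, n)

def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest_int(data, n)

class CspLoader:
    """Verifies a module against a primary key, then a second key.
    strict=False reproduces the silent failover the post describes;
    strict=True refuses anything only the second key vouches for."""

    def __init__(self, primary_pub, backup_pub, strict: bool = False):
        self.keys = {"primary": primary_pub, "backup": backup_pub}
        self.strict = strict

    def key_table_digest(self) -> str:
        """Tripwire-style baseline over the embedded verification keys."""
        blob = "|".join(f"{k}={v}" for k, v in sorted(self.keys.items()))
        return hashlib.sha256(blob.encode()).hexdigest()

    def load(self, csp: bytes, sig: int) -> str:
        if verify(self.keys["primary"], csp, sig):
            return "loaded:primary"
        if verify(self.keys["backup"], csp, sig):
            # This branch is exactly what a blind failover hides from the user.
            return "rejected:backup-only" if self.strict else "loaded:backup"
        return "rejected"

def demo():
    """Vendor-signed CSP loads; the attacker's CSP is rejected until the
    attacker overwrites the second key with their own public key, after
    which it loads silently. The digest and the strict loader both catch it."""
    ms_pub, ms_priv = gen_keypair()
    backup_pub, _backup_priv = gen_keypair()   # private half never leaves the vendor
    loader = CspLoader(ms_pub, backup_pub)
    baseline = loader.key_table_digest()

    vendor_csp = b"rsabase.dll (vendor CSP, constructed sample)"
    vendor_ok = loader.load(vendor_csp, sign(ms_priv, vendor_csp))

    attacker_pub, attacker_priv = gen_keypair()
    evil_csp = b"strongcsp.dll (third-party CSP, constructed sample)"
    evil_sig = sign(attacker_priv, evil_csp)
    before_swap = loader.load(evil_csp, evil_sig)

    loader.keys["backup"] = attacker_pub        # the _NSAKEY-style key swap
    after_swap = loader.load(evil_csp, evil_sig)
    tamper_detected = loader.key_table_digest() != baseline

    strict = CspLoader(ms_pub, attacker_pub, strict=True)
    strict_result = strict.load(evil_csp, evil_sig)
    return vendor_ok, before_swap, after_swap, tamper_detected, strict_result
```

Calling `demo()` returns `("loaded:primary", "rejected", "loaded:backup", True, "rejected:backup-only")`. The point of the strict variant is not that a second key is wrong in itself (Russ's key-rollover rationale is sound) but that a rollover should be an explicit, visible event, not a second chance that any module gets for free; the digest check is the cheap detective control you can run today against the key table in the binary.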
---------
Titanic Wrecking Crew
>>even though the idea of making money playing games would certainly be nice.
;-)
From one full-time 22-yr old network admin to another... =)
Making money playing games isn't at all a new idea, nor an unrealistic one. Take HEAT.net for example. They pay players in "virtual money" called "degrees" for winning tournaments, prize matches, and also simply per hour you play! These degrees can be spent in their online store, the "Black Market" which has software, hardware, console games & systems, etc etc... Go to the site and sign up for a free account...
I personally have been with HEAT.net since the beginnings, as an early beta tester. For the price of a $50 a year premium membership, I've received the equivalent of over $1,500 US Dollars in degrees (over 1.5 Million at the current published conversion rate of 1000 to $1). And that only counts the degrees I've won which HEAT tracks (they don't track degrees won in wagers with other players).
Want more info? Check out my site as linked above ( Jedinite's HEATsite)
You can even get a free T-shirt just for signing up! Do so at Jedinite's HEATsite recruitment center . Tell HEAT I sent you
HEAT.net itself is a very similar virtual community to UO, where many of the above tenets apply... and unlike UO, it's free. (yes, I know it's not the same... HEAT.net is an online gaming community, and UO is an online game... one is a subset of the other, etc etc, but many of the same points apply, and you can check it out for free...)
---------
Titanic Wrecking Crew
They already have plenty of game companies on board, and a plethora of titles to release the system with... Coming from someone who owns the top Sega, Nintendo & Sony consoles, there's not a better gaming machine on the horizon than the DreamCast. I've got mine on preorder... ;)
two URLs for your viewing pleasure:
Sega-otaku
Sega's Dreamcast Page
---------