Slashdot Mirror


User: NotInHere

NotInHere's activity in the archive.

Stories: 0 · Comments: 1,793

Comments · 1,793

  1. Re:So we're fucked either way? on Delete Or Update All Adobe Flash Player Instances, Experts Warn (threatpost.com) · · Score: 2

    Flash isn't much better in regard to tracking than the HTML5-based technologies. Maybe Flash ships with its own fonts, not relying on the OS fonts, so you can't fingerprint based on the fonts. But otherwise Flash is in fact better for ad-based tracking because you can't disable parts of it; you either take it all, or nothing of it.

    Whoever told you that HTML5 allows better tracking than Flash is just outright wrong.

    In fact, in the past Flash has allowed so-called "supercookies", dunno if they are still enabled.

    If you wanted to disable them, you had to visit the Adobe website. How comforting to know that Adobe can change whether I enable supercookies or not.

  2. Re:Android is _not_ Linux in any reasonable sense. on Fedora QA Lead Pans Canonical 'Propaganda' On Snap Apps (happyassassin.net) · · Score: 1

    That's what you get by calling the GNU/Linux operating system "Linux". If you used Linux as the name of a kernel, this issue wouldn't happen.

    Android is as much "Linux" as Windows would be "Linux" were Microsoft to replace the Windows kernel with the Linux kernel. That is, it would not be "Linux" in any meaningful sense.

    Thanks to the shared kernel, Android has lots of things in common with GNU/Linux:

    * usage of the ext2 file system family
    * usage of / instead of \
    * the same binary format
    * the same kernel APIs; if you write a driver for Android, a GNU/Linux driver is not far away

    Thanks to these common things, people have been able to port things like busybox or shell servers to Android.

  3. Internet of things on Interviews: Ask Security Expert Mikko Hypponen A Question · · Score: 5, Interesting

    One of the big security problems of Android is that you are unable to receive any software updates, including security patches, once the hardware manufacturer decides so, and hardware manufacturers have an interest in not providing updates because they cost money to test and deploy, and because missing updates create an incentive for customers to buy newer hardware.

    This issue affects all places where the hardware vendor also supplies the software, and will become more and more important as internet-connected software makes its way into more and more things around us.

    How can this problem be solved?

  4. Anti-virus software on Interviews: Ask Security Expert Mikko Hypponen A Question · · Score: 4, Interesting

    With the recent reports of anti-virus software sometimes actually adding security vulnerabilities to the systems, and the fact that Windows ships with its own bundled anti-virus, what advantages do commercial third-party anti-virus solutions offer these days?

    I'm wondering specifically about the Windows desktop, because this is the platform usually targeted by attackers.

  5. Unification on Fedora QA Lead Pans Canonical 'Propaganda' On Snap Apps (happyassassin.net) · · Score: 0, Troll

    Unification is what Linux desperately needs in order to make it possible for third-party closed-source vendors to target the platform. Otherwise they just make Ubuntu binaries, and that's it.

    One might argue that third-party closed-source software is bad because it's closed, but this is how the world works unfortunately, and Linux won't get any hold on the desktop market if you can't even port your closed-source application to it because each distro is its own special snowflake.

  6. Re:Shifting the burden on Court Slams Record Companies in New Vimeo/DMCA Ruling (arstechnica.com) · · Score: 4, Insightful

    This.

    Giving a car analogy: if you operate a bridge, you maybe have surveillance cameras on that bridge. While you can easily scan the license plate numbers and check for cars that have been reported as stolen, trying to find out which car was stolen yourself is simply impossible. Is it the owner driving? Is it their spouse? Maybe they had a quarrel and the spouse stole the car? You can't look into the brain of the car owner (and there are hundreds of millions, if not billions on this planet) trying to find out who they have allowed to use their car.

    Requiring everybody who operates a bridge or owns a road to 1. equip it with surveillance technology and 2. find out which car has been stolen without reports from the owners is just simply ridiculous.

  7. Businesses should avoid gmail?? on Businesses Lose $3.1 Billion to Email Scams, FBI Warns (networkworld.com) · · Score: 4, Interesting

    Wtf, I think Gmail is 10x more secure than running the webserver on the same server you run your WordPress-based website on.

    It's really hard to get your mail service as secure as Gmail is.

  8. Re:Profitless companies on Kickstarter Just Did Something Tech Startups Never Do: It Paid a Dividend (bloomberg.com) · · Score: 2

    It's the biggest Ponzi scheme in human history. I'd have liked to say that the burst of the bubble would be earth-shattering, but since 2008 we know that if you succeed in bloating a bubble right in front of the eyes of the regulators (who do nothing), and the market's trust suddenly vanishes, the state will bail you out.

    Either way, the funders have made the money of their lifetimes.

  9. Re:paying dividends is dumb on Kickstarter Just Did Something Tech Startups Never Do: It Paid a Dividend (bloomberg.com) · · Score: 4, Informative

    Paying dividends also screws shareholders because dividends are taxable immediately

    Kickstarter has declared itself a "public benefit corporation": https://www.kickstarter.com/bl...

    According to TFA, that includes not exploiting tax loopholes. Very sad that companies that "just" pay their taxes are regarded as "public benefit corporations", and are not the norm.

    They use the infrastructure, they benefit from the state keeping them secure. And they expect to not pay anything for it.

    According to TFA, Kickstarter is going down the "never IPO" path.

  10. That was true for ME versions up to 6.0, but for newer Intel hardware, you can't boot a system without ME involvement anymore. Quoting https://libreboot.org/faq/#int... :

    ME firmware versions 6.0 and later, which are found on all systems with an Intel Core i3/i5/i7 CPU and a PCH, include "ME Ignition" firmware that performs some hardware initialization and power management. If the ME's boot ROM does not find in the SPI flash memory an ME firmware manifest with a valid Intel signature, the whole PC will shut down after 30 minutes.

  11. Yeah, the trusting trust problem extends to hardware. Modern computers are so small, you need a computer to build them. But in order to build that computer, you need yet another computer.

  12. Wow, seems I haven't given attention and I've really fscked up the grammar with this one.

    You are almost right about the first part, lemme modify it to outline what I wanted to say:

    During wartime military officials have a lot of power over civilians of the nation they are fighting against. A military official could just shoot someone without just cause and later claim that the civilian was reaching for their (or the soldier's) weapon. There is a good chance that the military official would get away with it.

    About the last sentence:

    I would rather have military officials exert that power who haven't committed crimes than ones who have, because criminals are more likely to abuse their powers, as they have already broken the law once.

  13. At wartime military officials have lots of power over civilians of the nation they are fighting. They can shoot somebody and tell they wanted to take their gun, and maybe get away with it. I'd rather have people who haven't committed than ones who do.

  14. Well, I have no problem with that. First, joining the military is a free choice and there are other jobs to do. I personally would never do it, but that's because of other reasons (if other people want to join, that's fine, they are protecting their country, but I don't want to take part in it).

    So if you use spy technology at the front, and maybe even against your own military personnel in order to get more accountability, then that's a good thing. These people are happy if they die or live, and I think everybody would prefer some bit more spying than hundreds of dead soldiers or impaired veterans.

    Let's put it this way: I'd rather have a camera targeted at me than a gun. With today's spy technologies you can spare more civilian lives because you don't have to do carpet bombing anymore; with the proper intelligence you know exactly where your enemies hide and how to take them out.

    This is the modern way of doing war and I prefer it to the horrible two world wars of the 20th century.

    What I do not like is if spy technology gets used in peaceful times or against befriended nations you form alliances with. Maybe some intelligence is appropriate, and in fact important for a better diplomatic climate, but that can happen with simply doing open source collection.

  15. Re: haha on Executive Says Facebook Will Be All Video, No Text In 5 Years (mashable.com) · · Score: 3, Insightful

    The moderators have made it "Redundant". It's obvious that Facebook is stupid, nobody needs to point it out.

  16. Re:Nefarious Headline for Practical Feature on Intel x86s Hide Another CPU That Can Take Over Your Machine -- You Can't Audit it (boingboing.net) · · Score: 1

    I think the critical part is that Intel doesn't let anyone write code for that chip, basically making it a black box.

    BUT I think it's better to have it in the hands of Intel than, say, Microsoft.

  17. Common in China on US Company's China Employee Allegedly Stole Code To Help Local Government (csoonline.com) · · Score: 3, Insightful

    This is common if you cooperate with China. They let you show how to do it and then they erect a second factory owned by the brother or the nephew or something. Ten years later you will be bought by that company.

    And China wants to get the "free market" label. ROFL at this ridiculousness. OOXML is ten times more an open standard than China is a free market.

  18. I think the movement now is heading towards YubiKeys and U2F. The only thing required to happen is to use U2F as first and only factor.

  19. Precisely. It's damn easy to prevent this bug. Just add a 168k bytes limit to the messages. Most times it won't matter because there is already the 4k character limit, but in the case of these special Unicode characters it will prevent further harm.

  20. I guess: on Mars, build your home below ground. When travelling to Mars (and/or back): hope that there is no storm coming your way :)

  21. Great technology, but what about the energy? on Nikola Motor Receives Over 7,000 Preorders Worth Over $2.3 Billion For Its Electric Truck (electrek.co) · · Score: 1

    It's great to see electric cars leading, but what about the energy generation? It has to become "green" as well in order for there to be an impact.

  22. Re:Why does the media use the term "gay nightclub" on FBI Director Comey: 'Highly Confident' Orlando Shooter Radicalized Through Internet (cbsnews.com) · · Score: 2

    Because the terrorist has done shooting in that nightclub because it was a gay nightclub?

    The fact that it was a meeting place for gay people was more relevant for him doing the attack than the fact that it was a nightclub.

  23. Re:Next year Apple will release Prenatal Playgroun on Apple Introduces Swift Playgrounds App To Teach Kids To Code (theverge.com) · · Score: 1

    It's just in their interest. The more people can code, the less they have to pay them.

  24. Re:Horse hockey! on Hacker Puts 51 Million iMesh Accounts For Sale On Dark Web (zdnet.com) · · Score: 2

    And as GP said, collision attacks are meaningless for leaked password databases.

    What you actually need is preimage attacks, and MD5 still is strong on that front.

  25. Re:Horse hockey! on Hacker Puts 51 Million iMesh Accounts For Sale On Dark Web (zdnet.com) · · Score: 2

    All this "MD5/SHA-1 is easy to crack" talk essentially boils down to "MD5 is a fast hash algorithm".

    People regard hash algorithms which are slower as more secure, as they take longer to crack. The fact is though that the longer a hash algorithm takes to crack, the more load it puts on the server. So if your server has to churn for three seconds running ten million iterations of bcrypt in order to have a "strong" cipher, it "only" gives a linear increase in difficulty for the attacker.

    And while the attacker only has to find a password once, the server has to process log-ins all day long, day after day.

    A really better solution to this is to 1. hash+salt the passwords (e.g. with SHA-1 or maybe SHA-256 if you really want) and 2. encrypt them via an HSM (e.g. with AES). Then you send the HSM your SHA-256 value and the encrypted hash from the database, and the HSM tells you whether they match or not.

    This way you will prevent hackers from doing any off-line brute-force attacks *at all*, unless they somehow get hold of the secret key inside the HSM. But this is much much harder than accessing the database.

    Well, anyway, in the real best case, everybody just used YubiKeys as first and only factor...
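
The scheme described in comment 25, sketched as an added example that is not part of the original comment or of any project mentioned on this page. Assumptions: `SimulatedHSM` is a hypothetical in-process stand-in for a hardware module, all function names are made up for illustration, and HMAC-SHA256 is swapped in for the AES step so the code runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets


class SimulatedHSM:
    """Stand-in for a hardware module: the key never leaves this object."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # hypothetical device-held key

    def wrap(self, digest: bytes) -> bytes:
        # Keyed transform of the salted hash (HMAC here, AES in the comment).
        return hmac.new(self._key, digest, hashlib.sha256).digest()

    def matches(self, digest: bytes, wrapped: bytes) -> bool:
        # The module only answers yes or no, using a constant-time compare.
        return hmac.compare_digest(self.wrap(digest), wrapped)


def salted_hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def enroll(hsm: SimulatedHSM, password: str) -> dict:
    # The database row holds the salt and the wrapped hash, never the key.
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped": hsm.wrap(salted_hash(salt, password))}


def login(hsm: SimulatedHSM, record: dict, password: str) -> bool:
    return hsm.matches(salted_hash(record["salt"], password), record["wrapped"])


def row_alone_confirms(record: dict, guess: str) -> bool:
    # What a copied database row allows without the key: recompute the
    # unkeyed salted hash and compare. It does not match the wrapped value,
    # so a guess cannot be checked away from the HSM.
    return hmac.compare_digest(salted_hash(record["salt"], guess), record["wrapped"])


if __name__ == "__main__":
    hsm = SimulatedHSM()
    row = enroll(hsm, "correct horse")  # constructed sample password
    print(login(hsm, row, "correct horse"), login(hsm, row, "wrong"))
    print(row_alone_confirms(row, "correct horse"))
```

The yes/no interface is still an online guessing oracle for anyone who can call it, so the HSM path needs the same rate limiting as the login endpoint.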