Worth pointing out, the graphical X509 tools for OS X are fairly new. I think they came in with 10.4, maybe 10.3, but you used to have to perform black (or at least, fairly grey) magic with command line tools to add X509 certificates. I know, because it drove me nuts...
(Having said that, the new graphical tool rocks muchly)
Re: "even more catastrophic" ??? (on Back to the Bunker; Score: 3, Insightful)
*pause* So, what you're saying is that the Bush administration is the national catastrophe?:)
Okay, I imagine I'm not the only /.er to be working with no fixed hours (although I may be the only one where that doesn't mean 60+ hours a week). Following a rather vague train of thought, I suspect people working from home might not be too hard to persuade to spend an extra hour doing work, instead of time they might be commuting. Alternatively, even if they spend that hour relaxing, having more relaxed staff should also benefit productivity....
Look, can I just claim it's the sleep deprivation's fault?
Ah, yes, you are in a maze of twisty cubicles, all alike...
Seriously though, yes, cubicles suck. They're a worst of both worlds kinda thing, where they don't quite have the privacy of an office, or the openness of open-plan. If an employer just puts people into small isolated boxes, they're not going to start magically working well together.
What's worked well for our group, is we have 2-ish person offices, close to each other, plus a break-out space. We're never fully isolated, but can always turn to the person next to us and go "Am I doing something silly here?", and we tend to have lunch in the break-out space, and work through problems there too.
I think the issue is that people are viewing this as a "One size fits all". Some people are best working in an office, some people are best working from home, some people are best with a combination of the two; for example, I tend to spend more time working, at work, but have a lot less distractions at home, so if I need to get one single task done fast, home is most appropriate, but otherwise at work is better.
Well, it'll be interesting to see how this all comes out in the end, anyway...
Because as much as programmers and IT personnel don't want to deal with each other, if you can get them to actually talk, you can get some significant improvements in performance. This is particularly true if you're dealing with projects bigger than one person; by putting your staff within easy access of each other, questions will be answered faster, and that can really help. Even if working on independent projects, the ability to trivially ask someone for their advice on a particularly tricky problem is invaluable.
This is not to say that working in an office together is always better; if your staff have an hour's commute each way, the time saved by having them close to each other will almost certainly be wiped out by time commuting instead of either relaxing or working. The point is that there are upsides and downsides, and a balance has to be found between them...
*sigh* /.'s attitude of "It's okay to copy anything I want" is really, really getting tiring.
Look, yes, the movie companies are almost solely producing overpriced undifferentiated mush. However, it's clearly mush a lot of you want. As such, is it so crazy to suggest you either pay for it, or if you genuinely feel it's overpriced, make a stand by neither buying nor copying? All you're doing by copying movies/music/games/etc. is saying to the producers "I want your product, but don't want to pay for it".
The MPAA/RIAA are both fairly clearly evil incarnate, I agree. However, copying everything you want is not actually going to help, it's just going to give them more legal leverage. If you actually feel things need to change, stop buying, and stop copying. Go read a book or something:)
Had a bit of a thinkthrough with people, about this. Simplest way to make a program trickier to understand, is to make it larger. However, all ways I can think of doing this (generating values that aren't used, non-conditional jumps you don't need, etc.) can be pulled out automatically in O(n) time (where n is number of instructions in the code). Unless you're going to start shipping code on 100s of DVDs, you're unlikely to really make things hard this way.
So the next step is to adapt the code to use non-deterministic execution, as I suggested in the previous post. Thing is, current processors are (meant to be? :)) purely deterministic; you can use a random number generator based on timestamps to emulate non-determinism, but the user is still going to be able to change that time input, and therefore render your code deterministic. Still, I think you can get the time to analyse the code up to O(n^2)... at this point, it becomes annoyingly hard to decipher, but is certainly not what I'd call "unbreakable".
If the code can depend on non-deterministic execution, the only way to analyse it pretty much comes down to repeatedly running it, and seeing what it tends to do. I'm not entirely sure what that does to the big-O, I just know it's going to be better than pseudo-non-deterministic.
The last possibility is self-modifying code, although that's merely changing the nature of the problem (it makes analysis code a nightmare to write, but I don't think it actually changes the big-O).
Anyway, point is, nothing I can think of is going to withstand significant attack. Self-modifying non-deterministic code would beat most people, though...
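The comment above claims that padding such as unused values and unneeded unconditional jumps can be stripped automatically in O(n) time. The following is an added example, not code from the original thread, that shows one such linear pass over a constructed toy instruction format. The opcode set, the functions `remove_padding_jumps`, `remove_dead_values`, `deobfuscate` and `run`, and the sample program `BLOATED` are all assumptions of this example; it handles only straight-line code whose jumps are padding to the very next instruction, and refuses anything else so the backward liveness scan stays sound.

```python
"""Linear-time removal of two bloat patterns: values that are computed but
never read, and unconditional jumps that only go to the next instruction.
Toy instruction format (assumption, not a real ISA):
    ("set", dst, const)     dst = const
    ("add", dst, a, b)      dst = a + b
    ("jmp", target)         unconditional jump to index `target`
    ("out", src)            observable output; the only side effect
"""


def defined_register(ins):
    """Register written by an instruction, or None."""
    return ins[1] if ins[0] in ("set", "add") else None


def used_registers(ins):
    """Registers read by an instruction."""
    if ins[0] == "add":
        return {ins[2], ins[3]}
    if ins[0] == "out":
        return {ins[1]}
    return set()


def remove_padding_jumps(code):
    """Drop every 'jmp' whose target is the next index (pure padding).
    Any other jump is out of scope for this toy, because the liveness pass
    below assumes straight-line execution order."""
    kept = []
    for i, ins in enumerate(code):
        if ins[0] == "jmp":
            if ins[1] != i + 1:
                raise ValueError(f"non-padding jump at index {i}: out of scope")
            continue
        kept.append(ins)
    return kept


def remove_dead_values(code):
    """Single backward pass over straight-line code: a definition survives only
    if its register is read later before being overwritten. O(n) in the number
    of instructions, since each instruction is visited once."""
    live = set()
    kept = []
    for ins in reversed(code):
        if ins[0] == "jmp":
            raise ValueError("remove_padding_jumps must run first")
        dst = defined_register(ins)
        if dst is not None and dst not in live:
            continue  # result is never read: drop the instruction
        if dst is not None:
            live.discard(dst)
        live |= used_registers(ins)
        kept.append(ins)
    kept.reverse()
    return kept


def deobfuscate(code):
    return remove_dead_values(remove_padding_jumps(code))


def run(code):
    """Tiny interpreter used to confirm the observable output is unchanged."""
    regs, outputs, pc = {}, [], 0
    while pc < len(code):
        ins = code[pc]
        pc += 1
        if ins[0] == "set":
            regs[ins[1]] = ins[2]
        elif ins[0] == "add":
            regs[ins[1]] = regs[ins[2]] + regs[ins[3]]
        elif ins[0] == "out":
            outputs.append(regs[ins[1]])
        elif ins[0] == "jmp":
            pc = ins[1]
    return outputs


# Constructed sample: a four-instruction program padded with three junk ones.
BLOATED = [
    ("set", "r0", 7),
    ("set", "r9", 123),          # junk: r9 is never read
    ("jmp", 3),                  # junk: jumps to the next instruction anyway
    ("set", "r1", 5),
    ("add", "r8", "r9", "r9"),   # junk: r8 is never read
    ("add", "r2", "r0", "r1"),
    ("out", "r2"),
]

if __name__ == "__main__":
    cleaned = deobfuscate(BLOATED)
    print(f"{len(BLOATED)} -> {len(cleaned)} instructions, output {run(cleaned)}")
```

The point the example makes is the one in the comment: bloat of this kind costs the analyst one pass, so it only raises the constant factor, not the complexity class.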
> This proves that, and just what the bleedin' hell is going on with those horizontal dividers Timothy? They're hideous. 100 years in the CSS stylepolice dungeons.
On first read of the article, I thought they were a rendering glitch!
Someone else has pointed out that (more or less?) anything can be broken with enough resources, so ignoring that point...
What you're really talking about is, as well as hiding the key, using an obfuscated programming style in order to make sure that it's infeasible to analyse the code to find the key. I'm unaware of any research into making code that is actually secure in its level of obfuscation - anyone want to tell me I'm wrong? I suspect that with enough time, it would be possible to make some fairly hard to analyse code, though.
Non-deterministic behaviour would be a good start. Throwing ideas out as I have them, imagine your code pulls half a dozen random numbers out of an algorithm, averages them, and uses the resulting number to determine what it does next. Say that number is, 90% of the time, the correct step, and 10% of the time, it's not. A human running the program would probably simply go "Oh, my files haven't unencrypted, I'll try that again", but it would definitely make analysis harder.
What I really meant, is I don't have the mathematics background to really get into cryptography. I know how it all works from a using it in the real world point of view (particularly, SSL), and happen to know how the maths for RSA works because it's actually remarkably simple, but most of this stuff I'm as lost as everyone else:)
First up, a man in the middle attack requires someone spotting the virus on its way to your computer, and rewriting the public key parts. So, not really an issue here. Mostly, the poster appears to be confused with using public keys for verifying identity.
Problem is, however, that the same private key would unlock all ransomed files. The virus actually needs to be able to get a new public key for each computer it infects, which means having a remote site accessible for it to register with, and request a new key from.
I'm assuming fairly standard RSA here. There is the possibility that someone could make a more complex cipher; so you start with a private/public key, and the virus carries the public key. On arrival at a system, it generates another public/private key pair, from the public key, which it would encrypt the files with, then destroys the private key. The public key it just generated would then be sent back with payment, the virus author creates a unique decryption key from that public key, and their private key, and sends it in turn back. Hell, it may be possible to do this with RSA, I'm not that much into crypto.
Luckily, anyone bright enough to figure that all out can probably earn plenty of money legally:)
While almost all the MMORPGs I can think of recently (Auto Assault, Huxley, RF Online, Seed, Star Trek, Tabula Rasa) are non-fantasy, I think suggesting WoW is responsible massively underestimates the production time on a MMORPG (around 5 years, from what I hear). What I mean is, sure, there are fewer fantasy MMORPGs coming out, but I think that was because people wanted something different to Everquest, as opposed to avoiding the genre because it's so difficult to compete with WoW...
> Sounds like a bad manager to me. Why would he ever hire an inexperienced programmer?
So... inexperienced programmers should become experienced by... ?
Assuming they did a computer science degree, it's rather odd they got through their entire degree while refusing to use constants, however a computer science degree is not a degree in programming. Sure, some institutions will train their students to a level where they can hit the ground running in a programming job, in the environment they're used to. However, where I work and did my degree (St Andrews University), the focus is definitely on the why, rather than the how (so, topics such as software engineering, language design, logic, to name a few), and currently we're second best in the UK for Computer Science:
http://browse.guardian.co.uk/education?SearchBySubject=false&FirstRow=0&SortOrderDirection=&SortOrderColumn=GuardianTeachingScore&Subject=Computer+sciences+and+IT&Tariff=6&Go=Submit
Sender and receiver already pay for traffic, to their respective ISPs. This is like being charged extra to let the parcel you already paid FedEx to deliver, actually be delivered.
Anyone that's unhappy about this clearly hasn't ever seen someone Alt-F4 (or Cmd-W if you're into that sort of thing) a browser window when it unexpectedly starts producing sound, and never look back.
(And, in my case, find and install AdBlock as a direct result)
*pause* I wonder what the legal situation is of writing a program that says "Hey, would you like me to e-mail a copy of myself to everyone in your Outlook Express address book?"...
But with quality releases such as Resident Evil: Apocalypse, Van Helsing, The Chronicles of Riddick and Underworld: Evolution, how can you claim a lack of content?
Okay, I'm being harsh, there's some... decent... movies coming out. However, gotta say, it's all stuff I'd either never buy, or have already...
The PS2 came out at £299, not £425 (or, as I like to call it, almost 50% more).
DVDs had been out for several years, and not only were an established format, but had a sizable catalogue available (1,000+ titles, I believe). Blu-Ray will have been out for a few months, with a catalogue best measured in dozens.
DVDs showed a clear advantage over the previous format, on almost any TV. Blu-Ray shows a noticeable advantage (and even less noticeable if you've ever tried an upscaling DVD player) on HDTVs... which are still in the minority even in the US, and very much in the minority in the UK.
A few points:
> It's not so much of a stretch to think that this supposed "hacking" is just really a clever game strategy or "easter egg" designed to help and reward the players clever enough to figure it out.
Yes it is. It should be fairly common sense it's not!
> He did not use a "3rd party hack", he just used existing conditions to his favor.
Just because he figured out the hack before a 3rd party did, does not make it any better...
> At the very least, he found a very important bug in the game. He deserves to be paid as a bug tester at the very least.
In the same way that, if I pick the locks on your house, I deserve to be paid for showing problems in your home security? If he'd said to Linden "I was looking at your auction system, and if I edit the URL like so, I can access plots of land that are not yet available", it would have been nice if they'd given him a "thanks for telling us and not horribly exploiting the system" gift.
> Deleting his account and jacking his stuff is uncalled for.
No, they froze his account. That's fairly standard practice if you catch someone hacking your system, it's called damage control. They'll currently be spending a fortune (in man hours) checking everything he's done, and making sure this is the only thing he's been hacking. I would be disappointed if they didn't let him transfer the balance in Linden dollars out, once this mess is cleared up, but if you hack something, particularly for your own gain, you should expect to be banned. Permanently.
In particular, if the browser has to second-guess what the page means, so will a human. In some cases, I've seen web pages where I couldn't fix the HTML directly, I had to look at what rendered in IE, and rewrite the HTML based on that. Not good...
I want you to imagine your boss comes to you and says "Why doesn't our site work on IE 12: Soul sucking edition?". Consider the following two answers:
"Well, we hadn't tested it on IE 12, so have no idea where it would break."
"Well, our site complies with the relevant standards, however IE 12 deliberately breaks them."
Neither's good, but y'know, I think they're going to like the second one more...
Specifying an alt tag of "" explicitly indicates the image has no content. Not including that alt tag could mean it has no content, or you just didn't think about it; as someone pointed out, Lynx specifically renders it as [IMAGE].
And seriously, is alt="" that much bloat?
Oh, it's also not the validator's fault, it is part of the HTML 4.01 standard. Argue with the W3C if you don't like it.
> Nowadays, about 60-70% of my pages validates automatically on the first try.
Exactly what I was going to say; validating pages as you go will really help you learn to avoid problems. Writing your pages in XHTML (and then serving them with the correct MIME type, application/xml+html) is a helpful step, as it causes Firefox and Safari (possibly also Opera) to actually spit out errors if your page is mangled! It's not perfect; you need to be able to serve them as text/html for IE, but it's what we do with our webapps, and it seems to help...
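Two of the checks discussed in the comments above (telling an `<img>` with no alt attribute apart from one with `alt=""`, and serving XHTML with its XML MIME type only to browsers that advertise it while falling back to text/html for IE) as an added example that is not from the original comments or any project they mention. The registered XHTML type is application/xhtml+xml, which is what the code uses. The functions `audit_img_alt` and `choose_content_type`, and the sample markup and Accept headers, are constructed here for illustration.

```python
from html.parser import HTMLParser


class ImgAltAudit(HTMLParser):
    """Records every <img> with a status of 'missing', 'empty' or 'present'.
    html.parser reports a bare `alt` (no value) as None, which we treat as empty."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        src = attrs.get("src", "?")
        if "alt" not in attrs:
            self.findings.append((src, "missing"))   # Lynx would show [IMAGE]
        elif (attrs["alt"] or "") == "":
            self.findings.append((src, "empty"))     # explicitly decorative
        else:
            self.findings.append((src, "present"))


def audit_img_alt(html):
    """Return [(src, status), ...] in document order."""
    parser = ImgAltAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def choose_content_type(accept_header):
    """Pick application/xhtml+xml only when the client lists it with q > 0;
    otherwise text/html. A bare */* is deliberately not enough, because the
    browsers that send only wildcards are the ones that cannot render XHTML."""
    for part in accept_header.split(","):
        media, *params = [p.strip() for p in part.split(";")]
        quality = 1.0
        for param in params:
            if param.startswith("q="):
                try:
                    quality = float(param[2:])
                except ValueError:
                    quality = 0.0
        if media == "application/xhtml+xml" and quality > 0:
            return "application/xhtml+xml"
    return "text/html"


# Constructed sample inputs.
SAMPLE_HTML = (
    '<p><img src="logo.png" alt="Company logo">'
    '<img src="spacer.gif" alt="">'
    '<img src="chart.png"></p>'
)
ACCEPT_FIREFOX = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
ACCEPT_IE6 = "image/gif, image/x-xbitmap, */*"

if __name__ == "__main__":
    for src, status in audit_img_alt(SAMPLE_HTML):
        print(f"{src}: alt {status}")
    print(choose_content_type(ACCEPT_FIREFOX), choose_content_type(ACCEPT_IE6))
```

Only the third image in the sample would be reported by a validator; the second is a conscious "no content" declaration, which is the distinction the comment about Lynx draws.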
To be honest, I'm more thinking efficiency.
You're both wrong :)
Going back to stuff I should be doing, now.
The key problem was not their level of programming experience when hired, but their unwillingness to learn better techniques.
It's worse than that.
To be honest, I think the only way to be sure of avoiding phishing scams is to never enter credentials into a page you get to from a URL in an e-mail.
No, really, never. No exceptions. If you can't get to the page from where you'd normally log into that site, call them up, talk to them about it.
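A small triage helper in the spirit of the advice above: it pulls the links out of an HTML e-mail body and flags any whose visible text names a different host than the href actually points at, or whose host is not one of the sites you would normally log in at. This is an added example, not code from the original comment; `triage_links`, the known-host set and the sample message are constructed assumptions, and the host names use the reserved `.example` and `.test` domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.x.example/path' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text):
    """Visible text that a reader would take to be the destination."""
    return text.strip().lower().startswith(("http://", "https://", "www."))


def is_known_host(host, known_hosts):
    """True if host is one of the known sites or a subdomain of one."""
    return any(host == k or host.endswith("." + k) for k in known_hosts)


def triage_links(html, known_hosts):
    """Return [(href, text, reasons), ...]; an empty reasons list means no finding."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        actual = host_of(href)
        reasons = []
        if looks_like_url(text) and host_of(text) != actual:
            reasons.append("text-host-mismatch")   # the link says one site, goes to another
        if not is_known_host(actual, known_hosts):
            reasons.append("unknown-host")         # not where you would normally log in
        findings.append((href, text, reasons))
    return findings


# Constructed sample: one deceptive link, one genuine one.
KNOWN_BANK_HOSTS = {"bank.example"}
SAMPLE_MAIL = (
    "<p>Your account needs verification. Please log in at "
    '<a href="http://accounts-verify.test/login">https://www.bank.example/</a> '
    'or read our <a href="https://www.bank.example/help">help pages</a>.</p>'
)

if __name__ == "__main__":
    for href, text, reasons in triage_links(SAMPLE_MAIL, KNOWN_BANK_HOSTS):
        print(f"{href!r} shown as {text!r}: {reasons or 'ok'}")
```

The helper does not replace the rule in the comment; the known-host check is just that rule made mechanical, and a link that passes both checks is still best reached by typing the address yourself.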