Slashdot Mirror


User: thogard

thogard's activity in the archive.

Stories
0
Comments
3,911

Comments · 3,911

  1. Re:It's not entirely a lie on Programming Education: Selling People a Lie? (blogspot.com) · · Score: 2

    The weed-out programs worked well when you could drop a class an hour before the final exam, but universities decided that wasn't a good idea for some reason, so now there is enormous stress on students to follow their course even if the weed-out course said they shouldn't be in that field at all. Oddly enough, these changes seem to have come from the accreditation side of the teaching business, yet they decrease the value of degrees.

    My take is only about 1 in 100 people will ever understand how the machines work well enough to be great programmers. I want to be able to pick a page out of "The Art of Computer Programming" and have a prospective programmer explain what the page is talking about and why (or why not) the concept mentioned would be used.

  2. Re:Typical Liberal Thinking on UK's Coal Plants To Be Phased Out Within 10 Years (bbc.co.uk) · · Score: 1

    Coal baseload power in Australia is about $25/MWh, or about £12.

    A major problem with shutting down coal plants in Australia is that the coal plant operators are the ones paying to protect the coal from fires. If they stop paying, it will catch fire and burn. There is a coal fire north of Sydney that has been burning for about 6,000 years. Not using the coal doesn't mean it isn't going to burn, and it is much cleaner to burn it in a coal plant than in a coal seam fire.

  3. Re:They can save my TRS-80 tapes? on Tape Disintegration Threatens Historical Records, But Chemistry Can Help (nautil.us) · · Score: 1

    There are programs that will convert mp3 from cassette tape recordings into the raw bit stream and back to the audio again. That means you can plug your mp3 player into the cassette port of your TRS-80/IBM-PC/Vic or Apple and load the programs.

    Can anyone read 9-track tapes in Melbourne, Oz? I have one that needs reading before all the bits go bad. It's a 6250 bpi tape holding maybe up to about 175 MB.

  4. Re:Shows may vary. on TV Networks Cutting Back On Commercials (bloomberg.com) · · Score: 1

    The viewers aren't the consumer of TV shows. The commercial buyers are, and commercials in sci-fi don't get watched, so the commercial buyers won't buy the ads.

  5. Re:They still support OSX 10.6? on Google Will Retire Chrome Support For XP, Vista, OS X 10.6-8 In April 2016 (blogspot.com) · · Score: 1

    10.5.8 is the last version that will run on millions of PPC systems. They were mostly high-end and fast systems when they were new and are still very functional. Many of those systems were handed over to other family members after upgrades, and they are still out there working. Even the lifesaver machines from 1999 will run OS X 10.5.8, and they are quite responsive enough to be useful when using Safari. They tend to get a bit bogged down with Chrome 21 or Firefox 16, but they still work. There are millions of old Macs still out there that aren't ever going to get upgraded.

  6. An article with the proper use of zero-day? on NSA Uses Vulnerabilities Before It Discloses Them, Keeps Some To Itself (reuters.com) · · Score: 1

    I didn't think I would ever see another article with the proper use of the term zero-day. I expect when the NSA talks about zero-day they get the terminology right. An exploit the NSA discovers and doesn't use isn't a zero-day until someone else starts using it. Exploits they buy are most likely zero-day. Bugs found and reported to vendors but not used aren't zero-day if a patch arrives before an exploit. A real trick is knowing if a new exploit is being used, and I think it is clear that the spooks might have an advantage in detecting that sort of thing.

  7. Re:Real Security - or Security Theatre? on Can the Cloud Be More Secure Than Your Own Servers? (Video) · · Score: 1

    I've seen someone talk their way into real data centers so many times, I've lost count. In one case the guy talked his way into the building, then talked his way into the data center, and then removed a server from a rack that he didn't have a key for and took the server away.

  8. Re:what about git? on First Successful Collision Attack On the SHA-1 Hashing Algorithm (google.com) · · Score: 1

    The entropy in hashes must be less than the entropy in the data or it isn't a hash. That means that a hash requires that there be collisions by definition. A good hash will minimize those but there will always be a risk.

    When writing a program that requires a hash, I find it useful to gut the hash function so that if I'm using sha256, I set all the bytes except for one to zero so I see what happens with collisions and can test that functionality. It is amazing how many bugs I've found in protocol implementations by doing this with hashes and block cyphers.

    A coder also needs to balance performance with the function of the code if it's CPU bound. Many web pages now spend more than half their load time doing the TLS handshake. If you decide you want to go beyond what the CPU supports, you can also find your code runs very slowly. Say you want to run something like a hypothetical AES-1024. The hardware only supports 256 bits, so you get a 10x penalty for that, plus you have to deal with 4 times more bits, so there isn't any way the new code won't be less than 40 times slower. Sometimes it is just better to use a much faster, weaker hash for some parts and a slower, better hash for data integrity. An example of this would be something like rsync or torrent, where there are lots of little blocks and a very fast hash is helpful, but a better hash can be used for sets of blocks. You cannot count on the speed of a hash for security either. A cheap bitcoin USB device can do hashes 31,000 times faster than my workstation.
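The "gutted hash" testing trick described in the comment above, worked through as an added example (this is not the commenter's code, and the store classes, `gutted_sha256` and the `block-N` sample inputs are constructed for illustration). The real digest is replaced by one that keeps a single byte of SHA-256, so any test set of more than 256 inputs is guaranteed to collide. A store that treats the digest as the identity of the data then silently hands back the wrong blob, while a store that keeps the hash as a lookup key and checks content equality detects the collision instead of hiding it:

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

Hasher = Callable[[bytes], bytes]


def real_sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def gutted_sha256(data: bytes) -> bytes:
    # Test-only hash (assumption for this example): zero every byte of the real
    # digest except the last, leaving only 256 possible outputs so collisions
    # show up in any unit test with a few hundred distinct inputs.
    return b"\x00" * 31 + hashlib.sha256(data).digest()[-1:]


class CollisionError(Exception):
    pass


class NaiveStore:
    """Content-addressed store that trusts the digest as identity."""

    def __init__(self, h: Hasher) -> None:
        self.h = h
        self.blobs: Dict[bytes, bytes] = {}

    def put(self, data: bytes) -> bytes:
        key = self.h(data)
        self.blobs.setdefault(key, data)  # a later, colliding blob is dropped silently
        return key

    def get(self, key: bytes) -> bytes:
        return self.blobs[key]


class CheckedStore:
    """Same interface, but the digest is only a bucket key; content is compared."""

    def __init__(self, h: Hasher) -> None:
        self.h = h
        self.buckets: Dict[bytes, List[bytes]] = {}

    def put(self, data: bytes) -> bytes:
        key = self.h(data)
        bucket = self.buckets.setdefault(key, [])
        if data not in bucket:  # equality of bytes, not of digests
            bucket.append(data)
        return key

    def get(self, key: bytes) -> bytes:
        bucket = self.buckets[key]
        if len(bucket) != 1:
            # Refuse to guess which blob the caller meant.
            raise CollisionError(f"{len(bucket)} blobs share key {key.hex()}")
        return bucket[0]


def find_collision(h: Hasher, limit: int = 1000) -> Optional[Tuple[bytes, bytes]]:
    """Feed distinct constructed inputs until two share a digest."""
    seen: Dict[bytes, bytes] = {}
    for i in range(limit):
        data = b"block-%d" % i  # constructed sample input
        key = h(data)
        if key in seen:
            return seen[key], data
        seen[key] = data
    return None


def naive_store_returns_wrong_blob(h: Hasher) -> bool:
    """True if the naive store hands back the wrong data under a collision."""
    pair = find_collision(h)
    if pair is None:
        return False
    first, second = pair
    store = NaiveStore(h)
    store.put(first)
    key = store.put(second)
    return store.get(key) != second


def checked_store_detects(h: Hasher) -> bool:
    """True if the checked store raises instead of returning the wrong blob."""
    pair = find_collision(h)
    if pair is None:
        return False
    first, second = pair
    store = CheckedStore(h)
    store.put(first)
    key = store.put(second)
    try:
        store.get(key)
    except CollisionError:
        return True
    return False


if __name__ == "__main__":
    print("collision with gutted hash:", find_collision(gutted_sha256))
    print("naive store returns wrong blob:", naive_store_returns_wrong_blob(gutted_sha256))
    print("checked store detects it:", checked_store_detects(gutted_sha256))
```

With the real SHA-256 wired in, the same test harness finds no collision in a thousand inputs and both stores behave identically, which is exactly why the collision path never gets exercised unless the hash is gutted in the test build.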

  9. blacklistd.conf? on NetBSD 7.0 Released (netbsd.org) · · Score: 1

    Blacklistd looks like a great idea, but I checked out the syntax in blacklistd.conf and I think it could use some work.

    I could see lots of admins getting bitten by "nfail=*" meaning never. To me, that name or a '*' isn't the right choice. Security config files absolutely must be unambiguous to people who aren't going to read the manual. Cron has a similar syntax, and I've seen several cases where a simple change to a crontab resulted in a 5-star screwup that ran something 1440 times a day.
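The crontab failure mode mentioned above (a `*` that means "every" rather than "never"), worked through as an added example that is not part of the comment: a small 5-field cron parser that counts how many times an entry fires on a given day, plus a lint pass that flags entries exceeding a threshold. The parser follows the documented Vixie cron rules (lists, ranges, `*/step`, Sunday as 0 or 7, and "either field matches" when both day-of-month and day-of-week are restricted); the sample crontab text is constructed for the example.

```python
from datetime import date
from typing import List, Set, Tuple

# (low, high) for minute, hour, day-of-month, month, day-of-week
FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 7))


def parse_field(text: str, lo: int, hi: int) -> Set[int]:
    """Expand one cron field ('*', '5', '1-5', '*/15', '1,15') into a set."""
    values: Set[int] = set()
    for part in text.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {text!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        elif step != 1:
            raise ValueError(f"step needs a range or '*' in {text!r}")
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{text!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def runs_on(spec: str, day: date) -> int:
    """Number of times a 5-field cron spec fires on the given calendar day."""
    fields = spec.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: min hour dom month dow")
    minutes, hours, doms, months, dows = (
        parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)
    )
    dows = {d % 7 for d in dows}  # 7 is Sunday, same as 0
    if day.month not in months:
        return 0
    cron_dow = (day.weekday() + 1) % 7  # Python Monday=0 -> cron Sunday=0
    dom_any, dow_any = fields[2] == "*", fields[4] == "*"
    dom_ok, dow_ok = day.day in doms, cron_dow in dows
    if dom_any and dow_any:
        date_ok = True
    elif dom_any:
        date_ok = dow_ok
    elif dow_any:
        date_ok = dom_ok
    else:
        date_ok = dom_ok or dow_ok  # both restricted: either one matching fires
    return len(minutes) * len(hours) if date_ok else 0


def lint_crontab(text: str, day: date, max_runs: int = 24) -> List[Tuple[int, int, str]]:
    """Return (line_number, runs, spec) for entries firing more than max_runs/day."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        spec = " ".join(line.split()[:5])
        runs = runs_on(spec, day)
        if runs > max_runs:
            flagged.append((lineno, runs, spec))
    return flagged


# Constructed sample crontab: line 3 was meant to run at 3 AM but the hour
# field lost its value and became '*', so it now fires every minute.
SAMPLE_CRONTAB = """\
MAILTO=ops
0 3 * * *   /usr/local/bin/rotate-logs
* * * * *   /usr/local/bin/nightly-report
*/15 * * * * /usr/local/bin/poll-queue
30 2 1 * *  /usr/local/bin/monthly-bill
"""

if __name__ == "__main__":
    for lineno, runs, spec in lint_crontab(SAMPLE_CRONTAB, date(2015, 10, 1)):
        print(f"line {lineno}: {spec!r} runs {runs} times/day")
```

The lint threshold is deliberately a parameter: a queue poller legitimately runs 96 times a day, while anything reaching 1440 is almost always a stray `*`, and a reviewer wants both numbers in front of them rather than a yes/no.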

  10. Maginot Line? on The US and China Agree Not To Conduct Economic Espionage In Cyberspace · · Score: 1

    It looks like the USA is taking its defense plans from the pre-WWII French.

    1st it was the Joke Strike Fighter and now its a gentleman's agreement to stop doing what everyone knows is going on all the time.

    Can they build another wall?

  11. I like my Q10 on BlackBerry Launches Android Smartphone · · Score: 2

    I bought a Q10 a few months ago after years of trying and then abandoning other smart phones. I managed to use it without signing up for any accounts for several weeks. I can run android apps on it without rooting the thing. You can port QT apps to it with ease.

    My phone uses MY servers for its data, not someone else's. That data link is fully encrypted and under my control.

    BB apps make more money for most app developers than iphone and android apps.

    The main problem with the thing is they managed to screw up the "screen lock/power" button, so the thing turns off in my pocket. The thing has 39 buttons, so they should drop pressing the top button to power off and require something like the top button and holding down "P" to power down, and the top button and "U" to unlock. I don't know how they could screw up something that has been well known for so long.

  12. So much love on AT&T Offers $250k Reward To Find the California Fiber-Optic Ripper · · Score: 1

    "We don't care, we don't have to...we're the phone company." -- Ernestine (Lily Tomlin)

    Another NSA related video from Laugh-In from about 1970.

  13. Re:$250k on AT&T Offers $250k Reward To Find the California Fiber-Optic Ripper · · Score: 1

    Or anyone on the do-not-call list who is still getting phone calls.

  14. Re:RAID is not backup. on Ask Slashdot: Storing Family Videos and Pictures For Posterity? · · Score: 2

    Also remember that the RAID controller in the NAS might be the only thing that will ever be able to read the drives, so if lightning takes out the NAS, so long to all the data, even if the drives don't get zapped.

    RAID also doesn't quite cope with the problem that on large storage systems, the MTBF means that something is always broken and undetected, and it is only going to get worse.

  15. Re:Oh just like Sword of Fargoal? on An Algorithm To Randomly Generate Game Dungeons · · Score: 1

    Rogue was the most popular and was cloned by many others. Moria on the VAX (780?) pushed the limits of the machine at the time, and apparently the limit of the game features was based on what could be tested using the test program that would check that new changes could be won. The odd thing is that it was written on a one-off VAX (ouvax?) that had been an odd upgrade research project when DEC had a crazy idea that they could do field upgrades from PDPs to VAXen.

  16. Re:Jane the virgin on Is There Too Much New Programming On TV? · · Score: 1

    It follows the formula of Soap from 1977. Take an absurd idea and just push the boundaries in a semi-plausible way for some effect. Soap operas have been doing that since the early days of radio. The TV show Soap used that formula and in place of the absurd romantic ideas, tried comedy and pushing the edges of social issues that could be shown at the time.

  17. Re:Experiments in cats... on Can Living In Total Darkness For 5 Days "Reset" the Visual System? · · Score: 1

    Do cats see IR like rats and snakes can? If so, how do you make it dark when they are glowing in the IR range.

  18. Re:Mach messages vs SysV messages on A FreeBSD "Spork" With Touches of NeXT and OS X: NeXTBSD · · Score: 2

    Mach messages are much faster than SysV but not up to the speed of Solaris doors (which have some odd security issues but drop context switches). The SysV streams message system is based on the SysV IPC, which is based on SysV shared memory and SysV semaphores. That stuff came from the early 1980s, when a 2-CPU WE32000 in a 3B20 (or 5 or 15?) was the reference design for the biggest hardware Real UNIX (TM) would run on. Since that came from AT&T, who wanted to make mainframes but had to have phone switches, their semaphore system was designed to work with things like a 5ESS phone switch, where doing the right thing on failing hardware was better than doing anything fast.

  19. Re:Dear Orrie, on Oracle Exec: Stop Sending Vulnerability Reports · · Score: 1

    UFS on top is pointless.

    If you run a major credit card processing system you will find CC numbers in all sorts of places from file names to any field any user can type in. That needs to be overwritten at the block level and no major OS allows that today.

    I'm in Australia and I find a dozen or so SSNs per year. I've seen where people used SSN@gmail or CC_number@hotmail as email addresses that work.

    When I say I need a file system where I can overwrite stuff, I mean I need it. Let me do it.

    The file system encryption is only used if the disk goes wonky and gets pulled and some how misses the machine shop downstairs where it should be turned to dust.

  20. Re:Dear Orrie, on Oracle Exec: Stop Sending Vulnerability Reports · · Score: 1

    Assume someone sends you batches of data including SSNs or credit card numbers. If you put them in a ZFS system, you can't comply with any sane security procedure. Maybe the ZFS bit is encrypted, but the raw device will decrypt for you.

    You need to have an "overwrite the raw blocks" option.

    As far as the funky time goes, that is remotely exploitable from Solaris 2.5 on to the most recent. You can play BIOS attacks, Forth firmware games, NTP and at least 3 other vectors. It DoSes running systems dead (and should have a CVE number).

  21. Watch out for old hardware on OpenSSH 7.0 Released · · Score: 2

    If you have old SSH1 only type devices (like old switches and routers), you might not be able to talk to them anymore after this update. You might want to keep a version of 6.6 around as ssh1 to talk to the old stuff that can't be upgraded to newer stuff.

  22. Dear Orrie, on Oracle Exec: Stop Sending Vulnerability Reports · · Score: 1

    Due to Mary Ann Davidson's statements I'll post this here.

    If you manage to get a Solaris clock set before 1970, the loader doesn't work. It means that anything running will keep running, but you can't start any new programs (including init and shutdown). Talk about a great way to keep a sysadmin out of a system.

    There is also no way to wipe sensitive data from ZFS file systems. You need an option to say "this pool overwrites blocks" so that scrubbing works correctly. The reasons for this will come to light when the flaw in your ZFS encryption hits the press. Maybe you can put this in Solaris 11.3 since that is still in beta.

    Thanks for taking security seriously.
    -tim

  23. Re:The NSA has done several things to help securit on NSA Releases Open Source Security Tool For Linux · · Score: 1

    I suspect the reason is the s-box numbers help with an ECC/parity-like feature that weakens things, which has been known for more than 4 decades, at least to some people.

    Hack your friendly crypto program that does DES/AES/whatever to dump out s-box state at the end of each round and ask yourself why some bits are always in a known state for a given key every so many rounds. Then ask whether this can be used to do an inside-out attack, and then ask why there is only one non-s-box-related cypher in TLS 1.1 and 1.2, and why they aren't the same.

    Then sleep well at night knowing your crypto is safe.

  24. Once upon a time... on "Happy Birthday" Hits Sour Notes When It Comes To Song's Free Use · · Score: 2

    Long ago on Usenet, someone who seemed to be against the long-term copyright extensions was asking people to send in video of politicians singing Happy Birthday in public. I don't remember the specifics, and I suspected it might have been a lobbyist or someone working for the rights holder.

    I still think it would be cool for someone like the EFF to start collecting this so the next time Disney wants another 20 years, they can come out and list a whole bunch of pirates that are in congress.

  25. Larger projects? on Calculating the Truck-Factor of Popular Open Source Projects · · Score: 1

    It would have been more interesting to see major projects like Apache httpd, gcc or core Python and Perl, but I expect they had an easy way to pull their data from GitHub. It also reads like a rejected academic paper. It should have started out the list by stating that TF=1 is bad and TF>1 is better.