Slashdot Mirror


User: MoogMan

MoogMan's activity in the archive.

Stories: 0
Comments: 568

Comments · 568

  1. Re:Finally! on Canonical Offers Sale of Proprietary Codecs for Ubuntu · · Score: 1

    "Couldn't get any easier" and a config file sick up do not go very well together. I suggest you tell an average person this, and see their reaction.

    wpa_supplicant + NetworkManager, on the other hand, *is* easy. However, I don't know if the wpasupplicant package is part of a standard Ubuntu install - which means you'd still need a wired connection and mess about with Synaptic.

  2. Re:Do many companies really do EFM recovery? on The Great Zero Challenge Remains Unaccepted · · Score: 1

    Why would they?

    These companies presumably target the typical consumer... the ones that don't wipe their disks purposely.

    Probably the most common use case is: "Aargh, my disk has stopped working and I need to get my important documents off it". So the causes:

    1) The disk has become corrupt. Doing a dd and re-constructing bits (MBR, file tables/trees, etc.) or scanning the disk for JPEG headers and the like is probably what's going to happen.

    2) The disk has physically broken. First, move the platters to a working disk and follow the solution in cause #1.

    Most of these companies probably don't deal with recovering purposely-destroyed disks. You'll likely have to talk to a government for that.

  3. Re:Question on OpenGL 3.0 Released, Developers Furious · · Score: 2, Informative

    However, as Wine becomes better and better, it becomes more viable for companies to easily port their application across (using winelib etc.).

  4. Re:Decode the protocol? on More Skype Back Door Speculation · · Score: 1

    Ultimately, this is a protocol that is encrypted/obfuscated and then put on the wire.

    If this was not encrypted, then the Skype protocol would be inherently interceptable (ISPs could just redirect traffic through a monitoring 3rd party).

    Now, because the Skype protocol is encrypted, then all one would need to do theoretically is know how to decrypt the Skype protocol - something that Skype are able to do, and this information a law enforcement agency would be able to get from Skype legally.

    This really is obvious. For what it's worth, an open alternative - SIP - is unencrypted and is also susceptible to "bugging".

    Please keep this in proportion - do Skype claim that your connection is private?

  5. Re:Man in the Middle on The Pirate Bay's Plans To Encrypt the 'Net · · Score: 1

    A perception of security is generally far worse than no security at all.

    It wouldn't be far fetched to imagine a bespoke MITM proxy that decrypts all connections and logs them to a backend.

  6. Re:It flew under the radar on Best Buy Is Selling Ubuntu · · Score: 1

    "[Ubuntu have] been working with ValuSoft ... The boxed set comes with an Ubuntu 8.04 CD, a Quick Start Guide and 60 days of support from the ValuSoft team, trained and backed by the Canonical support guys. The support covers installation and getting started using Ubuntu and is priced at $19.99." (http://blog.canonical.com/?p=18)

    It comes with two months support, to get people up and running presumably. Plus it can be installed by those geek squad guys. These two things make it more compelling for a newbie.

  7. Re:speed on SSL Encryption Coming To The Pirate Bay · · Score: 1

    I'm assuming that it's SSL to the tracker, in which case you'll only need one connection.

    SSL is expensive when connecting (using an asymmetric cryptography algorithm such as RSA or DSA), however SSL is relatively cheap when the connection is established - RC4 for instance is known to be pretty quick.

    So no, it won't really slow things down. TPB's trackers may get a bit slow if they have to deal with many new connections (and this would be a simple way to DDoS them), but you'd see a delay in connection rather than a general speed issue.

  8. Re:PGP on How Would You Prefer To Send Sensitive Data? · · Score: 1

    I think the problem is on a higher level - why do you need to send these details outside of your trusted zone?

    Would it not make more sense to have the "new package" installed into your network, and have the data migrated in place?

    Bear in mind... SSNs are presumably in use for 80+ years, so whatever encryption you use *should* be uncrackable in this period.

    And then, of course, you have to be sure that the consultant stores this data in a secure way - or are they going to decrypt the package and store it on his/her laptop in unencrypted form?

    Transfer is only one part - you need to consider end-to-end encryption to ensure correct security.

  9. Re:Message to people who gripe about interfaces on Microsoft Reaches Out To Blender · · Score: 1

    Exactly the same with GIMP[1] - once you get used to the interface, you know where everything is so it may seem 'intuitive' to you. The fact that you had to 'get used' to the interface indeed implies it's not intuitive.

    [1] And some comparative non-FOSS apps too - Photoshop, Maya.

    Would it be fair to say that all complex design (3D or 2D) apps have crappy interfaces? If so, that would be rather ironic.

  10. Re:Great on Adobe Opens the FLV and SWF Formats · · Score: 1

    After a cursory glance, the [swf] specifications look pretty complete - they even give a sample "dissection" of a flash file, as well as a nice index of "opcodes" (tags) - should indeed be useful to the Gnash project.

    The swf specifications do not seem to document ActionScript, however, so it's not easy riding for the Gnash team (Gnash's ActionScript todo list).

    I wonder if this document will give rise to any security vulnerabilities?

  11. Re:macurmudgeon on The End of Non-Widescreen Laptops? · · Score: 1

    It's not (just) about writing code/documents/text - it's (also) about reading them.

    One word: Websites.

  12. Re:take some risks on Hardy Heron Making Linux Ready for the Masses? · · Score: 1

    Sure, but legally it's a grey area - and if a company produced a box that did mp3, I'm sure Fraunhofer would jump on them for licence fees.

    At some point, either the distro or the sponsoring company would have to fork out the cost for the mp3 licence.

    From the Fraunhofer licence site, it's US$ 0.75 per unit, and a minimum of US$ 15K a year.

  13. Re:I was wondering when this would happen on Griefers Assault Epileptics Via Message Board · · Score: 2, Interesting

    Or maybe it was "Anonymous" after all, knowing that people would come to the same conclusion as you have, and blame Scientology.

  14. Re:OpenMalaysia blog on OOXML Vote Tracker and Calculation Guide · · Score: 1

    Nice, and the pictorial view they link to gives you a nice "yay" or "nay" running result.

  15. Re:I think the relevant part is: on MacBook Air First To Be Compromised In Hacking Contest · · Score: 1

    none of the machines got compromised. Including the Vista and Ubuntu machines.

    This essentially means "at that moment in time, there were no available* 0-day remote vulnerabilities for those systems".

    *I actually mean "no available 0-day remote vulnerabilities worth <=~20,000"

  16. Re:Owning Beauty on MacBook Air First To Be Compromised In Hacking Contest · · Score: 1

    Seriously, if it was easier to compromise Ubuntu or Vista why not do that instead of going to the trouble of hacking the more secure(your implied claim) Apple laptop?

    Your statement presupposes that discovering a flaw was part of the contest. It was not; many people likely knew of vulnerabilities on all three(?) machines - it was a matter of who got there first. It just so happens that a guy with knowledge of a Mac OS-X/Safari vulnerability got into the building first.

    It actually means nothing as a measurement of which is more secure, or which is a more desirable machine.

  17. Re:Why not do it like AZ? on Daylight Saving Time Wastes Energy · · Score: 3, Interesting

    And while you're there, use UTC. There is no sense in using timezones, it just causes pain and suffering for people that talk to others in many different countries.

  18. Re:Alternative solution for a trusted LAN on Multi-Threaded SSH/SCP · · Score: 1

    Or use netcat/nc (installed by default on most Linux distros). Server cats its output directly to a file (or to tar -x). Client grabs its input from a file.

    Server: nc -l 1234 | tar -xf -
    Client: tar -cf - file_list_here | nc localhost 1234

  19. Re:Holy hyperbole, Batman! on Expert Unveils 'Scary' VoIP Hack · · Score: 1

    Wireshark has the ability to reconstruct RTP streams, and has been able to for some time. "SIPtap" is doing the same thing. Hyperbole indeed.

  20. Re:THe paper refered to. on Microsoft Admits XP Has Same Bug As Win2K · · Score: 3, Insightful

    As the winsock TCP/IP stack randomises its TCP sequence numbers, I would suggest that it's very likely that it uses a PRNG output directly, and therefore is at risk of being spoofable.

    Theoretically, one would need knowledge of just one TCP sequence number, and then it could generate the future sequence numbers coming out of the box. Therefore one would be able to hijack TCP/IP sessions *much* faster and easier than before.

    Anyone know to the contrary?

  21. Re:Walmart Lesson:Linux is Popular in Middle Ameri on Wal-Mart's $200 Linux PC Sells Out · · Score: 1

    That a Linux machine is sold out at Walmart suggests that plain folks -- not like you and me -- know and respect Linux.

    On the contrary, it seems to suggest that the average consumer really doesn't give a crap about what OS they use, as long as it works sufficiently well (but how do you know until you buy it; at which point, "sufficiently well" is reduced to "works enough times such that it doesn't warrant being taken back"). It suggests that the average consumer eats what it is fed.

    Linux certainly works "sufficiently well". It is no longer about software developers - what we make is good enough - it is about marketing.

  22. Re:Encrypt on Ex AT&T Tech Says NSA Monitors All Web Traffic · · Score: 1

    Well, this is why you need a Web Of Trust - ultimately, you must trust *someone*. If you're really that paranoid, you should arrange to meet the person in Real Life, and ensure they are who they say they are (with a passport or driver's licence - again, this could be forged). Even your hardware (motherboard, processor, switches, routers, modems) - can you trust these? Where does it end?

  23. New definition on Microsoft Denies Sabotaging Mandriva Linux PC Deal · · Score: 4, Funny

    Brings a new meaning to the words "Nigerian Scammer".

  24. Re:don't be sure on Storm Worm Being Reduced to a Squall · · Score: 1

    I agree, any flavour of BSD and the majority of Linux distros are shamelessly secure out of the box, whilst Windows is not. This is not the point I was making.

    The issue is this: People (i.e. your average Joe). A normal user will fall for the same phishing scam regardless of the OS they run on. Once a rogue program gets onto your system, it really doesn't matter if it hasn't got root access. A few trivial solutions that come to mind, with a bit of thought I'm sure you can come up with many more:
    - Adding it to the primary users' X session startup program.
    - Adding it as a user cron job that runs on reboot.
    - Some form of web browser plugin that gets invoked and persists after a user closes the browser window.

    And of course, executables do not need to be root to communicate with the outside world (> port 1024 of course).

    Viruses or Bots do not need to be root, I don't know why many people think this. Security is not a programming problem. Security is primarily a people problem.

    (And FWIW, I have used Linux as my primary desktop for over 7 years, I can assure you I have no Windows bias, I'm just being a realist. I can't comment on Mac OS-X, I've not used it for longer than about 30 mins)

  25. Re:don't be sure on Storm Worm Being Reduced to a Squall · · Score: 1

    Linux, BSD, OSX, Solaris, and heck even Minux could clearly stand up to a threat like this much more easily than Windows.

    Bzzzt! Wrong. There are many attack vectors for Storm's entry into someone's computer (one of which is indeed an OS vulnerability). AFAIK, the majority of the attack vectors rely on people downloading some bootstrapper program via their email or web browser. Nothing is going to stop this happening to a "normal" user on *NIX.