This could cause a serious denial-of-service by breaking distributed authentication requiring synchronised clocks, or it could cause information leakage by triggering at-jobs scheduled for the future whose existence would not otherwise be known.
It looks like this should be possible. The RFC for ENUM describes a simple mapping of E.164 (international) phone numbers into domain names, which are supposed to have NAPTR records specifying mappings to contact URLs. I suppose you could have NAPTR records on your ordinary domain too, including one with a tel: (telephone number) contact URL.
SSNs aren't unique. One of the 9 digits is a checksum so there are fewer numbers available than there are people in the USA. An (SSN,name) tuple should be unique, though.
I see why certificates are expensive; there is a lot of work in deciding whether the requester is trustworthy or not.
I'm sure the CAs would like you to think this, but that is not what they do. All they do is to check that the request came from an entity who has authority to use the identity being certified (for SSL, this is a domain name).
My problem is:
Why do we need them if all we want is encrypting communications?
Well, you need to get the public key for the entity you intend to communicate with, somehow. Certificates make key distribution easier by allowing peers to verify public keys sent by the very entity they are trying to check the identity of.
You can repudiate a physical signature if you show that it was forged or made under duress. I don't see why a court would refuse to accept the repudiation of a digital signature for similar reasons.
That's not what the technical description on the page says. It says they had a direct link to the local Mobile Switching Centre and that the network operator changed the settings on the base station to allow paging of 60 phones simultaneously.
In the US, mattresses must be sold with a tag attached to them telling you just how flammable they are and how liable you are to burn to death if you sleep on them. In addition to this information, the tag says "NOT TO BE REMOVED UNDER PENALTY OF LAW, EXCEPT BY THE CONSUMER". In Europe, we just ban the sale of unsafe mattresses.
Here's an example of the US military's internal response to security issues, mistakenly sent to me from the National Computing Security Centre at Fort Meade. I've removed email addresses to protect the guilty, but left in the IP address which really does belong to ncsc.mil.
Date: Thu, 11 Jul 2002 06:34:45 -0400
Return-path: <his address>
Received: from thecouch.ncsc.mil ([144.51.42.6]) by halibut.roundpoint.co.uk with esmtp (Exim) id 17SbGC-0002fE-00 for my address; Thu, 11 Jul 2002 11:33:20 +0100
Message-ID: <005b01c228c6$941b06b0$0d8da8c0@SugarDaddy>
From: "trent" <his address>
To: "Ben Hutchings" <my address>
References: <Pine.WNT.4.43.0207102114140.2400-100000@BENWORLD.roundpoint.co.uk>
Subject: Re: Microsoft SQL Server password cracking
Date: Thu, 11 Jul 2002 06:34:45 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Whoops, this dude says the earlier message was mistaken.
TP
----- Original Message -----
From: "Ben Hutchings" <my address>
To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sent: Wednesday, July 10, 2002 4:22 PM
Subject: Re: Microsoft SQL Server password cracking
On Wed, 10 Jul 2002, Deus, Attonbitus wrote:
<snip>
> As described in a paper by Chris Anley,
> http://www.nextgenss.com/papers/violating_database_security.pdf,
> a regular user can employ a simple binary patch to client-side apps using
> the ExectuionContext::UID function to explicitly return "UID 1" to table
> selects, thus giving any user "SA" rights to the table. If the user can
> log on, the user can get to any table.
You have misunderstood what the paper says. The patch is for the server executable (or the in-memory image); SQL Server may have poor security but it doesn't rely on client-side authentication! So it would be a useful payload for a buffer overflow exploit, but it does not in itself represent a vulnerability.
<snip>
> Even if only true SA could get the hashes,
Which still seems to be the case.
> it still allows an attacker much more information than they should be
> able to get- it is similar to pwdump2- you have to be admin on the box
> to use it, but once you get the data, you find that compromising other
> machines downrange is much easier.
Some Intel processors use 36-bit physical addresses. Virtual addresses remain 32-bit, of course, so each process is still limited to something under 4 GB. The kernel has to fiddle with its own page table to address the whole of physical memory. This is the HIGHMEM kluge that Linus was talking about.
IA64 is not mainstream because Intel intentionally priced it as a low-volume server product. Emphasis on 'intentionally'. Intel can't push ia64 mainstream b/c they would lose a very lucrative product.
I kind of doubt they intended to sell quite as few as they have done, though. Intel would be far better off selling tens of millions of them at a $10 profit rather than selling a few thousand at a $1000 profit, and I imagine they'll want to do that eventually. The reason they can't at the moment is that even at a low profit margin the price would be more than the mass market would bear.
Plus it's a fact that no one outside of servers and high-end workstations needs 64-bits... yet.
But they could certainly use more than 32 bits for disk and file addressing, and 64 seems to be the next step up.
Virgin doesn't have a line of mobile phones, any more than Sprint or Cingular does. Virgin Mobile is a "virtual operator" that sells service on other operators' networks under its own brand.
In Britain, the Audit Bureau of Circulations (ABC) audits circulation figures for newspapers and magazines, which the publications normally publish near the index along with the ABC logo. I'm not sure what their methodology is, but they seem to be trusted. Anyway, they now have an "electronic" division which attempts to do something similar for web sites. They do this by running some Perl scripts over the web logs. I don't know what the auditing step is in that...
Don't forget "half the world has never made a phone call" (sometimes people say more than half). This was probably true when it was originally claimed in 1994, but is far from the truth now, since there has been massive growth in phone service in many countries. Wireless networks can be built quickly and comparatively cheaply.
What they are selling is not a renewal nor an upgrade of the current certification. It is a new certificate.
You can't really renew a certificate, because the validity dates are (and must be) part of the certificate. So a new certificate will be needed after the existing one expires, whether or not the domain holder gets it from the same CA.
Most of those people were getting a trip to Orlando at someone else's expense. I probably wouldn't mind doing that whether or not I was interested in .NET.
Re:"MFC programming", what the heck? · on Qt vs MFC · Score: 2
uid_t and pthread_t are useful - they are the types used to hold a user ID or a thread ID. They can and do vary between implementations. Likewise types such as uint32_t and int_least16_t (from the C99 standard) are useful.
The WORD and DWORD types do not provide an abstraction and do not obviously have any particular numeric properties. I happen to know that the names WORD and DWORD come from x86 assembler and are signed 16-bit and 32-bit quantities, but a portable API should be using names like INT16 and INT32 for such types instead. Some of the other types are more reasonable, but the API is not that consistent.
All the pointer-to typedefs should be got rid of; they may have been somewhat useful under Win16 but are no longer relevant. UINT and ULONG are likewise fairly pointless.
In a few places the Win32 API could do with more use of typedefs, for example for process and thread IDs (currently DWORDs).
Re:A bit *too* nice about Qt · on Qt vs MFC · Score: 2
A simple tr() function is not the silver bullet here, contrary to what the article seems to suggest.
Yes it is. gettext() has had it right for years. This approach allows the developer not to worry too much about translation, allows the translator not to cope with compiling stuff and to get automatic updates, and allows the user to add a new language without hassle and to switch easily from one language to another.
A major problem with gettext() is that there can only be one translation of each of the strings in the original language. What happens when you use an English word with different meanings in different contexts, that should be translated to separate words in other languages? Usually your messages will be long enough that this doesn't happen, but in a GUI you may well use text labels with only one word in them.
Re:Advocacy, we never knew thee. · on Qt vs MFC · Score: 2
Microsoft used MFC quite a lot, mostly in their developer products (AFAICS). If you go to the Microsoft DLL information pages and enter the filename of a DLL you'll get a list of released versions; then by selecting "More Information" you can get a list of products that included that version. For MFC, try filenames mfc30.dll, mfc40.dll and mfc42.dll. Many versions of Windows include MFC, perhaps to support programs like WordPad. Various other products include an updated version of one of these DLLs.
I do sometimes wear a system administrator's hat, but I think I misunderstood your comment. I would have thought that a description of what the exploit gets you would be sufficient, but maybe an actual working exploit is more useful.
The claims seem to include a lot of things relating to Huffman coding. JPEG uses Huffman coding on the coefficients resulting from DCT. Somehow I suspect there's prior art, though.
The patents listed by W3C appear to be for arithmetic coding, which can optionally be used in JPEG but generally isn't - partly because of these patents, but also because of its heavy processing requirements.
My impression has been that highly flammable mattresses can be sold just as long as the tag tells you how unsafe they are.
In the US, mattresses must be sold with a tag attached to them telling you just how flammable they are and how liable you are to burn to death if you sleep on them. In addition to this information, the tag says "NOT TO BE REMOVED UNDER PENALTY OF LAW, EXCEPT BY THE CONSUMER". In Europe, we just ban the sale of unsafe mattresses.
Hedy Lamarr invented frequency-hopping, not CDMA.
Sure, I've seen a patch. I've also seen announcements of new binary packages from vendors that package it. What more do you want?
Sony already gave in.