Slashdot Mirror


User: Bert64

Bert64's activity in the archive.

Stories: 0
Comments: 12,200

Comments · 12,200

  1. Re:Open source? on The Startling Array of Hacking Tools In NSA's Armory · · Score: 2

    No, nor should you need to.

    For anything sufficiently widely used you will have several competing groups looking at it...

    With American commercial software you likely only have the vendor and the NSA looking at it...
    For something like Linux you have not only the NSA, but also several foreign governments looking at it too. While you may not be able to trust a single party, the chance of error decreases when you have multiple parties who have no reason to collude together.

  2. Re:Misleading Summary on Have a Privacy-Invasion Wishlist? Peruse NSA's Top Secret Catalog · · Score: 1

    Exploits are really just clients for accessing a software vulnerability...

    There is a very fine line between backdoors and vulnerabilities... After all, if you were creating a backdoor not only do you want it to be difficult to discover, but you want to minimise the resulting damage if it does get discovered. Having a backdoor which looks like a genuine coding error is therefore an obvious choice.

  3. Re:Fedora Linux Question on Have a Privacy-Invasion Wishlist? Peruse NSA's Top Secret Catalog · · Score: 1

    Open source most likely makes it much harder for the NSA, because they're in the same boat as everyone else when it comes to looking for exploitable holes.
    With US-based commercial software they can compel the vendor to hand over the code, as pretty much all of the major vendors have already done. That way the only people looking for exploitable holes are people the NSA has leverage against.

  4. Re:Dell on Have a Privacy-Invasion Wishlist? Peruse NSA's Top Secret Catalog · · Score: 4, Insightful

    You sure this isn't an Apple feature called "Power Nap"? The system wakes up and downloads updates, checks for new email etc, then goes back to sleep.

  5. Re:Dell on Have a Privacy-Invasion Wishlist? Peruse NSA's Top Secret Catalog · · Score: 1

    Modifying OS level files would be defeated by software based disk encryption, as the HDD would have no idea what data it was storing...
    Of course a backdoored HDD could always present the host system with a malicious boot sector, but again this would be defeated by having an unexpected system architecture...

  6. Re:Don't buy from US companies on Have a Privacy-Invasion Wishlist? Peruse NSA's Top Secret Catalog · · Score: 1

    Alpha was American too, as is POWER...

    I have tried buying Loongson hardware, but very little of it actually seems to be available... Only some of the older stuff which is probably slower than your POWER and Alpha kit.

  7. Re:fair? on Website Checkout Glitches: Two Very Different Corporate Responses · · Score: 1

    You should be given a final price before you pay, you should read this final screen and identify any problems at this stage. After you've paid you've accepted the deal.
    If they charge you more than the final checkout screen states then it's fraud plain and simple.

  8. Re:Google Play Store on PC Makers Plan Rebellion Against Microsoft At CES · · Score: 1

    Linux can do that via SELinux, which is extremely fine grained but therefore difficult to manage...
    Android can do it - see http://www.androidpolice.com/2013/07/25/app-ops-android-4-3s-hidden-app-permission-manager-control-permissions-for-individual-apps/

  9. Re:Google Play Store on PC Makers Plan Rebellion Against Microsoft At CES · · Score: 4, Insightful

    Going to arbitrary websites to download and subsequently execute binaries is extremely dangerous, and significantly disadvantages small vendors... How is a random user supposed to know that the website they've been to and the file they just downloaded is trustworthy and not some piece of malware?

  10. Re:chip and pin (EMV) on Encrypted PIN Data Taken In Target Breach · · Score: 1

    If all you have to do is "sign" then that's even worse, a random pen mark is useless for any form of security...
    The PIN will be used to withdraw cash from an ATM using a cloned card, if they have a cloned card they can already make purchases without knowing the PIN if only a signature is required.

  11. Re:inside job? on Encrypted PIN Data Taken In Target Breach · · Score: 2

    Windows corporate networks almost always operate on the idea of protecting the perimeter, and leaving the inside horrendously insecure... For something like a retail store, where the general public have physical access to the building, that idea breaks down very quickly... You only need to have momentary access to a network socket/cable, and these will often be available at random points on the shop floor or at the very least at the back (i.e. facing the customer) of the POS terminals...
    Once you're on, chances are all the Windows boxes are on one domain, making them a very easy target.

  12. Re:20 year old news? on Ford Rolls the Dice With Breakthrough F-150 Aluminum Pickup Truck · · Score: 1

    It was expensive, and the weight savings were small because the panels had to be thicker to achieve a similar strength, and weight hasn't been all that important on most vehicles until recently.

  13. Re:and the 2013 Range Rover on Ford Rolls the Dice With Breakthrough F-150 Aluminum Pickup Truck · · Score: 2

    Consider that Land Rover used to be owned by Ford... Ford used Jaguar and Land Rover as a testbed for new technology, for instance the Jaguar XJ got an aluminum bodyshell in 2003, while owned by Ford.

  14. Re: Hard to believe on What Would It Cost To Build a Windows Version of the Pricey New Mac Pro? · · Score: 0

    apt-get install texlive..
    emerge texlive...

    Doesn't take long, and most importantly doesn't require very much of *your* time (vs machine time, which will depend on the capability of the hardware and network). Most Windows installations require you to babysit them to keep clicking next; they aren't capable of batch installation by default (and the time spent setting something like that up wouldn't be worth it unless you have lots of machines).

    The problem with rebooting is it interrupts whatever else you might be doing, rebooting is a huge pain in the ass and best avoided in a productive multitasking environment... Having to reload all your apps, and lay them out across your virtual and physical screens again is a colossal waste of time.

  15. Re: Hard to believe on What Would It Cost To Build a Windows Version of the Pricey New Mac Pro? · · Score: 1

    Install sure, getting it to a usable state takes a lot longer..
    Download/install any drivers which don't come with the stock install, probably reboot a few times too.
    Update, reboot, update, reboot, etc...
    Install apps by hand (since Windows comes with only a crude set of apps and no package manager)..

  16. Risks? on India Cautions Users On Risks Associated With Virtual Currencies · · Score: 2

    None of these so called "risks" are anything new, the same problems exist with traditional cash.

  17. Re:Ya well on Asm.js Gets Faster · · Score: 1

    You can't very well try and foist off the development cost to each customer or argue they should be willing to buy a lot of hardware to support it.

    This is exactly what happens, customers of software have gotten used to ever increasing requirements so the only code that ever gets any kind of optimization tends to be code that the developer is planning to use a lot themselves.

  18. Re:wouldn't it be better if the industry agreed on on Rise of the Super-High-Res Notebook Display · · Score: 4, Informative

    They do...
    The DDC & EDID standards which are used to read monitor capabilities also support reading the physical size. The problem is that Windows ignores this information, and therefore some monitors don't bother to supply this information, or supply it incorrectly.

    http://scanline.ca/dpi/
    https://lists.fedoraproject.org/pipermail/devel/2011-October/157671.html

  19. DPI on Rise of the Super-High-Res Notebook Display · · Score: 5, Informative

    A higher resolution should not translate to more things on screen, it should translate to greater levels of detail, assuming the UI is designed properly...
    Font sizes for instance are measured in points, where 72 points equals an inch. As such, a 72 point font should always be an inch high when displayed on screen, irrespective of how many pixels are required to render it.
    Or to put it another way, when you watch a standard def movie on an hdtv you don't get a small box in the top corner and a big empty black space around it, the movie fills up the whole screen as best it can and you just have less detail than if it was an hd feed.

    The extra level of detail may make it viable for smaller font sizes to still be readable...
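    The two comments above (reading the physical size out of EDID, and sizing fonts in points against the resulting DPI) can be put together in a short script. This is an added example, not code from the Slashdot comment or from any DDC/EDID tool; the EDID bytes are constructed here for illustration, and `build_sample_edid`, `parse_edid`, `dpi_from_edid` and `font_height_px` are names chosen for this example. It follows the EDID 1.3 layout: image size in cm at bytes 21/22, the preferred detailed timing descriptor at bytes 54..71 (with its own size in mm), and a block checksum of zero mod 256. The fallback path covers the case the comment mentions, a monitor that supplies no size at all.

```python
# Added example, not part of the Slashdot comment: read the physical screen size and the
# preferred mode out of a 128-byte EDID base block, derive the monitor's DPI, and size a
# font in points against that DPI. The EDID bytes below are constructed, not a real dump.
import struct

EDID_HEADER = b"\x00\xff\xff\xff\xff\xff\xff\x00"
POINTS_PER_INCH = 72


def build_sample_edid(h_px, v_px, h_cm, v_cm, h_mm, v_mm):
    """Construct a minimal, checksum-valid EDID 1.3 base block (constructed test data)."""
    edid = bytearray(128)
    edid[0:8] = EDID_HEADER
    edid[18], edid[19] = 1, 3                 # EDID version 1, revision 3
    edid[21], edid[22] = h_cm, v_cm           # max image size in cm (bytes 21/22)
    # Bytes 54..71 hold the first detailed timing descriptor, i.e. the preferred mode.
    struct.pack_into("<H", edid, 54, 14850)   # non-zero pixel clock marks a timing descriptor
    edid[56] = h_px & 0xFF                    # horizontal active pixels, low byte
    edid[58] = ((h_px >> 8) & 0xF) << 4       # ...high nibble
    edid[59] = v_px & 0xFF                    # vertical active pixels, low byte
    edid[61] = ((v_px >> 8) & 0xF) << 4       # ...high nibble
    edid[66] = h_mm & 0xFF                    # image size in mm, low bytes
    edid[67] = v_mm & 0xFF
    edid[68] = (((h_mm >> 8) & 0xF) << 4) | ((v_mm >> 8) & 0xF)
    edid[127] = (-sum(edid[:127])) & 0xFF     # the whole block must sum to 0 mod 256
    return bytes(edid)


def parse_edid(edid):
    """Return pixel and physical dimensions from an EDID base block, validating it first."""
    if len(edid) < 128 or edid[:8] != EDID_HEADER:
        raise ValueError("not an EDID base block")
    if sum(edid[:128]) & 0xFF != 0:
        raise ValueError("EDID checksum mismatch")
    if struct.unpack_from("<H", edid, 54)[0] == 0:
        raise ValueError("first descriptor is not a detailed timing")
    return {
        "width_cm": edid[21],
        "height_cm": edid[22],
        "width_px": edid[56] | ((edid[58] >> 4) << 8),
        "height_px": edid[59] | ((edid[61] >> 4) << 8),
        "width_mm": edid[66] | ((edid[68] >> 4) << 8),
        "height_mm": edid[67] | ((edid[68] & 0xF) << 8),
    }


def dpi_from_edid(edid):
    """Horizontal and vertical DPI, or None when the monitor reports no physical size."""
    info = parse_edid(edid)
    # Prefer the mm figure from the timing descriptor; fall back to the coarser cm fields.
    w_mm = info["width_mm"] or info["width_cm"] * 10
    h_mm = info["height_mm"] or info["height_cm"] * 10
    if w_mm == 0 or h_mm == 0:
        return None   # the "don't bother to supply it" case from the comment
    return (info["width_px"] / (w_mm / 25.4), info["height_px"] / (h_mm / 25.4))


def font_height_px(points, dpi):
    """Pixels needed to render a font of the given point size at the given DPI."""
    return points * dpi / POINTS_PER_INCH


if __name__ == "__main__":
    sample = build_sample_edid(1920, 1080, 51, 29, 509, 286)   # constructed 23" 1080p panel
    print(parse_edid(sample))
    print(dpi_from_edid(sample))
    print(font_height_px(12, dpi_from_edid(sample)[0]))
```

    A real block would come from the display driver (for example `/sys/class/drm/*/edid` on Linux) rather than from `build_sample_edid`; the parser only reads the first descriptor and the base block, so extension blocks are ignored.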

  20. Re:Trust none of them on RSA Flatly Denies That It Weakened Crypto For NSA Money · · Score: 1

    There's not a single point of failure in the RSA case, they generate the seed values and give you the ones which correspond with the tokens, so your own server performs the authentication and RSA can't break it in that way, although they may be able to effect a denial of service through the license enforcement code.

    The rest is correct however, they retain copies of all the seeds and can thus predict the token value at any time. That should have been a red flag to anyone, and I often recommended against using them but was always told that RSA are a big company and can be trusted, won't get hacked etc.

  21. Re:But how much will it cost? on Overstock.com Plans To Accept Bitcoin · · Score: 1

    Meanwhile, the paper in my wallet doesn't need any conversion

    Assuming you are trying to spend it in retailers which accept that particular type of currency... Try spending it in a foreign country and you'll have to convert it. Bitcoin is no different, some retailers will accept it and some will not.

  22. Re:That's a tiny number on Reuters: RSA Weakened Encryption For $10M From NSA · · Score: 2

    Those alert/logging systems only work if users are accessing data through the normal expected ways, they are useless if someone boots the server storing the data from a livecd, or pulls the backup tapes, or any number of other ways.. If you have physical or superuser access to a computer you can always subvert any software based access control that's in place on that device.

    In many cases I've seen, while there may be a web-based system for accessing the data which has all manner of access control and logging, if you're the sysadmin you have access to the database and filesystem layers, both of which contain the data and neither of which have the same level of access control or logging.
    This is a key problem in IT today, the people higher up making the policies think that just because they access the data in a specific way, that this is the *only* way to access the data.

    You would need to restrict any physical access to servers, and require that multiple people are present and watching for everything... This becomes costly, and is still prone to human error - watching someone work is very boring, so people will slack off and not watch closely enough. Plus you couldn't just employ minimum wage security guards for this, you would need people who understand what the sysadmins are doing - eg more sysadmins.

    And then of course you have the network layer, most internal networks are terribly insecure and operate on the principle that users inside can be trusted, while hiding everything else from the outside world with firewalls... If you don't trust your own employees then it becomes a lot more work to harden your network as most software is designed for the more common case.

    Also assuming that nothing is secure, you would have to keep watch over what's happening on your network... And again most common systems give you the choice between generating huge amounts of largely useless logs or very little.

  23. Re:That's a tiny number on Reuters: RSA Weakened Encryption For $10M From NSA · · Score: 1

    Snowden is just levelling the playing field...
    Before him, only the intelligence services in countries with sufficiently high budgets (Russia, China, Israel?) were likely to have been aware... Now everyone is.

  24. Re:That's a tiny number on Reuters: RSA Weakened Encryption For $10M From NSA · · Score: 1

    There are plenty of people with very deep pockets who are potential adversaries of the NSA, like the Russian, German and Chinese governments... These governments should independently audit open source cryptography, as something which is out in the open and has been audited by multiple competing parties is far more likely to be trustworthy.
    Never trust something that's only been seen by people who are all on the same side...

  25. Re:3Mbps?!?? on Ask Slashdot: Managing Device-Upgrade Bandwidth Use? · · Score: 1

    Of course any company will always focus on their profit above all else, that's the sole reason they exist.