Apache releases patches for the 1.x and 2.x branches when security glitches happen, why the hell would they patch versions older then 1.3? It doesn't cost any money, and I'm sure they're not incompatible or anything.
And this total interdependence runs counter to just about everything they teach you about Software Engineering. Small, independent pieces, wether they are command line programs or COM objects are the way to go.
The Moz and Konq teams didn't tie their browser deep into the OS. It's a stand-alone app... what could it break?
Having browser functionality in the OS is nice, but what Microsoft should have done is shipped with a 'local-only' version of IE that never runs outside code for showing all the pretty DHTML chrome in windows. They then should have had a very simple, modular, API for showing un-trusted HTML, which users could replace with Moz, Opera, whatever.
I took it to mean there were no 'sploits available. After all, if there is an exploit, someone had to at least test it. No "reported" attacks would be more likely, but who would report or even know about it right away?
I agree that this has more to do with the slashdot's slow-ass posting policy then any ignorance on the part of the submitter.
They could compare hash(challenge + hash(password)). I.e. they have you append a challenge value to the hash of the password, and then do the same on their end with stored-hash-of-password rather then hash(password)
Also, key distribution is not a problem with public key systems.
use a salt
on
Javascrypt
·
· Score: 4, Informative
Rather then passing hash(password) send in hash(salt + password), where hash is a random string sent by the server. The server then compares the sent value to it's own hash of salt + password. If you don't want to deal with sessions, you could simply change the salt every hour or 5 minutes or whatever.
You could also do hash(salt + hash(password)), that way you don't need to keep the password in the DB.
Implement RSA in java
on
Javascrypt
·
· Score: 3, Informative
public static byte[] encrypt(byte[] enKey, byte[] data) throws Exception{
//make sure our int is unsigned; //this means -45 --> 45 or whatever, as opposed // to not being digital signed with a public key crypto system:) byte unsigned_data[] = new byte[data.length+1]; unsigned_data[0] = 0x7f; for(int i = 0; i < data.length; i++){ unsigned_data[i+1] = data[i]; }
KeyFactory kf = KeyFactory.getInstance("RSA"); RSAPublicKey k = (RSAPublicKey)kf.generatePublic(new X509EncodedKeySpec(enKey)); BigInteger T = new BigInteger(unsigned_data); return T.modPow(k.getPublicExponent(), k.getModulus()).toByteArray(); }
I don't think the point of this is to replace SSL or password hashing.
Think AC. Think. When do you call encryption in a website? Transactions.
Actually, I call it "Encryption in a Website". What do "transactions" have to do with it? You're obviously not talking about Database Transactions, or the general meaning of the word.
shouldn't this be called ECMASCrypt?
on
Javascrypt
·
· Score: 4, Insightful
I mean really, people are confused enough about the difference between Java and Javascript (which basically have nothing to do with each other other then some brain-dead attempt at synergistic marketing. JS was originally going to be called Livescript)
ECMAScript runs on the localhost
on
Javascrypt
·
· Score: 3, Insightful
If you want to, you should be able to download the page, disconnect from the internet, and still encrypt/decrypt data.
In other words, you don't really understand what's going on. Although it would be a good idea to to check the page source to make sure that it dosn't upload your data...
Yow, there was actualy a/. interview of some guy at Pheonix a while back, and he clearly said that the TC stuff would be an option that motherboard makers could chose to implement or not.
Law #1 doesn't apply here. The intruder sniffed a password, and ran his own software. As far as I know, nobody was tricked into running malicious software. Law #1 should read, for real OS's
"Law #1: If a bad guy can persuade you to run his program on your account, its not your account anymore."
Huffman coding is not minimaly redundant, because you always need at least one bit per symbol. If more then 50% of a signal is one symbol, it's wasteful. There's an encoding out there that lets you use less then a bit, but I forget.
A couple of people aperantly havn't realized that OSDL, the group that released this isn't the same as OSDN, the group that owns slashdot, source forge, etc. OSDL is a multi-company group including IBM that funds Linux and other OSS software, and employs Linus.
My only peeve is when companies do stupid things like outsource. It's basically selling your company's soul, and it actually costs MORE than having your own department.
Well, if it's not an IT company, there's no reason not to do it. Why deal with having your own IT department, where you might not be able to hire the best people, when you could let someone else, with more infrastructure to deal with that kind of thing, do it?
Frankly, I think they should give users options to tweak their algorithm. It's terrible that SEOs are abusing their system, but I really think their anti-SEO system is seriously wack, and degrading their search results over all.
Autopr0n doesn't even show up on a search for "autopr0n" despite the fact that no one used the term before I did, and lots of sites have linked to me, with that term. Rather my slashdot info page, k5 info page, and livejournal show up on the first page.
And then some pages that simply include "autopr0n" in a long string of crap search terms designed to get links from search engines! And beyond that a bunch of garbage links. It's really annoying.
And yes, back when google didn't suck I got a lot of hits from people search for "autopr0n". Don't ask me why.
The root cause of course is SEOs and other spam types, but google should let people tweak the algorithm they use when they search.
What about my website makes you think I can't understand spoken english? I scored a 740 on the SAT verbal, and that was back in highschool. It's pretty unlikely that your english skills are better then mine.
The solution here is to not use domain names for verification rather then trying to force the whole world to use Latin characters for naming internet sites. As you mentioned, there are already problems with using Latin. A bank system should already have a digital certificate, and that's mostly what we're worried about.
The reason not to use Unicode is that it won't be backwards compatable with the old DNS standard, which was meant to be compatable across ASCII and non-ascii systems.
While Microsoft (and their products) aren't perfect, neither the computer intustry nor the Internet would be what it is today without their contributions.
Slashdot Mirror
Apache releases patches for the 1.x and 2.x branches when security glitches happen, why the hell would they patch versions older then 1.3? It doesn't cost any money, and I'm sure they're not incompatible or anything.
And this total interdependence runs counter to just about everything they teach you about Software Engineering. Small, independent pieces, wether they are command line programs or COM objects are the way to go.
The Moz and Konq teams didn't tie their browser deep into the OS. It's a stand-alone app... what could it break?
Having browser functionality in the OS is nice, but what Microsoft should have done is shipped with a 'local-only' version of IE that never runs outside code for showing all the pretty DHTML chrome in windows. They then should have had a very simple, modular, API for showing un-trusted HTML, which users could replace with Moz, Opera, whatever.
I took it to mean there were no 'sploits available. After all, if there is an exploit, someone had to at least test it. No "reported" attacks would be more likely, but who would report or even know about it right away?
I agree that this has more to do with the slashdot's slow-ass posting policy then any ignorance on the part of the submitter.
They could compare hash(challenge + hash(password)). I.e. they have you append a challenge value to the hash of the password, and then do the same on their end with stored-hash-of-password rather then hash(password)
Also, key distribution is not a problem with public key systems.
Rather then passing hash(password) send in hash(salt + password), where hash is a random string sent by the server. The server then compares the sent value to it's own hash of salt + password. If you don't want to deal with sessions, you could simply change the salt every hour or 5 minutes or whatever.
You could also do hash(salt + hash(password)), that way you don't need to keep the password in the DB.
import java.io.*;
//make sure our int is unsigned;
//this means -45 --> 45 or whatever, as opposed
// to not being digital signed with a public key crypto system :)
import java.util.*;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;
import javax.crypto.*;
import javax.crypto.interfaces.*;
import javax.crypto.spec.*;
import java.math.*;
....
public static byte[] encrypt(byte[] enKey, byte[] data) throws Exception{
byte unsigned_data[] = new byte[data.length+1];
unsigned_data[0] = 0x7f;
for(int i = 0; i < data.length; i++){
unsigned_data[i+1] = data[i];
}
KeyFactory kf = KeyFactory.getInstance("RSA");
RSAPublicKey k = (RSAPublicKey)kf.generatePublic(new X509EncodedKeySpec(enKey));
BigInteger T = new BigInteger(unsigned_data);
return T.modPow(k.getPublicExponent(), k.getModulus()).toByteArray();
}
//your welcome
I don't think the point of this is to replace SSL or password hashing. Think AC. Think. When do you call encryption in a website? Transactions.
Actually, I call it "Encryption in a Website". What do "transactions" have to do with it? You're obviously not talking about Database Transactions, or the general meaning of the word.
I mean really, people are confused enough about the difference between Java and Javascript (which basically have nothing to do with each other other then some brain-dead attempt at synergistic marketing. JS was originally going to be called Livescript)
If you want to, you should be able to download the page, disconnect from the internet, and still encrypt/decrypt data.
In other words, you don't really understand what's going on. Although it would be a good idea to to check the page source to make sure that it dosn't upload your data...
Yow, there was actualy a /. interview of some guy at Pheonix a while back, and he clearly said that the TC stuff would be an option that motherboard makers could chose to implement or not.
There are people with lots of money who want to see Linux taken down. Not everyone shares your ideals.
Law #1 doesn't apply here. The intruder sniffed a password, and ran his own software. As far as I know, nobody was tricked into running malicious software. Law #1 should read, for real OS's "Law #1: If a bad guy can persuade you to run his program on your account, its not your account anymore."
So linux isn't a real OS now?
(Yes, that's a joke, I'm not Elin) :)
Really? I never would have guessed!
Huffman coding is not minimaly redundant, because you always need at least one bit per symbol. If more then 50% of a signal is one symbol, it's wasteful. There's an encoding out there that lets you use less then a bit, but I forget.
did you see the pic? She's friggn' hot. I doubt she has any trouble finding willing sexual partners...
What computer problems did they accenentaly solve? Jobs and Gates started companies, and Woz built a computer that did what it was supposed to do.
A couple of people aperantly havn't realized that OSDL, the group that released this isn't the same as OSDN, the group that owns slashdot, source forge, etc. OSDL is a multi-company group including IBM that funds Linux and other OSS software, and employs Linus.
They have lots of SCO news on their site.
My only peeve is when companies do stupid things like outsource. It's basically selling your company's soul, and it actually costs MORE than having your own department.
Well, if it's not an IT company, there's no reason not to do it. Why deal with having your own IT department, where you might not be able to hire the best people, when you could let someone else, with more infrastructure to deal with that kind of thing, do it?
A message told to you by someone you employ to know these kinds of things is going to be more powerfull then crazy ranting on TV...
This assumes managers don't automaticaly assume they are smarter then those they manage...
Frankly, I think they should give users options to tweak their algorithm. It's terrible that SEOs are abusing their system, but I really think their anti-SEO system is seriously wack, and degrading their search results over all.
Autopr0n doesn't even show up on a search for "autopr0n" despite the fact that no one used the term before I did, and lots of sites have linked to me, with that term. Rather my slashdot info page, k5 info page, and livejournal show up on the first page.
And then some pages that simply include "autopr0n" in a long string of crap search terms designed to get links from search engines! And beyond that a bunch of garbage links. It's really annoying.
And yes, back when google didn't suck I got a lot of hits from people search for "autopr0n". Don't ask me why.
The root cause of course is SEOs and other spam types, but google should let people tweak the algorithm they use when they search.
What about my website makes you think I can't understand spoken english? I scored a 740 on the SAT verbal, and that was back in highschool. It's pretty unlikely that your english skills are better then mine.
The solution here is to not use domain names for verification rather then trying to force the whole world to use Latin characters for naming internet sites. As you mentioned, there are already problems with using Latin. A bank system should already have a digital certificate, and that's mostly what we're worried about.
The reason not to use Unicode is that it won't be backwards compatable with the old DNS standard, which was meant to be compatable across ASCII and non-ascii systems.
While Microsoft (and their products) aren't perfect, neither the computer intustry nor the Internet would be what it is today without their contributions.
Oh my god, we'd all be using OS/2!!!!
The horror!