Close your web browser, shut down your fucking linux "b0xen" and go outside for once in your life.
I think the fact that a site like slashdot, which caters to you fucking nerds out there, can't even survive without having to charge you for reading it, says a lot about how much you fucks are worth to the rest of the world: ZERO.
This should serve as a wakeup call to all you nerds out there who think that working on your b0xen in your one bedroom apartment, posting useless shit to a useless web site like slashdot and reading about the newest version of OpenBSD that can run on your fucking Dreamcast console is a good way to go through life.
So wake the fuck up and DO something productive, something that makes money. Stop wasting your time talking about open source fucking garbage that will never amount to anything useful.
While studying cryptanalysis, I've been learning about a number of interesting attacks such as timing attacks and differential power attacks (your specialty, if I recall). While these attacks certainly seem to help cryptanalysis of various ciphers, how practical are they in terms of real security? That is to say, what are the chances that these methods are actively being used by attackers?
Paul:
It depends on the target. If the system you are trying to protect isn't worth an attacker's effort, or if there are easier ways to break in, the chances are small. On the other hand, if you are protecting extremely desirable data (money, data that will affect stock prices, Star Trek episodes, government secrets, etc.) you have to assume that smart people are going to attack your security. We spend a lot of time helping credit card companies and other smart card users build testing programs -- their products need to operate in high-risk environments where DPA, timing analysis, and other sophisticated attacks are a real problem.
2) Worst implementation? by burgburgburg
In your consulting capacity (and without naming names), have you ever run across a company's security implementation that was so bad, so insecure, so open to exploitation that you felt an overwhelming compulsion to shut down the servers, lock the doors and call in a security SWAT team? That you actually felt like going out and shorting the company's stock? That you had to hold back from whomping someone upside the head? That you inquired about having the head of security investigated to make sure he wasn't a black hat hacker/competitor's security spy/foreign agent? How bad was the worst implementation you've ever seen?
Paul:
To save typing, can I make a list of the systems that don't make me uncomfortable?
A smart, creative, experienced, determined attacker can find flaws in just about any standard commercial product. Our security evaluations find catastrophic problems more than half the time, even though evaluation projects generally have very limited budgets.
The most common situation is where the systems' security objectives could theoretically be met if the designers, implementers, and testers never made any errors. For example, in a quest for slightly better performance, operating systems put lots of complexity into the kernel and give device drivers free rein over the system. This approach would be great if engineers were infallible, but it's a recipe for trouble if all you have are human beings.
What I find most frustrating isn't bad software -- it's situations where we tell a company about a serious problem, but they decide to ignore it because we're under an NDA and therefore the problem won't hurt sales. If your company is knowingly advertising an insecure or untrustworthy product as secure, try to do something about it. Intentionally misleading customers is illegal, immoral, and a gigantic liability risk. (Keywords: Enron, asbestos, cigarettes.)
It's also frustrating that users keep buying products from companies that make misleading or unsupported claims about their security. If users won't pay extra for security, companies are going to keep selling insecure products (and our market will remain relatively small:-).
As for the worst security, I nominate the following password checking code:
    gets(userEntry);
    if (memcmp(userEntry, correctPassword, strlen(userEntry)) != 0)
        return (BAD_PASSWORD);
ROT13 SPOILER: Na rzcgl cnffjbeq jvyy cnff guvf purpx orpnhfr gur pbqr hfrf gur yratgu bs gur hfre ragel, abg gur yratgu bs gur pbeerpg cnffjbeq. Bgure cbgragvny ceboyrzf (ohssre biresybjf, rgp.) ner yrsg nf na rkrepvfr sbe gur ernqre. [Funzryrff cyht: Vs lbh rawbl ceboyrzf yvxr guvf, unir fgebat frphevgl rkcrevrapr, pbzzhavpngr jryy, naq jnag n wbo ng n sha (naq cebsvgnoyr) pbzcnal, ivfvg uggc://jjj.pelcgbtencul.pbz/pbzcnal/pnerref.ugzy.]
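An added example, not part of the interview or of the original comment: the check quoted above beside a corrected version, with the entry passed in as an argument instead of being read by gets() (a bounded read such as fgets() would take its place). MAX_PW, the return codes and the sample secret are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PW 64                      /* assumed upper bound on password length */
enum { PW_OK = 0, BAD_PASSWORD = 1 };  /* assumed return codes */

/* The quoted check: the compare length is taken from the user's entry. */
int check_flawed(const char *userEntry, const char *correctPassword)
{
    if (memcmp(userEntry, correctPassword, strlen(userEntry)) != 0)
        return BAD_PASSWORD;
    return PW_OK;                      /* an empty entry compares zero bytes */
}

/* Length of s, capped at MAX_PW + 1 (which means "too long"). */
static size_t bounded_len(const char *s)
{
    size_t n = 0;
    while (n <= MAX_PW && s[n] != '\0')
        n++;
    return n;
}

/* Corrected check: both strings are zero-padded to MAX_PW, the lengths are
 * compared too, and the loop always covers MAX_PW bytes with no early exit. */
int check_fixed(const char *userEntry, const char *correctPassword)
{
    unsigned char a[MAX_PW] = {0}, b[MAX_PW] = {0}, diff;
    size_t ulen = bounded_len(userEntry), clen = bounded_len(correctPassword);

    if (ulen > MAX_PW || clen > MAX_PW)
        return BAD_PASSWORD;
    memcpy(a, userEntry, ulen);
    memcpy(b, correctPassword, clen);
    diff = (unsigned char)(ulen ^ clen);
    for (size_t i = 0; i < MAX_PW; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff ? BAD_PASSWORD : PW_OK;
}

int main(void)
{
    const char *stored = "correct-horse";   /* constructed sample secret */
    printf("flawed, empty entry: %d\n", check_flawed("", stored));
    printf("fixed,  empty entry: %d\n", check_fixed("", stored));
    printf("fixed,  right entry: %d\n", check_fixed("correct-horse", stored));
    return 0;
}
```

A production system would compare salted password hashes rather than stored plaintext; the comparison logic stays the same.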
Remember back in the 80s when that Tiffany chick did a mall tour too? That was totally awesome!
Is a celebration for the worker!
are you the reason bill self left?
I would miss yelling "Bitch, shut up and make me a samich!" too much.
blue
1) Serious Threats?
by Prizm
While studying cryptanalysis, I've been learning about a number of interesting attacks such as timing attacks and differential power attacks (your specialty, if I recall). While these attacks certainly seem to help cryptanalysis of various ciphers, how practical are they in terms of real security? That is to say, what are the chances that these methods are actively being used by attackers?
Paul:
It depends on the target. If the system you are trying to protect isn't worth an attacker's effort, or if there are easier ways to break in, the chances are small. On the other hand, if you are protecting extremely desirable data (money, data that will affect stock prices, Star Trek episodes, government secrets, etc.) you have to assume that smart people are going to attack your security. We spend a lot of time helping credit card companies and other smart card users build testing programs -- their products need to operate in high-risk environments where DPA, timing analysis, and other sophisticated attacks are a real problem.
2) Worst implementation?
by burgburgburg
In your consulting capacity (and without naming names), have you ever run across a company's security implementation that was so bad, so insecure, so open to exploitation that you felt an overwhelming compulsion to shut down the servers, lock the doors and call in a security SWAT team? That you actually felt like going out and shorting the company's stock? That you had to hold back from whomping someone upside the head? That you inquired about having the head of security investigated to make sure he wasn't a black hat hacker/competitor's security spy/foreign agent? How bad was the worst implementation you've ever seen?
Paul:
To save typing, can I make a list of the systems that don't make me uncomfortable?
A smart, creative, experienced, determined attacker can find flaws in just about any standard commercial product. Our security evaluations find catastrophic problems more than half the time, even though evaluation projects generally have very limited budgets.
The most common situation is where the systems' security objectives could theoretically be met if the designers, implementers, and testers never made any errors. For example, in a quest for slightly better performance, operating systems put lots of complexity into the kernel and give device drivers free rein over the system. This approach would be great if engineers were infallible, but it's a recipe for trouble if all you have are human beings.
What I find most frustrating isn't bad software -- it's situations where we tell a company about a serious problem, but they decide to ignore it because we're under an NDA and therefore the problem won't hurt sales. If your company is knowingly advertising an insecure or untrustworthy product as secure, try to do something about it. Intentionally misleading customers is illegal, immoral, and a gigantic liability risk. (Keywords: Enron, asbestos, cigarettes.)
It's also frustrating that users keep buying products from companies that make misleading or unsupported claims about their security. If users won't pay extra for security, companies are going to keep selling insecure products (and our market will remain relatively small:-).
As for the worst security, I nominate the following password checking code:
    gets(userEntry);
    if (memcmp(userEntry, correctPassword, strlen(userEntry)) != 0)
        return (BAD_PASSWORD);
ROT13 SPOILER: Na rzcgl cnffjbeq jvyy cnff guvf purpx orpnhfr gur pbqr hfrf gur yratgu bs gur hfre ragel, abg gur yratgu bs gur pbeerpg cnffjbeq. Bgure cbgragvny ceboyrzf (ohssre biresybjf, rgp.) ner yrsg nf na rkrepvfr sbe gur ernqre. [Funzryrff cyht: Vs lbh rawbl ceboyrzf yvxr guvf, unir fgebat frphevgl rkcrevrapr, pbzzhavpngr jryy, naq jnag n wbo ng n sha (naq cebsvgnoyr) pbzcnal, ivfvg uggc://jjj.pelcgbtencul.pbz/pbzcnal/pnerref.ugzy.]
3) Int
You misspelled organization. Please fix, thanks.
Props to GREAT WHITE and their fans!
huh?
best post of the day!
You can always plug in any USB mouse.
huh?
getting smaller too?
no one who speaks german could be evil.
does it run linux?
see, it's shit videos like this that turn Pete Townshend to kiddie porn. stop it
You mean like this:
hey, everybody! I'm a stupid moron with an ugly face and big butt and my butt smells and I like to kiss my own butt.
best.post.evar!
i'm imagining a beowulf cluster.
I just downloaded that song the other day.
just what we need, yet more linux!
Go KDE!