Slashdot Mirror


User: wirelessbuzzers

wirelessbuzzers's activity in the archive.

Stories: 0
Comments: 1,315

Comments · 1,315

  1. Re:Permanent Data Deletion Tool on Microsoft Offers New Data-Security Scheme · · Score: 1

    Just out of curiosity, what sort of data would one be able to recover after the 24th pass that would be irrecoverable after the 25th one? I mean I'm a little paranoid, but 25 times is ridiculous.

    25 times is a bit paranoid, but not ridiculously so. After only a few erasures, a lab such as Total Recall may be able to recover (most of) the disk, and since the overwriting data is random rather than carefully chosen codes (eg Gutmann codes), more passes make adequate codes less likely.

  2. Re:No, you Think again! on Microsoft Offers New Data-Security Scheme · · Score: 1

    Hard drive companies actually have low level formatters today and don't just call "writing 0's over the entire drive" low level formatting, when that is not what low level formatting is?

    I don't know what HD manufacturers' "low level formatting" does, but hard drives use a number of codes (run-length limiting codes, error correcting codes, etc) to store data, so writing 0's over the entire drive doesn't flip every bit to 0. A utility that overwrites the surface of the disk randomly several times is desirable; that's part of the goal of Eraser (which uses like 36 passes or something, must take hours...)

  3. Re:Think again! on Microsoft Offers New Data-Security Scheme · · Score: 1

    * log-structured or journaled filesystems, such as those supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)

    Filesystems which only journal metadata should work fine with shred. Ext3 doesn't normally journal data as far as I am aware. Not sure about the others. I think ReiserFS journals data, and so shred doesn't work.

    But if you shred the device, it makes no difference.

  4. Re:They "think" it was "sabotaged" ? on EU Sleuths Think Microsoft Sabotaged Windows · · Score: 3, Funny

    I wouldn't install it if I had a signed affidavit from the CEO saying it won't call home or resist uninstallation, distills whiskey and prints $100 notes.

    Of course not, because then you'd have the Secret Service after you...

  5. Re:Regular expressions in a cookbook? on Regular Expression Recipes · · Score: 1

    If you want more of a challenge, try writing a regular expression that finds any <script></script> tags along with anything in between using only greedy matching. You will find that the length of your regular expression goes up exponentially with the length of your ending condition.

    Actually, they grow quadratically:
    s{<script[^>]*>
    (
    |[^<]
    |<[^/]
    |</[^s]
    |</s[^c]
    |</sc[^r]
    |</scr[^i]
    |</scri[^p]
    |</scrip[^t]
    |</script[^>]
    )*
    </script>}{}gix;

  6. Re:WTF Informative? Here's something informative on UK Officially The Most Hacked Country · · Score: 1

    IHBT. Oh well.

    The article isn't talking about bots per computer. It's talking about total percentage of worldwide bots. 25.2% of all worldwide bots are in the UK (not England, you will note, but that's beside the point). That is, the number of bots in the UK is 0.252*b where b is the total number of bots worldwide. Similarly, the number of bots in the USA is 0.246*b. Now, b is a positive number, so we must have

    0.252*b > 0.246*b

    ie, there are more bots in the UK than in the USA. Furthermore, since (as you pointed out) there are fewer computers in the UK than in the USA, and these numbers are both positive, the UK also has more bots per computer.

    Was that so hard?

  7. Re:Impressive on iTunes DRM Hole Closed · · Score: 1

    Tell me, what's the reason for restricting iTunes' streaming capabilities? It used to be five simultaneous users, now it's 5 per day. w00t.

    I don't like DRM in general, and this isn't actually conventional DRM, but I'll tell you why they did it. iTunes is a major tool for illegal music sharing on college campuses. I myself wrote a program to bridge subnets, so that you can see everyone's music at your college, and was working on a tool to search this network and download songs from it (yes, you can download songs from iTunes). I was planning on using this system semi-legally, to make a Linux jukebox that streams from my and my roommates' iTunes libraries (violates the TOS but not copyright), but there were obvious totally illegal uses as well.

    There are similar programs such as OurTunes that are already in use. Apple did this because people were using their program illegally, and most legal uses of the system wouldn't suffer. Was it annoying? Yes. Was it ridiculous? No.

  8. Re:Imagine.. on iTunes DRM Hole Closed · · Score: 1

    I don't normally defend the Slashdot hivemind, but here I agree with it. It's not a matter of the company here. Most Slashdotters give kudos to DVD Jon for breaking this (see the posts in the article describing the break), although most of us knew that the hole would be closed.

    However, it is clear that DVD Jon is legally in the wrong here, or would be if he were in the US. Apple is perfectly within their rights to sue him. I'd rather they not, but they are well within their rights to do so, just as Hasbro is well within their legal rights to sue eScrabble, but ought not to because the Scrabble design is 85 years old and Hasbro's online scrabble software sucks.

  9. Re:Nothing to Fear on What Will We Do With Innocent People's DNA? · · Score: 1

    Or else he rolled really lucky. For those of us that roll our characters.

  10. iTunes: Rip, Mix, Burn on Wooden-Cased Computers, Small and Extra-Large · · Score: 1

    n/t

  11. Re:Possible other uses on Scientists Discover What You Are Thinking · · Score: 1

    I'll take the 5th.

  12. Re:Not a vulnerability. on Some Linux Distros Found Vulnerable By Default · · Score: 1

    Fork + malloc bomb comes to mind: memory limits are usually per process.

    Also possible are exhausting kernel file descriptors or, as one poster mentioned, semaphores. Or you can get a whole bunch of programs reading and writing a large number of files spread out across the disk (eg some in /tmp/) and thrash the machine so that disk I/O slows to a crawl. On many systems, there are system calls that take a lot of CPU time to complete; these are also a good candidate for attack.

  13. Re:Expensive on OpenBSD CVS RAID Array Failing, Needs Replacement · · Score: 1

    We're planning on even buying the redundant RAID array as well.

    Acronym expansion fun!

    "We're planning on even buying the redundant redundant array of [inexpensive/independent] disks array as well."

    To be fair, you did say that it was redundant...

  14. Re:I dont think Sniper Rifle is the correct term h on Build Your Own Bluetooth Sniper Rifle · · Score: 2, Insightful

    How about a "snooper rifle"?

  15. Re:I must say on OpenBSD CVS RAID Array Failing, Needs Replacement · · Score: 1

    Thanks. I love O'Caml, and I thought that since /. is an operator, I should use that as my sig. No one had commented on it, though.

    Hm, nor on mine...

  16. Re:More /. HYPOCRISY on Finding the Pits In CherryOS · · Score: 1

    Yeess ... this line of argument always ends up justifying implying that (a) the author's taste is definitive and (b) that the author should arbitrate contracts rather than the people involved.

    It's a childish argument.


    It's not an argument. It's an explanation for why people on Slashdot don't like the RIAA. My taste in music or contracts doesn't have to be definitive to dislike them.

    Of course, if you want more objective facts, you can look at the flattened dynamics and unoriginal chord progressions of most major-label music, or at the number of artists who end up in debt to the RIAA after having sold only tens of thousands of CDs.

  17. Re:More /. HYPOCRISY on Finding the Pits In CherryOS · · Score: 1

    I'll bite. And I'll even bold the key words for your apparently short attention span.

    Copyright infringement is not theft. Theft is a crime, because when you steal something, the owner no longer has it.

    Copyright infringement is not a crime unless it is done for profit. It is a civil offense. When you infringe a copyright, the owner still has his/her "intellectual property."

    Copyright infringement for profit is a crime. This is partly because for-profit infringers have historically been able to distribute much more widely than freeloaders, but more importantly because the infringers are gaining revenues that the original owner loses out on; that is, they are profiting from the work of another without permission, and furthermore they are hurting that other person in the process. However, while it is a crime and therefore subject to jail time, for-profit copyright infringement is still not theft, just as theft is not robbery or murder. Theft is a different crime.

    Copyright infringement is also not piracy. Piracy is robbery (i.e. forcing people to give goods with weapons or strength) and murder at sea. Copyright infringement does not involve weapons and does not usually take place at sea.

  18. Re:More /. HYPOCRISY on Finding the Pits In CherryOS · · Score: 5, Insightful

    Of course, the pro-piracy opinions are largely self-serving, but there is an important difference here: Cherry OS is for profit. I expect that most of the pro-piracy posters on Slashdot are against selling bootlegged CDs or DVDs, and especially strongly against taking obscure works and selling them as your own.

    I think that Slashdot as a whole tends to be against making money without making a useful contribution to society, and against corporatism. So they're OK when someone patents a specific, useful, non-obvious idea and makes money from it, but not when a corporation which probably didn't invent the idea buys up an obvious patent and goes around suing people who are using the idea independently. Similarly, if someone copyrights a work and makes it available at a reasonable price, most Slashdotters would be fine with that, even if they would prefer that he give it away. But when the RIAA gets rich by selling crap music with ridiculous contracts to prevent the artists from making a buck, this is a bad thing.

    My personal views are pretty similar. I hate obvious patents, especially software and business method patents, and patent-whoring companies as well as copyright-whores like the RIAA (but their music is mostly crap, so I don't pirate it). I'm fine with copyrights on say Windows (although I wish it were better), and I think the copyrights on PearPC are legit also. Personally, I try to make my work public domain, because it's not good enough to sell and I don't want people to bother about credit, but if I do something saleworthy, I'll certainly sell it.

  19. Re:why would it be illegial? on CherryOS Mac Emulator Resurfaces · · Score: 1

    Medium Customarily Used for Software Interchange = 360K 5.25" floppy disk drive, DOS formatted, the PDF gzipped and split into sections. For a typical program, that's about 500 disks worth.

    Yeah, that would be so slick. That way when someone asks them for the source, they have to ship them 500 floppy disks...

  20. Re:very handy. *cough* on Linux Server Break-in Challenge · · Score: 3, Informative

    Your quote, while partially right, is out of context. Schneier is talking about cryptographic cracking contests, especially of the form "here's a ciphertext file, tell me the plaintext." In this case, the attackers have much more access to the machine. Furthermore, there are more skilled hackers with free time than skilled cryptographers with free time.

    However, a much bigger problem is that they only give 96 hours. The Hardened Gentoo server is much more rigorous, as it has no prize associated but has been available to log into for a long time.

  21. Re:FireFence extension idea on Phishers Build Deceptive Links with DNS Wildcards · · Score: 1

    SSL certificates solve this problem pretty well. Even if you spoof paypal.com, you can't make a secure connection to it (with the little lock icon) without the user getting a huge warning about an unsigned cert, or a cert which is different from the current one.

  22. Re:Passwords should work both ways: SRP on Phishers Build Deceptive Links with DNS Wildcards · · Score: 1

    SRP (Secure Remote Passwords) is a protocol that authenticates both the user and the server. Essentially, it makes sure that the server knows your password. Unless the protocol has unknown weaknesses, the security is essentially the best you can get:

    Eavesdropper gets nothing.
    Guy pretending to be client gets one guess per login attempt; if he's wrong, he can't log in.
    Guy pretending to be server gets one guess per time he can get the client to type his password; if he's wrong, he can't log the client in. If the implementation caches passwords, this is exactly one guess.
    Man in the middle gets nothing other than his two guesses (for pretending to be the client, and pretending to be the server), and can't snoop on the connection.
    Guy who steals the password database on the server gets a dictionary attack, and can impersonate the server successfully.

    All this without SSL certificates or anything. Unfortunately this is not implemented in most browsers or websites; there is a patch for SSH to use it though.

  23. Re:A kernel patch for supercomputers ? on Linux Kernel 2.6.11 Released · · Score: 1

    Note that the changelog in TFA is just from 2.6.11 RC5 to 2.6.11, not from 2.6.10 to 2.6.11.

  24. Re:Don't panic! 'Broken' is not Cracked on SHA-1 Broken · · Score: 2, Informative

    It's based heavily on AES's core operations which would make me feel uneasy. Diversity in the underlying techniques for crypto algos is exemplified here by how just about every hash we use today fell because of a lack of diversity.

    True. But even if AES were to fall, its core is totally different from 3DES, IDEA, TWOFISH, BLOWFISH, SERPENT, MARS, RC6, TEA and so on. There are probably dozens of different, still-unbroken symmetric ciphers out there, and this doesn't even include stream ciphers like RC4. And the ciphers that I listed don't bear that much relationship: many of them are Feistel ciphers, but that's about the extent of the structural similarity. Even if a weakness were found in the Feistel design, we'd still have AES, IDEA and MARS at least (not sure about RC6).

  25. Re:Not just developing countries on The Sub-$100 Laptop? · · Score: 1

    No. You can use *small* resistors in the divider, which will minimize the effects on the attached circuit but leak a prodigious amount of power (think, big resistors are like an open circuit, so in limit the attached circuit is disconnected). What you want to do instead is use a voltage regulator. They're really not that expensive, only a couple dollars for one to drive a computer supply rail.