Yeah, except that doing that would probably catch the receiver on fire.
Or is blowing people up some new form of gathering information?
Only if you read the entrails.
GWB: For great justice, take off every DDoS attack!
And just think, we're doing that for them now.
find that a big draw for Outlook would be its well-designed UI (seriously, it's about the only thing it's good for! :) and the lock-in you get with MS Exchange, but the huge drawback being the fact that it is so easily compromised by viruses and worms and whatnot.
Sadly most people seem to be insanely ignorant of this point, and just keep chugging along, happily flooding the internet with Klez, Bugbear, and Sobig. :(
Actually, there are no known auto-execute exploits in the current (default) version of Outlook. Microsoft security may suck, but they were smart enough to patch it eventually. And if the users are stupid enough to run ReallyCoolScreensaver.scr that they got in their inbox, they're screwed whatever client they use.
... that they still cost 10 times as much as gold.
Can you see me now?
Good!
Can you see me now?
Good!
"Open a blank tab."
Hint, he's not using IE...
This system (or any other "panopticon" they're excited about) would be fucking awesome for solving crimes. You can see exactly where that truck went after leaving the house of the victim, etc. No more disappearing into the night.
What I'm concerned about is abuses of the system, either passing ridiculous laws and using this to selectively enforce them, or using the data to embarrass political enemies.
.009% got sick of all the spam and left.
Industry officials counter that if they don't have the right to approach consumers at least once, people will be deprived of potentially valuable offers that they would otherwise not hear about.
Yes, I'm so glad they can email me without permission... I'd hate to be deprived of all those valuable offers to E N L A R G E my penis...
I'm honored to know that at least someone values my opinion :-)
One of the most important considerations in security is what you're defending against.
Encryption is an excellent method for protecting against password sniffing, and should be used basically everywhere you're sending passwords. It doesn't, however, go very far in defending database integrity, because the databases are on another tier from the data users. You might encrypt the link with the server to prevent people from reading/changing stuff on the wire, but if your database gets rooted or your data-consuming app is vulnerable, you're screwed anyway.
Vulnerable scripts are a huge deal. String interpolation attacks are very common, and probably still an effective means of lifting cc# databases. All the encryption in the world doesn't save you from these, and access checking only goes so far. You really have to secure the scripts as well.
Buffer overruns and similar exploits can root your box, and then it's game over if the hacker is worth his salt, crypto or none. A firewall can probably protect your database server, but you'd have trouble protecting your webservers this way. For that, you'd have to have an up-to-date OS, and some sort of intrusion alarm. If your webserver gets rooted, it won't take a good hacker too long to attack your database, and he'll get loads of information useful for another attack, but if you detect it fast enough (and are lucky), you probably won't get much sensitive data stolen.
With bank PINs, the only way to attack them is an online attack, unless you've bugged their network (the sensitive parts of which are well-separated from the internet), in which case they probably have bigger problems. For this reason, 6 characters is easily enough for an ATM PIN: if it freezes your account for a day after 5 wrong guesses, it would take 300 years to guess on average, and assuming they notify you, you'd be doing something about it long before then.
I'm no forensics expert, but what I do know is that it is usually darned-near impossible to figure out what someone looked at after a break-in, with or without Tripwire (which is an excellent tool for seeing what was *changed*, but if they're only looking, it is much less useful). Append-only logfiles are good for this purpose, so that should offer some protection against being rooted or against passwords being guessed/sniffed/social-engineered/whatever. However, a vulnerable script leaves few traces of being exploited unless you log every input anyone passes to it. This could be prohibitively expensive, although it wouldn't be too hard to grep through it once you know you've been broken into.
As for making things difficult, you are right. That should keep most script kiddies off your site, and given all the insecure sites out there, people will seek easier targets. If a black hat really wants to crack you (which could cause more damage than script kiddies), it'll afford a human on your end more time to notice and respond. But oftentimes, there will be a quick hole from a bug due to the increased complexity of the system, which would allow someone to break it almost instantly. This could balance out the benefits of "difficult" security schemes.
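The string-interpolation problem and the "log every input" idea from this post, as an added example that is not part of the original thread: a customer lookup written the vulnerable way and the parameterized way, with every input appended to an audit log that can be grepped afterwards. The table contents, the inputs, the script name and the suspicious-pattern regex are all constructed for the demo.

```python
"""Added example (not from the thread): one lookup, two ways, plus an input log."""
import os
import re
import sqlite3
import tempfile


def make_db():
    # Constructed sample data standing in for a customer/card table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "1111"), ("bob", "2222"), ("carol", "3333")])
    return conn


def lookup_interpolated(conn, username):
    # Vulnerable: the input is spliced into the SQL text, so a quote in it
    # changes the statement instead of being compared as data
    sql = "SELECT username, card_last4 FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Hardened: the driver binds the value separately; quotes stay data
    sql = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def log_input(log_path, script, value):
    # Append-only record of every input the script received (newlines escaped
    # so one input cannot forge a second log line)
    with open(log_path, "a", encoding="utf-8") as f:
        f.write("%s\t%s\n" % (script, value.replace("\n", "\\n")))


# Constructed pattern for after-the-fact review: SQL fragments in user input
SUSPICIOUS = re.compile(r"'|--|;|\bOR\b|\bUNION\b", re.IGNORECASE)


def grep_log(log_path):
    # The "grep through it once you know you've been broken into" step
    with open(log_path, encoding="utf-8") as f:
        return [line.rstrip("\n") for line in f if SUSPICIOUS.search(line)]


def demo(inputs):
    # Returns (rows returned by each variant per input, suspicious log lines)
    conn = make_db()
    log_path = os.path.join(tempfile.mkdtemp(), "inputs.log")
    results = []
    for value in inputs:
        log_input(log_path, "lookup.py", value)
        results.append((len(lookup_interpolated(conn, value)),
                        len(lookup_parameterized(conn, value))))
    return results, grep_log(log_path)


if __name__ == "__main__":
    rows, hits = demo(["alice", "x' OR '1'='1"])
    print(rows)  # [(1, 1), (3, 0)]: the interpolated query leaks every row
    print(hits)  # only the second input is flagged in the log
```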
See, I know they say that these are the same, but the "piles" feature in the patent is like a folder, which pops up its items (with a fancy iCandy effect) when moused over or something. This would be really handy for .tex, .aux, .log, .dvi, .ps, .pdf combinations that seem to be in an awful lot of folders for me...
That was the most brilliant troll I've seen in a long time. Please, mod up to +5, troll.
It certainly helps to keep your cc# db encrypted, possibly using syskey or the like to access it. But remember, the database is there for a good reason--there are lookups run against it all the time (heck, otherwise you could just airwall it). So you have to be able to decrypt it, and that generally means that if someone roots either the box it's sitting on, or one of the boxes that does lookups against it, all your base are belong to them.
Tripwire is one that comes to mind, and if used properly is an excellent forensic tool. Too bad some schmoes don't know that.
Yeah, Tripwire is great, but it wouldn't help you know what's been stolen. It only detects modifications to files; it doesn't tell you if someone ran a 'sploit, sniffed a password or two, and lifted your cc# database. The access times would be useless too, as it's probably accessed way too much for that. You'd have to keep very detailed logs to figure out what had happened, and even then it's difficult to figure it out.
My baysian filter can beat your baysian filter.
Oh yeah? Well, my Bayesian filter is spelled right...
Hackers have used this attack many times before. The most recent one that I remember was PayPal. They claimed the password database had been corrupted or something, and asked people to click the link and reenter their passwords. Got a whole lot of accounts that way.
Someone else did it with a note that said they were putting a timer on service so that you had to log in every so often to keep your account active. People went and logged in by the thousands to the phony site they set up.
If the errors are not bugs in the code, but rather illegal operations by the user, and the software gives the same message for them, that might not be theft. I wouldn't count, say, a "Scaling factors must be nonzero" error as theft.
On the other hand, a copied might be theft (i.e. infringement of copyright), depending on just how detailed those messages were that they copied.
Do either of them have an option for SSL, or any encryption at all (other than that which tries to make the protocol as obscure as possible)?
No. But Panther has IPSec and IPv6 installed, so you might try using those.
You could compile the latest Mozilla while running Win2K in VMWare with Seti@Home in the background while playing Quake without taking a performance hit.
:-P
I bet you couldn't do that on a G5.
You're right.
On the G5 you'd be running Safari.
OK. But then how much space does a (void *) take up? 6 bytes? There are alignment issues that would suggest it to be 8...
In a 64-bit address space, all your pointers take up twice the space.
This IS SIGNIFICANT in many applications, and they must be run in the 32-bit mode.
The extra address space helps you only if you're willing to spend another several hundred dollars to get over 2 gigs of RAM, or are willing to put up with a huge swap.
Seriously. Apple has such a history of doctoring benchmarks to make their own proccies look faster that I didn't even parse the headline as "World's fastest PC!" Rather, I read it as, "Capable of being doctored to look like the world's fastest PC!" Which, you have to admit, is a quantum leap over the G4.
That said, I use Photoshop a lot, and given their claims I would expect it to be at least competitively fast at Photoshop. And hopefully we'll get an optimized version of POV-Ray for the G5 (more likely MacMegaPOV), which would be great for my render jobs. While compile speed will probably remain slower than the competition, Apple's new IDE should soften that with its precompiling etc.
So when it comes down to it, I'll probably get one of these systems, maybe after they drop in price (combo drive anyone?) and sport Panther. After using OS X, Linux and Windows for a few years, I'd say that the Mac operating system, unlike the processor, is decidedly superior, and when I'm writing a term paper, surfing the web, or serving a low-traffic site, that's what counts more than speed. While the price is an issue, it's worth it not to need tech support.
As long as Jobs continues to raise up religious zealots to the cause, Apple will never really be dead. ... but rather undead?
Much to my surprise, the benchmarks for the stuff I am doing (cryptographic algorithms) tell me that this box requires more than twice as many CPU cycles to complete the job as my 2-year old 1 GHz Athlon box.
Heh. You should try a G4 (or, if they come out today, a 970). Altivec has a couple SIMD instructions good for codes, such as SIMD rotate. See distributed.net for more info. (Their stats are for RC5, which is particularly nice on a G4; the improvements with AES, TWOFISH, etc would be somewhat less; with RC4 there's basically no difference).