Um...who repairs motherboards anymore? At around $100 a pop, most people just get a new one.
If there's a high-end application for this technology, great, but getting rid of high-end hardware is one of the biggest reasons people are also getting rid of Sun...
Well...the $500 bounty is itself U.S.-centric. (Note that it's not expressed in Euros or Yen.)
I don't think Mozilla needs to sell itself to the rest of the world as hard as it has to sell itself to the U.S.; the rest of the world tends to already view Microsoft's browser with suspicion.
So...yeah. I'll refine my comments to say that the bounty is still marketing spin, although it is clearly directed at the U.S. browser markets.
The $500 bounty is just marketing spin. It's not as bad as the BS "crack the code" contests spun by snake oil cryptographers, but a low bounty like this isn't going to attract new white-hatters.
Think about it...this story will headline in tech rags (including this one) for free. Even if Mozilla pays out a couple bounties (say $3000), they get the message that "Mozilla is secure" out there fast and cheaply.
On the other hand, for most of us in the security community, $500 is maybe a half-day of work. So...there isn't a whole lot in terms of risk/reward if you are primarily motivated by money.
In addition to suggesting algorithms, NIST also VALIDATES code and devices to make sure they do exactly what they should when it comes to cryptography. (No back doors, no shortcuts, etc.)
More information about the Cryptographic Module Validation Program (the current standard for encryption is FIPS 140-2) can be found here:
http://csrc.nist.gov/cryptval/140-2.htm
Also, here's a group which has both Windows and Linux versions of a FIPS 140-2 AES implementation, if you want to know what it looks like in action:
http://www.standardnetworks.com/moveitcrypto
Bloated project management software helped kill Netscape - they spent all their time farting around with a bugtracker when they should have been fending off Microsoft.
Apache doing non-web server things makes me worried.
I used to run XWindows on 8 megs of RAM. (circa 1994)
I think the complaint that Linux desktops are getting too fat is spot-on. Then again, does anyone really run GUI applications on their important Linux servers?
This is a crappy environment for beginners.
The first thing they will bump into is crap-loads of IE vs. Mozilla vs. Netscape JavaScript inconsistencies.
The second thing they will bump into is "how do I save information per user, not per browser". The answer is server code, probably in a different language than JavaScript, so now newbies have to keep two things straight.
Just giving it shit because somehow it ended up with an NHL team which ends up beating the crap out of my Blackhawks every time they're in town. Kind of like losing to the Diamondbacks - that's where the Cubs have a 3A team, for Christ's sake!
I work for a banking service provider (one of the guys who run the banking software for the little 1-50 branch banks). A few years ago we used to get excited because the Secret Service or FBI wanted us to pull some records. These days we almost need a full time person to track this stuff down. This week we got a call from a homicide detective in Columbus, OH. (Is that really a city?)
The detail we can provide these guys is pretty complete - even if it's just a lame web banking hack attempt, we can often link that attempt back to a specific ISP user (because the ISP often attaches additional information to web requests - ahem, AOL) as well as tell every single transaction that account, that IP, that user has done since XXX.
And what does it take for people to get the information? At first we only trusted agents with ID at the door, but it really is getting to the point of a phone call and a fax; in fact, the best way to social engineer these days might just be to pretend you're a cop - the person on the other end of the phone (at least at my place) will generally roll over and cough up whatever you want by the second phone call.
Fortunately, some management types have started to pay attention to the hack opportunity provided and are beginning to educate the first-line responders to these kinds of calls that just because they say they are cops, doesn't mean they really are....
Star Wars games routinely top the PC games sales charts on release.
I know I'm being lazy, but has this trend continued through the "Battle for Naboob" or whatever they released in concert with the Episode I/II prequel-sequels?
Star Trek games probably make up some of the worst games in PC gaming history
No argument there...the coolest Star Trek computer thing which ever came out was the Star Trek screen saver...ala 1992?
Who are we kidding here?
Remember when Star Wars was cool? (I mean, at least cooler than Star Trek?)
There are probably about 40 people in the world who give a shit about the Jedi knight thesis paper Lucas has decided to put on the silver screen. Meanwhile, every bored housewife from Florida to Washington seems to be on Everquest.
So...how the hell can you say (yet another) Star Wars game is going to be bigger than something already universally known as EVERCRACK?
...hmmm...based on my experience I'd have to say network hacking reached its "easiest" level right after the year 2000 turned over.
There were just so many holes in the software, so many packages to choose from, so many unprotected systems, etc.
As people have gained wisdom (still without the +1 modifier) about security, I'd have to say systems have been getting steadily harder to hack. (This will probably change if .NET gets widely accepted however.) Of course, this article relies heavily on physical security risks, but I think orgs have greatly tightened these up too since 9/11.
OK, that does make sense. I guess I'd forgotten that SlashDot HAD a Unix category; 85% of the people here seem to run Linux and only Linux.
What category would you like to see it under, Star Wars?
Can you show me a mainstream, modern browser that doesn't understand both GIF and PNG?
The Brits Would Tax Your TV If They Could...oh wait...
This story was "on the wire" - published all over the place. How about a better link than the crappy "free reg" NY Times one?
We let people say they "borrowed" from great works because it makes us feel better about liking the pulpy pop-culture end product.
i.e. Madonna says she borrows from Mozart.
i.e. Lucas says he borrows from "mythology"