First off, we already know that "we have a much larger infrastructure". That argument is tired. We're still behind - even accounting for this significant hurdle. Other countries have made it a priority and have put measures in place that allow the process to bypass red tape and move forward.
This is really quite simple - the type of machine that can render Prime-based and Discrete Log-based encryption "useless" has not been invented yet. Furthermore, as the article points out, most (including Adelman) belive it'll be a long time before one is.
The problem (P vs. NP) is still just as difficult, and we aren't really much closer to solving it than 10 or 20 years ago.
Quite simply, those who do things becasue they love them tend to do them better than those who do them because they have to. So yes, this would seem to imply that those who use Python (a language that's just now gaining ground) tend to be more skilled than those who use Java (a language that can make you money)....not a rule, per say, but I can see the potential for truth in it.
Is this the end as we know it for simple remote command shell exploits?
No, it's not. First there is the issue of bandwidth, but even more compelling is the "leetness" of the options. The CLI will always appeal to the more dangerous crackers - and those that immitate them.
This is a no-brainer. Most people in computer science got into it because they heard there was money in it - not because they had a love for it. Now that it's become clear that compsci's not a crap shoot when it comes to getting a high-paying job, they're jumping ship like there's airborne HIV on board.
Only the true geeks (the ones who love the stuff) will stay with it even when it gets rocky.
It's a promise unfulfilled - that's all. They tell us to keep waiting and keep waiting...meanwhile the competition is steadily improving and innovating. Longhorn in 2006? Will that get bumped to 2007?
Come on, man - you have to see that this is a dangerous time for them.
I like where you went with your post, but ports are functions of TCP and UDP - which are transport layer protocols (at layer 4).:)
As for the MAC address filtering, you can do that with Netfilter as well, but it wouldn't help much in a WAN setting since you are only going to see the MAC address of your next router hop.
I agree with your points, but surely you must see that this commentary of yours applies to pretty much every invention known to man that is both powerful and started out being free and open.
Look at air travel - there you have spend a ton of time just getting on a plane because of very few bad people. The Wright brothers didn't want this, I'm sure, but it doesn't mean the invention is being perverted in any way; it only says that our world is hostile and that we must protect ourselves from ourselves. Anything useful and completely open these days is ripe for exploitation.
1. TCPWrappers (has to be be right IP and/or daemon) 2. Portknocking (has to have the right sequence) 3. Passive Fingerprinting (only Linux and BSD systems can connect) 4. Keys Only (you must have the correct DSA private key)
Usually unnecessary, yet very interesting - much like Slashdot itself....
I'm just not too sure what they could put in another O'Reilly book about it. Google hacks (O'Reilly), as well as the Google website itself, has tons of information on the less known features.
Here's a brief summary of a few of my favorites that I use to remind myself of them.
It's true that while open source is taking off it will have many of the characteristics that Gates is describing, but ultimately all software needs skilled people to install it and maintain it. An entire infrastructure for a business, city, or government is not going to run itself and generate no jobs just because the development of the software itself was done for free.
1. The firewall's on by default. This is a huge shift for Microsoft and I am glad to see it happen. This alone will stop a ton of worm infections.
2. Browser security. From what I can tell, these enhancements are going to go a long way toward stopping the problems that CERT and everyone have been complaining about.
3. Email security. OE is getting hardened in a way similar to IE, and this also is a very much welcomed move.
Between worm propogation and the two most common ways for a user to infect themselves, if they were to even modestly improve in all three of these areas it would make a significant impact on the security posture of people running the update.
I thought it may be worthwhile to mention the fact that this tool does not attack MD5 in any way. Remember, MD5 is designed to give the exact same output for identical input, all this is doing is trying all inputs for lowercase a-z and 0-9, i.e. it's a very limited brute force tool.
1. Security.// Linux is usually more secure by default and is able to be secured easier due to the fact that users have complete access available to the system
2. Philosophy.// as a quasi-altruistic community, the Linux world often has Google-like aspirations regarding concepts of free information and such - as opposed to views that are arguably centered on money alone
3. Stability.// most uptimes in Linux are measured in months and years rather than days and weeks (with exceptions, of course), and the GUI being a completely separate component from the kernel helps this greatly
"Let me assure you that most people (except techies and maybe managers of techies) do not have the faintest idea what "MCSE" means."
I mentioned that for one reason alone -- to defend the article and myself vs. categorization as a MS-basher at first glance. This helped it get promoted more efficiently (more people picked it up), and hundreds of people have responded to me personally who are self-proclaimed "non-techies" that are now either switched or are considering switching to Firefox, Netscape, or Opera.
So, whether or not the person benefiting from the article knew what it meant, my adding it to the very beginning in order to deflect hate seems to have been effective.
http://channels.lockergnome.com/news/archives/20 04 0615_why_you_should_dump_internet_explorer.phtml If that doesn't work, just put "why you should dump internet explorer" into Google. It'll be the first hit.
My piece, written for the non-techie masses, on why they should consider other browsers: http://channels.lockergnome.com/news/ar chives/2004 0615_why_you_should_dump_internet_explorer.phtml I am glad to see CERT step up and make a decision like this despite the fact that they are guaranteed to be flogged for it.
This story is probably most likely to incite BMW owners to get an iPod to go with their car, but in my case it's actually inspired me to get a BMW to go with my iPod.:) I was close to getting one anyway, this just finalizes things for me...
Slashdot Mirror
First off, we already know that "we have a much larger infrastructure". That argument is tired. We're still behind - even accounting for this significant hurdle. Other countries have made it a priority and have put measures in place that allow the process to bypass red tape and move forward.
We haven't, and we need to.
This is really quite simple - the type of machine that can render Prime-based and Discrete Log-based encryption "useless" has not been invented yet. Furthermore, as the article points out, most (including Adelman) belive it'll be a long time before one is.
The problem (P vs. NP) is still just as difficult, and we aren't really much closer to solving it than 10 or 20 years ago.
...that you can still sell services based around that free software.
Quite simply, those who do things becasue they love them tend to do them better than those who do them because they have to. So yes, this would seem to imply that those who use Python (a language that's just now gaining ground) tend to be more skilled than those who use Java (a language that can make you money). ...not a rule, per say, but I can see the potential for truth in it.
Is this the end as we know it for simple remote command shell exploits?
No, it's not. First there is the issue of bandwidth, but even more compelling is the "leetness" of the options. The CLI will always appeal to the more dangerous crackers - and those that immitate them.
This is a no-brainer. Most people in computer science got into it because they heard there was money in it - not because they had a love for it. Now that it's become clear that compsci's not a crap shoot when it comes to getting a high-paying job, they're jumping ship like there's airborne HIV on board.
Only the true geeks (the ones who love the stuff) will stay with it even when it gets rocky.
It's a promise unfulfilled - that's all. They tell us to keep waiting and keep waiting...meanwhile the competition is steadily improving and innovating. Longhorn in 2006? Will that get bumped to 2007?
Come on, man - you have to see that this is a dangerous time for them.
...Linux and OS X pick up three. If they don't get their house in order soon, they are going to have more to worry about than browser marketshare.
I like where you went with your post, but ports are functions of TCP and UDP - which are transport layer protocols (at layer 4). :)
As for the MAC address filtering, you can do that with Netfilter as well, but it wouldn't help much in a WAN setting since you are only going to see the MAC address of your next router hop.
I agree with your points, but surely you must see that this commentary of yours applies to pretty much every invention known to man that is both powerful and started out being free and open.
Look at air travel - there you have spend a ton of time just getting on a plane because of very few bad people. The Wright brothers didn't want this, I'm sure, but it doesn't mean the invention is being perverted in any way; it only says that our world is hostile and that we must protect ourselves from ourselves. Anything useful and completely open these days is ripe for exploitation.
"Now, mixing instead knocking and a cryptographic application seems to me instead more promising."
Yeah, that's what the other guy mentioned did. He's got a one-time-pad implementation that looks pretty cool.
1. TCPWrappers (has to be be right IP and/or daemon)
2. Portknocking (has to have the right sequence)
3. Passive Fingerprinting (only Linux and BSD systems can connect)
4. Keys Only (you must have the correct DSA private key)
Usually unnecessary, yet very interesting - much like Slashdot itself....
I'm just not too sure what they could put in another O'Reilly book about it. Google hacks (O'Reilly), as well as the Google website itself, has tons of information on the less known features.
Here's a brief summary of a few of my favorites that I use to remind myself of them.
I could tell it was a Microsoft site without even looking at the URL. How? Easy, it failed to render correctly using a W3C complient browser.
It's true that while open source is taking off it will have many of the characteristics that Gates is describing, but ultimately all software needs skilled people to install it and maintain it. An entire infrastructure for a business, city, or government is not going to run itself and generate no jobs just because the development of the software itself was done for free.
Three things strike me about the release:
1. The firewall's on by default. This is a huge shift for Microsoft and I am glad to see it happen. This alone will stop a ton of worm infections.
2. Browser security. From what I can tell, these enhancements are going to go a long way toward stopping the problems that CERT and everyone have been complaining about.
3. Email security. OE is getting hardened in a way similar to IE, and this also is a very much welcomed move.
Between worm propogation and the two most common ways for a user to infect themselves, if they were to even modestly improve in all three of these areas it would make a significant impact on the security posture of people running the update.
I applaud them in advance for even trying.
I thought it may be worthwhile to mention the fact that this tool does not attack MD5 in any way. Remember, MD5 is designed to give the exact same output for identical input, all this is doing is trying all inputs for lowercase a-z and 0-9, i.e. it's a very limited brute force tool.
Move along...nothing to see here...
Here's my piece I did on the topic about a week before the CERT announcement:
http://www.dmiessler.com/reading/ie.html
1. Security. // Linux is usually more secure by default and is able to be secured easier due to the fact that users have complete access available to the system
// as a quasi-altruistic community, the Linux world often has Google-like aspirations regarding concepts of free information and such - as opposed to views that are arguably centered on money alone
// most uptimes in Linux are measured in months and years rather than days and weeks (with exceptions, of course), and the GUI being a completely separate component from the kernel helps this greatly
// nuff' said
2. Philosophy.
3. Stability.
4. Cost.
Those are just a few for starters...
"Let me assure you that most people (except techies and maybe managers of techies) do not have the faintest idea what "MCSE" means."
I mentioned that for one reason alone -- to defend the article and myself vs. categorization as a MS-basher at first glance. This helped it get promoted more efficiently (more people picked it up), and hundreds of people have responded to me personally who are self-proclaimed "non-techies" that are now either switched or are considering switching to Firefox, Netscape, or Opera.
So, whether or not the person benefiting from the article knew what it meant, my adding it to the very beginning in order to deflect hate seems to have been effective.
Regards,
-Daniel
Ah, yes. That space is what did it... Thanks.
Sorry for the URL issue; let me try again:
0 04 0615_why_you_should_dump_internet_explorer.phtml
http://channels.lockergnome.com/news/archives/2
If that doesn't work, just put "why you should dump internet explorer" into Google. It'll be the first hit.
My piece, written for the non-techie masses, on why they should consider other browsers:r chives/2004 0615_why_you_should_dump_internet_explorer.phtml
http://channels.lockergnome.com/news/a
I am glad to see CERT step up and make a decision like this despite the fact that they are guaranteed to be flogged for it.
"That's as dumb as buying a car because it matches your shoes and nail polish."
:)
It was a joke; attack yourself.
This story is probably most likely to incite BMW owners to get an iPod to go with their car, but in my case it's actually inspired me to get a BMW to go with my iPod. :) I was close to getting one anyway, this just finalizes things for me...