All right, maybe you have a point that you'll never know if the patch worked without a way to test it. But come on, if the changelog says it's fixed, are you going to test every security exploit there is just to see if you've applied the test correctly?
The problem is if you can test the patch by trying to use the exploit, someone else can use that same exploit on an unpatched system. Nessus can be used very well to hack servers, for example. I'm not saying the exploit code should be kept secret from everyone, but I'd rather have it that there were restrictions on who has the code and for what purpose. Certainly it shouldn't be posted on every corner. Some leaks are unavoidable, but the less the better.
If all I have are instructions on "how to be secure", how do I know if the instructions work?
If you're not sure that the instructions given to you by the authors of the software work, I don't think you should use that software.
Do you know any "hax0r"s? Have they told you this?
I do indeed know a bunch of "hax0rs" who do indeed "hax0r" their ISPs or whatever. And packetstorm is their best friend. Unfortunately only the minority of admins follow the patches closely enough.
1. IE is not opensource - the fact that you know about the exploit doesn't mean you can do anything about it (except stop using IE). That goes for IIS, Windows, Macs, some commercial unixes, etc.
2. If you're talking about opensource software, say apache, since it is widely used, if you're not a developer involved in apache, there is much less of a chance that you're going to do something about it, as opposed to someone who is actively involved. And if you are aware of the exploit (through your own discovery) and do something about it, and share the patch/solution in the community, you're more likely to be admitted to the info about future security bugs if you wish to be.
Mozilla doesn't open its security bugs and I have never seen anything that posed a serious threat and wasn't promptly solved by mozilla developers.
The philosophy is: you have to prove yourself worthy if you want information that can pose a threat to others.
If I use the software, I need the information, so I can protect myself
Pardon me, if you use IE, how is the exploit code going to help you protect yourself? All the information the end-user needs is a patch or directions to fixing the exploit.
The only person who needs the exploit description is the maintainer of the program, to fix it. Read the article. The information in question was already available in black-hat circles, and was actively being used in the wild. Do you believe that the white hats shouldn't be on level footing?
I don't believe that one more occurrence of that particular piece of information will help users in any way. The first sites that any "hax0r" goes to to find out about exploits or such are major bugtraq sites, like securityfocus or packetstorm. They do more harm than good.
Only people who need that information should be allowed access to it. That's why only something like bugzilla really works well with a product that is likely to be subject to exploits - only the people who are developers of the relevant piece of code are admitted into the security exploits section.
If that kind of info is posted openly on the web, I fail to see the difference between that and stupid pages that always post activex exploits thinking they're cool hax0rs. Cool hax0rs don't post exploits, they fix them.
And what if you got some of the spray onto your socks while applying it to your shoes... I can see it now - forever stinking, laundry-resistant... oh the horror!
I don't know what they did
But the new mesa seems to have intelligent workload distribution between the cpu and the gpu, i.e.
glxgears running in a small window - 200 fps, average 2% cpu load (with Mesa 4.1 it was 800 fps, 100% load), running maximized in 1600x1200 - 80 fps, 100% load (exactly as with Mesa 4.1). And all the games etc. run at exactly the same speeds with less cpu load.
All I can say is this is great - nobody needs insane fps numbers above 100 and it saves cpu for my poor apache running in the background :). Server gaming woohoo!
Comdex has so many potential sources for making money!
- All Las Vegas casinos and hotels make insane amounts from comdex visitors - possible investors
- Last year's comdex (the only one I've been to) was full to the brim with corporate advertising - they can charge more for the booths, and everyone will still pay, 'cause the big companies have to be at comdex - that's where you get a lot of clients, investments and etc.
And really, I don't understand how they can lose money. Comdex is like a gold mine - sure it's expensive to organize and such, but the money they make is almost always much larger than the expenses! Sure, last year's participation was below expectations (everyone being afraid of terrorists and all), they lost some money there, but surely not enough to push them as far as bankruptcy!
You have violated the laws of United MSNation, and the United MStates by breathing air that you have agreed not to breathe when you were forced to sign the EUBA (End User Birth Agreement).
Please wait for the FBI.NET team to arrive or press CTRL-ALT-DEL to activate the 10000V circuit built into your chair.
Thank you for using Windows WD, the World Dominance edition!
Why not use it for something a little bit more useful than repairing corrosion on tanks, like curing cancer (and that would be possible with that kind of electronics). And I don't really understand how this nano-tech will work. Like where the hell will the power source be? and etc. Something tells me that the editor of Military & Aerospace Electronics has a drug problem.
not for solaris. But here's an example of a patch to the linux kernel for postgres.
Well, this only shows that all applications that are needed for a server can run on anything else just as well as on solaris - any kernel-issues are resolved with a patch. And besides, the example you gave is about inter-architecture compatibility, not kernel-compatibility - the patch is for postgresql to work on ia64. We are talking about x86 systems only. Perhaps I misunderstand your point...
Solaris has always been just another argument for buying sun servers - that you get support and free updates to the os when you buy the hardware. I mean, if you make your own/buy other unix-based x86 server, what's the point of later buying solaris for it? It won't offer anything more than, say, linux. Now sun has made their x86 servers look more expensive - that you've got to pay for the updates + service too.
Solaris only makes a real difference on sparcs - and that's where they can charge for it, because if you already have a sparc server, then you are much more likely to pay money for a solaris update than if you have an x86 server and the ability to switch to other OSes without losing performance or compatibility.
There is something I don't understand. Only 3 million? For microsoft that's like a penny. I mean they could dump 30 million dollars into politics and not even notice the loss. How come they don't flood everyone with contributions? Well, 3 million is good, but 30 million is better. Heck, I reckon they could buy every congressman there is with the kinda money they have.
Well, see, if mplayer will be able to support it, it will mean that you will be able to stream it into a file (through mencoder, or without it), encode it and share it on giFT or whatever.
The problem is that the original company will probably make up some legal thing like "illegal to view with anything else than our software", or make the format itself include some kind of crypting component that will disable any 3rd-party-software compatibility.
My bank supports pretty much any browser, as long as it can handle an ssl connection. However, I know that csbc wasn't supporting mozilla about half a year ago, don't know how it is now (probably the same).
And really, I can't see any reason why some browsers would not be allowed to use the online system. I mean I understand that they might design the site with IE in mind, but why not just say something like "Use whatever you like, that has ssl, but we won't offer technical support to anything but IE" and put one of those ugly "best viewed with Internet Explorer" banners?
Well, personally, I prefer to read text without AA, because anti-aliased text is too blurry. Sure it looks pretty on screenshots and you can impress all your friends, but really, when I have to read large amounts of text from a pc screen my eyes get tired twice as quickly with AA switched on. Sharp edges help.
Now, merely having TTFs or anti-aliasing isn't enough. Take a look at this screen shot of TTFs in an OpenOffice.org document. They're clunky and blocky and basically impossible to distinguish from each other. However, with a bit of tweaking we can make them look distinct, slick and refined, as you can see in this screen shot.
I think everyone agrees that the first one is horrible. And the second... well maybe it's just me, but I can't see a difference between their tweaked AA and my own no-tweaked non-AA...
The new technique builds on previous methods but modifies the lowest levels of pixel values using data-embedding algorithms. It allows authorized viewers to extract the embedded authentication message while also removing any distortions created by the embedded information
So while the encrypted data is in the image, the picture is still distorted, it's only when you take the data out, then you get the original. What's the point of that??? I mean that was what it was like before, wasn't it?
By the way, adding plain text to the end of a jpeg file doesn't alter the image in any way, no matter how much you add. So you could encrypt the text you want and add it at the end and there you go, lossless data encryption in images:). Do I get a Nobel prize now?
Well, I haven't seen the article, cause it's been slashdotted, but to all that talk about wine virii execution - look at this (the author of the screenshot is C-Pro).
Besides, I mean, just as with any other tool, you need caution. If you run wine as root with the whole tree as e: then sooner or later you're gonna regret it. The level achieved by wine emulation is amazing, so there are going to be security flaws if you don't know what you are doing, just as with any product with functionality as extensive as wine's.
I don't think gps phones threaten anyone's privacy that much - I mean no one cries a river just because their address is known to the IRS or whatever. Knowing your current location is not that far off from knowing your address.
Really, if you think about how much the insurance companies know about you, there is the real issue.
Wouldn't an access point be much much better for a "small community network"? I mean ad-hoc only makes good sense if you have like two computers, doesn't it?
Do you find information on how to build a nuclear device in your library?
Perhaps now we will get the Answer to Life, Universe, Everything!
And it damn better not be 42!
How about an application's compatibility with the kernel, however, that doesn't just go over to another OS.
Umm... can you please show me an example of a server-oriented application that only works on solaris and doesn't have a substitute on other systems?
Linus, you da pimp! yeehaw...
um, sorry got carried away...
You are about the first person in this thread who makes sense. Keep it up.
PS oh missed fp by about 1 second...