Let me add to that... There are not well established procedures to remove viruses on a Mac either. My institution recently went through an evaluation of AV vendors. We grilled each one on various topics, including a few things related to Macs since we have about 20-30% Macs on our network. One thing was an incident where Sophos AV did some damage trying to remove an OS X system file which was incorrectly identified as a virus. The Sophos guy said that they try to do the best that they can with lab tests but it's not the same as having experience with real viruses. Since there isn't a significant amount of any kind of malware for OS X, they don't have much to go on.
If I hibernate / sleep while on the corporate network, and I wake up that thing at home, opening an explorer window will take ~20 seconds because it tries to access the previously mapped network drives. This should be done out of band or potentially not at all in my view, not *every* bloody time you open an explorer. It's a bad implementation.
Why should a web browser be automatically accessing mapped drives anyway? Unless I'm missing something, this is a typical example of bloatware. It's just the sort of thing that causes some of us to be dissatisfied with Microsoft.
There's a restaurant in my area which accidentally set up a Faraday Cage with the wire mesh used in their stucco exterior. Cell phones don't work inside.
I suppose with a prison like this they have multiple buildings and the prisoners might have time outside where they could use cell phones. Then, of course, they want their own guards' radios to work.
Back in the Clinton administration, the FTC tried to set a precedent for enforcement of privacy policies with the case of Toysmart.com. Toysmart.com went bankrupt and a judge ruled that they could sell their customer database in violation of their own privacy policy to settle debt. The Clinton administration tried to reverse the decision on appeal but the case went on after Clinton left office and Bush came in.
The Bush administration tried to broker a compromise allowing Toysmart.com to sell their database as long as it was to a company in the same industry. One of the shareholders in Toysmart.com didn't want to be responsible for that decision so he bought the database himself and destroyed it. No precedent was set and the Bush administration hasn't tried to prosecute anyone for violation of privacy policy since.
Yes and no. The Internet was designed to withstand the destruction of large amounts of hardware. Things like DDOS attacks are another matter altogether and were not really anticipated.
I think the answer to your question is that there's always some specific test for the encryption algorithm to use to see that it has the right password and cracking software will use that same test. The algorithm, itself, can't assume that it can discern your data from random data. In fact, there are situations where you do encrypt random data (IIRC, TrueCrypt does this to hide the extent of encrypted actual data).
Having to crack two passwords, therefore, only doubles the complexity. Using a key twice as long, in the first place, makes the crack many orders of magnitude harder. There's a common misconception about 3-DES that it just encrypts your file three times, using segments of one passphrase as though it were three different passwords. It's actually much more complex than that.
A situation that is similar to what you're talking about is the default password hashing of Windows XP, which you can crack with a tool such as John the Ripper. XP breaks up your password into segments of 7 characters and there are 95 possible characters that can be used in passwords. So, if your password is 14 characters (or fewer), the cracker has to go through 95^7 possibilities twice (2 X 95^7). If you change to a better hashing system, then you can increase the possibilities to 95^14 with the same password. Even an eight character password is much better than two seven character passwords because it's 95 times harder to crack instead of twice as hard.
My employer is currently going through a change of policies after an incident where someone stole laptops which had SSNs on them. They were actually locked up at the time but with flimsy cables. The cables were found cut and the laptops gone. At first the users of the machines said that there had been no sensitive data on them but then, once backups were analyzed, it became apparent that there was a lot of sensitive data present. That's lesson number one. End users often don't even realize the sensitivity of what they're working with.
We are in the process of changing policies and procedures. It seems that the main measure taken will be to change workflows and setups to locate data on file shares rather than on local hard drives or other disks. We are, in fact, using Find_SSNs but only for Mac users. The recommended software for Windows is Identity Finder because it's much more user friendly. Senf is more user friendly than Find_SSNs but I think the reason we chose against it was that, in testing, it had a higher rate of false positives and false negatives.
Rumor has it that there is a running debate within Apple about whether or not to open source Mac OS 9 and earlier. I don't suppose anyone can validate that rumor without violating an NDA? The main argument against is that it would cannibalize some of the market share of OS X.
I agree that it would have been an interesting move for Apple to open source A/UX back when it was still in use but that's a different question from the idea of abandonware. There isn't much point in open sourcing it now because the only thing that's really novel about A/UX compared to other UNIX is that it included an emulator to run System 7 software. There was speculation that Apple would use that to handle legacy support in OS X but they decided it was better to create the Blue Box "Classic Environment," instead.
I have thought about that sort of thing a lot since I joined the Green Party. The thing is that I did it mostly as a protest against the so-called "two party system." I have yet to actually vote for a Green Party candidate except for local, town level, elections.
Note that the screen shot of the poker trojan shows that the password dialog only has an "OK" button. There is no cancel. Some fraction of users are going to put in their password just because they don't see any other way to get rid of the dialog box. I've seen users do stuff like that before.
A few years ago, we had a situation where attackers were scanning the net to find machines running Irix (Silicon Graphics UNIX) because they were easy to break into. Attackers go after easy targets, not necessarily common targets.
I have been one of the first to point out the same thing in each of these past cases but this is different. We have a scriptable application setuid to root. That's an obvious vulnerability on a silver platter. What was Apple thinking?
As a republican, I find this sort of increased government intervention frightening.
As a Green Party member, I do too. By participating in the process, the government is lending legitimacy to the result. Undesirable things could happen right under their nose and it will be difficult to have any recourse because Microsoft can always argue that whatever they did was approved at the time.
I thought that Sun won the JAVA suit as a matter of trademark infringement. Sun had created a detailed definition of what the JAVA trademark stands for and included the idea that it uses a common denominator approach to achieve interoperability. For example, only supporting one mouse button because some computer systems only have one mouse button. Microsoft, by including support for things not common to all major computer systems, had created something which didn't fit the definition of JAVA but which they were calling JAVA.
Since then, some FOSS advocates have encouraged the idea of projects registering trademarks to protect their work in exactly this way.
Right, and Microsoft has already gone on the record saying that they were creating OOXML because ODF lacks features. What those missing features are, I don't know but now they will just have to help out the community by adding features to ODF.
Apple's iWork does do many of these things, but isn't a fantastic candidate due to its platform dependence. Cost is also an issue, though at a fraction of the cost of Office, it remains fairly competitive.
I think it would be a good thing, however, if Apple adopted ODF as iWork's default format. That way the files, if not the software, would be cross-platform. It would also help to contribute towards a critical mass of non-Microsoft support for ODF.
It also happens that Apple announced a long time ago that they would port Cocoa to Windows. Rumors are that they have now done so and are using it to develop iTunes and Safari on Windows but the full Cocoa framework isn't ready for prime time on Windows yet. Once it is, I'm sure that Apple will use it to port iWork to Windows.
Local law, where I live, draws a distinction between "electronic signatures" and "digital signatures." The latter means PKI. The former can be any of many different things, even a database flag which says that a given user has approved something. Of course, very few people actually understand the distinction.
We had a system for a while where there was a VB script which doctors would use to sign their transcribed dictations (MS Word files). That VB script would apply a digital (PKI) signature, insert a line in the footer saying that the document was digitally signed, and insert a graphic of the doctor's written (and scanned) signature. Naturally, administrative assistants would routinely refer to the graphic as the digital signature. The fact that there was also a cryptographic signature, with a digital certificate, was lost on them.
I guess you're referring to 2001 A Space Odyssey, whose theme is "The Blue Danube," which is a Strauss waltz. I followed the link on the article to see if that's the one they used but it isn't. They used "The Voice of Spring."
Right, remember to always wear a mask while driving.
It seems like more often they see some piece of software that they like and buy the company that wrote it.
I think you're missing the point. It's all about buzzword compliance.
So you're saying that they do not so much fly as plummet.
That would be Clan Macintosh of Silicon Valley.
Right, Microsoft is the new IBM.