With OpenSSH you have a chance to thwart these attacks - not only does it support SSH protocol 2, it also displays "fingerprints" for each unknown key it receives from over the network. You can use this fingerprint to do out-of-band checking of key authenticity (e.g. by phone, in person, PGP signatures on a web page, etc).
There is also a project underway to allow OpenSSH to use keys distributed by DNSSEC.
This attack then comes back to user apathy (i.e. not bothering to verify key fingerprints). An alternative (not yet implemented) is some form of PKI, which has its own problems (complexity, centralised trust, revocation issues).
Re:two-party vs. three-party authentication (on "SSH v. SRP", Score: 2)
SSH and (IIRC) IPsec use two-party authentication. That means anyone can talk to anyone else, but as another article pointed out it also opens the door to "man-in-the-middle" attacks.
Both SSH and IPsec also include mechanisms for prevention of MITM attacks. SSH uses RSA host keys which can be pre-exchanged (OpenSSH extends this to include PGP-style key fingerprints), IPsec can use a variety of methods including preshared symmetric or PK keys or certificates for various forms (OpenPGP, X509, DNSSEC).
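The out-of-band fingerprint check described in the comments above, as an added example (not from the original comments and not OpenSSH's own code): it rebuilds the key blob from a known_hosts line, computes an OpenSSH-style SHA256 fingerprint and compares it with the fingerprint obtained by phone or from a signed web page. The host name and key bytes are constructed for the example; the blob layout follows the SSH wire format.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    # One length-prefixed string in SSH wire format (RFC 4251).
    return struct.pack(">I", len(data)) + data

def encode_ed25519_pubkey(raw32: bytes) -> bytes:
    # The blob that appears base64-encoded in a known_hosts line.
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)

def decode_pubkey_blob(blob: bytes) -> list:
    # Split a blob back into its length-prefixed fields.
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields

def fingerprint_sha256(blob: bytes) -> str:
    # OpenSSH form: base64 of the digest with '=' padding stripped.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_known_hosts_line(line: str):
    # Returns (host, key type, blob); rejects a blob whose embedded type
    # disagrees with the declared one.
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    if decode_pubkey_blob(blob)[0] != keytype.encode():
        raise ValueError("key type field does not match key blob")
    return host, keytype, blob

def verify_out_of_band(line: str, trusted_fp: str) -> bool:
    # Compare the key presented over the network with the fingerprint
    # obtained out of band (phone, in person, signed web page).
    _, _, blob = parse_known_hosts_line(line)
    if not trusted_fp.startswith("SHA256:"):
        raise ValueError("expected a SHA256: fingerprint")
    return hmac.compare_digest(fingerprint_sha256(blob), trusted_fp)

# Constructed sample data, not a real host or key: the genuine key is the
# 32 bytes 0x00..0x1f; the substitute differs in every byte, as a swapped
# key presented by a man in the middle would.
GENUINE_KEY = encode_ed25519_pubkey(bytes(range(32)))
SUBSTITUTE_KEY = encode_ed25519_pubkey(bytes(range(1, 33)))
TRUSTED_FP = fingerprint_sha256(GENUINE_KEY)  # the value you were told by phone
GENUINE_LINE = "bastion.example.com ssh-ed25519 " + base64.b64encode(GENUINE_KEY).decode()
SUBSTITUTE_LINE = "bastion.example.com ssh-ed25519 " + base64.b64encode(SUBSTITUTE_KEY).decode()
```

`verify_out_of_band(GENUINE_LINE, TRUSTED_FP)` is True and the same call with `SUBSTITUTE_LINE` is False; the fingerprint a real server shows on first connection should be checked the same way before the key is accepted.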
Re:It's just that fewer girls are religious loons (on "Want More Geek Chicks?", Score: 1)
It's not that female hackers are needed on open source projects, but people who are outside of the religious circles that are so common among Linux programmers and users. Being inside such a circle is a primary cause of design errors and business mistakes.
Care to back this up with some concrete examples? Most of the projects I have been involved with (as a user and/or developer) suffer from lack of human resources rather than groupthink.
All of your gripes can be explained by the fact that the software in question is written by developers who donate their time. I will probably never write a C++ API for any of the software that I work on, because it is uninteresting to me, not because of groupthink or an inherent hatred of C++.
Perhaps a contribution in the form of code, money or even a polite request would get these projects cleaned up to your satisfaction. Bitching at the people who are actually doing something certainly won't.
They won't until DJB releases djbdns with a real, open-source license (not likely).
Why on earth would we want to support and perpetuate the horror that is ActiveX? The more platforms it is supported by, the more legitimacy it has as a "de-facto standard".
For years clueful IT people have been saying that end users should be more conscious of their security. Now that people are actually showing signs of doing this (albeit in a silly manner) they get criticised?
Not everyone wants to, needs to or has the time to know everything about network security. Don't jump down their throats just because they happen to care about the traffic traversing their networks.
That's right, the author should have said that it is complete and bug free - then it would surely be acceptable! After all, free software projects are always born whole.
... and by linking to it, Slashdot validates this style of gutter journalism through the only metric which matters to the publishers - page impressions.
It really is a case of "ignore it and it will go away."
I ran OpenBSD 2.6 on an old 486-25 laptop for about six months. It was very stable and I only decommissioned it because I needed a faster machine to do IPsec.
Yes, it sucks, yes, there are probably motivations to enforce it NOW all of the sudden. But that doesn't make it less enforceable or less of an argument.
Actually it does - one of the central principles of trademark law is that you have to actively defend your trademark. You cannot, for example, wait for your trademark to come into general use and then demand it back.
You should try emailing the developers at openssh-unix-dev@mindrot.org. We can only fix problems that we know about.
It is in the CVS snapshots
Rubbish.
We have had LaTeX for many years and papers are independently published in LaTeX format. Have a look at arXiv.
At first it seems too predictable
Duh. The software that these people write is responsible for *lives*. If I had to depend on the code of some "pizza and coke" programmer for my existence I would want the development process to be predictable too.
Most programming isn't sexy. Deal with it
I have been making music with Linux on and off for about five years using Csound. Csound is a venerable piece of synthesis software. Its origins date back to some of the earliest formalised computer music at MIT.
Writing music in Csound is pretty difficult, but very rewarding. Instruments are written in a flexible and powerful language (think of a language for describing modular synths and you are halfway there). The score is written in a separate tabular file and there exist tools to convert MIDI files to Csound scores and back.
Recently Csound has picked up realtime capabilities. It is now possible to play Csound using a MIDI keyboard and hear the results by a soundcard. It is also possible to use Csound as a realtime effects unit.
There is a Linux version here
OpenBSD isn't just NetBSD with a bit of crypto thrown in for good measure. OpenBSD is the first free operating system engineered with security as its primary goal.
Every line of code in OpenBSD has been audited, crypto has been used pervasively (not just applications, but in libc and the kernel) and the team is more than willing to say "no" to features which would negatively impact on security.
The first and last of the above points make integration difficult. Most people cannot be bothered and are not able to perform real security reviews and most people are more interested in features than security.
New != better.
I am happy that the crypt() code needed no changes - this indicates that it is stable. Stable crypto code = good.
The "attack", detailed in http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf, appears to be a better search algorithm for finding keys in already-compromised media. Anyone relying on a strange filename or a full disk to hide their RSA keys now has even more need to worry :)
This is not a new "break", it just makes security-through-obscurity even less obscure/secure.
On the other hand, regularly sweeping crack.linuxppc.org with security scanners, to see if there are any holes there could be construed as cheating, as it would present a moving target, which is virtually guaranteed to stay ahead of all currently-known exploits.
Why would this be cheating? Any competent sysadmin should be doing exactly this. ProFTPd has had multiple vulnerabilities found since 1.2.0pre4, all of which were reported to bugtraq and other places.
IMO the organisers of the contest have let the Linux community down by leaving a known vulnerability on such a prominent box. I hope that they weren't relying on the obscurity of PPC shellcode for security.
So he wrote TeX and is nominated because of it. My point was that his achievements in the field of computer science are not particularly relevant to THIS award. His comp sci achievements are why some posters seem to think he should have won...
Despite what some free software zealots believe, free software is based on what has come before it. Knuth is one of the largest contributors to this pool of knowledge. Dismissing his contributions as irrelevant is revisionist and disrespectful.
Furthermore, Knuth has always taken a stand against software patents and has advocated open algorithms.
is this simple point really that tough to follow?
No, you are just wrong.
So let him continue to win Computer Science awards - this award was for the advancement of free software.
Which he has done. Have you ever looked at the license for TeX?
_Why_ should they consult religious leaders at all? It is this very experiment which is going to prove them irrelevant once and for all. After all, if man can create life, then what makes "god" so special?
The experiment that you mention was an attempt to simulate the so-called "primordial soup". A glass globe was filled with gases (mainly CH4, CO2 & N) and liquids which were theorised to be similar to those prevalent on Earth several billion years ago. This globe was carefully sterilised to prevent contamination by modern organisms.
This mixture was then subjected to electrical discharges (in the form of a spark gap) and ultraviolet radiation. The contents were then analysed and found to contain several fundamental amino acids.
As the "guy in Australia" who made the changes you mentioned, I cannot agree with your view. The OpenBSD developers have been very accommodating and we have been actively swapping patches and bug reports. I have not been "improving the code" as it is of good (and improving) quality already.
I have no expectation that the OpenBSD developers choke their CVS tree up with cross-platform cruft. Part of the reason why their OS is so clean and secure is that there is none of that junk in there. As mentioned previously, we do exchange patches to close bugs and add features.
Finally I find it ironic that, in a diatribe about how others failed to give me due credit, you didn't even bother to use my real name.
The first problem with your statement is the assumption that no one has servers running loads like this on a regular basis. I'm sure that Amazon.com and Yahoo would argue that for their purposes, these loads are unrealistically low.
The load levels were probably not unrealistic, but the load *pattern* was.
Amazon.com and Yahoo clients are not milliseconds away on a LAN, they are a mix of high and low latencies, high and low bandwidths, lossy and clean links and variously buggy and featureful TCP/IP stacks.
I wonder how NT would do under these *real world* conditions? Perhaps a clue can be found from your examples:
Amazon.com: Server: Stronghold/2.4.2 Apache/1.3.6 C2NetEU/2412 (Unix)
Yahoo.com: (nmap -O) Remote operating system guess: FreeBSD 2.2.1 - 3.0