Slashdot Mirror


User: Ed+Avis

Ed+Avis's activity in the archive.

Stories: 0
Comments: 4,579

Comments · 4,579

  1. Re:Still not safe to use Suse of any sort on openSUSE Launches 11.1 · · Score: 1

    >My whole company stopped using Novell the second they went with Microsoft and switched to Debian and Ubuntu.

    Good for you. You did also stop using Microsoft, right?

  2. Re:Still not safe to use Suse of any sort on openSUSE Launches 11.1 · · Score: 5, Insightful

    How does the Novell/Microsoft deal affect your rights? You have not signed it.

    If it did affect your rights in some nefarious way, how would not using Suse counteract that?

    But still, being aware to look after your rights is a good instinct. Just make sure it is based on facts not FUD. The Free Software Foundation has a list of free distributions which meet their standards. The FSF is generally the most legally conservative and ideologically pure outfit in the free software world, so if you use something they have approved you can be pretty certain of peace of mind.

    A reasonable alternative is to use a distribution which keeps a clear distinction between free software and non-free. Debian is famous for this, but Fedora (which is what I use) also has a policy to include only free software (in recent releases anyway). The difference with the FSF-approved distributions lies in loadable firmware, but you may not be concerned about that.

    (If you don't want to use Suse because you dislike Novell's business practices and their deal with Microsoft, that's your choice, but just say so rather than inventing stuff about 'legal risks'. Or if you do know of legal risks, please explain what they are so that people can fix the problem.)

  3. Re:to be fair on Google Zeitgeist 2008 · · Score: 1

    This assumes there is even a difference between the address bar and the search box, which is not the case for Google Chrome, and barely the case for other browsers (since they will do a search when you enter a non-URI into the address bar).

    Perhaps we will get closer once more to Tim B-L's original web browser, where URIs were considered implementation details and not shown to the user. If the desktop's clipboard supports a 'URI' data type (falling back to just text for apps that don't understand it) then you could just highlight a 'link' object and paste it into your mail client or instant messaging program. Less error-prone to do that than to highlight all of the text.

  4. Re:I think SSD will take off on Will 2009 Be the Turning Point For SSDs? · · Score: 1

    >My computer boots in 30 seconds from power on.

    And that's good? It sounds terrible to me. Computers booted in thirty seconds fifteen years ago. By now it should be almost instant. How long did it take before the SSD?

  5. Will we see the return of Stacker? on Will 2009 Be the Turning Point For SSDs? · · Score: 5, Insightful

    In the mid 1990s 'disk doubler' programs were popular, compressing data on the fly as it was saved to disk. After a few years, however, disk sizes increased sharply and the relationship between price and disk size is much steeper than linear (a 1Gibyte disk does not cost twice as much as a 500Gibyte disk). So hardly anyone bothers with dynamic compression any more. It is much easier to spend $40 more and get a drive that's twice as big.

    However, with SSDs, even when the price falls, there is still an almost linear relationship between capacity and cost (since to get twice the capacity you need twice as many flash memory chips). And while the transfer speed is fast, it's still not keeping pace with the increase in CPU speeds. Compressing on-disk data with a fast compression scheme such as LZO is often faster than reading or writing to disk uncompressed. With SSDs you need much less complexity in the filesystem to get good performance, since minimizing seek time is no longer as important. Perhaps, then, adding file compression can be done more straightforwardly than the earlier compressed filesystems designed for rotating disks.

    It won't do anything for your movie collection, but for virtual machine images and other bloat we put on our disks nowadays it could make quite a difference.

  6. Re:doesn't sound too secure yet on Google Native Client Puts x86 On the Web · · Score: 1

    Thanks to everyone who corrected me on this. Of course I was considering only the desktop so I forgot ARM. Particularly bad of me since I used to have an ARM-based Archimedes system as my main desktop ;-p.

  7. Re:doesn't sound too secure yet on Google Native Client Puts x86 On the Web · · Score: 1

    Of course you can define a subset of x86 code which is 'safe'. The difficulty comes in defining one which is both safe and still powerful enough for useful work.

  8. Re:doesn't sound too secure yet on Google Native Client Puts x86 On the Web · · Score: 4, Interesting

    x86 code runs natively on 90% of the processors out there. Java or .NET bytecode runs natively on about 0% of them (Sun did have a Java chip once but it is long dead). So it is hardly any worse than the alternatives. There are many x86 emulators and some of them have reasonable performance.

    If we were starting from scratch now, nobody would choose the barnacle-encrusted i386 instruction set as a way to distribute programs. But given the hardware and software that exists, it's not such a bad choice.

    On the security side, I'll just quote Google's description: "modules may not contain certain instruction sequences". That doesn't sound like a robust way to detect malicious code.

    Of course, the way to do it is to define what instruction sequences are safe and allow only those. I assume that's what they are doing and 'modules may not contain certain instruction sequences' is just the one-line summary.

    That said, you can make any instruction sequence you like using the assembler and run it on your Linux system, and it cannot break out of the process virtual machine to access hardware or memory belonging to other processes or the kernel. If it can, this would be a bug in Linux. So there is no reason why arbitrary instruction sequences couldn't be allowed in principle, if you let the operating system do the work of sandboxing the process. After all why reinvent the wheel?

  9. No Parrot? on Comparison of Nine Ruby Implementations · · Score: 3, Interesting

    Is there a reason why they did not test Cardinal, the Ruby implementation for Parrot? I know it is not production-ready yet but it would be interesting to see how performance compares.

  10. Javascript speed on Firefox 3.1 Beta 2 Adds Private Browsing · · Score: 3, Insightful

    If the new Javascript engine is turned on, does this mean that the new Firefox beta gives a larger e-penis than Chrome or the latest Safari?

    Seriously, I am thinking it might be time to start learning Javascript (to a higher level than just being able to copy and paste snippets to autoscroll the page and other simple effects). It's not perfect but it has wide support and mindshare, which is more important than any technical criterion. What I want to do is display simple graphs in the browser of things like stock prices, based on information fetched over SOAP (yeah I know SOAP is a bit clunky, but it's the interface I have). Can more experienced programmers recommend Javascript tutorial sites (at a higher level than 'copy and paste this snippet of code to get cool smilies!') or a good set of libraries?

  11. Re:Links on UK ISPs Are Censoring Wikipedia · · Score: 1

    >You can get to it via the https connection to Wikipedia.

    Which shows why https connections should be the default.

  12. Re:How much do you want to learn? on What Programming Language For Linux Development? · · Score: 1

    Actually, there is a java-gnome interface that is reasonably complete.

  13. What is this Virtual Bridges thing? on IBM Launches Microsoft-Free Linux Virtual Desktop · · Score: 1

    Any idea why they didn't just use X11 thin clients or other free remoting systems like VNC or NX? What is so great about Virtual Bridges? I hadn't heard of it before.

  14. Re:only firefox? on 'Greasemonkey' Malware Targets Firefox · · Score: 1

    - Most users are not techies and do not know about kill(1) or even Windows task manager. Firefox is intended for everyone, not just propellerheads.

    - Even if in some magical world the kill(1) command were understood by everybody, Firefox should not rely on you using it for something that should be taken care of in the browser; just like it purges its disk cache automatically and does not expect the user to manually run 'df' and 'rm'.

    - Even in that magical world, kill(1) will not terminate the running Javascript in a single tab. All it can do is signal the entire process. If you kill the Firefox process then you lose all your work in other tabs. (If you ask to restore the tabs on startup, then you get back to the same endless loop of Javascript...)

    - Firefox is designed to be able to operate in 'kiosk' setups where the task manager or command prompt is not available.

    Of course you are much too smart to be coerced into installing anything by an endless series of Javascript popups. But it does work a lot of the time; otherwise the malware authors wouldn't do it.

  15. Re:Username/password combo for banks flawed. on 'Greasemonkey' Malware Targets Firefox · · Score: 1

    >I'll assume you were talking about the private key for the dongle first, and then the private key for the bank. Otherwise it makes no sense.

    Yes, that's what I meant.

    >In that case, it's a classic key-sharing problem.

    The key sharing is done when the bank sends the security device to the customer. Yes, somebody could intercept it, just as they could steal a credit card sent through the post.

    I agree that using a secure authentication device does not make the whole system secure.

  16. Re:Username/password combo for banks flawed. on 'Greasemonkey' Malware Targets Firefox · · Score: 1

    1. Yeah I know marketing departments being what they are, there will be many devices marketed as 'secure' which aren't. That does not imply that no secure authentication devices exist. They do exist.

    2. No, the key is not on the banking server, at least not necessarily; it's a public/private key pair, so the banking server has the public key (which, as you know, can be distributed widely) while the private key is on the device. Similarly each device has the bank's public key but only the bank has its private key.

    2a. If the bank's secure server is compromised then all account security is lost anyway, so the whole discussion kind of assumes the bank is able to avoid their systems getting hacked. (By and large, they do.)

    >The end user will lose the dongle.

    Yeah - in which case someone who picks it up has a chance of getting into the person's account if they know the account number and password. That's what we were discussing: that you have to possess the smartcard or other device to access the account.

    >The dongle will be cracked.

    That gives access to one account only (the private key or secret stored on the smartcard is just for that account).

    >The dongle will malfunction.

    That could happen. In which case the user loses access to their account.

    >Malware to attack the dongle without physical access will be written.

    Not possible for the reasons given. The device *is not connected to the computer at all*. Typically, they work by the bank site displaying a number on screen; the user types in the number using a keypad on the device and the device shows a response code for the user to type into the computer and send back to the site.

    I am not saying that malware can't interfere in other ways, for example, it could sniff the bank balance displayed on screen, or change the user's keystrokes so that the account number to transfer to is different. To avoid that, you would need to have all interaction with the site go through the device.

    >Your encryption scheme has weaknesses.

    Indeed, that is another thing that can go wrong. But the kinds of secure devices sold by companies like RSA (for at least fifteen years now) are unlikely to be cracked any time soon. If the crypto is successfully broken, then we are all in trouble.

  17. Re:Username/password combo for banks flawed. on 'Greasemonkey' Malware Targets Firefox · · Score: 2, Insightful

    >And the banking site should be implemented in such a way that hackers can't hack it.

    That is already the case. AFAIK, almost no online banking fraud is done by attacking the bank's website. It is the user's PC that gets hacked.

    What the other poster suggests is quite possible, and has been done for years. There are many smartcards and authentication devices made by companies like RSA that you use to log in with challenge-response. Because the secret key is held on the device and is never disclosed to the outside world, you cannot copy a device without physically disassembling it and getting out the key by probing the electronics.

    Because you can't download free smileys or animated cursors to install on your smartcard, or indeed load any software onto it at all, it cannot be attacked with downloadable malware.

  18. Re:only firefox? on 'Greasemonkey' Malware Targets Firefox · · Score: 1

    Yes, the page has been taken down since it was mentioned in the bug report. I don't know what exactly it was trying to make the user run (perhaps just a Windows executable not a Firefox extension) but it was something unpleasant.

  19. Re:only firefox? on 'Greasemonkey' Malware Targets Firefox · · Score: 5, Interesting

    The cool thing about Firefox is that you can basically force users into installing malware by exploiting bug 59314. Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.

  20. Re:Monopoloy on Windows Drops Below 90% Market Share · · Score: 1

    That's good news, but high definition playback is still blocked by Apple.

  21. Re:Monopoloy on Windows Drops Below 90% Market Share · · Score: 1

    Apple have started sucking already: the newest Macbooks block you from playing back movies you own on a non-Hollywood-approved display, and there is no way to turn off this 'feature'. Once you start getting a captive market you forget who your real customers are.

  22. Re:Does 'Opteron' mean 'expensive'? on 45nm Opteron Performance, Power Efficiency Tested · · Score: 1

    Well, OK, the terminology I've always seen is to say 'two sockets' when you mean to say that there are two separate chips on the motherboard, rather than two cores in the same chip (which is another way of providing 'two processors'). But I take your point.

    Does that mean that the Opteron cannot be used in a single-socket configuration? In the old days the Pentium Pro was SMP capable, but often used in single-socket motherboards.

  23. Re:Does 'Opteron' mean 'expensive'? on 45nm Opteron Performance, Power Efficiency Tested · · Score: -1, Redundant

    A lot of desktops these days have dual core processors as standard, so I don't think you can say that this is a server feature by definition. If AMD doesn't have a reasonably priced desktop chip that competes on performance with Intel's Core Duo and Core i7 then they lose out on the large market segment in between low-end desktops and servers.

  24. Re:There's a reason some cars cost more than other on Study Confirms That Cars Have Personalities · · Score: 3, Informative

    >Cheap cars have weak, stupid, submissive faces.

    Not always. Take the original Mini or Beetle for example.

  25. Does 'Opteron' mean 'expensive'? on 45nm Opteron Performance, Power Efficiency Tested · · Score: 1, Insightful

    I'm not wise to all the marketing names that chip vendors use these days: will this 'Opteron' chip be priced competitively as an alternative to the Core i7, or will it just be an expensive server processor? I know that having the fastest top-end chip has a halo effect on the rest of the range but with Intel's mid-range processors being good and cheap, that's where AMD most needs to make an improvement.