Only allow certain clients (IE) to access the challenge/CAPTCHA. This way you know the referrer isn't forged. This discards both the script and the zombie fetching the challenges.
Identify the client/machine uniquely in a way that isn't forgeable. Attach this information to the yahoo.com or hotmail.com account, and keep track of how many accounts are registered per machine.
Remains the attack were the porn site *asks* the user to go and register an account with such membername and such password, before getting access to the porn...
Do you remember the copyrighted anti-spam haiku? Maybe including a copyright notice inside the image would be a way to threaten the porn sites that would "steal" the CAPTACHA. This is definitely not a technical solution but yet another way to leverage the copyright laws to protect against this attack.
Another trick would be to merge a user notice inside the image. The notice would say "Exclusive property of yahoo.com" or "Using outside of Hotmail.com is illegal"? Of course such a notice needs to be readable by humans, while difficult to remove for a computer, which is yet another challenge. The question is what creates the most psychological pressure? Porn or EULAs?;-)
I would add that a solution needs to be "deployable". For example, a completely new (and backward incompatible) "SMTP" protocol is really hard to roll out.
A migration strategy is needed for adoption.
I don't know about the quality of the routes, but in terms of representation, LineDrive is one of the most useful ones out there.
It basically attempts to draw what you would draw on a paper for a friend: very long distances are shortened, useful landscape marks appear, only the useful street names are listed,...
I posted about LineDrive and pointed to a research paper that explains how it works, a little while back. The entry is available here.
I don't have any opinion or evidence as to whether the french president was defending an oil deal.
But I'll tell you that the french people definitely didn't.
The french people, as well as the italian, the british (yup) and others were walking in the capital cities of the EU demonstrating against war to Iraq. Polls actually showed majorities of the people of these countries being opposed to that war.
The EU council (it's majority) rejected that war too, are you gonna argue they were bought by oil deals?
If you were sitting on the other side of the fence (take you/. reader hat for a sec), would you call the eWeek article and Slashdot post FUD?
I'm not saying something doesn't smell fishy here, but why not stop the speculation and live by the high standard of proof that we expect from others (say SCO)?
Suspicion is one thing, but backing it up with data and actual proof is another.
At least both eWeek and Slashdot present it as it is: a question. A valid question for sure, but that seems really speculative at this point...
Let's put it this way: what are the criteria for success for Mono?
Success depends on the goals you are aiming for.
Sure interoperability with MS's version of.NET is nice, but I don't think it is the most fundamental goal of the Mono project.
I think Mono aims to be a great development platform for Linux and other platforms.
If you think Mono isn't justified. Can you argue where the Mono related resources would be better spent instead?
In my mind the main choice is whether to spend time improving Java or developing Mono.
The question then becomes: what are the merits of developing Mono versus trying to improve Java?
Some merits for improving Java:
Java has a large user base and community supported. It's already rather cross-platform.
Mono may help some devs migrate away from Linux.
Some merits for developing Mono:
It may help migrate devs migrate away from Windows. The CLR may have a better support for binding to native libraries and for multiple languages.
There is probably lots of other merits either way and the ones I listed have different weights (some are important merits and some less).
Also some merits might be conditional on some factors (like Microsoft's behavior) which introduces risk in the equation.
Now, I can't solve the equation for you. But so far, nobody convinced me that the value of Mono is less than alternatives.
The parts of.NET that are standard are safe.
The parts that aren't standard aren't required to Mono and can be replaced with other libraries.
Sure MS can keep changing APIs, but that will hurt them and their customers too. But even if they did, Mono is still a big gain as a Linux development plateform.
This is a good idea. Why not apply it to enterprises too? It would allow enterprises to save some bandwith by avoiding every employee use streams from the internet. It would allow the music companies to get some control and money back. I would think the bandwith argument might be enough to make the company pay instead of the employee;-)
Wow, you could imagine making the LCD smaller and portable. You could even carry it in your pocket and put all sorts of useful information on it. Using a computer you could even synch to get the latest information. One could call it a PDA.
Sure the hardware part of making one of these LCD devices probably is fun, but it's not like this was new and there wasn't dozen of people doing similar things out there. What's next, email notification on a LCD, calendar, reminders, movie schedules, temperature, mp3 player status,... ? I really though the bar for 'novelty' was higher than that on Slashdot.
What exactly would you expect by running a recognizer on such drawings? Garbage in, garbage out... The only thing that seems weird is that is would seem possible for the recognizer to know that the approximation he found was really far fetched.
When I wrote a C# grafitti application a couple months back, if the gesture didn't match any letter close enough, the recognizer would not try to match it at all. So if you write a non-sense letter you don't get any result back. Maybe the Tablet recognizer could have had something similar. But on the other hand the user is given a chance to fix whatever the Tablet recognized, so the current model seems fine.
The Tablet seems like a great product, if only I could get the one that I want (it's backordered everywhere in the US). I just wonder why isn't there more reviews and comparisons and testimonials all over the web (like there is for the iPod for example). Are users happy with them? What do they use them for (browsing, reading divx, playing mp3,...)?
I really don't understand why so many people on this forum say the problem lies in the virusscan app or other vendor application. Same for the John Howie in the securityfocus discussion mentioned above.
Sure these apps probably shouldn't run as a localsystem user, but that is not the point of the exploit.
The point of the exploit is *elevation of privilege*. That is: not necessarily to gain localsystem access.
If you have two apps that run with two differents privileges in the same desktop they can steal their privileges from each other. That's bad in itself, and there is nothing wrong with apps needing various levels of privilege.
The problem is not in the vendor apps, although they can worsen the problem by having desktop apps running with un-necessary privileges.
Slashdot Mirror
Palladium/NGSCB is exactly for that. It is hardware-enforced proof/certification that the client isn't tampered with.
Only allow certain clients (IE) to access the challenge/CAPTCHA. This way you know the referrer isn't forged. This discards both the script and the zombie fetching the challenges.
Identify the client/machine uniquely in a way that isn't forgeable. Attach this information to the yahoo.com or hotmail.com account, and keep track of how many accounts are registered per machine.
Remains the attack were the porn site *asks* the user to go and register an account with such membername and such password, before getting access to the porn...
Do you remember the copyrighted anti-spam haiku? Maybe including a copyright notice inside the image would be a way to threaten the porn sites that would "steal" the CAPTACHA.
;-)
This is definitely not a technical solution but yet another way to leverage the copyright laws to protect against this attack.
Another trick would be to merge a user notice inside the image. The notice would say "Exclusive property of yahoo.com" or "Using outside of Hotmail.com is illegal"?
Of course such a notice needs to be readable by humans, while difficult to remove for a computer, which is yet another challenge.
The question is what creates the most psychological pressure? Porn or EULAs?
I would add that a solution needs to be "deployable". For example, a completely new (and backward incompatible) "SMTP" protocol is really hard to roll out.
A migration strategy is needed for adoption.
I don't know about the quality of the routes, but in terms of representation, LineDrive is one of the most useful ones out there.
It basically attempts to draw what you would draw on a paper for a friend: very long distances are shortened, useful landscape marks appear, only the useful street names are listed,...
I posted about LineDrive and pointed to a research paper that explains how it works, a little while back. The entry is available here.
I don't have any opinion or evidence as to whether the french president was defending an oil deal.
But I'll tell you that the french people definitely didn't.
The french people, as well as the italian, the british (yup) and others were walking in the capital cities of the EU demonstrating against war to Iraq. Polls actually showed majorities of the people of these countries being opposed to that war.
The EU council (it's majority) rejected that war too, are you gonna argue they were bought by oil deals?
If you were sitting on the other side of the fence (take you /. reader hat for a sec), would you call the eWeek article and Slashdot post FUD?
I'm not saying something doesn't smell fishy here, but why not stop the speculation and live by the high standard of proof that we expect from others (say SCO)?
Suspicion is one thing, but backing it up with data and actual proof is another.
At least both eWeek and Slashdot present it as it is: a question. A valid question for sure, but that seems really speculative at this point...
Let's put it this way: what are the criteria for success for Mono?
.NET is nice, but I don't think it is the most fundamental goal of the Mono project.
Success depends on the goals you are aiming for.
Sure interoperability with MS's version of
I think Mono aims to be a great development platform for Linux and other platforms.
If you think Mono isn't justified. Can you argue where the Mono related resources would be better spent instead?
In my mind the main choice is whether to spend time improving Java or developing Mono.
The question then becomes: what are the merits of developing Mono versus trying to improve Java?
Some merits for improving Java:
Java has a large user base and community supported. It's already rather cross-platform.
Mono may help some devs migrate away from Linux.
Some merits for developing Mono:
It may help migrate devs migrate away from Windows. The CLR may have a better support for binding to native libraries and for multiple languages.
There is probably lots of other merits either way and the ones I listed have different weights (some are important merits and some less).
Also some merits might be conditional on some factors (like Microsoft's behavior) which introduces risk in the equation.
Now, I can't solve the equation for you. But so far, nobody convinced me that the value of Mono is less than alternatives.
The parts of .NET that are standard are safe.
The parts that aren't standard aren't required to Mono and can be replaced with other libraries.
Sure MS can keep changing APIs, but that will hurt them and their customers too. But even if they did, Mono is still a big gain as a Linux development plateform.
The people from Mono explain this at Mono / FAQ
IANAL and my english isn't that great sometimes, but EFF's release concerning this doesn't match BuisnessWeek's, from what I can tell.
Check out EFF's release: California Supreme Court Upholds Free Speech in DVD Case.
I am misunderstanding it?
This is a good idea. Why not apply it to enterprises too? ;-)
It would allow enterprises to save some bandwith by avoiding every employee use streams from the internet. It would allow the music companies to get some control and money back.
I would think the bandwith argument might be enough to make the company pay instead of the employee
Cheers
Dumky
Wow, you could imagine making the LCD smaller and portable. You could even carry it in your pocket and put all sorts of useful information on it. Using a computer you could even synch to get the latest information.
... ?
One could call it a PDA.
Sure the hardware part of making one of these LCD devices probably is fun, but it's not like this was new and there wasn't dozen of people doing similar things out there. What's next, email notification on a LCD, calendar, reminders, movie schedules, temperature, mp3 player status,
I really though the bar for 'novelty' was higher than that on Slashdot.
Dumky
Sorry if my english is somewhat incorrect.
Hi,
What exactly would you expect by running a recognizer on such drawings? Garbage in, garbage out...
The only thing that seems weird is that is would seem possible for the recognizer to know that the approximation he found was really far fetched.
When I wrote a C# grafitti application a couple months back, if the gesture didn't match any letter close enough, the recognizer would not try to match it at all. So if you write a non-sense letter you don't get any result back.
Maybe the Tablet recognizer could have had something similar. But on the other hand the user is given a chance to fix whatever the Tablet recognized, so the current model seems fine.
The Tablet seems like a great product, if only I could get the one that I want (it's backordered everywhere in the US). I just wonder why isn't there more reviews and comparisons and testimonials all over the web (like there is for the iPod for example).
Are users happy with them? What do they use them for (browsing, reading divx, playing mp3,...)?
See you,
Dumky
Actually you CAN delete a MS Passport.
This functionnality has some limits though: the data partners store about you is not deleted.
I really don't understand why so many people on this forum say the problem lies in the virusscan app or other vendor application. Same for the John Howie in the securityfocus discussion mentioned above.
Sure these apps probably shouldn't run as a localsystem user, but that is not the point of the exploit.
The point of the exploit is *elevation of privilege*. That is: not necessarily to gain localsystem access.
If you have two apps that run with two differents privileges in the same desktop they can steal their privileges from each other. That's bad in itself, and there is nothing wrong with apps needing various levels of privilege.
The problem is not in the vendor apps, although they can worsen the problem by having desktop apps running with un-necessary privileges.
See you,
Dumky