Slashdot Mirror


User: lazyl

lazyl's activity in the archive.

Stories: 0
Comments: 226

Comments · 226

  1. Re:protocol is slightly flawed on Swiss Researchers Find A Hole In SSL · · Score: 1

    If the stack already tells you (through different alert codes) which one of those happened, you don't have to bother with a timing attack.

    And if that was the case then why would they go through all the work of determining the errors based on the timing? They're not idiots. It's because that's not the case. The errors are encrypted. The attacker can't read them.

  2. Re:Heise and OpenSSL developers tells the opposite on Swiss Researchers Find A Hole In SSL · · Score: 2, Interesting

    Not quite.

    The error messages are encrypted. The attacker can't read them. All his information is based on timing. Because of the implementation a padding error will return faster than a MAC error. After sufficient attempts the attacker can statistically guess which error he's getting. That info can be used to crack the cipher.

    I don't know the details of the OpenSSL fix, but they don't have to change the error message to fix the problem. They just have to change the timing. So it's purely an implementation problem; nothing to do with the protocol.

    I don't know why Vaudenay said (in the interview) that it was a problem with the protocol because according to the LASEC memo, it's not. Vaudenay didn't write the memo, so it's hard to guess how directly involved he was with the work. The project is based on a method of attacking SSL developed by Vaudenay though. From the memo:

    In 2002, Vaudenay [10] presented an attack which enables the decryption of blocks provided that error messages are available (as a side channel attack) and sessions do not abort. This is not the case with TLS/SSL. We can solve the latter problem in the case where a TLS/SSL session includes a/several critical plaintext block which is/are always the same (e.g. a password). The former problem of availability of error messages (encrypted in TLS/SSL) is solved by performing a timing attack i.e. by measuring the time taken for error messages to come back from the server. It is then possible to perform the attack over several sessions of TLS/SSL.
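
The timing difference described in the comment above, as an added example (not part of the original comment and not OpenSSL's code): a record check that returns before the MAC on bad padding, next to one that always runs the MAC. TLS-style padding, HMAC-SHA1, the function names and the sample record are assumptions; the count of MAC calls stands in for response time.

```python
import hashlib
import hmac

MAC_LEN = 20   # HMAC-SHA1 tag length (assumed cipher suite)
mac_calls = 0  # instrumentation: a proxy for time spent per record

def _mac(key, data):
    global mac_calls
    mac_calls += 1
    return hmac.new(key, data, hashlib.sha1).digest()

def _pad_len(plain):
    """Total padding length (n+1 bytes of value n), or None if malformed."""
    n = plain[-1]
    if n + 1 + MAC_LEN > len(plain) or plain[-(n + 1):] != bytes([n]) * (n + 1):
        return None
    return n + 1

def check_leaky(key, plain):
    """Bad padding returns before the MAC runs, so it answers faster."""
    pad = _pad_len(plain)
    if pad is None:
        return False                      # fast path: no MAC computed
    body = plain[:-pad]
    return hmac.compare_digest(_mac(key, body[:-MAC_LEN]), body[-MAC_LEN:])

def check_uniform(key, plain):
    """Same verdicts, but the MAC always runs, so both failures cost the same."""
    pad = _pad_len(plain)
    pad_ok = pad is not None
    body = plain[:-(pad if pad_ok else 1)]  # bad padding: assume minimal padding
    mac_ok = hmac.compare_digest(_mac(key, body[:-MAC_LEN]), body[-MAC_LEN:])
    return pad_ok and mac_ok

def cost(check, key, plain):
    """Return (verdict, MAC calls used) for one check of a decrypted record."""
    before = mac_calls
    ok = check(key, plain)
    return ok, mac_calls - before

# Constructed sample records (decrypted CBC plaintext: data || MAC || padding).
KEY = b"constructed-demo-key"
DATA = b"user=alice&pw=hunter2"
GOOD = DATA + _mac(KEY, DATA) + b"\x03" * 4
BAD_PAD = GOOD[:-1] + b"\x7f"              # malformed padding
BAD_MAC = bytes([GOOD[0] ^ 1]) + GOOD[1:]  # valid padding, wrong MAC

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("bad pad", BAD_PAD), ("bad MAC", BAD_MAC)):
        print(name, cost(check_leaky, KEY, rec), cost(check_uniform, KEY, rec))
```

Counting MAC calls models only the gross difference between the two failure paths; production code also has to keep the remaining work independent of the padding length.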
  3. Re:My Preferred keyboard on Keyboard Layouts for the 21st Century? · · Score: 1

    I guess you were never subjected to this beast [sun.com]

    I assume that's the one he's talking about. It's great. I love it too. Perhaps your post was meant to be sarcastic... I can't tell.

    Esc
    Control
    CAPS
    tilde
    backslash
    backspace

    What about them? They're in a different place than on a PC keyboard. Is that your point?

    Help

    Do you think the Help key is a bad thing? I think it's an excellent idea.

    The blank key between Help and F1 isn't there in every model I think. Besides, I can't imagine it bothering anyone.

    Anyway, the reason I love it is because of the cut/copy/paste/find/front/open..etc keys on the left. Once you get used to using them you'll wonder how you ever navigated without them.

  4. Re:Important? on Rumors of a GeForceFX 5800 Ultra Cancelation? · · Score: 1

    And 16 million colours is more than the eye can see, and 44,100 samples per second is more than the ear can hear. Throughout the march of technology we've heard these ridiculously arbitrary "limits" of our senses, and invariably they are discounted at a future time.

    You seem to be suggesting that our senses have no limits. That is ridiculous. Our senses most definitely have limits. Here is a good graph showing our sensitivity to colors.

    When people say that we can't see 16 million colors, that doesn't mean that the 16 million colors we get with 24 bits includes all the colors that we can see.

  5. Re:I consider myself more than a consumer and... on Rise of the 'Consumer' Linux Distribution · · Score: 1

    Well, it's not just about the installation though. It's also about the ease of upgrading programs or installing new programs.

    In my personal experience I've found Mandrake very easy to install, but there's been no end to my troubles in trying to upgrade the components or install new programs. I can install simple programs, sure, but larger programs (e.g. gnu cash) give me tons of failed dependency and dependency conflict errors. And trying to upgrade the programs that come with Mandrake to the current versions gives me similar problems.

    Debian, however, is exactly the opposite. The install process is ancient. You really have to be a Linux guru to get it installed and initially configured. But once it's up and running then it rocks. Package management is a breeze. I love it. Adding new programs, removing programs, or upgrading programs is easy.

    My point is simply that some distributions (e.g. Debian) make some things easier and others (e.g. Mandrake) make other things easier. And (slightly offtopic for this thread) the problem that's keeping Linux off the desktop is that Joe User needs it to be easy across the board and Windows does all of these things much better than any Linux distribution.

  6. Re:Is he smoking crack? on Rick Berman Doesn't Know Why Nemesis Tanked · · Score: 1

    First of all, I loved the TV series and I felt that Nemesis sucked hard.

    Now, on to this comment:

    Solicit top-quality writers and spend the time and money to produce an original, engaging and intelligent script that is not simply a formulaic, rehashed TV episode

    I agree with your intended point but.... did you watch the TV show much? Most of the episodes were considerably more original, engaging, and intelligent than Nemesis. That's why it was so popular.

    Except for First Contact (which was "OK") I don't feel any of the movies are in the same class as the TV show. It's too bad. I wish they could close the franchise with a movie that had the same qualities that made the TV show great.

  7. Re:Bad idea.. on DALnet For Chatting, Not File Sharing · · Score: 1

    However, to disallow these channels DALnet must explicitly moderate content.

    No, they don't have to moderate. You've misunderstood.

    Their policy doesn't say anything about content. They don't say "you can't transfer warez", or "you can't transfer porn". They prohibit "Using a channel for the primary purpose of facilitating the transfer of files", regardless of content. It doesn't matter what you're sharing. It could be warez, scientific papers, or recipes for meatloaf. If you have a channel dedicated to file sharing then it gets shut down. No moderation required.

  8. Re:Slashdot today... on IBM 600 Series Laptops and Flaky Batteries? · · Score: 1, Offtopic

    Slashdot proclaims itself as a good site for people to get their views out. How the heck does the moderation system make sure that everyone's views are represented appropriately? Let's put it this way, the Slashdot moderation system is flawed for this reason. There is nothing stopping someone from demoding someone just because that person doesn't agree with his or her views. Add the fact, the moderators as a whole have the same powers 24/7 that 400 Slashdot members have 5 times for a period of 5 days at any given time.

    I don't hear you suggesting a better alternative.

  9. Re:Cowardly for a reason! on The Speed Of Gravity Revealed · · Score: 1

    The entire universe is immersed in Space-time (kinda like water in a pond).

    There is actually a debate about this. Some physicists suggest that space-time doesn't actually exist as an independent "medium" or "thing"; but rather that it is more of a mathematical abstraction which describes how matter and energy interact.

    Try this explanation. Go back a couple hundred years and recall what we believed time to be. It wasn't considered a "physical thing"; it was more of an idea that described reality in a way we could understand. People understood that you can't "touch" time, or "see" it. Well, it's been suggested that space (in fact, space-time) works exactly that way too. It may not actually exist by itself; it may just be a convenient way for us to describe how we observe matter and energy interactions. Because nobody has actually "seen" space-time, or even proved its existence.

  10. Re:Ford uses these... on Old Age Simulator · · Score: 1

    According to this [wired.com] Wired article, Ford has developed one of these systems (they're calling it the third age suit), designed to add thirty years to your age so that their designers can get a sense of how old people feel in their cars. The guys that designed the Focus all had to wear these things for a while and play with Ford's other cars when they were in the design stages of the interior, to get a sense of what worked and what didn't for older people.

    Why didn't they just hire old people?

  11. Re:Newton, Darwin, Einstein and ownership... on Truth, Ownership, and the Scientific Tradition · · Score: 1

    Congrats on rehashing the point of the article.

  12. Cool! on ATI Releases New Linux Drivers · · Score: 1

    I can double my Karma score by posting an interesting question and then replying with an informative response! Sweet.

    (Not that I think the poster did that on purpose, but it's still funny)

  13. Here's hoping on ATI Releases New Linux Drivers · · Score: 4, Interesting

    Let's hope they got it right.

    Reviews of the stability and performance of these drivers will probably be a major factor in my decision on whether or not to buy a 9700. I've been hesitating because of all the bad things I hear about their drivers. I use NVidia now and I've never had a problem with the drivers, so I'm a little worried about switching.

  14. Re:Wait a minute... on Why UNIX is better than Windows... By Microsoft · · Score: 1

    This refers to the article on the Register I believe. The paper itself doesn't conclude with those remarks, the article does. However that phrase is used in the paper. The phrase is not used (as far as I can tell) to bash MS products in any way. In the very first section (the "Project Overview" section), though, not the conclusion.

    I may as well post it here so you can see the context:

    Project Overview

    Microsoft acquired Hotmail at the end of 1997 as a going concern. The service's creators had defined a two-layer architecture built around various UNIX systems:

    - Front end web servers, built with dual Pentium systems on racked motherboards, running Apache on FreeBSD (a configuration with no need to install licensed software)

    - Back end file stores, built with Sun Enterprise 4500 servers, running Solaris 2.6 (Sun's UNIX) and with all user data stored on RAID arrays, accessed using very simple filing semantics

    - Incoming mail listeners, built on Sun Sparc 5 processors, and interacting directly with the back end

    - Name/password verification engines, built on Enterprise 4500 servers

    - Member Directory, built on PCs with NT and SQL

    The conversion of the Hotmail web servers to Windows is an ongoing project with several rationales. The team was hoping for better utilization of the existing hardware resources. The superior development and internationalization tools are important. A Microsoft property should eat its own dogfood. Finally, we wished to use the conversion experience as a model for other UNIX conversions that we hope to carry out in the future.

    The first phase of the conversion, described here, was limited to the web servers. Appropriate hardware was already in place, and the planning and development staff were confident that they already understood how to perform the conversion successfully.

    There were several constraints on the conversion process, which are probably typical of the average Internet site:

    - Hotmail has established an 8-week cycle of version upgrades, and there was a desire (and some partner pressure) to keep that cycle going.

    - It is essential to keep the service running continuously.

    - The staff is small, and there was not an opportunity to add staff.

  15. Re:*looks* fantastic! on Star Trek Nemesis Preview Online · · Score: 1

    Generations? I'm not going to comment on that. Other responses have summed it up.

    I'll just say that [I feel] First Contact was the only good TNG movie. It's the only one I've watched more than once and it's the only one good enough that I'll probably watch it again sometime.

  16. No thanks on Star Trek Nemesis Preview Online · · Score: 1, Interesting

    I find trailers that give away too much of the movie to be very annoying. Thanks for the warning! I'm going to stay away this time.

  17. Wrong approach on The Peon's Guide To Secure System Development · · Score: 5, Insightful

    It should be a crime to teach people C/C++.

    This guy is a little rough I think.

    High level languages like Ruby, Python, or even Java are strongly recommended for all new projects.

    This sentence should be continued "..for mediocre programmers.". Professional experts should use whatever language they are best at as long as it's reasonable for the project.

    This article looks like he's giving advice on how to take a group of wanna-be programmers and try and get useful results from them. I think that's the wrong approach. What you should do is hire real experts. That way all the wanna-be programmers won't be able to get jobs and so they might realize "hmm.. maybe I should go back to school and get some real skills". Then we won't have as many of the problems that this guy talks about. Though maybe the schools aren't teaching the skills properly, but that's a different topic.

  18. Offtopic on Microsoft Loses $177m on Xbox in Three Months · · Score: 1

    I'm completely lost as to how this post is relevant to the xbox.

  19. Re:Accounting Tactic on Microsoft Loses $177m on Xbox in Three Months · · Score: 2, Insightful

    To the extent that MS' video game division looks like it's bleeding money, it augurs poorly - in Joe Public's mind - as to the XBox's future.

    Where'd you get that idea? "Market and mind share", as you put it, may be a major part of the video game industry but they're not going to be affected much by accounting details.

    "Joe Public Gamer" doesn't give a rat's ass what Microsoft's profits are. He cares about the games. He cares about what kind of reviews the xbox and its games get on his favorite web sites (gamespot, gamespy, penny-arcade, etc..). When Joe Gamer goes to decide whether or not to buy an xbox or a ps2, the last thing he's going to do is compare Sony and Microsoft's earnings the past quarter.

    Microsoft's success depends on them being able to keep the xbox in the spotlight long enough to get companies to make a lot of really good games for it (especially for xbox live). Their profits now don't matter. Public or not.

  20. So? on Harry Potter & The Chamber of Secrets Leaked · · Score: 1

    Why is this worthy of a slashdot article? Nearly every single movie is leaked to the net before it's released. And any movie can be found on IRC the day after it hits the theater. This is non-news.

  21. Re:Subtitles on ADV Confirms Cable Anime Channel · · Score: 1

    There are a lot of bootlegged Chinese VCDs that do that. They put Mandarin on one channel and Cantonese on the other.

    (If you don't know, those are the two primary Chinese dialects. Cantonese is used in Hong Kong and southern parts of the mainland, and Mandarin is used in the rest of the mainland, including Beijing)

  22. Re:New business-model? on PPC Amigas Go On Sale · · Score: 1

    1. Get first post
    2. Write lame business-model joke
    3. ?
    4. Profit!?

  23. From the list on Mozilla: The Good And The Bad · · Score: 1

    From the list of 101 things Mozilla does better than IE:

    97. Various security related features
    Surely you knew Mozilla had better security features?

    Hehe. I laughed. :)

  24. Re:"distressing and intimdating to recipients" on Registrar Told To Stop Direct-Mail Scare-Tactics · · Score: 1

    First of all, WHO are these people who are getting distressed and intimidated by spam? They need some help.

    Actually, this is a very good piece of spam because it's designed to look almost exactly like a bill. And since it's only sent to people who actually have registered domains then it's not surprising that people are confused and fooled. Certainly intimidated.

  25. Re:Hardly on Music and the Internet Reprise · · Score: 1

    Being a successful musician does not always equate to a video on MTV

    Certainly. There are tons of local bands everywhere that do well. But the more promotion a band has then the better they do. Somebody with a music video on MTV will sell a lot more albums than a local band.

    I'm sure most local bands would leap at the opportunity for national promotion if they could. Most musicians if given the choice between "being successful" and "being successful and rich", would choose the latter.