Slashdot Mirror


User: morzel

morzel's activity in the archive.

Stories
0
Comments
269

Comments · 269

  1. Re:This is important because... on Giant Iceberg to Collide with Glacier · · Score: 4, Informative
    How exactly would it raise sea levels if it's already floating on the water? Want to recant?
    I'll bite: because the glacier is sitting on land?

    Remember: the North Pole is all ice and no land, but the South Pole is a pretty big landmass with the ice on top of it.

  2. Re:The shocking secret the industry wants covered on Safecracking for the Computer Scientist · · Score: 2, Funny
    3. Something you are
    Yeah... Because we all know it's a good idea to have criminals need (a part of) you to get access to whatever it is they want.

    I do agree with the other points though.

  3. Re:Verified mirrors on How Can I Trust Firefox? · · Score: 1
    So you're telling me that with XP SP2, I will get a warning before running a valid signed exe, while with all the unsigned exes I run I will get nothing? No wonder no one signs their executables.
    No, with XP SP2 you will get a warning before running any downloaded exe, that either states that the executable is signed and that you should verify the supplied credentials OR that the executable is not signed at all and should not be trusted unless you're really really really sure.

    Most of the major outlets already sign their installers, and those that don't will probably follow... SP2 isn't that old, and it takes some time for people to adapt.

  4. Re:Verified mirrors on How Can I Trust Firefox? · · Score: 1
    Assuming that you don't have firefox installed yet, and have XP/SP2:

    1. Open internet explorer.
    2. Browse to http://www.getfirefox.com.
    3. Click on the link "Free Download".
    4. Wait until you have the file download popup.
    5. Either save the file to disk and open it, or select "Run from here".
    6. A popup will tell you that you are about to run downloaded software from a known source (i.e.: Mozilla Foundation), with verified signature. By clicking a button, you can see the signature details and certification path.

    This kind of integration with the SP2 security features would be a definite gain for Firefox (on the windows platform).
    It does not restrict functionality in any kind of way, and makes it simpler for Joe Sixpack to validate that the software he downloaded from whatever source is unmodified from the actual source.

    It's not going to solve problems automagically, but it is a step in the right direction.

  5. Re:My test on Some Ways To Avoid Spam On Gmail · · Score: 1
    I have a firstname.lastname account at gmail that I only used to mail to one close friend (thanks for the invitation David ;-), and haven't communicated it to anybody else.

    My name is particular enough that when you search for it on google (i.e.: "Firstname Lastname"), almost all returned links are relevant so it wouldn't seem to me that auto-generated addresses should easily match and yet I get spam into my gmail inbox.

    Boggles the mind...

  6. Actually... on CCC Mods Rent-a-Bike To Allow Free Rides · · Score: 3, Insightful
    No, since the hacker set/blow the security bit/fuse one can't flash the proms any more.
    AFAIK, setting the "IP" bit on the controller prohibits reading out the current contents of the flash via the ISP port, but it does not prohibit flashing new firmware into the chip (with or without the IP flag raised).

    So, other than a firmware update (which I suspect may have to happen to all bikes regularly anyhow), those hackers haven't done any physical damage that can't be easily undone.

    Arguably, they have caused revenue loss for the DB from the bikes that were used for free, but since there is no description on how the backdoor works or how it is advertised, I would assume that only a select group of people knows of this.
    In the article itself they made some "ethical" decisions (i.e.: not able to grab a currently rented bike, not able to park a freebie without giving a regular customer the chance to phone it in), which indicates that they want to preserve the utility value for regular customers as much as possible.

    All in all:
    Is this legal ? No siree, definitely not...
    Did the hackers do it to get free bikes, or just for the challenge of it? My guess would be the latter.
    Is this a nice hack in the spirit of the hackers of the old days? Definitely: this hack required a lot of skill and creativity, for that they deserve some respect.

  7. Verified mirrors on How Can I Trust Firefox? · · Score: 1
    The point is very simple: Firefox is distributed by a number of volunteered mirror sites, because the Mozilla Foundation does not have the resources to host everything centrally.
    By signing the (windows) installer, the user can very easily verify that the software he downloaded from whatever mirror server (or e.g. via BitTorrent or another P2P network) is actual, unmodified mozilla code.

    Since you get the source code of Firefox, it would be relatively easy to include whatever malware you'd like in the browser, and roll your own installer without giving the user any(*) chance of checking the integrity of the package.

    The author's point in this case: with a minimum amount of cost and trouble, the Mozilla foundation should be able to create an installer that plays nice with the existing windows security features and would give the user extra reassurance when downloading the software from an unknown source.

    So yeah: the guy is pointing out a number of functional flaws in Firefox, and IMHO he raises some very valid points. It's not a firefox-bashing-session, but a (well-written) summary of his experience installing Firefox with major focus on his pet peeves. Whining that "IE sucks" (even though it does...) does not make the raised issues any less worthy of investigation...

    (*) Yes I'm aware of the MD5/SHA-1 checksums, but 99% of the target audience on the windows platform doesn't know what it means, let alone how to perform such a check.

  8. Re:What if they are not just wasting time? on Metered HTTP Proxy? · · Score: 1
    When I was in high school I had many projects that required me to pull late nites on the computer using the internet for research. It is not fair to set a static limit for internet access.
    <tongue-in-cheek>
    Well if you wouldn't be on the PC so damn much you wouldn't have to pull late nites to get your projects done.
    </tongue-in-cheek>

    Seriously: the poster did not say he wanted to set a "static limit" for internet access. He just wants a means to be able to enforce a "contract" on internet time/bandwidth.

    The simplest way to get along with teenage kids on these kinds of issues is by negotiating a "contract" on what is acceptable, and what is not. This way they are assured that you're not just pulling the plug arbitrarily because you are the parent, and they have some responsibility in enforcement (i.e.: with monthly limits it's up to them to spend their allotted time wisely).

    Strangely, a lot of kids tend to accept the objective ruling of a device (router says: bandwidth's up for this month) better than that of a parent telling them to get off the PC.

    If they really do need the internet access for school, they can do it on the family computer in plain view. The goal is to get a good balance in life and (presumably) better results in school.

  9. Re:Look out backyard builders on Microsoft Replaces Your Pirated Windows, For Free · · Score: 1
    This is about getting back at people who profit from copyright infringement, without hurting the end user (who may have been ripped off in the first place).

    Yeah, it's hard to swallow if MS comes knocking on your doors because of this, but so is the ticket you get if you're caught speeding. You (should) know the risks, and decided to take chances. If you can't make it in PC retail without pirating software, you probably don't belong there.

    The family member scenario won't cut it, since a proof of purchase is required (which you won't give to them).

    Joe jobs can be relatively easily avoided:

    • A proof of purchase for the system is required
    • If only a very low percentage of the customers for a given vendor complains, there's probably not much going on
    • If a bigger percentage complains, you can easily verify this with a sting operation (ie: you send someone to the shop that buys a PC).
    • If a really big percentage complains, or the sting op resulted in a PC with pirated software you send in the BSA to audit the vendor, and sue the sucker out of existence.
    So yeah, I can imagine some guys are seriously going to sweat this out if they did the pirate-thingy. The fact that a small shop-owner did this, does not make it legal though...

  10. That shouldn't be difficult on Kerry Concedes Election To Bush · · Score: 1
    (we haven't got any oil here ;-)

  11. Yes and no... You tell me (seriously) on Kerry Concedes Election To Bush · · Score: 2, Interesting
    I'm European, and (as most of us over here) simply can't wrap my head round this... why you guys let this happen...

    Up until yesterday, you got the benefit of the doubt: you surely couldn't predict what a newly-chosen president was going to do, especially with the 9/11 aftermath... When the day comes to hold him accountable for his actions, you don't...

    I'm really wondering if the average US citizen is really convinced that George W. Bush did a good job and is the best choice to represent them for another four years.

    Just mindboggling...

  12. GPG key checks out... on Beware 'Fedora-Redhat' Fake Security Alert · · Score: 1
    As others have mentioned, the archive contains an (unaltered) version of a genuine Red Hat RPM so the GPG sig for that file is actually intact.

    Of course the icky bits of the rootkit are in the installer, not in the supplied RPM (which isn't used).

  13. Re:To crash or not to crash on IE Shines On Broken Code · · Score: 1
    Hint: if you feed random data to a buffer overflow, the application will most likely crash, unless that data contains valid executable code that manages to do something bad and magically resume execution.

    If IE does not crash, it means that either:

    • The random number generator managed to crank out an exploit all by its own
    • IE parsing engine does proper checking on the HTML and recovers gracefully from any baddies in the data
    An application should never crash when fed bad data: it should deal with it gracefully, even if that means showing an error message and closing the application, not just trying to execute whatever the garbage may contain (which firefox seems to be doing).

    I don't see why everybody is whining about how unsecure IE is, and that Firefox et al. are better. This test raises a valid concern: if you succeed in crashing Firefox by feeding it malformed HTML, chances are that you can exploit that vulnerability. This is a bad thing and warrants attention from the Mozilla team.

  14. Re:Teletext to HTTP gateways? on Ceefax Turns 30 · · Score: 1
    Belgian Teletext.

  15. Re:Time Drift - sliding window on AOL Moves Beyond Single Passwords for Log-Ons · · Score: 5, Informative
    IIRC RSA uses a sliding window to correct for time drift.

    In an ideal world, the server and the fob are perfectly synchronized, meaning that the server knows which number the fob will generate at any given time. In the real world, the fob creeps behind/before schedule and generates a number x entries before/after the expected entry.
    If this is the case, the server looks up if number x is in the vicinity (e.g.: within 5 minutes) of the expected number. If that's the case, the server assumes that the clock has drifted and marks the amount of time that the fob has drifted for next authentications.
    If x is outside that range, but inside a much broader range (e.g.: one hour), it will request the number that the fob generates next, and checks if that number matches the one that should come after x. Then it marks the drift amount and allows access.

    The server automatically compensates for inaccurate clocks in the fobs; as long as you use it regularly. Only if you haven't used your fob for quite some time, and it has a really lousy clock they de-synchronize, requiring a hardware swap (and/or manual intervention from the sysadmin).
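
The two-window resynchronisation described in the comment above, as an added Python sketch (not part of the original comment and not RSA's code). The code generator is a stand-in HMAC truncation, and `STEP`, `SMALL`, `LARGE`, `Verifier` and the replay guard are assumptions made for illustration.

```python
import hashlib
import hmac

STEP = 60    # seconds per displayed code (assumed)
SMALL = 5    # +/- steps accepted outright ("within 5 minutes")
LARGE = 60   # +/- steps that trigger a next-code check ("one hour")

def code(seed: bytes, counter: int) -> str:
    """Stand-in generator (HMAC-SHA256 truncated to 8 digits), not RSA's algorithm."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Verifier:
    def __init__(self, seed: bytes):
        self.seed = seed
        self.drift = 0        # learned fob offset, in steps
        self.last = -1        # highest counter accepted so far (added replay guard)
        self.pending = None   # counter the fob must show next, during a challenge

    def _find(self, submitted: str, centre: int, radius: int):
        # Search outward from the expected counter; skip already-used counters.
        for d in sorted(range(-radius, radius + 1), key=abs):
            c = centre + d
            if c > self.last and hmac.compare_digest(code(self.seed, c), submitted):
                return c
        return None

    def _accept(self, counter: int, now: int) -> str:
        self.drift = counter - now // STEP   # remember the drift for next time
        self.last = counter
        return "accept"

    def verify(self, submitted: str, now: int) -> str:
        if self.pending is not None:          # second half of a wide-window login
            expected, self.pending = self.pending, None
            if hmac.compare_digest(code(self.seed, expected), submitted):
                return self._accept(expected, now)
            return "reject"
        centre = now // STEP + self.drift
        c = self._find(submitted, centre, SMALL)
        if c is not None:
            return self._accept(c, now)
        c = self._find(submitted, centre, LARGE)
        if c is not None:
            # One match among 2*LARGE+1 candidates is weak evidence on its own,
            # so ask for the code that must follow it before trusting the offset.
            self.pending = c + 1
            return "next_code"
        return "reject"
```

A fob that drifts past `LARGE` steps gets `"reject"` on every attempt, which is the de-synchronised case that needs manual intervention.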

  16. You can't copy a physical token on AOL Moves Beyond Single Passwords for Log-Ons · · Score: 5, Insightful
    If I get into your PC, I can copy your certificate without you ever knowing it until it's too late.
    I obviously can't steal your RSA token without you finding out pretty soon.

  17. Re:Did anyone else spot this? on Bush vs. Kerry on Science · · Score: 1
    nuclear fusion as a source of electricity and hydrogen.
    To create hydrogen to be used as fuel (i.e.: break up H2O into 2H2 + O2), you need (a lot of) electricity, which fusion would be able to supply big time.

    Main Entry: fis-sile
    Pronunciation: 'fi-s&l, 'fi-"sIl
    Function: adjective
    Etymology: Latin fissilis, from findere
    1 : capable of being split or divided in the direction of the grain or along natural planes of cleavage
    2 : capable of undergoing fission
    (Yup, it's a word).
    Bush's campaign people know how to write...

  18. They were first.... on Zero Gravity Flights for the Rest of Us · · Score: 1
    The appropriately dubbed 'Uranus Experiment' was filmed on location (i.e.: riding the vomit comet).

  19. They were... on Zero Gravity Flights for the Rest of Us · · Score: 3, Informative
    The appropriately dubbed 'The Uranus Experiment' was filmed on location (i.e.: riding the vomit comet).

  20. Re:For all of those who suggested tape... on How Do I Disable My Gadgets' LEDs? · · Score: 1
    JUST TRY AND PROVE ME WRONG!
    Scotch tape did not come from real Scots... (not directly anyway)

    ;-)

  21. Re:For all of those who suggested tape... on How Do I Disable My Gadgets' LEDs? · · Score: 2, Informative
    Not necessarily.

    It's a brand name, c'ptain.... so anybody who mentions Duck Tape® is equally correct as the people who're talking about duct tape. Some even might argue that Duck Tape® is better, since most non-English speaking folks haven't got the faintest idea what a 'duct' is, but they do know what Duck Tape® (the brand) is and where they can find it in the hardware store.

  22. Re:two words on How Do I Disable My Gadgets' LEDs? · · Score: 2, Informative
    No... Parent poster was actually referring to "Duck Tape" (ie: Duck Tape brand duct tape).

  23. Re:What I read in the French Press on Yahoo! Not Protected From French Anti-Nazi Laws · · Score: 4, Insightful
    If your description of France is correct, then France does not have "free speech".
    Even while the US has "free speech" in the constitution, how much of it do you guys get in real life? (assuming that you are from the USA, of course)

    Besides the whole Political Correctness issue (which seems to have risen to Kafka-esque levels in the US), I'm pretty sure that there are dozens of laws that can be used to shut somebody up (including sending 'm off to a prison many countries consider to be infringing against Human Rights conventions!). When defending 'free speech', in the end it all comes down to who has the best (most expensive) lawyers, or has paid the most campaign money.

    France has anti-nazi laws because of the horrible impact WW2 had on all people involved, just as you guys have made your own country less free to nail them terrorists after 9/11.

    Are these good laws? For some they are, for others they aren't... But they both were the result of a 'democratic' process, and ultimately it is up to you (the individual voter) to overturn them if they are not in your best interests.

  24. Re:Viruses on Virus Writers Look Ahead: Target 64-bit Windows · · Score: 2, Informative
    Although I thoroughly disagree with these malicious programs, and any virus of any description, they do encourage people to create neater code and to develop better code that is invulnerable to these kinds of exploits.
    Dude... It's a virus, not a worm.
    You can write your code as secure and neat and clean as you want, that doesn't protect you from a virus that injects some code into your compiled executable.

    Operating systems may be part of the solution, but IIRC we are weary of proposed solutions (ie: TPC).

  25. Re:Ugh on Big Brother In Your Front Seat · · Score: 1
    Nevertheless, most insurance companies have no qualms about charging all males and all young people higher rates, because of a greater statistical likelihood they will be involved in an accident.
    I'm nitpicking here:
    Actually statistics have shown that female drivers have more accidents than male drivers; but the resulting damage of the average accident caused by a man is far bigger than that of a woman.

    Men tend to get into bigger accidents (ie: crashes) because they are overconfident of their own skills and take more risks. Women mostly have the parking-lot kind of accidents (ie: low-speed, dings and scratches).