Well yes that should work provided you configure your HTTPS proxy to speak those broken protocols. It has to be an HTTPS proxy too can't be HTTP because using the CONNECT method means you are still doing HTTPS directly with the foreign peer.
I suspect the biggest problem (and this is problem even on XP VMs if you build them from sp2 or older media) is that it does not support current TLS protocols. Now that practically everything is HTTPS and everyone has disabled SSL3.x and older because of POODLE and in a lot of cases even TLS1.0 you can't connect to most HTTPS servers
The more different the architecture is from the x86 strain the better since it would cause more trouble for those trying to utilize flaws
I find this claim questionable. Do you have some examples to back that up. Certainly reproducing it in the lab with some other chip would be more effort you'd have to basically start over. I am not sure that its appreciably harder to actually perform an attack in a life environment. I don't me just a POC where you read some memory that did not belong to you. I am talking an actual useful attack on a live system.
That to me has a few requirements and alternatives. 1) You have something you can deliver as shell code or as payload to include in malware. So its got be small and not look super suspicious to heuristic tools or signature based AV. 2) Its got to have a useful level of reliability. IE its go to work at least 1 in 10K tries. That is to be minimally useful weaponized as worm etc; its got to be much better for target attacks 3) Either you need to be able to target specific memory so you obtain 'crown jewls' or you need be able to dump a lot of memory (sort thru the haystack for something useful theory). If you do the later that brings us to 3a 3a) you can't be the hottest process on the system for hours on end because you'd be detected in an instant.
So I think we talking a major effort by what is actually not that big a pool of folks with the technical know how to build something workable. I have been a developer for decades working in the security segment and I certainly would not have the skills to design something like that. I know people who do but not very many. A couple of them are ex-NSA and when we were discussing this they suggest even the NSA only has handful of people with the expertise to use these types of attacks in the wild; perhaps a handful more who could be brought up to speed quickly; if they were pulled from other areas of research.
I agree but lets be really honest about something else while we are on that subject. Those skeletons are left to lay in their closets unless unless you extol the wrong politics or tick off the wrong person. The CoC / #meToo crowd has a some legitimately aggrieved folks in it who deserve justice but to pretend that the majority of people banding those terms about on twitter are not using as either a person or political weapon for entirely selfish motives is nonsense.
For a country that has recorded history going back, what, 3000 years
Don't give them that! Its Chinese propaganda. The Chinese nation as it exists today dates to October 1, 1949. In fact as far a "developed" they are whippersnappers. There is no meaningful connection to the China that came before. They ensure that themselves with the 'great leap forward'
The quality of flash isn't the point. My point is flash is basically gone not because others delivered superior solutions that people preferred; but because a few gate keeps decided to sabotage the environment it runs in.
There is a line between keeping users safe and essentially singling out a technology for destruction.
However, in Chrome 69, every time users restart Chrome, they'll need to give permission for sites to use Flash.
Google is more or less deciding that anyone delivering anything with flash will not be permitted to give their users a good experience. Some would argue singling out the flash and java plugins for special treatment at all crossed this line; though I would argue gross negligence on the part of Adobe and Sun/Oracle kinda forced that.
I really doubt flash would have been killed off so soon if Apple had not started an outright attack on it and Google and Mozilla having not decided to pile on.
Chrome is malware - there are no two ways about it and Google is abusive. Consumers would do well to not reward them for abuse. Don't run Chrome - period. Its evil.
Well he who controls the language controls the debate. The words we use matter in that they tend to shape our opinions and might very well move us one way or the other given the same set of facts. Clearly calling them undocumented immigrants rather than illegal immigrants or illegal aliens - is an attempt by people with an agenda to distract from the fact the discussion is about people who are in active commission of a crime - being in the United States without either citizenship or a valid visa.
By the same token token people who just call them illegals etc are plainly attempting to place focus on their criminality and pulling attention away from both their person-hood and the nature of their crime.
Ultimately the facts are facts and most people who stop to think about the issue know the important facts; however I suspect in a lot cases the langue used to present those facts had a significant effect on their opinion as to what the resolution should be.
Disagree strongly. A democratic society or a representative society does get to vote on how much safety is enough when it comes to our shared space and shared resources like roads.
There city councils deal with speed limits in various places all the time. We could just make all interstate highways 25mph zones and probably all but eliminate collisions but that does not make it right - it makes it safe - but not correct.
Or here is a crazy thought we could actually just increase the posted speeds to the rates most people want to drive at now. The fact is there are places were most people speed. Those places should have the speed limits increased. Most people are breaking the law therefor so thefore the law is undesirable as viewed by the public. The democratic thing to do is change it. Sure it might be "less safe" but the vote has gone against reducing traffic deaths and increasing speeds - so there
Not a civil or structural engineer but I know for roofs and stuff you usually build for 1.4 times the estimated required carrying capacity (weight of covers and potential snow loads etc). That is 1.4 times the max weight you ever think you'd need to support.
Assuming the same convention is used for bridges; a 20% weakening still means it would be adequate to support loads it was designed to carry. However from the sounds of things it was also over loaded. Taken those two issues together -> problems.
Still the headline may or may not be misleading. For example all kinds of bridges in this country are classified as deficient; but that just mean they don't meet certain safety margins - not that anyone thinks they are in danger of failure. If one did fail though people would no doubt say "engineers knew there were problems."
I guess the take away here is those safety margins exist for a reason - its good to keep them as it prevents disasters like this from happening!
Right and Christianity has an odd intersection with environmentalism. Humans are special. Humans are to have dominion over the earth. All of creation is a gift from God.
Some Christians take the sad view this means the earth is ours we are free to do whatever we like.
Some take the view the world is a gift and we must reverently preserve it as is.
Finally there are those that take my view the world is a garden we were given to tend. We should treat it respectfully but we may mold it to our desires and our benefit. The way a gardener selects and shapes plants; the way a landscape architect forms the terrain. We had just better be sure not to abuse it not thru pridefully thinking we know best all the time and not thru neglect - The world has a purpose and to abuse it is sinful. Because of free will if we sin in that way we will bear the consequences for that sin.
That's the problem you assholes are pinning your entire argument on. The pure increase in temperature caused solely by the CO2? Yes, that's quite easy to calculate. All of the other feedbacks are not, because they're simply not all known or completely understood.
Right that's out point - you don't know what will happen but you feel entitled to demand we change our entire lives and in some cases livelihoods to address your unproven fears.
Designs reflect this with easy access (like frame crossmembers permitting in-frame overhaul
My point exactly they were designed to be maintained and it was assumed that when things wore out they would be replaced and or rebuild.
Its true they had shorter life spans; but that was not 'planned obsolescence' It was more a function of the manufacturing and materials capability of the era.
I would like to suggest the problem is actually the consumer. Consumers want neatly little packaged integrated things as products mature. They want their own knowledge requirements for the devices operation to decrease as products mature.
Consider cars. There was a period of pre-war auto manufacturing where it was non-longer bespoke but at the same time people expected to buy a car and own it for a long time - maybe indefinitely. They anticipated maintaining and repairing it. If you look at engine designs right up thru the early post war periods you see things like lined cylinders and valve guides. Basically all wearing parts were built to be replaceable. Granted it still might have major work in terms of labor but compare that to most modern mass market automobile engines - you'd have machine the block today once things like valve guides or cylinder walls wear or crack etc. Essentially they are now disposable devices. On the other hand you can now own and operate a car with virtually zero knowledge of how it works - they even have built in monitors to tell you when to get the oil changed now.
Think about how home stereo equipment evolved from 1960 - 2018. Discrete often home assembled components to integrated systems to one giant reciever with everything built in driven by your smart phone to "IoT Speaker"
We have seen the same thing with computers. Even if you bought something like a Northgate back in the early 90s it was in a standard box. You could replace the motherboard and CPU and retain the chassis and power supply. You might even keep the main board and slap and "overdrive" process on it. Granted you can still get "project box" style cases today and certainly there is a plenty big market for motherboards and stuff in standard sizes - but if you buy a brand name PC odds are pretty good its now some custom miniature case like a Mac min - or similar offering from HP or Dell.
So lets look at mobile. You use to manually sync your iPaq, Cassiopeia, or Palm with your laptop. You either manually cabled it up or careful started some IR sync tool and line up all the devices. Every application was side loaded; or you had a RIM that just did e-mail. Now yes its all integrated in your phone. You don't need to know how anything works. You don't need to really even learn any software tools - but you have way way less choice about how you are going to manage things. Want to backup your iPhone? - its iTunes or nothing (okay iCloud now). I used to be able to eject the CF card from my Cassiopeia and back it up however I wanted! Which is not say I'd go back!
What do we do now - we integrated the PDA / portable gaming devices into our phone - its all online - its mostly automagical. The consequence is people don't really know anything about them. I would suggest consumers don't really want replaceable batteries because they don't really want to be at the battery store flipping thru "phone books" of part numbers looking for a suitable replacement on Saturday afternoon - they rather just get a new phone!
What you don't understand is that you just described virtually every web page. This is essentially the same attacks that worked on SSL3.0 and TLS1.0 when compression was enabled.
The reason it works is that the attacker has access to 99% (roughly) of the plain text. Lets say I want to discover you bank routing number on a web page. As the attacker I register myself and discover the size and all the non-dynamic content on the page. I can inject my own content say a short string of numeric characters and compress the data. I can than observe the change in size.
Now if I am observing your network traffic and I know what site your pulling say based on the IP address. I can sit and look at the transfer size. When I see a server response the same size as one of my candidate compression tests; I now know at least one possible value for the dynamic content.
Its not a problem with the encryption algorithm. The message would not be recoverable unless I already knew almost all of it. Without thousands of cipher texts I can even begin to work out the change content. TLS address this by padding the responses with a little random length data.The trouble is the plain protocol has no padding and the VPN does not either. This can be fixed easily but its going to have a negative performance impact.
Actually I think that might make for a rather neat attraction; especially given American's historic car culture.
I think it would be pretty neat if someone 1) bought some land in the AZ desert (affordable and the climate will keep the signs for deteriorating) 2) paved 20 or 40 miles of road thru it 3) Acquired historic signage from culturally significant organizations defunct and not 4) Made one of the GPS phone apps that reads out a little historic information about each sign when you get near it for people to download. 5) Charged a little toll to support / profit on the thing for folks that want to drive down it.
I was mainly speaking of things where the risks can be externalized / the transport be weaponized. Planes for example as we saw. Locked cockpit doors and no single man at a time rules are good security measures to address that for example.
Cars are also easily weaponized - which is why we license drivers and probably should put some rules in place the prevent the sale of cars to non-license holders.
never intended to let non-land-owners have a vote in 1789
Which was entirely sensible at the time. Land ownership meant you had skin in the game your interests where the countries interests.
I don't think that land ownership is necessarily a good model for today but we absolutely should have some bar to enfranchisement beyond mere citizenship. I would suggest for example "net tax payers" at whatever level the election is at be given the vote.
So my take away here is that in about 10 years I am going to have to listen to my kids prattling on about how bigoted my wife and I are because we don't trust robots...
Yes well than real solution would be to let the mangroves etc move back it; If you get rid of the coastal golf courses, lawns, and artificial sandy beaches there will be no man-made fertilizers to deployed to run anywhere. As per usual this is just one typically left leaning group saying "your environmentally destructive practices are unacceptable but mine are perfectly alright because my intentions and feelings..and by the way you can't build that wind turbine in view of my house."
One could make the argument all those "collaborators" have enabled the expansion of the totalitarian regime to the point where your only-viable transport system now has this crap installed. Maybe had they resisted back when they should have we would not be here today.
This definition of voluntary has bothered me for a long time. We have explicit constitutional rights. I am not even talking about the ones courts like to imagine here. A pretty plain read says we have the right to assemble and we have the right be secure against unreasonable search.
I also thinks its abundantly clear the frames never intended that exercise of one right might require one waive another right. It kind of goes against the definition of right it self. In order to assemble one must be able to go to where the assembly is taking place. As it stands today in America there is essentially no means of transportation where you are subject to "voluntary" search. Even driving your own car you might be stopped at a "random" checkpoint and search. In many cities even walking you could be subjected to "stop and frisk."
When there are no remaining options and I believe we are at the point point search is no longer "voluntary" by any definition. Obviously some types of travel pose risks that demand security and I don't know what all the answers are but if the present situation continues to be viewed as meeting the legal standard - our Constitution might as well be toilet paper.
Where did I draw any moral equivalence. I am speaking from a purely human nature action - reaction perspective. My main point is just that nobody should be surprised.
Slashdot Mirror
Well yes that should work provided you configure your HTTPS proxy to speak those broken protocols. It has to be an HTTPS proxy too can't be HTTP because using the CONNECT method means you are still doing HTTPS directly with the foreign peer.
I suspect the biggest problem (and this is problem even on XP VMs if you build them from sp2 or older media) is that it does not support current TLS protocols. Now that practically everything is HTTPS and everyone has disabled SSL3.x and older because of POODLE and in a lot of cases even TLS1.0 you can't connect to most HTTPS servers
The more different the architecture is from the x86 strain the better since it would cause more trouble for those trying to utilize flaws
I find this claim questionable. Do you have some examples to back that up. Certainly reproducing it in the lab with some other chip would be more effort you'd have to basically start over. I am not sure that its appreciably harder to actually perform an attack in a life environment. I don't me just a POC where you read some memory that did not belong to you. I am talking an actual useful attack on a live system.
That to me has a few requirements and alternatives.
1) You have something you can deliver as shell code or as payload to include in malware. So its got be small and not look super suspicious to heuristic tools or signature based AV.
2) Its got to have a useful level of reliability. IE its go to work at least 1 in 10K tries. That is to be minimally useful weaponized as worm etc; its got to be much better for target attacks
3) Either you need to be able to target specific memory so you obtain 'crown jewls' or you need be able to dump a lot of memory (sort thru the haystack for something useful theory). If you do the later that brings us to 3a
3a) you can't be the hottest process on the system for hours on end because you'd be detected in an instant.
So I think we talking a major effort by what is actually not that big a pool of folks with the technical know how to build something workable. I have been a developer for decades working in the security segment and I certainly would not have the skills to design something like that. I know people who do but not very many. A couple of them are ex-NSA and when we were discussing this they suggest even the NSA only has handful of people with the expertise to use these types of attacks in the wild; perhaps a handful more who could be brought up to speed quickly; if they were pulled from other areas of research.
I agree but lets be really honest about something else while we are on that subject. Those skeletons are left to lay in their closets unless unless you extol the wrong politics or tick off the wrong person. The CoC / #meToo crowd has a some legitimately aggrieved folks in it who deserve justice but to pretend that the majority of people banding those terms about on twitter are not using as either a person or political weapon for entirely selfish motives is nonsense.
For a country that has recorded history going back, what, 3000 years
Don't give them that! Its Chinese propaganda. The Chinese nation as it exists today dates to October 1, 1949. In fact as far a "developed" they are whippersnappers. There is no meaningful connection to the China that came before. They ensure that themselves with the 'great leap forward'
The quality of flash isn't the point. My point is flash is basically gone not because others delivered superior solutions that people preferred; but because a few gate keeps decided to sabotage the environment it runs in.
There is a line between keeping users safe and essentially singling out a technology for destruction.
However, in Chrome 69, every time users restart Chrome, they'll need to give permission for sites to use Flash.
Google is more or less deciding that anyone delivering anything with flash will not be permitted to give their users a good experience. Some would argue singling out the flash and java plugins for special treatment at all crossed this line; though I would argue gross negligence on the part of Adobe and Sun/Oracle kinda forced that.
I really doubt flash would have been killed off so soon if Apple had not started an outright attack on it and Google and Mozilla having not decided to pile on.
Chrome is malware - there are no two ways about it and Google is abusive. Consumers would do well to not reward them for abuse. Don't run Chrome - period. Its evil.
Well he who controls the language controls the debate. The words we use matter in that they tend to shape our opinions and might very well move us one way or the other given the same set of facts. Clearly calling them undocumented immigrants rather than illegal immigrants or illegal aliens - is an attempt by people with an agenda to distract from the fact the discussion is about people who are in active commission of a crime - being in the United States without either citizenship or a valid visa.
By the same token token people who just call them illegals etc are plainly attempting to place focus on their criminality and pulling attention away from both their person-hood and the nature of their crime.
Ultimately the facts are facts and most people who stop to think about the issue know the important facts; however I suspect in a lot cases the langue used to present those facts had a significant effect on their opinion as to what the resolution should be.
Disagree strongly. A democratic society or a representative society does get to vote on how much safety is enough when it comes to our shared space and shared resources like roads.
There city councils deal with speed limits in various places all the time. We could just make all interstate highways 25mph zones and probably all but eliminate collisions but that does not make it right - it makes it safe - but not correct.
Or here is a crazy thought we could actually just increase the posted speeds to the rates most people want to drive at now. The fact is there are places were most people speed. Those places should have the speed limits increased. Most people are breaking the law therefor so thefore the law is undesirable as viewed by the public. The democratic thing to do is change it. Sure it might be "less safe" but the vote has gone against reducing traffic deaths and increasing speeds - so there
Where we do studies to learn things that became obvious thru pizza deliver in the 1970s!
Not a civil or structural engineer but I know for roofs and stuff you usually build for 1.4 times the estimated required carrying capacity (weight of covers and potential snow loads etc). That is 1.4 times the max weight you ever think you'd need to support.
Assuming the same convention is used for bridges; a 20% weakening still means it would be adequate to support loads it was designed to carry. However from the sounds of things it was also over loaded. Taken those two issues together -> problems.
Still the headline may or may not be misleading. For example all kinds of bridges in this country are classified as deficient; but that just mean they don't meet certain safety margins - not that anyone thinks they are in danger of failure. If one did fail though people would no doubt say "engineers knew there were problems."
I guess the take away here is those safety margins exist for a reason - its good to keep them as it prevents disasters like this from happening!
Right and Christianity has an odd intersection with environmentalism. Humans are special. Humans are to have dominion over the earth. All of creation is a gift from God.
Some Christians take the sad view this means the earth is ours we are free to do whatever we like.
Some take the view the world is a gift and we must reverently preserve it as is.
Finally there are those that take my view the world is a garden we were given to tend. We should treat it respectfully but we may mold it to our desires and our benefit. The way a gardener selects and shapes plants; the way a landscape architect forms the terrain. We had just better be sure not to abuse it not thru pridefully thinking we know best all the time and not thru neglect - The world has a purpose and to abuse it is sinful. Because of free will if we sin in that way we will bear the consequences for that sin.
That's the problem you assholes are pinning your entire argument on. The pure increase in temperature caused solely by the CO2? Yes, that's quite easy to calculate. All of the other feedbacks are not, because they're simply not all known or completely understood.
Right that's out point - you don't know what will happen but you feel entitled to demand we change our entire lives and in some cases livelihoods to address your unproven fears.
Designs reflect this with easy access (like frame crossmembers permitting in-frame overhaul
My point exactly they were designed to be maintained and it was assumed that when things wore out they would be replaced and or rebuild.
Its true they had shorter life spans; but that was not 'planned obsolescence' It was more a function of the manufacturing and materials capability of the era.
I would like to suggest the problem is actually the consumer. Consumers want neatly little packaged integrated things as products mature. They want their own knowledge requirements for the devices operation to decrease as products mature.
Consider cars. There was a period of pre-war auto manufacturing where it was non-longer bespoke but at the same time people expected to buy a car and own it for a long time - maybe indefinitely. They anticipated maintaining and repairing it. If you look at engine designs right up thru the early post war periods you see things like lined cylinders and valve guides. Basically all wearing parts were built to be replaceable. Granted it still might have major work in terms of labor but compare that to most modern mass market automobile engines - you'd have machine the block today once things like valve guides or cylinder walls wear or crack etc. Essentially they are now disposable devices. On the other hand you can now own and operate a car with virtually zero knowledge of how it works - they even have built in monitors to tell you when to get the oil changed now.
Think about how home stereo equipment evolved from 1960 - 2018. Discrete often home assembled components to integrated systems to one giant reciever with everything built in driven by your smart phone to "IoT Speaker"
We have seen the same thing with computers. Even if you bought something like a Northgate back in the early 90s it was in a standard box. You could replace the motherboard and CPU and retain the chassis and power supply. You might even keep the main board and slap and "overdrive" process on it. Granted you can still get "project box" style cases today and certainly there is a plenty big market for motherboards and stuff in standard sizes - but if you buy a brand name PC odds are pretty good its now some custom miniature case like a Mac min - or similar offering from HP or Dell.
So lets look at mobile. You use to manually sync your iPaq, Cassiopeia, or Palm with your laptop. You either manually cabled it up or careful started some IR sync tool and line up all the devices. Every application was side loaded; or you had a RIM that just did e-mail. Now yes its all integrated in your phone. You don't need to know how anything works. You don't need to really even learn any software tools - but you have way way less choice about how you are going to manage things. Want to backup your iPhone? - its iTunes or nothing (okay iCloud now). I used to be able to eject the CF card from my Cassiopeia and back it up however I wanted! Which is not say I'd go back!
What do we do now - we integrated the PDA / portable gaming devices into our phone - its all online - its mostly automagical. The consequence is people don't really know anything about them. I would suggest consumers don't really want replaceable batteries because they don't really want to be at the battery store flipping thru "phone books" of part numbers looking for a suitable replacement on Saturday afternoon - they rather just get a new phone!
What you don't understand is that you just described virtually every web page. This is essentially the same attacks that worked on SSL3.0 and TLS1.0 when compression was enabled.
The reason it works is that the attacker has access to 99% (roughly) of the plain text. Lets say I want to discover you bank routing number on a web page. As the attacker I register myself and discover the size and all the non-dynamic content on the page. I can inject my own content say a short string of numeric characters and compress the data. I can than observe the change in size.
Now if I am observing your network traffic and I know what site your pulling say based on the IP address. I can sit and look at the transfer size. When I see a server response the same size as one of my candidate compression tests; I now know at least one possible value for the dynamic content.
Its not a problem with the encryption algorithm. The message would not be recoverable unless I already knew almost all of it. Without thousands of cipher texts I can even begin to work out the change content. TLS address this by padding the responses with a little random length data.The trouble is the plain protocol has no padding and the VPN does not either. This can be fixed easily but its going to have a negative performance impact.
Actually I think that might make for a rather neat attraction; especially given American's historic car culture.
I think it would be pretty neat if someone 1) bought some land in the AZ desert (affordable and the climate will keep the signs for deteriorating) 2) paved 20 or 40 miles of road thru it 3) Acquired historic signage from culturally significant organizations defunct and not 4) Made one of the GPS phone apps that reads out a little historic information about each sign when you get near it for people to download. 5) Charged a little toll to support / profit on the thing for folks that want to drive down it.
Wish I had the capital
I was mainly speaking of things where the risks can be externalized / the transport be weaponized. Planes for example as we saw. Locked cockpit doors and no single man at a time rules are good security measures to address that for example.
Cars are also easily weaponized - which is why we license drivers and probably should put some rules in place the prevent the sale of cars to non-license holders.
never intended to let non-land-owners have a vote in 1789
Which was entirely sensible at the time. Land ownership meant you had skin in the game your interests where the countries interests.
I don't think that land ownership is necessarily a good model for today but we absolutely should have some bar to enfranchisement beyond mere citizenship. I would suggest for example "net tax payers" at whatever level the election is at be given the vote.
So my take away here is that in about 10 years I am going to have to listen to my kids prattling on about how bigoted my wife and I are because we don't trust robots...
Yes well than real solution would be to let the mangroves etc move back it; If you get rid of the coastal golf courses, lawns, and artificial sandy beaches there will be no man-made fertilizers to deployed to run anywhere. As per usual this is just one typically left leaning group saying "your environmentally destructive practices are unacceptable but mine are perfectly alright because my intentions and feelings..and by the way you can't build that wind turbine in view of my house."
One could make the argument all those "collaborators" have enabled the expansion of the totalitarian regime to the point where your only-viable transport system now has this crap installed. Maybe had they resisted back when they should have we would not be here today.
This definition of voluntary has bothered me for a long time. We have explicit constitutional rights. I am not even talking about the ones courts like to imagine here. A pretty plain read says we have the right to assemble and we have the right be secure against unreasonable search.
I also thinks its abundantly clear the frames never intended that exercise of one right might require one waive another right. It kind of goes against the definition of right it self. In order to assemble one must be able to go to where the assembly is taking place. As it stands today in America there is essentially no means of transportation where you are subject to "voluntary" search. Even driving your own car you might be stopped at a "random" checkpoint and search. In many cities even walking you could be subjected to "stop and frisk."
When there are no remaining options and I believe we are at the point point search is no longer "voluntary" by any definition. Obviously some types of travel pose risks that demand security and I don't know what all the answers are but if the present situation continues to be viewed as meeting the legal standard - our Constitution might as well be toilet paper.
Where did I draw any moral equivalence. I am speaking from a purely human nature action - reaction perspective. My main point is just that nobody should be surprised.