Slashdot Mirror


User: owlstead

owlstead's activity in the archive.

Stories: 0
Comments: 3,436

Comments · 3,436

  1. Re:XMLHttpRequest security issues on Early AJAX Office Applications · · Score: 1

    Err, no sorry, getting information from the browser to the page you are visiting is difficult. Still, with a better security design you can still minimize the surface of "attack". History only for the same site, no access to cross site cookies etc. The sandbox may therefore still be of use. But that some information is leaked, yeah well.

    But the current problem is that way too much information is given. And a lot of that information (like the history) is simply not needed by the server side.

  2. Re:XMLHttpRequest security issues on Early AJAX Office Applications · · Score: 1

    If you don't want to let JavaScript do anything outside the page you should have it run inside a sandbox. Java VMs are equipped with technology for this. You put the JavaScript together with the document object model in a sandbox, enable some security settings and presto. Just let it never open things outside the browser/current site (or, at all).

    With a nice combination of SWT together with Apache HTTPClient, a HTML reader and a good renderer, JavaScript under Java and some other components it should not be that hard to build a good Java browser. Only the renderer is missing really, and (native) plugin support. Actually, the last thing would be the hardest part.

  3. Re:Why change browsers? on Firefox Momentum Slows · · Score: 1

    Aunt: My computer is broke.
    Me: Yes, you got IE/Outlook related spyware and viri.
    Aunt: So what's to do?
    Me: I'll help you reinstall, put a safer browser on it, and give you a gmail account.
    Aunt: OK.

    Good thing about infected computers is that they stop working as they used to after a while. My tech-savvy friends still use IE, but they never get infected and don't care. The ones that do get infected are much more likely to switch. They don't know the ins and outs anyway, and frankly, some would not even notice (except for the print icon that is suspiciously missing by default).

  4. Re:Version 1.5 on Firefox Momentum Slows · · Score: 1

    A lot of innovations are programmed as Plugins for firefox. Although this is great, there should be a distribution (like in linux systems) with a default set of *compatible* Plugins. Currently it is very hard for most users to get a rich feature set for firefox. And even if they do, they run a very big risk of losing functionality (and getting mindless popups about incompatible plugins on startup in the beta versions) if/when they upgrade the browser. Maybe they can ship it with a welcome page listing the major features of their new browser and letting them choose to enable/disable the Plugins (default "off" of course).

    And for crying out loud, create a list of trusted sites that can do anything. Yes, my bank is allowed to create pop-ups, run scripts, load images from their unsecure server and whatnot. Now I have to configure that at about 10 different places. Think how users think, then design, then implement.

  5. Re:Titanic Struggle on Giant Squid Caught on Film · · Score: 1

    Holy shit, the article has already got the picture inserted in it. Try to get that happening with a commercial encyclopedia :)

    Encyclopedia-'r'-us

  6. Re:A quick test on Electrical Shielding for the Homeowner? · · Score: 2, Funny

    "...or whether N. Korea gets The Bomb."

    Yeah, I worry about that too. Let's hope that Bush jr has just enough brain cells not to drop it on North Korea.

  7. Re:J2ME (soon to have J22K then J2XP? ) on Nokia to Become Involved in Eclipse Development · · Score: 2, Interesting

    Eclipse runs fine on computers below 1 GHz *if* you give it enough memory to use. Eclipse is a parsing IDE (it parses everything you type) with many other advanced features (many more over .NET beta, which is only touching the surface of parsing editors). This is something entirely different than a simple spelling checker. Only the VE is a bit of a memory/CPU hog, but if you see how it works, this should not come as a surprise.

    Anyway, as a developer I urge you to use a more recent computer system. Advanced IDEs tend to use a lot of processing power. Use that old machine for testing your own applications, to make sure they run smoothly on other people's machines.

    Squiggles under spelling mistakes...Grrr....

  8. Re:CTRL-H Defined on The Quintessential Sentry Gun · · Score: 1

    Yeah, now the question remains what a vtester is exactly.

  9. Re:But... on Practical Exploits of Broken MD5 Algorithm · · Score: 1

    "MD5 is a 160-bit algorithm, not 32....I have read a lot of Bruce Schneier's writings"

    Obviously you haven't read enough :) SHA-1 is a 160-bit hash, MD5 is a 128-bit hash.

  10. Re:Premature announcement ? on Firefox 1.0.7 Released · · Score: 1

    Just after 1.1 gets fixed, since for now it is a bit crappy (yes, I know it is beta). I've experienced some hangups, sometimes the back key suddenly doesn't work. Plugins are hard to enable (flash) and hard to get rid of. Besides all that, it is questionable if the new features are enough for a +0.1 update.

    So I'm glad that there is an additional +0.0.1 update, even if it is not yet updated automatically. Firefox is one of the nicest browsers out there, but there is still a bit of a way to go for a +0.1 release.

  11. Re:is MD4/5 really encryption ? on Microsoft Drops Aging Encryption Schemes · · Score: 1

    Currently signatures that are placed by a trusted party are quite safe. What can be done with MD5 is generating two messages with more or less any data. You can extend those messages and generate the same hash over both messages. Now you could sign both hashes, and you can e.g. replace one piece of code by another. It's pretty easy to make code do something completely different, even though you have the same hash. So MD5 should not be used for code signing.

    I created a small shell script and a script like it with the same hash. They both did something different, but unfortunately the hacked script didn't run because of a bad character at the end of the script (still, running and not running with the same MD5 hash is already something).

  12. Re:first time? on Open Source Code Finds Way into Microsoft Release · · Score: 1

    No, you don't understand. The fact that the hosts file is in an /etc/ folder is *purely* coincidence.

    Of course there is O/S code in TCP/IP. They didn't want that internet thingy in the first place, and then they came to the very late conclusion that they were losing that particular war.

    In "hasta la vista", they will have a new TCP/IP stack it's rumoured. Which is a good thing since it will have hooks for various programs (read: virus scanners and firewalls). Which is a heck of a lot better than the stupid hacks they are using now.

    Anyway, this is what I managed to pick up in my spare time.

  13. Re:AES & SHA256 are young on Microsoft Drops Aging Encryption Schemes · · Score: 1

    Yes, we have. AES has not so many rounds, and this is a theoretical weakness. A *very* theoretical weakness indeed. Please read "Practical Cryptography" by Bruce Schneier for more details. There are a few other very strong ciphers mentioned there as well.

    The existence of weak keys as well as the small block size makes your "only weakness" argument -er- *WRONG* as well. Besides that, DES is pretty slow compared to AES and most other modern block ciphers.

    The only reason to use 3DES is backwards compatibility. This is a pretty strong argument though, but for new or flexible protocols (like SSL as used in HTTPS), one *SHOULD* use one of AES-128/SHA-256/RSA-2048/EC-160 as minimum.

  14. Re:Doh ... on Microsoft Drops Aging Encryption Schemes · · Score: 1

    "120xDES and AES implemented"

    Why would you want to implement DES 120 times? Or were you planning to do 120 encipherments with 2 or 3 keys? Or with 120 separate (different) keys?

    Maybe you are referring to triple DES, 2 key encipherment in EDE mode? That's 112 bits mind you, not 120 (128 bits, every least significant bit a parity bit over the higher bits in a byte -> 128 - 16 = 112).

  15. Re:is MD4/5 really encryption ? on Microsoft Drops Aging Encryption Schemes · · Score: 2, Insightful

    The parent had things completely right for RSA. You are trying to put things out of context.

    You would not use RSA & private key encryption for message authenticity. But that's something different.

    Besides that, almost any cryptographic algorithm depends on a specific scheme or protocol (padding/hashing etc) to protect against cryptanalysis. Nowhere is it said that the parent of your post was referring to "plain-vanilla" RSA either. That's like saying that if you talk about AES, you are being foolish, since you have to use CBC instead of ECB to be secure. Yeah, well, duh!

  16. Re:is MD4/5 really encryption ? on Microsoft Drops Aging Encryption Schemes · · Score: 1

    You could use hashing for encryption. Just create a starting value which you call the key. Then hash this key. Hash the hash of the key. Hash the hash of the hash of the key. Concatenate all the hashes and xor with the data you wish to encrypt. You have now invented the slowest stream cipher in history. Enjoy :).
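The scheme this comment describes, as an added example that is not part of the original comment: SHA-256 stands in for the hash, and `keyed_keystream`, the key, the header and the body are constructed for illustration. It also shows why chaining bare hashes is weak: each keystream block is the hash of the previous one, so one known plaintext block yields every later block without the key, which the HMAC counter variant prevents.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().digest_size  # 32 bytes; SHA-256 is this example's choice

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def chain_keystream(key: bytes, length: int) -> bytes:
    """The comment's scheme: H(key) || H(H(key)) || ... cut to `length`."""
    out, state = bytearray(), key
    while len(out) < length:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:length])

def keyed_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Variant (not from the comment): block i = HMAC(key, nonce || i)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def crypt(data: bytes, stream: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return xor(data, stream)

def extend_from_known_block(ciphertext: bytes, known_first_block: bytes) -> bytes:
    """Keyless check: treat C[0] xor P[0] as chain state and hash it forward."""
    state = xor(ciphertext[:BLOCK], known_first_block)
    tail = bytearray()
    for off in range(BLOCK, len(ciphertext), BLOCK):
        state = hashlib.sha256(state).digest()
        tail += xor(ciphertext[off:off + BLOCK], state)
    return bytes(tail)

# Constructed sample: a predictable 32-byte header followed by a secret body.
KEY = b"constructed demo key"
HEADER = b"GET /account HTTP/1.1\r\n".ljust(BLOCK, b" ")
BODY = b"session=constructed-secret-value; path=/"
MESSAGE = HEADER + BODY

def demo() -> tuple:
    """Returns (body readable without key: chain scheme, same: keyed scheme)."""
    weak = crypt(MESSAGE, chain_keystream(KEY, len(MESSAGE)))
    keyed = crypt(MESSAGE, keyed_keystream(KEY, b"nonce-01", len(MESSAGE)))
    return (extend_from_known_block(weak, HEADER) == BODY,
            extend_from_known_block(keyed, HEADER) == BODY)
```

Neither variant authenticates the ciphertext, and either keystream must never be reused for a second message.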

  17. Re:is MD4/5 really encryption ? on Microsoft Drops Aging Encryption Schemes · · Score: 1

    That's about signing things really. Certificates are signed by computing a hash over the certificate. This hash is then encrypted with the private key of the signer, which results in the signature in the certificate.

    The receiving party can validate the certificate by hashing the certificate just like the sending party did. If the receiving party then decrypts the signature with the public key he gets the hash as calculated by the sender. He can now validate the certificate by binary comparing the hashes.

    The reason why the hash is used here is that it is very time-consuming to encrypt the whole certificate.

  18. Re:XML Config on IIS 7.0 Learns a Few Tricks from Apache · · Score: 1

    XML is also good for converting a config file to a new format without (too much) coding.

    Anyway, you don't have to edit XML by hand. It's easy to do so if it's formatted towards a user, but I assume there are better ways. And the best thing; once you are familiar with XML, you know the syntax (not the semantics, but at least the syntax) of all the other XML configuration files out there. Especially if they adhere to the schema standards for formatting data values.

    I loved editing my channels for the (linux) tvtime application. That was really a place where XML was a time saver.

  19. Other (deeper) annoyances on IE UI Designer On His Switch To FireFox · · Score: 2, Interesting

    For a GUI guy, he's complaining on some issues that are very apparent, while there are others that are at least as questionable.
    - no customization (with keys/menus including some saved defaults) - should be part of the widget toolkit really
    - no site centered options (I like to trust my bank site for opening popups, images from other (media) sites, certificates etc)
    - close tab is featured at the bottom of the drop down list (I don't like clicking the wheel, and most users would not find it anyway)
    - the find bar is *totally* useless, it's on the spot where my mouse never is, it's small and just typing a search term on the URL bar and clicking "find" would be twenty times easier
    - the close tab button is somewhere where it should not be
    - it's pretty hard to take away mime types assigned to certain programs like quicktime (whose interface/plugin I hate with a vengeance)
    - a search feature for options would be nice

    I also would like a (separate) version of firefox for using my bank sites etc. No caching, no saving of history, no sharing of data, no XUL scripts etc. That would really be something to put your trust in.

    All this said, I really prefer the GUI of firefox to IE (or most other browsers). It's pretty, you can change the looks and it's really uncluttered. I hate almost every new GUI feature that Microsoft has brought the last years (since windows 2k really).

  20. Re:Firefox search box on IE UI Designer On His Switch To FireFox · · Score: 1

    Somehow (semi-modal) dialog boxes always jump in front of the text I am looking for. This can be fixed, but then the dialog boxes jump around (which is maybe even more annoying - see MS word). Especially hateful are the modal dialog boxes that jump into view, and make it impossible to read or copy the text one page up/down on the page.

    Actually, most of the time modal dialog boxes should not be used at all. This is especially the case with JavaScript errors and the like (it's easy to get those to loop infinitely as well, creating a GUI DoS attack). This is especially annoying on Windows, where the xkill command is unheard of (let's do the process guess game instead, brilliant).

  21. Re:Mod Parent +100 :) on NASA Plan to Return to the Moon · · Score: 1

    Why is this rambling modded insightful?

    "... We need to focus on the big ones like energy, somehow eradicating the memes that make people vote for monsters or fly planes into buildings and getting the educational system out of the hands of the ideologues ..."

    Maybe we can blame this on the educational system as well?

  22. Re:Katrina kills this, I predict on NASA Plan to Return to the Moon · · Score: 1

    Yeah, but what about using that much money to find a renewable energy source instead? Solve the AIDS problem? These are technical challenges as well, and they will probably reap the same benefits (side-technology).

    It's ok to put a lot of money in a technical project, but it does not mean that NASA needs to be that technical project.

  23. Re:Buzzkill on Perl Best Practices · · Score: 1

    Yeah, and this makes for many scripts with different kind of make up, making all of them hard to read. Even as a computer programmer who knows C++, Java, a bit of PHP, XML, HTML, AWK, JavaScript etc. Perl scripts are a pretty hard read, normally I give up after a few sentences.

    You may be able to write readable code, almost no-one actually does.

  24. Holy Grail on Why Does Current Clustering Require Recoding? · · Score: 3, Insightful

    This will be a bit difficult to explain fully. The other posts have already lightly touched the problems involved (especially latency). But you are talking about the holy grail of parallel computing here; seeing one system while it is running all over the place. My best advice for you is to get a good book on parallel systems and get educated. This is something like asking a doctor why there are still diseases.

  25. Re:Call me when on Samsung Develops 16Gb Flash Memory · · Score: 1

    You can get RAM drives for Windows as well, although most will get you start paying beyond 64 MB. Which is peanuts on a 1 GB computer (which most slashdotters use in all probability).

    I use it mainly for testing speed while still having a program create a log file. Note to self: rewrite sentence :)