"Why is this modded funny? Apparently someone's forgotten that IE6 was released in August 2001; it's taken just over eight years for its market share to be superseded by another browser, and it's still firmly entrenched in some corporate environments."
Yeah, well, I even saw a Java development environment that was fully dependent on IE6 and ActiveX. You only need a single PHB that is wowed by the web graphics and all your developers are f*cked for years (I'm wondering which software they use now, although people investing in that should go bust). But that does not mean other software hasn't moved on.
Someone please mark this funny...
Not unencrypted, just unauthenticated. The attacker will do the initial connection in which the client is not yet authenticated. Any data sent at that time should not be trusted to come from the client, including any GET requests. This is a problem when the page is in a protected domain *and* the first page is accepting information from e.g. a GET request to fill in forms and such. Then the response will be encrypted for the authenticated user only, but the attacker still could inject information to the server.
This also goes for other protocols that use the same mechanism (accepting yet unauthenticated information) and also works when key-renegotiation takes place.
There are three ways to fix this: 1) servers should not treat the initial request information as authenticated, 2) servers should not do renegotiation and 3) fix the TLS protocol so that the initial request *can* be trusted. The last one would be the best option, but fixing a protocol takes time.
Hope that explains it.
I think this blog site explains best:
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
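The comment above states the problem in terms of what a server does with bytes that arrived before the client authenticated. As an added example (not from the comment or from the linked blog post), the Python model below replays that scenario under the three options the comment lists: keep the pre-authentication buffer and attribute it to the client (the vulnerable behaviour), discard it at renegotiation (option 1), or refuse renegotiation (option 2). There is no real TLS here; the identity "alice", the request texts and the policy names are constructed for the example.

```python
"""Constructed model of the server-side bookkeeping around TLS renegotiation.

Nothing here performs TLS. The only question modelled is: which bytes does
the server attribute to the identity established during renegotiation?
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policies (constructed names for this example).
TRUST_BUFFER = "trust-buffer"                  # vulnerable: pre-auth bytes are kept and later attributed to the client
DISCARD_BUFFER = "discard-buffer"              # fix 1 from the comment: pre-auth bytes are never treated as authenticated
REFUSE_RENEGOTIATION = "refuse-renegotiation"  # fix 2 from the comment: the server does not renegotiate at all


class RenegotiationRefused(Exception):
    pass


@dataclass
class Connection:
    identity: Optional[str] = None  # who the TLS layer says the peer is; None = not authenticated
    buffer: bytes = b""             # bytes received but not yet handed to the application


def parse_request_lines(data: bytes) -> List[str]:
    """Toy HTTP splitter: one request per blank-line-terminated block; return the
    request lines. Real parsers do far more, but the identity question is the same."""
    lines = []
    for block in data.split(b"\r\n\r\n"):
        if block.strip():
            lines.append(block.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return lines


def receive(conn: Connection, data: bytes) -> None:
    """Bytes arrive from the record layer, whether or not the peer is authenticated."""
    conn.buffer += data


def renegotiate(conn: Connection, identity: str, policy: str) -> None:
    """The client authenticates (e.g. presents a certificate) during renegotiation."""
    if policy == REFUSE_RENEGOTIATION:
        raise RenegotiationRefused("server does not renegotiate")
    if policy == DISCARD_BUFFER and conn.identity is None:
        # Whatever arrived while unauthenticated cannot be attributed to `identity`.
        conn.buffer = b""
    conn.identity = identity


def dispatch(conn: Connection) -> List[Tuple[Optional[str], str]]:
    """What the application layer acts on: (identity, request line) pairs."""
    requests = [(conn.identity, line) for line in parse_request_lines(conn.buffer)]
    conn.buffer = b""
    return requests


def simulate(policy: str) -> List[Tuple[Optional[str], str]]:
    """Replay the scenario from the comment under one policy and return what
    the application layer would see."""
    conn = Connection()
    # Constructed: a request that reached the server on the still-unauthenticated session.
    receive(conn, b"GET /settings?email=someone@example.invalid HTTP/1.1\r\nHost: app.example\r\n\r\n")
    try:
        renegotiate(conn, "alice", policy)
    except RenegotiationRefused:
        # No renegotiation: the buffered request is handled, but as nobody in particular.
        return dispatch(conn)
    # Constructed: what the now-authenticated client actually sends.
    receive(conn, b"GET /settings HTTP/1.1\r\nHost: app.example\r\n\r\n")
    return dispatch(conn)


if __name__ == "__main__":
    for policy in (TRUST_BUFFER, DISCARD_BUFFER, REFUSE_RENEGOTIATION):
        print(policy, "->", simulate(policy))
```

Running it shows the difference in one line per policy: under `trust-buffer` both request lines come back tagged "alice", including the one that was received before anyone had authenticated; under `discard-buffer` only the client's own request does; under `refuse-renegotiation` the early request is still served, but with `None` as the identity, so a protected handler would reject it.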
Apple's market has been Apple hardware and software only for as long as I have known it. Sure, there are software applications and services that got so popular that even Apple caved in on this principle (e.g. their movie player and multimedia applications). There were some licensed manufacturers of Apple hardware as well, but even that did not please Apple.
And after having literally tens to hundreds of issues with Linux on PC hardware one can see why. Currently my Lenovo SL300 laptop does not play nice with the screen settings because somewhere the hardware/firmware does not keep to specs. It's one of those hundreds of PITAs that you will get when you couple "generic" hardware with an unsuspecting OS.
Apple selling OSX to non-Apple hardware? They will go bust if they go that path now. If only because current consumer PCs have been tested for one OS family only.
That's weird, because any time I cut anything around a page border, a table or more or less any other break in the page, everything gets screwed up. I won't even go into what happens when there is a watermark on the page. And with screwed up, I mean screwed up. Missing parts of text, text in wrong order, you name it. That and it crashes every so often, it doesn't live through power saving state on my computer, to name something. I won't go into the way it handles tabs, or form input or search or pop ups because we could be discussing their crapware for hours on end.
"Further, the recent PDF specifications add DRM which shouldn't be allowed in government publications. If the govt agrees to use a PDF version that open source software can completely read, parse, and convert, then it is fine PROVIDED the raw data is available in open formats too."
No, it's not fine because, as others have pointed out, PDF is mainly used for formatting documents. It's doing a pretty adequate job on that as well, and you can use third party software that can actually display it without the drawbacks of the *HORRIBLE* Adobe software. But that does not make it a good mechanism for storing information that can be indexed in any useful way (except simply parsing the text). Hell, you can't even /select/ text normally using most PDF readers.
The error was something that should have been caught by the system designers. I'm in no doubt that the Patriot system is a large project, and the designers could have been more careful - even taken the limited initial target.
Computer scientists are required when creating a floating point API. Computer Scientists are those whom this article was for.
The developers (programming is only a part of a development process) are those who should have used the API created by the Computer Scientists, using the specs created by the designers.
In extreme cases one person can do multiple roles of course, but for larger projects it might be inadvisable; you'll need persons that are professionals in their particular field.
That said, my role has been designer/developer for 8 years, and I agree that I'm severely underpaid.
"and yet, they are ever so easy to hack from inside the room."
Yes, but I would not expect for instance your neighbour to have easy access to the drawer inside a room.
"You are dramatically more secure using a dictionary word password of less than ten characters, without mixed case, numbers or special characters than using a long and complex password that you have to write down somewhere to remember."
Are you nuts? These are passwords that can be cracked online! Anyone with access to the signal can happily try a dictionary attack!
"The people who are most likely to try to break into your internet are people you know and especially people you live and/or work with."
If you are afraid they get into your room or drawer, then you can use something like a lock (or your door, drawer or in my case, both) or a burglary alarm. As someone else noted, your internet connection is probably not the first thing they'll target if they have malicious intent.
"As a security professional you may encounter people being attacked by wardrivers and dictionary attacks all the time but as an individual you are probably more likely to be struck by lightning than have someone more sophisticated than your average random idiot looking for an open wifi link to check his email try to get in."
I don't know about that. Most people hacking into WiFi are likely people looking for an internet connection to abuse. Wardrivers and dictionary attacks are certainly not limited to specific systems.
"As a freelance network technician I've encountered ONE count them, ONE server running any operating system that has actually been deliberately hacked in ten years on the job. Despite having proof on the box my co-workers were skeptical because despite each having between 20 and 40 years of experience administering small business systems none of them had ever seen a hacked box."
And you are actively looking for WiFi connections that have been broken into? How? Are you looking at the authentication logs of the routers? Really?
"That of course doesn't count worms, spyware, virus, and other automated attacks; open relays; or the kids/underling employees figuring out how to get around the proxy server."
All of which defeat the security measures taken by the author that I was replying to. Putting things in a text file on the computer is infinitely less secure than putting it in a (locked) drawer.
I'm afraid that you have lost the perspective yourself. Storing a password on a piece of paper put away somewhere in the house is infinitely more secure than putting it in plain text on a computer, choosing a bad password, choosing the wrong protocol or letting your neighbours near your WiFi router, choosing the wrong brand of router (do you need more?).
They should of course have used Swiss-built computers instead.
You are of course correct. "performing calculations" and "pointing in the wrong direction" would be more to the point. That said, I don't think "we" are the problem here, you are preaching to the wrong church. You'd better contact the author of the article instead.
If you go this way, use a library that implements fixed point arithmetic. This way you can always see what actual type the variable represents and - in many languages - it can prevent overflows. For Java, you could for instance use BigDecimal. Only if such a class is too resource intensive could you switch to a normal integer, but in that case make sure that the name of the variable is well chosen and document its use everywhere.
Can you feel the bugs appearing already?
Never mind that - I was a university student 9 years ago. But can you imagine having goodmanj as a physics teacher, "spend the entire lecture correcting minor mistakes by erasing with the heel of my hand, changing variable notations, and editing diagrams and drawings halfway through working a problem".
Gosh, I can already imagine the fun.
"Why? Antivirus programs serve a very similar function and yet they are under attack all the time."
And still all those firms keep installing those antivirus programs. And I doubt that is because it makes the computer less safe now, does it?
Somehow you come across as (quite) a bit of a show-off. Show-offs are not good teachers.
I always made notes while in class. Not because I wanted to write down everything, but to write down what I found important or taxing. Writing things down makes you remember things better. You can also write things down your way and not in the way the teacher writes things down, with side notes and all.
Personally, forbidding students to write things down is downright patronizing. Students will create their own personal method of studying and it does not help if they are dictated in each and every class on how to do things. I'm also afraid that if you don't keep a good tab on your students, only the good ones will benefit with your approach.
I must admit though that for maths you might very well be right. Writing down the equations is a waste of time if they are already jotted down, and writing down only part of the equation makes not so much sense in most cases. The chance of errors is also larger.
If you don't let people write things down you MUST supply them with a copy of the material, making sure that you include each and every step. If possible you should show this to a novice student before distributing to make sure that you include things that are obvious to you, but may not be so obvious to others. Adding a page with some things discussed in class would also help.
Because Clearview was created by a bunch of people that know what they are doing. Because Clearview is likely to be a much smaller target than the monitored software packages. Because Clearview is not directly connected to the web. Because Clearview may not even be easily detectable.
20 characters? That's an entropy of 244 bits if it is completely random (using /only/ upper- and lower case characters). That's a bit much for a complex password like the one mentioned. If the password consists of much easier to guess characters, then 20 characters is probably on the low side. I can understand such a recommendation from some point of view (we'll at least let them choose a long passphrase), but I think it is a bit over the top for well chosen passwords...
And I would recommend writing down the password and putting it in a drawer. Chances are that you only need to type it in after your system went fubar, and if that happens, you may have lost your password. Drawers are also very difficult to hack from the internet.
"If this market is to mature they need a company to step in with the emphasis on quality."
Funny, most people would think that company could be Intel. I would be very surprised if this issue was in any way expected by Intel. There were a few articles on the thorough testing performed on the G1 (firmware). With the G2 Intel seems to have lost some of that.
Paranoid much? There may be companies out there that haven't got a lot to lose and can play that testing game. Intel is certainly not one of them. Anyway, SSDs have been on the market quite a while, although market penetration was always low. And do you think that OS support for TRIM would be there if we had to wait for another year?
Anyway, let's wait and see what causes the (alleged) problems and we'll know what to think of it. It's a bit early to put this to corporate greed. These are complex products.
New movie coming to a cinema near you: "Wok the Dog".
Come to think of it, that may be a very small population. For some reason I don't think the Prius is a car that would be liked by dog owners. I've certainly never seen a dog in a Prius.
Then again, if you've got more than 5 defective pixels, you can return the screen. Ugh, can't believe I just typed that.
Or for some reason have a defective firmware, like I have on my Intel G2 SSD. Of course, that was maybe to be expected for any early adopter. Be aware though that this is a rather new technology. Some things are still developing like TRIM support and fast(er) writes.
Even in a democracy people have limited power over what a government actually does. Because of lack of information, lack of influence in decisions after they are made. Hell, we can't even keep them to the promises they made during election time. And of course we can't predict the future either, so if there is some scandal then we can't turn back our vote.
The only thing we can do is demonstrate for important issues and vote when the time comes, for the party/person which matches our ideas best. Even then important decisions will still be made regardless of the party in power because of pressure from lobbyists and such.
Blaming everybody for each decision made by (somebody in) a government is just plain ignorant. One of the most distinguishing things I find important in politicians is whether they can explain their ideals and put them at work while still handling the complexities of everyday life.
It's also very easy to use this to distinguish between "real" politicians and populists - populists always dumb down the world to a level that their (would-be) followers are comfortable with, instead of attacking the complexities.