Slashdot Mirror


User: SanityInAnarchy

SanityInAnarchy's activity in the archive.

Stories
0
Comments
12,413
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,413

  1. Motive doesn't matter. on Best Buy Confirms 'Secret' Version of its Website · · Score: 4, Insightful

    Honesty is honesty.

    Reminds me of that movie, Miracle on 24th street (I think), where Santa -- the real Santa -- is employed as a Mall Santa. He sits in the mall, and kids come up and tell him what they want, and the management has given him a list of all the Macey's products that he's supposed to be pushing on the parents -- which he then ignores, and tells the parents where to find exactly what the kid wants, at the best price in town.

    At first, the managers are enraged, but then they realize that they've just built up a shitload of customer loyalty. Moms are walking out with bags and bags of stuff, just because they love Macey's so much for having such a great Santa.

    Now, of course, the Managers have the ulterior motive here, and Santa is pure. But does it really matter whether Santa is pure or not?

    In fact, I honestly don't give a damn what's going through the salesman's head. If it actually does mean I'm getting a better deal, and if they consistently try to build brand loyalty in a way which actually benefits me, I win, whether it's out of the goodness of their hearts or because they're planning to rip me off sometime down the road.

  2. Could have been much worse! on Astronaut Has 'Wasabi Spill' in Space · · Score: 3, Funny

    Think about sex in space. Zero gravity sex could be an amazing thing, I imagine, but the cleanup...

    I mean, you could conceivably keep it clean -- swallow it all, I'm sure you can fill in the blanks. Or, someone could get stupid and try to bukakke...

  3. Isn't that a job for the app? on Wordpress 2.1.1 Release Compromised by Cracker · · Score: 1

    Have a really simple index.php, which can then verify the source of the rest of the app (include files, etc)?

    But really, I don't think this accomplishes a hell of a lot. It wouldn't help you know which ones haven't been updated, for one thing...

  4. Worse than XP (for now) on Is Vista a Trap? · · Score: 4, Insightful

    Remember, Microsoft said exactly the same thing about XP and 2000 that they do about Vista, and that they have about every single version of Windows except pehaps 1.0: "Faster, more secure, more personalized, better than ever before!"

    And we say exactly the same thing we've always said: "Bloated, incompatible, too invasive, look at that WGA!" XP has the same privacy issues, 2000 had worse (if possible) compatibility issues.

    But around SP1 or SP2, XP became livable, arguably better than 2000. And probably around SP1, 2000 became stable enough, and was obviously a HUGE upgrade compared to 98 -- so huge that if they hadn't done it when they did, Linux probably would've taken over.

    So, we're going to have the same thing happen here. I predict that in roughly 2 years, around SP1 or SP2, Vista will actually be better than XP. But it isn't yet -- too much stuff isn't compatible, and the "beta" was a laugh; if you buy it now, you are their gamma testers.

    Smart people stick with XP, and let the rest of the world test and debug Vista for us.

    Me? I'll keep dual-booting XP and Linux (Ubuntu here, Gentoo at home).

  5. Informative? on Worm Exploiting Solaris Telnetd Vulnerability · · Score: 1

    What kind of mod is that?... ...Mom, is that you?

  6. Re:I think we did this first... MOD THIS DOWN on Secure Private Key Storage for UNIX? · · Score: 1

    You're right, there needs to be a "-1 Wrong" mod for just this kind of stupidity.

    I apologize.

  7. Re:Proof in the pudding on MacBook Wi-Fi Hijack Details Finally Released · · Score: 1

    I await the promised publishing of the email exchanges with Apple on his blog.

    Not happening. From TFA:

    For legal reasons, Maynor said he could not share e-mails sent from his SecureWorks address.

    In any case, I can say that Apple throws NDAs on every email they send from their bug reporting service. I don't know if it'd hold up in court, but it does make me nervous about even posting the stupid, annoying little bugs that I've reported to Apple... and it is one of the reasons why my next laptop will not be a MacBook.

  8. Re:Computer Security on Worm Exploiting Solaris Telnetd Vulnerability · · Score: 2, Interesting

    It's such a joke that every one claims to be more secure then the next guy. But really they mean if you turn everything off and patch your system every day.

    Which is the default, these days.

    That's what a 0 day exploit means. You have to patch every day or you could be at risk.

    No, a 0 day exploit means even if you patch every day, you're still at risk. But you know what? You're at risk every day simply by being alive. You could be hit by a meteor the next second! Oh noes!

    Grow up and stop fearmongering. There's plenty of real security threats without saying "Everyone's insecure!"

    Having a patch isn't even that great of a deal. The patch usually provides the problem and then it's off to the races.

    I'm sorry, what? The patch provides the problem... I think I know what you mean, but this just makes you sound like an idiot. The patch fixes the problem. It may provide new problems, but it fixes the ones it's meant to fix.

    How long to patch X number of systems versus how long to write an exploit. Even if you are 1% of the market, it's a losing race for the patchers.

    How do you figure? Got any numbers to show me, or is this just blind speculation?

    Here's a hint: If you've got an open source system, someone who finds an exploit is much more likely to send in a patch than to release said exploit into the wild. I know that's the case with me -- given the choice between patching Linux and exploiting Linux, I'll patch it. Given the choice between waiting six months for MS to patch something and exploiting it myself, I'll exploit it. And if you've got everyone's system updating every day, then it truly does become a losing race for someone to find the patch, develop an exploit, and begin using it before my system automatically patches itself.

    Then there are all of the poor orphaned systems out there that don't have any one to maintain them. Who will patch these poor unfortunates?

    Who relies on these poor unfortunates? Not anyone who cares about security. I mean, yeah, if you're running Win98, you're better off leaving the thing unplugged, but...

    The only time a computer is secure these days is when the network cable is unplugged and/or the on/off switch is off.

    I hate hearing this. Not only is it simply wrong (I can still pick the computer up and carry it off), but it's often used as some sort of excuse for computer security being as bad as it is.

    I think Linux and the BSDs are pretty secure. I'm still annoyed at how frequently exploits are found.

    But notice how you took two examples: A zero-day exploit, and old, unmaintained systems. Everything else you mentioned is basically saying the sky is falling because no one is secure, and therefore we can't say anyone is more secure than anyone else? How twisted is that?

    Obviously, if I post my root password and IP address here, I AM less secure than everyone else. So, obviously, there are degrees of security.

    And maybe everyone does become vulnerable at some point. It doesn't mean we're all doomed -- security is entirely based on economics. You're not 0wned unless it's worth it for you to be, and it's just not worth it if I'm running a custom-compiled Linux kernel and Gentoo system, all kinds of stuff tweaked by hand, and no particular reason they'd want me except CPU cycles and bandwidth. As long as there's dozens of Windows boxes they can 0wn automatically, they aren't going to get me.

    Still, if you're so convinced the exploiters will always beat the patchers, go ahead and try. Crack my box, and leave me an email from myself explaining the situation. Until then, I'll reamin convinced you know nothing about security except that old "Nobody's secure" bullshit.

  9. What proverb is that? on Worm Exploiting Solaris Telnetd Vulnerability · · Score: 2, Informative

    proverbial rocket up the backside.

    I'm pretty sure I never heard my mother say, "Son, if you ever expose a Telnet port to the Internet, I'll fire a rocket up your ass!"

  10. Re:Problems with that: on Blizzard Exposes Detailed WoW Character Data · · Score: 2, Interesting

    I hear you.

    I play a small MMO called Nexus TK -- 2D, nice community, and in-game bulletin boards. Every now and then I post on the boards attempting to clear this up, mostly because I feel the GMs and such who post to the board can do more harm than good with their suggestions.

    Essentially, their suggestions are to be paranoid in every way imaginable. Have anti-virus software, firewalls, etc, and don't follow any links anyone gives you, or download any files, at all, the end. So, I suggest that anti-virus is a good idea, but not really necessary if you stay up-to-date, and do follow links, download files, etc, as long as you're not stupid about it (don't use Internet Explorer, don't download and run EXEs, etc)...

    The message other members of the community post is "It's your fault if you get hacked." I have to correct them on that one; the game forces passwords to be 6-8 chars, and it seems to me that many passwords could be brute-forced or dictionary-attacked, and for all I know, they could be sniffed off the wire. So, I say "It's probably your fault, but then again, maybe someone hit you with a MITM attack, etc etc."

    Because the funny thing is, they tell you not to download files, but you do have to download the game as one big EXE.

    So, it would help if people had a good understanding of "hacking" and cracking. In fact, the game has a nice mechanism for educating people, which I do wish was updated every once in awhile -- when entering your guild hall (a place to get minor quests and spells, or choose a path), you get a window popup which tells you to take the Wisdom Test. If you do, it won't bug you for another two weeks. The Wisdom Test is sadly inaccurate and outdated, but it does help with some stupidity -- for instance, "Will buying a cable modem eliminate lag? True or false..."

  11. Easy gold farming, then? on Blizzard Exposes Detailed WoW Character Data · · Score: 1

    It still gives you the "butterfly effect" problem once that money is used, if it's any significant amount. It still means they have a choice: Either artificially inflate the economy, and risk directly funding a scam (you get "hacked", sell/destroy all your stuff, then have Blizzard give it back), or cause a fairly large disruption as they shift all kinds of cash and items around, trying to undo the effect on the economy (which may well have spread throughout the entire system).

    And there's still the problem of how this is usually your own fault that you got "hacked" in the first place.

  12. Re:I think we did this first... on Secure Private Key Storage for UNIX? · · Score: 1

    Aha. Then libssl, which seems to be used by everything but gpg.

    It does seem I was entirely wrong about "attaching" to a running process. Fortunately for me, it doesn't actually affect me, as I don't use passphrases much. If you have physical access, or if you have my local user account, you've 0wned me already.

  13. I think we did this first... on Secure Private Key Storage for UNIX? · · Score: 2, Insightful

    ... but what's magical about the "OS level"? According to Microsoft, Internet Explorer is part of the OS, so anything they say about "OS level" is really irrelevant.

    Offline, it's encrypted by a combination of the user's password and a session key stored on the filesystem.

    We've been mounting home directories on encrypted filesystems for decades, so that's one way to do this. OS X has this built in and very easy to enable.

    When the OS is running, the private keys stored are available to the logged in user, optionally encrypted with another password.

    Which is pretty much how we do this already; just read the file. If the user had a passphrase, use that to decrypt it.

    The keys are stored in protected memory, so no applications can access them without going through the Microsoft CAPI calls.

    Well, on Unix, no application can access any other application's memory, period. End of story.

    There are ways around this -- you could do tricks with kernel memory, or you could read it off the swapfile. However, I believe there is a way to request that a specific chunk of memory never be swapped out, and while it's in RAM, if your kernel's safe, your app is safe. And it's always possible to run without swap, or encrypt your swap.

    On Windows, I believe you can "attach" to a running process with a debugger. On Unix, if you want to debug, you have to start the app in a debugger, because once it's running, the app's memory is its own. Only way you can "attach" then is if the app specifically has a way to do that -- for instance, browser plugins are essentially an app deliberately loading code from somewhere else into itself and running it. But if an app doesn't go out of its way to let you in, you aren't getting in, and if your kernel is owned, so are you, even on Windows.

    MacOS's key-chain functionality is similar, but stores at the application level, and is not FIPS compliant.

    What does FIPS compliance mean?

    And once again, "application level" is a pointless distinction. Yes, there are mechanisms for storing keys at the kernel level, but in my mind, that's less secure because it's much more complex for no good reason.

    An implementation of the protected store functionality will allow applications like Firefox, Thunderbird and gpg to have one common place to obtain private keys and certificates rather than maintaining their own individual key-stores.

    So have them all use libgpg or something. But what is the advantage?

    In Thunderbird, I have a PGP key that I sign my mail with, and I have a password that I use to connect to the server. In Firefox, I have an entirely different set of passwords, and the public keys to some Certificate Authorities. Firefox needs none of the Thunderbird keys/passwords, and vice versa. On the commandline, I have an ssh key, which I use to shell in to other boxes -- which is a key that I don't use in Firefox or Thunderbird.

    What's the advantage of putting these all in the same app? And what's the advantage of that app being "OS level"?

    Ultimately, the only advantage I see is with something like OpenID. It'd be nice if I could use the same keys I use with ssh to gain access to my OpenID server. Unfortunately, I haven't managed to get my hands on a working server implementation of OpenID, so that's moot.

  14. Re:Not Anymore... on Blizzard Exposes Detailed WoW Character Data · · Score: 1

    I'm not sure if it's as slow as you say it is... didn't seem too horrible on my box. But the AJAX is definitely a smart move here, when loading a character page. Most of the information on that page is actually not loaded until you start to mouse over things, and it takes maybe half a second for those to pop up for me.

    I hate AJAX as much as the next guy, but it's the best we've got. I'd much rather they do it this way than with, say, Flash.

  15. Problems with that: on Blizzard Exposes Detailed WoW Character Data · · Score: 1

    They have no way of knowing when your account was hacked; they have only your word for that.

    They may not be keeping track of every single change. Sure, you could screenshot their website, but that wouldn't prove anything.

    Even if they knew with absolute certainty what you had, returning your stuff would be a bad idea. This means they have to track it to whoever has it now, and undo all the transactions that were a result of your account being hacked -- but that could be a fairly large butterfly effect, and could result in a major disruption of all kinds of people who were only very loosely connected to the theft of your items.

    The alternative isn't much better -- simply generate your items out of thin air, which means there are now dupe items. I believe the other poster was suggesting a simple scam -- you let your account be hacked, the hacker gives your equipment away, or sells it or trades it, leaving your char with nothing, then you whine to Blizzard and get all your stuff back -- which means you just GAVE the hacker a pile of free stuff. Rinse and repeat a few times, then you both get rich off of it and start playing the market.

    Anyway, is WoW uniquely "hackable", or are "hacked" accounts still the result of some moron who gave away his password to a phishing site, or snagged by a keylogger, or set it to "LeroyJenkins123"?

  16. Re:Text in XML? on California Joins Open Document Bandwagon · · Score: 1

    How are you going to "define it" as UTF-8?

    By it being a text document. Generally speaking, text today is either ASCII or UTF-8, and UTF-8 is a superset of ASCII. So just read everything as UTF-8, and add useless XML crap if you really, really need to support something strange like UTF-16.

  17. Re:Minnesota also on California Joins Open Document Bandwagon · · Score: 1

    If it is an open Binary based format than doing a conversion to whatever new format arises should be trivial (maybe not fast, but fairly easy with C). SO better put it into binary now and worry about what better format may arise later.

    </sarcasm>

    You obviously haven't been following Microsoft's "Open XML" initiative, which shows you just how closed and proprietary an XML spec can be. I dare you to write an XSLT for that to prove me wrong -- I imagine it'll be about as complex as the binary .doc import filters that OpenOffice, AbiWord, and KWord already use.

    XML is good and useful, but it does not magically make it "open". Unfortunately, you and these state governments may easily be duped into thinking that "Open XML" is the way to go, because it's XML and claims to be open.

  18. Re:oh noes.... on Who Wrote, and Paid For, 2.6.20 · · Score: 1

    Well, audacious is actively maintained, xmms is dead. If they have to choose one, which would you rather have -- the one that has less bugs (for you) now, or the one that can actually improve to the point where it has less bugs for everyone?

    And by the way, it's only floppy tape stuff -- scsi tapes, for instance, are still supported. Oh well, 2 gig tapes are probably more expensive than 4.7 gig DVDs now.

  19. Marylin Manson said it best on Why the Gaming-Violence Connection is So Comforting · · Score: 1

    It also may distract people from getting to know their kids.

    This reminds me of something in Bowling for Columbine. When asked what he would say to "the kids at Columbine or the people in that community", he said:

    I wouldn't say a single word to them, I would listen to what they have to say. And that's what no one did.

    I never much liked his music, but that stuck with me. In all of our rushing around to find a scapegoat, pointing fingers at each other, making political careers out of made-up statistics...

    In all of that, what if we would actually take the time to stop, and listen to some kids? Listen to the kids who play these games. Listen to the kids who play with real guns.

  20. Re:Matt.. Damon.. as Kirk?! on Star Trek To Return Christmas 2008 · · Score: 1

    Kirk was set up and described repeatedly as a Tactical Genius, War Hero, and the best problem-solver the federation had.

    Set up? You could certainly say that. It really does seem that Kirk often just got lucky. Tactical genius a few times, but problem solver? He does seem to get them into problems as much as he gets them out... a bit like Riker.

    But yes, Shatner did Kirk well, and I do think Damon can do Kirk well, though of course it will be a bit different -- a bit like James Bond changing over the years.

  21. Re:Matt.. Damon.. as Kirk?! on Star Trek To Return Christmas 2008 · · Score: 1

    Somehow, I just don't think that would be enough.

  22. No to InstallShield on Dell To Linux Users — Not So Fast · · Score: 1

    If the standard Linux/Unix concept of trusted repositories was more mainstream, we wouldn't have spyware. End of story.

    I don't mean to sound like the "RTFM, n00b" kind of zealot, but it's 4 AM, and I'm tired, and I really think you should try to understand why package management is better than InstallShield or .app/.mpkg (on OS X). Then try to come up with a way to implement that in a user-friendly way, instead of defining "user-friendly" as being "InstallShield-like" and then trying to tack package management on top of that.

    And yes, packages generally do correctly add menu entries on Linux, and they do so without forcing you to reboot.

  23. Re:Matt.. Damon.. as Kirk?! on Star Trek To Return Christmas 2008 · · Score: 4, Insightful

    there is no such thing as a non-Shatner Kirk.

    <trekkie>Actually, you'll find at least one episode in which Kirk switches bodies with a woman. That woman is Kirk, and most definitely is not played by Shatner.</trekkie>

    But seriously, give the man a chance. It could be much worse -- at least they aren't trying to replace Picard. Matt Damon can laugh, I imagine he can act, and he certainly can do physical violence. All he really needs is the arrogant swagger. Because that's really what Kirk did -- swagger arrogantly, get his shirt ripped, beat up the alien, and fuck the hot alien chick -- in other words, just like Riker.

    I don't like them replacing Kirk, but I don't think Matt Damon is such a bad choice.

  24. Re:This *could* be a good move on Star Trek To Return Christmas 2008 · · Score: 1

    throw away all commodities (holodecks, food replicators, etc), start from the point when something terrible happened

    And make it postapocolyptic?

    Alright, between TOS and TNG, we added the holodeck, we fleshed out the transporters and assorted technobabble a LOT, formed an alliance with the Klingons, added cloaking technology, made the communicators tiny, eventually added a holographic version of the viewscreen -- and that's just what our own race discovered.

    It wouldn't necessarily satisfy all Trek fans -- and nothing ever could, really -- but I know for a fact that we have plenty more ideas for what we could do with technology. Certainly, we easily have enough to step a few hundred years into the future, and add completely new technology, people, and plotlines (and kill off some of the old ones).

    Just for starters: Peace with the Romulans, conquer or subdue the Borg. The Dominion isn't theatrical enough, and I'm not entirely sure what to do about them. All of these things are stories which should be told, but not in a movie, and not with a huge budget -- Star Wars tied this kind of thing up nicely by throwing the whole Clone Wars into a cartoon miniseries between ep2 and ep3.

    And what would the enemy be? I don't know. I actually liked the first Star Trek movie, although it was a bit predictable and WAY too slow, and borrows some ideas from one of the episodes. But whether you like it or not, it's the right approach for any more Trek movies: something completely out of nowhere, refreshing and new for longtime fans, and also accessible to newbies (since you can't rely on decades of Trek trivia if you're inventing something truly new).

  25. Re:I hate that on Ten Maxims Every FPS Should Follow · · Score: 1

    However the Combine in HL2 do look like action figures.

    Yes, they're supposed to. They're engineered, and covered in armor.

    Now, the zombies, or the unmasked Combine in Ep1 -- those look a bit more detailed to me, although certainly less than Alyx. But maybe I just like Alyx.

    Point being: I noticed Doom 3 graphics sucking in places, and overall boring and unreal artwork. I didn't notice anything like that in Half-Life 2, at least, certainly not to that extent.