Not strictly true. First of all, you can use Mono instead. Secondly, if managed code is exposed as a COM object, you can interact with them from native code compiled with some other compiler (such as Borland or Intel or g++). Finally, if you're feeling really adventurous, you could try dynamically loading mscoree.dll and invoking CLRCreateInstance, similar to creating a Java runtime for JNI or an embedded perl instance.
If you read the original article, they say that middleboxes actually do behave for at least 80% of the connections they tested (at least 90% when going to a random high port on the server, not port 80). The other 20% can be detected by the fact that they don't pass new TCP options on the initial SYN packets, and so an extension can fall back to "plain vanilla" TCP if appropriate. Hence, the following two extensions should actually work widely (although not universally) on the current Internet:
Multipath TCP (Internet draft). This should allow load-balancing or failover between two hosts where at least one has multiple IP addresses (is multi-homed), including the case where one end has an IPv4 and an IPv6 address or has multiple IPv6 addresses from multiple networks (including, for example, 6to4 and Teredo).
TCP Crypto (Internet draft). A way to encrypt the TCP stream, not as an application running over TCP (as is SSL) but as an option in TCP itself. Redundant if either every protocol is SSL-ized or if IPsec is universally deployed, but perhaps useful at present.
These extensions are deployable now, on TCP/IPv4 and TCP/IPv6 equally. (There is no "TCPv6". RFC 1705 mentions TCPv6, but that was only an "informational" memo written when people were still talking about "IPng".)
Doesn't even have to be full name. My mother-in-law gets calls from bill collectors from time to time looking for a man with the same last name, same first initial. When my wife or I would answer the phone we just said we knew no such person; no idea if there's just one such person or more than one.
Another disadvantage of Teredo is that it's tunneled over UDP (in turn over IPv4), so you have a limit of about 63,500 IPv6 addresses behind a single public IPv4 address. I haven't hit that limit at home yet...
RFC3056, on the other hand, allows 16 bits' worth of IPv6 networks behind a single public IPv4 address. However, it won't work with older consumer-grade firewalls that only pass TCP, UDP and (sometimes, if you're lucky) ICMP.
Neither technology is likely to work behind a corporate firewall that is actively filtering them out.
1. Start with a hosting service you can trust. Either look at the ads in a five-year-old edition of "PC Magazine" and choose one that's still in business, or find a brick-and-mortar business in your hometown. Do a background-check on the owners. Ask for references.
2. Use stable open-source software (Joomla, OScommerce, whatever) as much as possible instead of rolling your own. Watch out for security patches. If you do write your own code for the site, hire another set of eyes to look at it.
3. Develop a backup plan early on... ideally before the site goes live.
... "but that isn't an important feature, so I can infringe on it without paying"...
Yeah don't they know that's a copyright violators argument: "I'd have never paid for this [terrible] album so it's OK that I downloaded it."
Microsoft is saying in public that the OS infringes their patents. In court, all they brought were these patents over browser and PDF-viewer features. Taking the image-loading feature as a particular case, even if that patent is upheld, they can patch the software to load webpages exactly the same way that NCSA Mosaic did it and at least not have to pay royalties on new devices.
The parent is not talking about running ethernet in the apartment walls — he's talking about apartments so small that an off-the-shelf 25-foot or 50-foot patch cable would stretch everywhere, even if nicely routed close to the baseboard.
I'm not sure that the summary is a bad representation of what the article claims; but after reading the entire bill, I'd say that the article is biased. From the article, "The Senate passed the bill with no dissenting votes Monday."; there was some obviously conservative rhetoric in support of the bill, but the basic purpose of updating the state educational standards to give students the chance to think about different government-structures is sound.
Not a direct answer to your questions, but based on the links on the lower-right of the school's homepage they're using Pearson PowerSchool, which has a teacher's gradebook module as well as several categories of central-administrative functions. I'd guess he shoulder-surfed, found written or guessed someone's password at some point, but as to whether he used the normal system UI or directly edited some back-end database, I wouldn't bet either way.
Based on other public information, last year's senior class was 203 students... so almost 10% wanted to buy higher grades? No wonder he got caught...
Perhaps you know the difference, but just so no one else is confused: the "Matricula Consular" is not the same thing as "a rather unofficial note", which I would assume is a letter on Consulate letterhead or something like that. It's an ID-sized card with a photo, vital data, and an issue and expiration date. To issue one, the consul requires proof of Mexican nationality (birth certificate, naturalization paper, passport), identity (photo ID: Mexican voter registration card, Mexican or American driver's license, Mexican school transcript - which has photos of the student for each year of his studies, passport, or "any other document accepted at the judgement of the Consul"), and residence in the consular district (which could cover more than one state, but the Florida consul should not issue cards for people from Oregon: home-related bills, American driver's license, or proof of paying Social Security and income taxes). The consul keeps a file copy of all probative documents submitted, and the cards are actually produced at the consulate the same day that the applicant appears but the data are submitted electronically to Mexico where they could presumably be used to catch patterns of malfeasance. Full details are in English on a random travel website, or in Spanish on any consul's website, such as the Miami one.
Even if it is easy to get a matricula consular (or other "easy-to-forge" document) and then an Illinois for a made-up or stolen identity, the state of Illinois still has a high-quality original photo of the anonymous individual or thief.
Michigan went the other direction a few years back, and it caused a certain amount of trouble for my wife, who was naturalized in 1995 and had had a state ID card more-or-less continuously since she was 18 (that is, 1997 or so) but didn't seriously pursue a drivers' license until she was about 28. The last time she went to take the written test and renew her learner's permit (after which she could have taken the road test the same day if they issued it), she was told that her marriage license did not quite match her state ID, and thus did not establish a chain of proof between her naturalization certificate and her current name - even though she must have used that marriage license to change her name to get an updated state ID, and an updated social security card, when we first married five years before! Eventually we got it straightened out, and the end result is that our marriage license is also more accurate, but I was very unhappy with the new law at that time.
"For example, some of the digits of the SSN associate with certain states at certain times"
That will no longer be true for new SSNs issued after this summer... that is, for kids old enough to drive or get a job in 2015 or so.
More relevant to the main question, I still use my college student ID card sometimes when asked to "show ID" for transactions (even though I also have a drivers' license hidden in my wallet)... I've even used it with my voter registration card to vote. I've been out of school for several years now, but it has my name, an issue date, and a still-recognizable picture, so I believe it ought to authenticate me (it helps that I still live in the same town where I went to school). I haven't tried using it to board a plane, though - I have a current passport for that purpose.
And how is an application supposed to check user input? The normal way to check a user-provided floating-point value for validity is to call Double.parseDouble() and catch the NumberFormatException that's thrown if it can't be parsed, then apply any relevant range checks using mathematical operations. The documentation for that method doesn't say anything about entering an infinite loop; it can either return a double, or throw an exception.
An alternative would be to use regular expressions. There might be some apps that are using "double" for large integers, or fixed-point quantities; but the regular expression for a general floating-point number is already pretty hairy. Can you give a regular expression that filters out the strings, and only the strings, that lead to this bug?
224.0.0.0/4 is already in use... for multicast traffic, of course. 224.0.0.1 is link-local all-hosts; 224.0.0.251 is mDNS; 224.0.1.1 is NTP. 233/8 and 234/8 are for use by organizations with AS numbers or /24 IP address allocations, respectively. 239/8 is for private use by an organization, just like the RFC 1918 blocks for unicast.
Did you mean to ask about 240/4? That's "experimental", in other words for traffic that is neither unicast nor multicast. I'm not sure what that would be, and I've never heard anyone try to explain it. I'd say it's safe to use those addresses to encode other information in a 32-bit field that previously only held IP addresses; because it's very unlikely that they will ever be used for unicast. However, you only get 28 bits to work with... not enough for, for example, complete IPv6 addresses.
On popular modern OSes (notably Linux and Windows), the unicast/multicast/experimental split is enforced at a very low level, so you couldn't even use those addresses on your LAN without a custom-rewritten kernel and other software. For instance, on Debian Etch the command "ifconfig wlan0:1 254.1.1.7/24" fails with the error message "SIOCSIFADDR: Invalid argument".
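The 240/4 encoding proposed in the comments above, as an added example that was not written by the original poster: it packs a 28-bit tag into the experimental range and tells tags apart from real unicast and multicast addresses when the field is read back. It assumes the field is an unsigned 32-bit integer, and it sets aside 255.255.255.255, which lies inside 240/4 but is the limited-broadcast address, so one of the 2^28 patterns is not usable.

```python
"""Added example (hypothetical): re-using the 240/4 'experimental' range to
carry a 28-bit tag inside a 32-bit field that normally holds an IPv4 address."""
import ipaddress
import struct

EXPERIMENTAL = ipaddress.ip_network("240.0.0.0/4")     # RFC 1112 class E
MULTICAST = ipaddress.ip_network("224.0.0.0/4")        # 224/4 as discussed above
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
TAG_BITS = 28
TAG_MASK = (1 << TAG_BITS) - 1
# The all-ones tag would collide with 255.255.255.255, so it is never issued.
TAG_MAX = TAG_MASK - 1


def encode_tag(tag):
    """Return the 32-bit field value that carries `tag` in the 240/4 range."""
    if not 0 <= tag <= TAG_MAX:
        raise ValueError(f"tag must be in 0..{TAG_MAX} (28 bits minus broadcast)")
    return int(EXPERIMENTAL.network_address) | tag


def classify(field):
    """Decode a 32-bit field: ('unicast'|'multicast'|'broadcast', dotted) or ('tag', int).

    Multicast is checked explicitly so that a 224/4 value is never mistaken for
    a unicast address, and the broadcast address is recognised before the
    240/4 test because it sits inside that range."""
    if not 0 <= field <= 0xFFFFFFFF:
        raise ValueError("field must be an unsigned 32-bit integer")
    addr = ipaddress.ip_address(field)
    if addr == LIMITED_BROADCAST:
        return ("broadcast", str(addr))
    if addr in EXPERIMENTAL:
        return ("tag", field & TAG_MASK)
    if addr in MULTICAST:
        return ("multicast", str(addr))
    return ("unicast", str(addr))


def field_from_text(dotted):
    """Convert dotted-quad text to the 32-bit field value."""
    return int(ipaddress.IPv4Address(dotted))


def field_to_wire(field):
    """Serialize the field as it would appear on the wire (network byte order)."""
    return struct.pack("!I", field)


def field_from_wire(buf):
    """Parse a 4-byte network-order field back into an integer."""
    return struct.unpack("!I", buf)[0]
```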
Postgres has data-types for storing MAC addresses and IP addresses: manual section 8.8. Now the only other thing you need is a table of equipment by MAC address and time-range... although maintaining that table would be a big unfunded mandate if you don't do it already.
Reference for that? I can't find an authoritative source for that particular part of Florida, but a random attorney's website describes drawing enough blood to fill a "vial".
From the article, the boundary is based on an 1858 treaty, and both countries have large-scale paper maps that agree with each other and not with Google. I don't see why anyone would rely on a Google for that border; there are places where it's obviously a hundred feet or so from the river that it ought to be following, and 50% of the satellite photos are covered by clouds.
Not sure if it applies to this particular demand, but the TVA and similar were kept going for as long as they've been around because it makes larger economic sense to have city-driven services available out in the far hinterlands. In the U.S., we have nuclear missile silos uniformly distributed away from populated areas so that a single bomb (terrorist or Russian or North Korean or...) can't cripple the country's capacity to respond. Farmers can use computer-controlled plows, check the futures market up to the last non-frost-free day to decide what to plant, and enroll their kids in distance-education at whatever university has the most-relevant courses, no matter how far away it is. None of that would be possible without roads, electric power and some sort of IP service out in rural areas.
Posting a video to YouTube seems like a silly example; but what if the problem is sending a CAT scan or DNA sequence of a sick cow to a veterinary database, for analysis by specialists? Right now the equipment to gather that data is specialized, but it might be found at an agricultural extension station the farmer could drive to...
Well... if it's worse, .mil will still be signed by the US Military, .cn will still be signed by the Chinese government, and .ru will still be signed by the Russian government. I guess it'll just be those pesky .orgs and .nets that will have trouble?
Well said, although there are exceptions. In the U.S. we don't ask our congressmen to be anonymous, but juries and grand juries are, and so are C.I.A. agents. In both cases there's someone accountable and publicly known they report to: a judge or the President.
I'll agree that there's a certain amount of fluff, especially in CACM (which was redesigned to look like mid-1990s Byte a couple years ago --- I don't consider that a good sign --- Byte went out of print soon after), but ACM also still has a lot of active technical journals and SIGs. The cost of basic membership seems reasonable. Based on this incident, I'd say it's much more relevant than BCS; but I don't live in Britain.
Now, IEEE's basic membership really is just expensive fluff, and doesn't even include access to the digital library; I still haven't renewed this year, probably won't. I won't say I didn't get anything out of my membership last year, but over the years I've been a member I received a lot less value than I had hoped. One item of note: many of the items I see in the e-mail newsletter IEEE Spectrum Tech Insider have already been discussed on Slashdot by the time I get it.
BTW, it's absolutely the wrong solution to get entropy from another source on the network (for many reasons, but one is that you can't do a secure HTTPS handshake without, you guessed it, unguessable random numbers). The whole point here is that we are looking for a way for 500 Linux instances on EC2 to have different entropy pools before the kernel completes boot.
You could have the central-entropy host run a UDP service that generates new random data per outgoing packet and only respond to requests from the cloud's expected IP range. Ideally the central-entropy host would be co-located with the cloud elements and behind a firewall.
For the specific case of EC2, the deployer should patch /var/lib/urandom/random-seed (as well as the SSH host-keys, etc) on each image from a secure system outside the cloud before boot; but I haven't actually done that, I'm not sure how easy it is with the current API.
The nice thing about Linux is that you can develop whatever entropy-producing process you want and write its output to /dev/urandom to add more entropy to the pool. For instance, a boot script could issue an HTTP request to a website backed by a hardware random-number generator (access-control to only machines in the cloud by IP range). It is something to be worried about, though.
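The IP-range-restricted UDP entropy service sketched two comments up, together with the /dev/urandom write from the comment just above, as an added example that is not from the original poster: the responder answers only sources inside the expected cloud range and draws fresh random bytes for every datagram, and the client mixes whatever it receives into the local pool. The network range, port and reply size are constructed values.

```python
"""Added example (hypothetical): a UDP entropy responder with an IP-range ACL,
plus the client side that feeds the reply into the kernel pool."""
import ipaddress
import os
import socket

# Constructed values: the range the cloud instances are expected to use,
# the bytes of randomness per reply, and the service port.
ALLOWED_NETS = [ipaddress.ip_network("10.42.0.0/16")]
REPLY_BYTES = 64
SERVICE_PORT = 4242


def source_allowed(src_ip, allowed=ALLOWED_NETS):
    """True only if src_ip parses as an address inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def build_reply(src_ip, allowed=ALLOWED_NETS, rng=os.urandom):
    """Fresh random bytes for an allowed source; None means 'send nothing'.

    Each reply is drawn independently from the host's own generator, so two
    instances booting at the same moment never receive the same seed material."""
    if not source_allowed(src_ip, allowed):
        return None
    return rng(REPLY_BYTES)


def serve(bind=("0.0.0.0", SERVICE_PORT), allowed=ALLOWED_NETS, max_replies=None):
    """Run the responder. Requests from outside the range are dropped silently,
    so an address scan learns nothing about the service. Returns replies sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    sent = 0
    try:
        while max_replies is None or sent < max_replies:
            _, (src_ip, src_port) = sock.recvfrom(64)
            reply = build_reply(src_ip, allowed)
            if reply is not None:
                sock.sendto(reply, (src_ip, src_port))
                sent += 1
    finally:
        sock.close()
    return sent


def request_seed(server, timeout=2.0):
    """Client: send an empty datagram and return the reply, or None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(b"", server)
        data, _ = sock.recvfrom(REPLY_BYTES)
        return data
    except socket.timeout:
        return None
    finally:
        sock.close()


def seed_pool(data, pool_path="/dev/urandom"):
    """Client: write the bytes into the kernel pool and return the count written.

    On Linux a write to /dev/urandom is mixed into the existing pool rather
    than replacing it, so a poor reply leaves the pool no worse than before."""
    with open(pool_path, "ab") as pool:
        return pool.write(data)
```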
Java code that does cryptography or generates UUIDs (in the hope that they will be a truly universal key for something) operates under similar problems. JavaScript is even worse; all it has is the time, perhaps the user's window-size (not very random if maximised) and mouse-movements, and the built-in random() method, which is not expected to be of cryptographic quality.
I was planning to watch it since yesterday, but all I see right now is "Error establishing a database connection".
Isn't the left lane on 101 a high-occupancy vehicle lane, thus not relevant to passing?
Maps are also nice to post on the wall ... at least I've done that since I was a kid.