funding will be tougher to find and more expensive... Really? If your ideas are interesting, Kickstarter will be happy to take on your project.
no local banks... Really? That does not make any sense. The best you can do, then, is to start your own bank in Scotland. Agreed, that is not an easy project to undertake, but, remember... "That's where the money is"! Besides, the City is a den of thieves, Scottish people should vote "Yes" just to get rid of the whole sorry mess.
access to EU markets and the freedom of movement will be curtailed... Really? Even though the leaders of the SNP, campaigning for independence, have said repeatedly that they would apply for EU membership right away? Why would they do that, now, since the EU is in a deep economic and institutional slump, is completely beyond me, but still...
Seriously, this is FUD, pure and simple, from Mr McKenzie. A bit of advice for the "No" camp: you can probably have much better, and much more convincing arguments than that. If this is the best you can do, you deserve to be roundly beaten by the "Yes" camp.
And, on a more personal note: "Votez 'Oui', amis écossais ! Juste pour emmerder les Anglais !" (Vote 'Yes', Scottish friends! Just to piss off the English!). The Auld Alliance shall rise again! ;-)
(That last line said firmly tongue in cheek, of course).
Are you trying to imply that people using these exploits are street gangs? Or drug suppliers? :-P
I was more thinking about mob justice - sometimes, the people who were hanged really were innocent.
In a "darker" way, this could start an arms race, with scammers trying to take down machines and hitting innocent people and/or cyberwar getting started because of attacks on scammers and counter-attacks from the scammers tripping automated defense systems due to spiraling conflicts and increasingly sophisticated tools being employed by all sides. Collateral damage and all that. Not a pretty sight.
Wouldn't you prefer a nice game of chess?
... Depends if your IP address is dynamic or not. In my case, all I have to do is reset the DSL modem/router and, presto! New IP!
I am more concerned about the legality of it. Running a live exploit on their network may make some ISPs fidgety. Also not sure about the position of law enforcement agencies...
A server is just a bigger laptop. Don't laugh: technologies such as virtualization, para-virtualization, SSD, dual-type disk drive HDD+SSD, low-power CPUs, multiple high-density CPU cores and even high-end graphical cards can be found in both types of PC (Think OpenCL on the server, and Unreal Tournament -- or whatever the shoot'em up du jour is -- on the laptop for that last one).
Linux and BSDs make this possible, even trivial. Heck, these days, a lot of people even test entire server platforms or AJAX applications on virtual machines on their laptop - I know I do. Ideally, all machines should be both servers and personal machines.
I want my operating system to be flexible and able to adapt to different computing platforms. I want something smart enough not to push a GUI down my throat if I don't need it. Improvements on one platform will also be a benefit to the other. Having a laptop with 24 to 48 CPU cores may still be science fiction today. But it won't be tomorrow. On the other hand, building a fast SSD-only Petabyte server using nothing but laptop SSDs would allow you to cram way more data... for a lower price than those slow SATA disks.
In other words: splitting Linux is simply a bad idea. Thanks, but no thanks.
Read them and weep: http://www.reddit.com/r/linux/...
TL;DR? Essentially, KDE may end up switching to systemd. Because Gnome (and every other Linux fan-boi) does it.
Thank you, you have just summed up the abomination that is systemd for all of us.
Go tell that to the GNOME dev, who adopted systemd and now require it on all platforms running Gnome.
I don't run that piece of crap myself, but it has been ported under OpenBSD, and some people want to keep using it on OpenBSD.
Again, this is an emulation of systemd - not the real ugly mess.
This means that the normal configuration files will probably stay, but will probably be parsed on-the-fly (smartly, one hopes) to provide some emulation.
The reason this is interesting is that it may prove an escape hatch not just for OpenBSD and the other BSDs, but also for some (sane) Linux distributions that refuse to adopt systemd, such as Slackware.
I would have expected that BSD would be deliriously happy that the evil gaze of Poettering hadn't alighted upon their operating system. Why would you voluntarily infest your system with his daemon spawn?
Because bloody systemd will be needed if you want to run some brain-dead Linux-only piece of crap software. That's why.
Emulating systemd allows that software to work on OpenBSD. On the other hand, emulating it means that (a) its workings may remain somewhat on the sane side and (b) that emulation will only be installed if the port requires it, therefore limiting the damage.
And, FYI, OpenBSD could not care less about Poettering and his evil gaze.
Research the S.T.E.P. options. Hydro power storage can be scaled, too. Other possibilities are molten salt and compressed air storage, for instance.
Yes, there are losses to all these systems, but the ability to store 50% to 90% of electricity produced through renewables makes them well worth considering.
This might be part of an answer to your question: "Ohio lawmakers want to limit the teaching of the scientific process".
In other words, you live in a country where being an ''egghead'' (your term - not mine) is not respected. As a matter of fact, you live in a country where a large percentage of the population still thinks some invisible man in the sky has created the entire Universe in 6 days, and the Earth itself might well be 6000+ years old (instead of 4+ billion years old).
Need I say more? Case closed.
If you are a Tor programmer, and if there are really NSA/GCHQ insiders who actually help you to correct bugs... For Pete's sake, just keep quiet about it!!!
Now, both agencies will have to initiate a mole-hunting operation, and you will lose these valuable insiders!
On the other hand, it may paralyze these agencies for months, maybe even years, while they try to figure out who has been leaking invaluable bug information back to the Tor project.
So it might be a wash. Either way, it also probably means that people inside the Puzzle Palace and the Donut are beginning to realize that enough is enough, so that is also encouraging.
Instead of potentially dangerous experiments, may I suggest the oldest known and proven solution to global warming?
This is extremely complicated, so please bear with me for a minute or two:
Plant. More. Trees.
Don't believe me? Fine, don't take my word for it. Heck, even that bastion of free enterprise, The Economist got behind that idea!
So, why is it not implemented on a large scale? Because planting trees is not technologically "sexy" - it is well known, has been well known for centuries, and, for maximum effect, would require rich countries to invest serious money in poorer countries, to save the rainforest (which is where tree-planting would have maximum impact). And we cannot allow these natives to get money to do something as simple as plant a tree, right?
In other words, the wealthiest have decided it is a lot more fun to throw money at dangerous or even foolish and ineffectual solutions rather than provide for jobs and development in the poorest countries of the world -- precisely the countries that will suffer the most due to global warming. Make of that what you will.
Newsflash! Slashdot already has been targeted by NSA!!
Don't take my word for it: Link 1 and Link 2.
Typical conservative knee-jerk selfish ego-centric reaction right here.
What is wrong with serving one's own country and being concerned when a shadowy agency deploys a digital net over everything?
Amen, brother.
(And don't forget the French!)
I think you forgot "FCUK NSA" somewhere in that NSA food... Or is it "FSCK GCHQ"?
Anything that has a USB port, really.
Essentially, anything that is run by NGOs or individuals.
Sure, in a corporate or governmental/military environment, USB ports are usually a big ''no no'', but some of us like them USB gadgets.
(Yes, before anyone asks, there has been infiltration through contaminated USB drives and keys ''abandoned'' in strategic locations...)
No, not extortion against Tails - extortion of money from the NSA or whoever else their ''clients'' are.
I am sure a lot of TLAs right now are salivating -- unless they have discovered these vulnerabilities before Exodus. In which case, silence can be golden, indeed.
how come you have spent years designing and programming PRNGs
I do them in hardware, where they should be. Software is no place for an RNG.
Good for you. Not everyone can afford a hardware PRNG, though, so software it is for most of us.
Precisely - which is why PIDs are randomized on OpenBSD since... well, a long long time.
Try "ps -auxwww" on, say, Mac OS X and OpenBSD and the difference is truly evident.
I've spent the past 5 years of my life fully employed in the design, creation, testing, and deployment of secure RNGs.
Citation needed. Seriously, this is /. where everyone is a world-class programmer (except me, of course).
The world is full of bad PRNGs, NRNGs, CSPRNGs, DRBGs, TRNGs and any other form of RNG.
I will grant you that one.
LibreSSL doesn't have a leg to stand on. A good secure RNG will return unpredictable output.
Bzzzzt! Sorry, you lose. As I have already said, this is not a LibreSSL problem - it's a Linux PRNG problem. Unless I am mistaken, the same issue is non-existent under OpenBSD, because its PRNG is different from Linux, better seeded, and because PIDs are randomized under that OS.
We know how to do these things. It isn't trivial, but it isn't hard either.
You contradict yourself: if programming PRNGs is, let's say, a medium difficulty task (neither trivial nor too hard), how come you have spent years designing and programming PRNGs (your words, not mine) and how come the world is full of bad bad bad PRNGs? Surely, by now, everyone would have agreed on a reasonable implementation?
The truth is, PRNGs are HARD to program, because computers are not good at generating truly random numbers. Period. The best implementations all rely on some form of hardware generator. But don't take my word for it, go ahead and read this instead.
Allowing someone to extract predictable behavior from the service end of a security library is a gross failure and an exposition of incompetence.
As opposed to the magnificent job OpenSSL has done all these years, with information leakage, bug reports that went uncorrected for years and accumulated cruft for such modern OS as VMS, DOS and Windows 3.1?
I think you need to tone down the hysteria a notch right here.
I'd say this is almost a best case scenario even; so far the only bug found was one that could not be easily exploited, and it was patched. The response from Beck was, by OpenBSD standards, tactful.
For different values of "tactful", of course... ;-)
Incorrect. If your PRNG is garbage, all crypto is also garbage.
A car analogy - if I know where and when you started driving I can make fairly accurate guesses of your location without having to rely on GPS tracking.
That is absolutely right, but I will note right away that this is a problem specific to the Linux PRNG - OpenBSD does not have this vulnerability (also, because PIDs are randomized under OpenBSD)...
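As an added illustration of the property the thread is arguing about (not code from any poster): a toy userspace generator seeded once from the kernel replays the identical stream in a forked child unless it notices the fork, and a getpid() comparison, the check that PID randomization on OpenBSD makes harder to defeat, only catches the case where the child's PID differs from the seeder's. The generator, the pipe plumbing and the draw count are constructed for this example; it is not a CSPRNG.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy generator: keyed counter through a splitmix64-style mixer.
 * Constructed for illustration only; NOT a CSPRNG. */
typedef struct {
    uint64_t key;   /* secret state pulled from the kernel at seed time */
    uint64_t ctr;   /* position in the stream */
    pid_t    owner; /* pid of the process that performed the last seeding */
} toy_prng;

static uint64_t mix64(uint64_t x) {
    x += 0x9e3779b97f4a7c15ULL;
    x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9ULL;
    x = (x ^ (x >> 27)) * 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* Seed from /dev/urandom. Returns 0 on success, -1 on failure. */
static int toy_seed(toy_prng *p) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, &p->key, sizeof p->key);
    close(fd);
    if (n != (ssize_t)sizeof p->key) return -1;
    p->ctr = 0;
    p->owner = getpid();
    return 0;
}

/* With fork_check, reseed when running in a process other than the seeder.
 * Caveat: a reused PID (owner exited, number recycled) defeats this heuristic;
 * a real library wants an explicit fork notification, not a pid compare. */
static uint64_t toy_next(toy_prng *p, int fork_check) {
    if (fork_check && p->owner != getpid() && toy_seed(p) != 0)
        return 0; /* real code must treat seeding failure as fatal */
    return mix64(p->key ^ p->ctr++);
}

#define DRAWS 4

/* Fork; the child draws DRAWS values and sends them over a pipe, the parent
 * draws its own and compares. Returns 1 if both streams are identical
 * (the leak), 0 if they diverge, -1 on error. */
int child_repeats_parent(int fork_check) {
    toy_prng p;
    int fds[2], status;
    uint64_t mine[DRAWS], theirs[DRAWS];
    if (toy_seed(&p) != 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: emit its draws */
        close(fds[0]);
        for (int i = 0; i < DRAWS; i++) theirs[i] = toy_next(&p, fork_check);
        ssize_t w = write(fds[1], theirs, sizeof theirs);
        _exit(w == (ssize_t)sizeof theirs ? 0 : 1);
    }
    close(fds[1]);                       /* parent: draw and compare */
    for (int i = 0; i < DRAWS; i++) mine[i] = toy_next(&p, fork_check);
    ssize_t r = read(fds[0], theirs, sizeof theirs);
    close(fds[0]);
    waitpid(pid, &status, 0);
    if (r != (ssize_t)sizeof theirs) return -1;
    return memcmp(mine, theirs, sizeof mine) == 0;
}

int main(void) {
    printf("no fork check:  child repeats parent = %d\n", child_repeats_parent(0));
    printf("pid-based check: child repeats parent = %d\n", child_repeats_parent(1));
    return 0;
}
```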
Oh boy, there is so much wrong here... Where to start?
First of all, OpenSSL problems are not ''getting fixed''. Part of the problem is that funding for OpenSSL was primarily based on company XYZ sponsoring function ABC. This gave incentives to the OpenSSL devs to add more functionalities on top of the cruft, the horrible mess that was the code base. More funding equals more developers equals more eyeballs, but we haven't seen the progress so far.
Second of all, OpenBSD has given a HUGE amount of (BSD licensed) code to the rest of the world, Linux included. Try typing "ssh -V" on any Linux machine and I can guarantee you will get OpenSSH. And if you are like me, this is something you use EVERY. FREAKING. DAY. So please stop the trolling about OpenBSD, mmmmkay?
Third, the amount of code that has been cleaned up, improved, deleted and just plain scrubbed is simply amazing. You can say whatever you want about OpenBSD cranky devs, they know their stuff and they know their way around C code.
Fourth, OpenSSL is BSD/Apache licensed, and not GPL, so stop spouting off about supporting GPL software - not everything has to be blessed by Stallman to be acceptable. And, yes, the Linux Foundation recognizes this - while you don't.