My experience is that when a large organization decides not to do something they promised to do the way they promised to do it, there's usually a good reason for it - it's not to salve the egos of the participants, at least in a situation like this (nonprofits salving the egos of donors is another story!). Maybe they didn't want to deal with the extra logistics. Maybe they intended to observe more closely than they could afford to do if there were 100 competitors. Maybe they couldn't afford the additional insurance in the budget they'd written (this is a really big problem in government organizations - you can't break the budget).
There's really no way of knowing, but I think it's a safe bet that they did not just decide to do it "because". I also doubt that they decided to do it because they wanted to shut out the little guy. More likely they were genuinely surprised by the number of people who jumped at the chance to enter, realized that they'd made a mistake in not specifying entry criteria, and did what they could under the circumstances.
It really sucks when you are in the position of saying "oops, we goofed" to a bunch of people who've already invested some emotion, money and time into your goof, but unfortunately it's not always possible to just Do The Right Thing after a goof like this.
This outcome is actually a really good result, IMHO. It will be interesting to see how the two competitions go.
...beyond their wildest dreams. Not only do they get to have their own competition, which may produce some interesting results, but in addition they get to see another competition that they don't have to pay for, and if anything cool comes of it they can always step in and make an offer on the technology. Plus, a new hobby is born. Sounds like everybody wins here.
Where did you get it? It looks like it's actually controlled over a serial port - is that right? Seems like it would be pretty easy, if that's true, to come up with a driver for it - you wouldn't even need a device driver, but just a control library that knows how to talk to the serial port. Are you using it from Windows or from Linux? If Windows, wouldn't getting it running on Linux be a fun hack job? :')
This would be handy for me because it'd provide a way to master tapes for duplication without requiring me to put my hands on the machine all the time to cue up master tapes.
Anyway, stop fooling with your silly tape writing project and get going on telling us how this thing works! You can always write the tape by running a Z80 emulator and running Tarbell BASIC on it, can't you?
Aside from the "bored, lonely young geek in a dorm" scenario, I think the most likely scenario for this attack is a targeted attack, so we're not likely to hear about it unless the result of the attack is that someone's ssh keys to some important repository get grabbed. Even then, it probably won't be clear how they got grabbed. This particular attack isn't really conducive to a Blaster-style worm, fortunately, although you could use a virus to hop the firewall and plant the attack in the chewy interior...
Totally. It's like a dream come true! It makes all the years of sacrifice suddenly worth it. I'd like to start by thanking the little people who helped me over the years, and of course my mother and father, and my lovely wife... :')
If you keep dodging, you'll probably be able to keep missing my point indefinitely. The point is that I don't want to have to rebuild a compromised machine. The level of sophistication of hacks has gone up a lot recently. We can't just rest on our laurels and say "because nobody's exploited this *yet*, we're safe."
Security's about stopping The Bad Thing from happening. The way to do that is to engineer out known hacks before they get exploited, not to laboriously rebuild after the exploit.
Kerberos is also an open standard. Apple actually supports Kerberos, but configures its systems to use LDAP for security by default, thus unfortunately not taking advantage of the secure open standard that they could be using. :'(
DHCP is a broadcast protocol. Any device connected to the network can be a DHCP server, and there is no way to prevent it unless you have a really smart managed network. Smart managed networks are nice, but by no means ubiquitous. BTW, I actually wrote the book on this... :')
The problem is that the average user never reads bugtraq, and has no idea that s/he needs to do something special to avoid getting rooted while drinking a latte at Starbucks.
So the well-reasoned article explaining why Apple's way of doing things is okay basically says "they're following RFC2131, so they're okay." But it is a well-known and much-lamented fact that DHCP provides no security. So if you depend on DHCP to be secure, you are not secure. At all. That's not well-reasoned, at least in my book.
I'm sorry, but saying "but the RFC doesn't provide security, so it's not our fault that our setup isn't secure" is no good. The mistake Apple is making is precisely that if you try to build a secure system whose security depends on a non-secure protocol, you can't possibly wind up with a system that's secure.
This has nothing to do with Microsoft, and everything to do with bad system design. It'd be fine if Apple was using DHCP to get the address of the LDAP server, and then verifying the identity of the LDAP server, but they aren't currently doing this. This is what's missing. It is really, honest to god, a problem that Apple is shipping systems wide open like this. It is easy for me to get root on your laptop if you haven't disabled LDAP passwords (which are enabled by default) and you bring it onto an open network.
I agree with the general idea that the PC guy who wrote the article was out of line, but that doesn't mean we should turn a blind eye to an actual security problem just because it's on MacOS X and not on Windows. If we do that often enough, we'll be fulfilling this guy's prophecy.
And I'm sorry, but I don't care if leaving this security hole makes Macs a tiny bit easier to administer. Get over it. The first time someone compromises all the Macs on your network by setting up a fake LDAP/DHCP service, you'll be wishing you'd had the opportunity to spend a minute longer setting up each shiny new Mac in exchange for spending an hour less rebuilding each compromised Mac.
It's obvious in the sense that the first time I got a multisession CD player, I thought, "hm, need to represent the filesystem as a linked list back starting with the most recently written session going back to the first session, presented as the union of the files in each node on the list." It's obvious. It's CS 201. It's not even something that requires an expert in the field - it's something that any second-year CS student worth his or her salt would come up with within a few minutes of seeing the base technology (multisession CD writers).
Troil? Patents are required not to be obvious. This one is obvious - if you are writing a multisession CD, there is really only one way to present a uniform directory, and this is it. It should have been thrown out, but nobody at the PTO is qualified to determine what is and is not obvious, so they simply don't apply the obviousness test.
HTTP is a really lousy transport for a bidirectional chat. It's really a question-and-response protocol, and things that speak it generally follow that way of doing things. So when you try to chat over HTTP, you wind up having to have some kind of timeout mechanism that refetches the web page every second in order to get decent interactivity, and it still provides a lousy user experience.
I would recommend instead that you go with the Jabber protocol, which is a much better choice for chatting. Nice, friendly, free clients are available for all popular operating systems. If you really want it to look webbish, you can always use a java web app that speaks jabber. This should give you a much nicer user experience.
Most FM radios use superheterodyne receivers (actually, I'm not sure how true this is anymore, what with software-defined radios, but it certainly has been historically true). There's a pretty good quick explanation of how this works at this site. Look at the text around the first diagram.
The key is that the frequency of the local oscillator varies, so if you can detect the output of the local oscillator, you can tell to what frequency the radio is tuned. I'm oversimplifying greatly, and the article I've referred to is a pretty rough overview - if you really want to know how this stuff works, you need to do some serious studying. :'}
What do you think about the censors? They must have to play the game a lot, probably beat it. They must have to play a lot of games like this. Should they receive therapy?
First, I doubt they played it for very long. Second, they played it critically, rather than for fun. So I think they probably came out okay. Of course, I realize you were speaking somewhat tongue in cheek...
I pretty much agree with what you're saying, except that I think that some intervention (I agree government intervention is a slippery slope, so I'm not suggesting that) is worthwhile.
I don't think playing Manhunt is going to turn you into a psychopath. But what I do believe it will do is to desensitize you to this sort of violence. It will make you maybe 10% less able to be compassionate towards others. It will maybe reduce your impulse control a little. In your life, this may never make a difference. Or it may be the difference between you being happy and unhappy, because of what it does, e.g., to your ability to form functional relationships with MOTAS.
Okay then, use the Red Dragon. I didn't see the film but I read the book. Starling's character in that book allows Lecter to go on the loose and commit murder. She is an accessory at best. And there's a romance that blossoms between Starling and Lecter. Given your premise that we're supposed to identify with Starling - she's a murderer in that chronicle. Still a big difference?
I didn't see Red Dragon, so I can't really comment in depth. But again, I think the degree of identification is different - in the movie, you're watching the protagonists do stuff, and even if they're doing stuff that's immoral, there's some distance between you and the act - it's not *you* doing it. If anything, it sounds like Red Dragon illustrates my point pretty nicely - hang out with a psychopath for a while, and their way of thinking starts to make sense.
Whereas with a first-person-strangler game, it is most definitely *you* who is doing the killing, and there's no opportunity to distance yourself from it at all.
The larger question of whether we should interfere when people try to experience the viewpoint of a psychopath is another question. I tend to think we should - I think this kind of practice is potentially dangerous. The human mind is quite malleable, and just as you can work to become a better person, so you can also work to become a worse person. I think these games jump over the line into actually practicing to become a worse person.
Should they be censored? I don't know. Should someone give you a friendly heads-up when you buy one of these things that you're putting yourself in danger? I think so. I'm not big on government enforcement, personally, but I do find this stuff worrisome, and am not sure how to react, other than that I think not reacting at all is not a particularly good choice.
This is why I don't read Patricia Cornwell anymore, BTW - I find her first-person descriptions of the thinking of psychopaths disturbing and worrisome. Also the idea that this sort of thinking is common or normal - I don't think it is, and I think these books can lead us to become more paranoid than is justified, and then to react irrationally to things we see based on that paranoia. To the extent that this kind of stuff helps us to develop compassion for psychopaths, I think it's a good thing, but I think it's more likely to help us to become psychopaths, and that's obviously (at least to me!) a bad thing.
Really? I thought Apple turned off all unneeded services by default, such as ssh and root. I thought that one of the reasons this 'hole' was not uber-critical was because these services WERE turned off by default, and thus have a much more secure system.
Well, yes, but you can use the DHCP+LDAP attack to get access to Apple or SMB filesharing, which are pretty commonly turned on.
On a final note, if an attacker can get away with running a DHCP server on your network by hijacking a computer on that network (or plugging his own PC in and running it from there), you have bigger problems than the default settings Apple gave you...
It's not unusual to be on networks where this is *possible*. Hopefully it is *unusual* to be attacked in this way, but why rely on hope to avoid attack when you can instead rely on a securely configured machine that is actually *resistant* to attack?
In Silence of the Lambs, you're supposed to identify with Jodie Foster's character. In this game, it sounds like you're supposed to identify with the guy wearing the human skin suit. Big difference. Really big difference. It's true that somebody who's got some issues might identify with one of the psychopaths in Silence, but that's different than being in a situation where your only choice is to identify with Mr. Skinsuit.
If you have to change your configuration from the default in order to have a secure system, then you have a security hole. Most of the really big Microsoft security hacks are things just like this - the system is configured open by default when it should be configured closed by default.
The rationale for configuring the system this way is that it's easier to administer - you just plug it in and it starts working. This is why Microsoft used to configure the system insecure by default. This is why Apple is still configuring the system insecure by default. But part of what you're plugging in, with no authentication at all, is your authentication system. So if the thing that tells you what authentication system to use lies, you're hosed.
This is less severe than the recent Microsoft bugs because the attack is hard to do from the outside of a firewall. So probably Apple is not going to get the kind of bad publicity for this security hole that Microsoft has gotten for, e.g., the Blaster worm. But this is actually a much worse security hole, in a sense, because there is no Software Update coming down the pike that fixes it - Apple has, so far, taken the position that this is a feature, not a bug.
Because the number of people who run software update automatically is much higher than the number of people who pay attention to security alerts and do what is recommended in them, this particular security hole is going to remain on pretty much every MacOS X install in existence. So I can see why the guy from the PC magazine is acting all smug.
The right thing would be for Apple to fix this, but I don't see them doing it - there's no way to secure the DHCP transaction, and there's no way to secure the LDAP transactions either. I hope there's someone in a back room at Apple working on closing this gap, but they've been silent on the issue so far, other than maintaining that because it's a configuration thing, it's not a problem.
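A defender-side check for the situation described in this thread (a DHCP reply handing the client its directory server over a channel with no authentication), added here as an example and not part of anyone's post. It assumes the DHCP options field of each captured server reply has already been extracted from the frame, feeds constructed sample replies, and takes option 95 (registered at IANA as the LDAP option) to carry a plain URL string, which is an assumption about the format.

```python
"""Flag DHCP server replies a defender should distrust: replies from servers
outside an allowlist, several servers answering on one segment, and replies
that hand out a directory (LDAP) server. Sample packets are constructed
inline; nothing here sends or answers DHCP."""
import ipaddress
from typing import Dict, Iterable, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"        # RFC 2131 marker at the start of the options field
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54
OPT_LDAP = 95                             # IANA "LDAP" option; plain URL string is an assumption
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_options(field: bytes) -> Dict[int, bytes]:
    """Decode the TLV options field of a DHCP message into {code: raw value}."""
    if not field.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = len(MAGIC_COOKIE)
    while i < len(field):
        code = field[i]
        if code == OPT_PAD:               # single-byte padding, no length
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 2 > len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value                # a repeated code overwrites; fine for this check
        i += 2 + length
    raise ValueError("options field has no END marker")


def build_reply(msg_type: int, server_ip: str, ldap_url: Optional[str] = None) -> bytes:
    """Constructed sample server reply, used only to feed the check below."""
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    body += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    if ldap_url is not None:
        url = ldap_url.encode()
        body += bytes([OPT_LDAP, len(url)]) + url
    return MAGIC_COOKIE + body + bytes([OPT_END])


def assess_replies(fields: Iterable[bytes], trusted_servers: Iterable[str]) -> List[str]:
    """Return findings for a batch of captured DHCP server replies.

    Rules, from the defender's side:
      * a reply whose Server Identifier is not on the allowlist is a rogue server;
      * more than one distinct server answering on a segment is itself suspicious;
      * any reply carrying option 95 is pointing the client at an authentication
        server over an unauthenticated channel, so the client must not trust it
        until the directory server's identity is verified some other way.
    """
    trusted = {ipaddress.IPv4Address(s) for s in trusted_servers}
    findings: List[str] = []
    servers = set()
    for field in fields:
        opts = parse_options(field)
        kind = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
        if OPT_SERVER_ID not in opts or len(opts[OPT_SERVER_ID]) != 4:
            findings.append(f"{kind}: missing or invalid Server Identifier")
            continue
        server = ipaddress.IPv4Address(opts[OPT_SERVER_ID])
        servers.add(server)
        if server not in trusted:
            findings.append(f"{kind} from {server}: not an authorised DHCP server")
        if OPT_LDAP in opts:
            url = opts[OPT_LDAP].decode("utf-8", "replace")
            findings.append(f"{kind} from {server}: supplies LDAP server {url!r} via DHCP; "
                            "treat as untrusted until the server's identity is verified")
    if len(servers) > 1:
        findings.append(f"{len(servers)} distinct DHCP servers seen on one segment: "
                        + ", ".join(sorted(map(str, servers))))
    return findings


if __name__ == "__main__":
    # Constructed capture: one legitimate offer, one rogue offer pushing a directory server.
    captured = [
        build_reply(2, "192.168.1.1"),
        build_reply(2, "192.168.1.77", "ldap://192.168.1.77/dc=example,dc=com"),
    ]
    for line in assess_replies(captured, trusted_servers=["192.168.1.1"]):
        print(line)
```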
Naw, that's not a derivative work - it's fair use. Admittedly, the percentage of use of the work is high, but if you look into the precedents, I think you'll see that, at least in common law, 50% is considered customary.
So you'd only really have a case in a situation where more than 50% of the copyrighted genes were used - e.g., a double Y chromosome or something. Even then, I think you'd have trouble getting any sympathy from a jury. Of course, with good representation, anything is possible, I guess.
Maybe the reason football players don't pull guns on each other is because they know what it feels like to be badly injured - that is, because playing football actually helps them to develop compassion, at least for their fellow players.
The problem with games is that they're life "like", but they aren't life. So you're practicing killing, but you're unable to identify with the result. So you start to see pulling the trigger as something with no real consequences, but something that's desirable to do - that produces positive results.
Personally, I don't think first person shooters _always_ turn people into murderers, but I do think that they can amplify an existing tendency, while at the same time providing excellent training in how to do it efficiently. I have to admit that I do find this worrisome.
This does weaken MD5 slightly, but it's still stronger than crypt(). To put it in perspective, MD5 is still widely specified in new protocols - it's not being phased out.
Never run a university network, have you?
So many of the patents we've seen on software since Diamond v. Diehr fall into this category.
Sigh.
MOTAS == Member Of The Appropriate Sex. It's a usenet acronym - I'm showing my age... :'}