I'm saying your belief about what happens after death is a "stuff people like", although I don't think you'll be able to admit that. It's knowledge that is unconfirmable and has no practical use; it's a statement of what you would prefer to be true, rather than something that is true.
Read the article. It clearly says the same "vulnerability" exists in Java Server Faces.
Except it's a joke of a vulnerability in both cases.
I actually think that would be a pretty funny joke. Thanks for the laugh.
Somebody comes up with "In Soviet Russia, Victorian china set orbits YOU!" and the next thing you know, it's gotten all out of hand.
To my mind, the epistemological flaw of atheism is that it accepts as knowledge only one kind of knowledge - based on science. For them that's the only kind of knowledge.
That's not true. If you prefer chocolate to vanilla, that's probably not really based in science -- I mean, sure, I could do an experiment to prove and document which you'll pick more often, but, really, not science. As an atheist I'm capable of treating your preference for chocolate over vanilla as knowledge. If I want to surprise you with a pint of ice cream as a gift, this knowledge helps inform my choices.
However, I'm also capable of drawing a dividing line between "our current best theory of how something works as provided by science" and "stuff people like", and religion goes in the second bucket. Lots of people would like it if there were an afterlife, bad people were punished there, and neither they nor people they like were considered to be bad people. Great for them, but I'm not going to decide I should believe that because other people do, just as I'm not going to decide I prefer chocolate just because you do. Scientific knowledge is able to build cars and solve other problems in the physical world; "stuff people like" can't solve the same kind of problems. (Unless you're in marketing, perhaps the wickedest cult of them all.)
(you cannot disprove solipsism).
No, but since whether solipsism is true or not is irrelevant (if I stab myself with a knife it sure seems to hurt, whether or not the knife or anything else really exists, and I'd prefer to not be in pain), you get on with living your life.
That doesn't require anything but pragmatism.
With proprietary software, even when there's a billion users, it's still a pile of spyware.
Based on that statement, I submit that you're too much an open source partisan to evaluate this situation rationally.
There's absolutely no justification why Windows accomplishes whatever these groups are doing and Linux does not.
However, in at least some cases, Windows is what they are using, and Microsoft is making sure they can do it without going to a Siberian prison for it.
That's a good thing, unless you think people should go to prison for choosing an OS other than the one you like?
I know this isn't you, but some people care about getting shit done and have no interest in dicking around in the guts of their software.
For most tasks, that includes me, and I've been a programmer since childhood.
- too much information leaked by default ASP.NET implementation
Incidentally, it's not -- the default behavior is to not provide the information in question, except to a user on the server. That is, a developer running both the web browser and the web server on one machine (a common development situation) would get the information about the mangled ciphertexts, but any remote user would not.
It's possible to configure error messages such that every user would get the detailed error messages the exploit needs (or that no user could get them, even running on the web server), but you'd have to go out of your way to do so.
Diablo was an almost exact copy of a 1980s arcade game called Gauntlet
I love Gauntlet and spent way too much (time and quarterwise) one summer playing it with three friends, but that's not true at all. Other than both being top-down multiplayer fantasy-themed games they almost couldn't be more different.
Of course, Magic as written (if not necessarily as actually played) had the ante mechanic to balance that out -- so, sure, your deck of awesome expensive cards could probably beat my bargain basement deck most of the time, but when you won, you won one of my worthless cards, whereas when I won, I won a valuable card.
Probably, good examples would include explaining what you thought they were clones of; that would provide the opportunity to counter-point you intelligently.
Otherwise you're practically begging someone to argue against a straw man.
There's nothing stopping the originators from taking a page right out of Zynga's book and adding the social network hooks to their "original" games.
You're misunderstanding the situation.
These are social network games that Zynga's ripping off. FarmVille, for example, is almost (or was at launch) the exact same game as FarmTown. Both were on Facebook etc. Both had very similar social hooks.
What's different is that Zynga at this point has inertia. When FarmVille launched, people who played any of their games were deluged with advertising and promos encouraging them to try out FarmVille for a month or more.
FWIW, it's pretty easy to block all messages from a single app (or user) forever.
I was thinking, specifically, of the Sandman adaptation that is supposed to be happening at some point in the near future. That's an arty kind of show that needs a large budget and a lot of creative freedom, if it's going to be made at all.
No doubt -- especially with Neverwhere as Exhibit A of trying to do Gaiman on the aforementioned "100 euros and a can of Spaghetti-Os budget" old-school BBC style. Ugh.
Any, no. But certainly there are many, many messages of the same length that would make sense.
To put it another way, let's say a /. sig is 120 characters (I don't know the exact number offhand) and that a million /. users have sigs, all of which are different and make some kind of sense. If I encrypt one with a one-time pad, there's no way for you, using brute force, to figure out which user's sig it is -- each of those million possibilities (and many, many more) would appear equally possible to your best discernment.
You're saying that as long as you come up with a message that looks like words and forms a sentence that's the right length, you've successfully brute forced the pad. That's not remotely the case.
You are correct. (I think the property's called CustomErrors, but otherwise you're dead on.)
You'd have to manually decide you wanted your end users to see unfriendly error messages for the exploit as described to work. In other words, being negligent isn't sufficient for this to work -- you need to do something actively stupid.
I believe the same is true for the JSF exploit this is based on, but it's been a year or two since I've touched JSF at this point.
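The setting the two replies above are talking about is the `customErrors` element in an ASP.NET web.config, whose `mode` is `Off` (everyone gets the detailed error page), `RemoteOnly` (the default: only a browser on the server itself gets it) or `On` (nobody does). The checker below is an added example, not code from any commenter or from Microsoft; the three web.config fragments are constructed sample input, and the function names are my own. It classifies a config by who would see the detailed errors the exploit depends on, which is the quickest way to confirm a site is in the "you'd have to go out of your way" state rather than the negligent one.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the setting you must actively choose for remote
# users to see the detailed error page (the "actively stupid" case above).
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample input: no customErrors element at all, so ASP.NET uses
# its default, RemoteOnly (details only for a browser running on the server).
DEFAULT_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""

# Constructed sample input: one generic page for every failure, local or remote,
# which is the "generic error message" setting the thread recommends.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>"""

# customErrors mode -> who receives the detailed (stack-trace style) error page.
AUDIENCE = {"off": "everyone", "remoteonly": "local-only", "on": "nobody"}


def detailed_error_audience(web_config_xml: str) -> str:
    """Return 'everyone', 'local-only' or 'nobody' for a web.config string."""
    root = ET.fromstring(web_config_xml)
    # iter() finds the element wherever it sits under <system.web>.
    element = next(root.iter("customErrors"), None)
    # A missing element, or a missing mode attribute, is treated as the
    # ASP.NET default, RemoteOnly (assumption stated in the lead-in).
    mode = element.get("mode", "RemoteOnly") if element is not None else "RemoteOnly"
    try:
        return AUDIENCE[mode.lower()]
    except KeyError:
        raise ValueError(f"unknown customErrors mode {mode!r}") from None


def remote_client_sees_details(web_config_xml: str) -> bool:
    """True only when an ordinary remote user would get the detailed errors."""
    return detailed_error_audience(web_config_xml) == "everyone"


def audit(configs: dict) -> dict:
    """Classify several named configs at once, e.g. every web.config in a deployment."""
    return {name: detailed_error_audience(xml) for name, xml in configs.items()}


if __name__ == "__main__":
    for name, audience in audit({"weak": WEAK_CONFIG,
                                 "default": DEFAULT_CONFIG,
                                 "hardened": HARDENED_CONFIG}).items():
        print(f"{name:9s} detailed errors visible to: {audience}")
```

Two things worth keeping in mind when reading the result: `RemoteOnly` matches the thread's description of the default (a developer browsing from the server still gets the detail, a remote user does not), and `On` with a single `defaultRedirect` is stronger than merely hiding the stack trace, because every failure type then produces the same page and the distinction the exploit needs is gone. Whatever the config says, the comment's other point still stands: catch the exception, log it server-side, and show the user something generic.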
Respectfully, are you sure you understand how a one-time pad works?
Attempting to brute force a one-time pad is as likely to produce a third option:
3) The account numbers to the secret Swiss Bank account are 3435464482 and 363578345. Please do not access the accounts more than once a month.
as your #1. In other words, the same message with totally different account numbers. Or any other message of the same length.
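The point both one-time-pad replies above make (the /. sig example and the Swiss bank account example) is that for every candidate plaintext of the right length there is exactly one pad that turns the ciphertext into it, so a "brute force" that stops at the first readable sentence has learned nothing. The script below is an added example, not code from either commenter; the bank-account message is the one quoted in the thread, the second account-number variant and the third message are constructed, and the function names are my own. It encrypts the real message, then shows that for each other candidate a pad exists under which the same ciphertext decrypts to that candidate instead.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; this is the entire one-time pad."""
    if len(a) != len(b):
        raise ValueError("a one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)


def pad_that_yields(ciphertext: bytes, candidate: bytes) -> bytes:
    """The unique pad under which `ciphertext` decrypts to `candidate`.

    It always exists (XOR is invertible) and it is just as random-looking as
    the real pad, which is why a readable guess proves nothing about the key.
    """
    return xor_bytes(ciphertext, candidate)


# The message quoted in the thread.
REAL_MESSAGE = b"The account numbers to the secret Swiss Bank account are 3435464482 and 363578345."

# Constructed candidates of the same length: the "same message with totally
# different account numbers", and an unrelated message padded with spaces.
CANDIDATES = [
    b"The account numbers to the secret Swiss Bank account are 9876543210 and 123456789.",
    b"Cancel the transfer; the auditors have the ledger and the office is closed.".ljust(len(REAL_MESSAGE)),
]


def every_candidate_is_consistent(ciphertext: bytes, candidates) -> bool:
    """True if each candidate is reachable from the ciphertext by some pad."""
    return all(otp_decrypt(ciphertext, pad_that_yields(ciphertext, c)) == c
               for c in candidates)


def demo() -> dict:
    """Encrypt the real message with a fresh random pad and report what an
    attacker holding only the ciphertext can and cannot distinguish."""
    pad = os.urandom(len(REAL_MESSAGE))
    ciphertext = otp_encrypt(REAL_MESSAGE, pad)
    return {
        "pad": pad,
        "ciphertext": ciphertext,
        "roundtrip_ok": otp_decrypt(ciphertext, pad) == REAL_MESSAGE,
        "all_candidates_consistent": every_candidate_is_consistent(ciphertext, CANDIDATES),
        # Number of pads of this length, i.e. one per possible plaintext.
        "number_of_possible_pads": 256 ** len(ciphertext),
    }


if __name__ == "__main__":
    result = demo()
    print("ciphertext:", result["ciphertext"].hex())
    for candidate in [REAL_MESSAGE, *CANDIDATES]:
        pad = pad_that_yields(result["ciphertext"], candidate)
        print("a pad exists ->", otp_decrypt(result["ciphertext"], pad).decode())
    print("pads of this length:", result["number_of_possible_pads"])
```

The second candidate is padded with spaces only so the lengths match; the ciphertext reveals the length and nothing else, so the attacker knows the message is 82 bytes but not which of the 256^82 pads was used. That is the property the replies are describing: the "brute force" terminates at whichever sentence the attacker chooses to stop on, which is the same as guessing.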
Basically, what I'm saying (that I don't think I expressed very clearly in my post that you replied to) is that what they're saying in the article is: If you find an ASP.NET web site (or a JSF one, for that matter) that gives back enough detail in its error messages to malformed/mis-sized crypto packets, you can figure out what the size really should be and make it work from there, and then it'll work every time. It's like saying "A third of the time, it works every time!" Well, that's not 100%.
To put it another way, entering 'admin' and 'admin' will give you full access to 100% of machines that have a user called admin with admin privs that also set their password as admin. Or, the Blaster Worm still owns 100% of Windows 98 machines that haven't been patched in a decade. While technically true it's a useless statistic.
I have not personally encountered a site that would be useful to crack (ASP or JSF) that provides the end user with the kind of error messages they're talking about. There's no reason you couldn't, but you just never would.
More details on the "side channels" would've been nice, since the primary vector they talk about is, in practical terms, useless.
Exactly. If the web devs are incompetent enough to let an end user see a stack trace error message, you've got much bigger problems than this hack. Professionally, it's about the equivalent of setting your root password on a machine to 'password'.
TFA has a bizarre idea of a "100% reliable" attack:
"It's worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It's just a matter of time."
By that logic, this attack is 100% reliable against (web platform of your choice) too.
Beyond that, this attack requires fairly verbose error messages be sent back to the user of a web application. While I'm sure there do exist some ASP sites where this is the case, I don't think it has been in any of the non-intranet sites I've seen in my career.
It just is not standard in any exposed web site, especially the kind of web site where you would care about customer information getting out, to allow useful error messages reach the end user. It is by far the standard to catch the exceptions, log them on the server, and show the end user a generic error message which would not be helpful in the case of this exploit.
In other words, you didn't do like I did: look at ALL the "To:" addresses, and send them all an email explaining that they should ignore the sender's message because it's just another hoax/scam/urban legend, and provide links to Snopes, etc.
You'd be amazed at how quickly people stop sending you stupid stuff when you contact 50 of their friends to say "this is retarded."
Sadly, I've done exactly that. Dozens of times. In a few cases my mother-in-law checked Snopes (because I had drilled it into her head so many times), saw the e-mail was a hoax, and forwarded it anyway.
How would nuking Facebook and Twitter be a bad thing?
Members of my family would go back to forwarding me spam e-mails about how we need to build a giant wall between Texas and Mexico instead of posting on Facebook on the topic.
As things stand today, they're almost only sending me e-mail about things that are actually important. Don't send me back to those dark ages.
I would not like to find out what explaining that to them would be like (let alone what would happen if they don't believe me).
My money's on the $5 wrench. :)
Why will Windows Phone 7 succeed when Kin failed?
Frankly, it's a much better platform to develop for. You could even make a decent case that it's a better (as in, a developer with an equal exposure to the platform can accomplish more, easier/faster) platform to develop for than Android or iPhone.
Is that enough to catch up this late in the game, and despite other shortcomings? Probably not.