Oh my, this got posted to slashdot?
But does it support Ogg!
I've been hoping for years that a President will pronounce to the country, like John F. Kennedy did, that he has a serious challenge for our nation and our national security depends on it.
And no, I'm not talking about wasting time or money going to the moon. I'm talking about a full mobilization of our nation's resources to tackle the problem of alternative fuels. Like NASA was challenged, and the nation was captivated, we need a similar program for alternative fuel research, implementation, and production. I mean massive funding and resource allocation, not a few tax breaks that allow Detroit to say they are working the issue while dragging their feet for another decade.
Unfortunately, I think the true purpose for going to the moon again would be to rape her of her resources and commercialize her. No thanks.
I know Verizon lets you switch plans in mid-stream, as long as you get a new term on the selected plan that is longer than what remains on your current agreement.
Yeah, I've changed my service 10 times in the past year trying to find a plan that meets my needs and I've got 20 years worth of contract time now. ;)
This has to be nominated for the longestarticlethatcouldhavebeensummedupintwosentences award.
Anywho, I purchased a program called Roboform. It comes in a free and a 'pro' version for $30. It autofills forms and such. The feature I like is that it includes a random password generator. This has gotten me into the habit of using random passwords for each and every site I log into. Previously I used the same password for many things, and if one system got hacked that would compromise all my passwords. This program stores all your passwords and encrypts them. You can also put them on a USB flash device if you want portability. Mind you, this is a Windows product. But it works for me.
Sometimes there is too much security and it is not proportionate with the risk of the data being protected. I find ING Direct to be annoying. Not only do they require the standard account # and strong password, but each time you visit you are presented with a random question such as first 3 digits of SSN, or last 4, or birthdate, etc. It's a savings account for crying out loud - if someone wants to hack in and deposit money, feel free.
Some other overly secure sites require you to re-enter passwords multiple times in one session. For example, amazon.com. You can be logged in and go to your 'account status' and have to re-enter a password despite the fact you just logged in a few moments earlier.
Lastly, if there is no physical security it doesn't really matter does it? If I can reboot the system using a linux/solaris/windows boot cd-rom/disk...
I'm not sure the health care example is a great example. Those security measures are related to health privacy (part of HIPAA). Security is taken a bit further because just because you can log on to a system doesn't mean you have a need-to-know on that patient.
My personal opinion is that we should be using some type of smartcard which, when inserted, enables our access in combination with a global PIN #.
What I don't understand is the voting system on his website. It looks like you can vote for each photo on a scale of 1 to 10. However, many of the photos (of, say, Washington, DC) score only 3, 4, or 5. Who is grading these things?
That picture is amazing. I asked the photographer to email me a copy of the original but I haven't been able to access my mail server for hours. ;)
Which is of course why ads always say "Own it today on DVD and video!"
The ads also say pick up your copy today, yet they are not selling 'copies'.
Isn't it called Copyright? That little banner that you cannot skip that tells you that the material is copyrighted, licensed, etc.
Isn't that copyright Sec 1201 of the US code? You might own the DVD (polycarbonate substance), but not the content burned on it. The studios claim that not being able to skip is their right to force you to watch commercials, and if you try to circumvent that you are breaking the law.
I'm not sure why I'm arguing this. It just makes me mad, I don't agree with it, but I think those are the studio arguments.
If you purchase something, and you own it, can the company who created it, but who no longer owns it, put restrictions on the manner in which it can be used?
The problem is that you DON'T OWN IT. The content creator is licensing it to you. By opening the shrink wrap you agree to that. I don't agree with it, but that is how it is and your argument about owning it is not really accurate. It's like hitting that 'I Agree' button when you install software.
The whole cannot-skip-forward thing in a DVD is ridiculous. That shouldn't have even been put in the standard. It is especially annoying on DVDs with commercials/trailers - they get old after a while.
Rumor has it that Wizards of the Coast has threatened suit based on a prior patent art claim. In addition, any attempts by /.'ers to reverse engineer the purpose of this die would be a DMCA violation.
I've searched the lkml archives and cannot find any reference to any security related patch in Sept 2003. I can't find it in the bugzilla either. Can anyone point us to the specific patch / lkml announce for this?
I just cannot find it.
So are you saying that it wasn't known back in Sept?
So you're saying that exponential growth can be sustained forever?
;)
Hey, if it applies to our national debt, why not.
Oh, I forgot to mention... the Popular Science 'Brilliant 10' award last November 2002 highlighted how nanotechnology which was being researched at Harvard University by Charles Lieber might address Moore's law. He spoke of how the current state of semiconductor manufacturing would be considered crude/clumsy if they can perfect the techniques they are working on. See http://www.popsci.com/popsci/science/article/0,12543,364572,00.html
If you check the science journals you'll find several articles from the team about nanotech and their 'nanowires'.
Silicon is dead. Long live diamonds!
Of course, because diamonds are forever!
I find it interesting that just because Intel thinks it has reached the limits of its ingenuity, Moore's law will become obsolete. As you say, if they don't do it, some other company will. Especially since they have so much money tied up in silicon, another competitor with less capital tied up could emerge.
This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release.
If this was found after 2.4.22 but before 2.4.23 release then it should have been announced and patched. How is this any different than what Microsoft does? We complain (rightfully so) about security through obscurity and lack of transparency. In this case a KNOWN kernel exploit was left in the open for 1-2 months?
Looking at the 2.4.23 CHANGES file I'm still not clear who/what fixed this. The closest thing I see is: ": o Add TASK_SIZE check to do_brk()". Nothing from Andrew Morton's CHANGES entry implies a fix to this. Perhaps "make printk more robust with 'null' pointers"? How do we know? Why wasn't it reported to the security groups immediately when it was found (or was it?).
That still doesn't get you into the box; you still need to run something in userspace
However, I'm not sure you really need to be logged into the box. After all, the 'apache/httpd' process runs in userspace (as user nobody)? So technically it could even happen remotely. Kudos to them fixing it rapidly and of course the fix/lesson learned is public (unlike other OS vendors) and immediate. However, getting everyone to update their kernel to 2.4.23 is not easy and is the same hurdle other vendors go through when they release fixes.
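The CHANGES entry quoted in this thread only says that a TASK_SIZE check was added to do_brk(). As an added illustration that is not kernel code and makes no claim about the specific defect, the block below shows what a check that a requested address range stays below a task's address-space limit looks like, and why the check has to be written so that the address plus length cannot wrap around. DEMO_TASK_SIZE is an assumed value; the real TASK_SIZE is architecture-specific.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed upper bound of the user address space for this demo only;
 * the kernel's TASK_SIZE differs per architecture and configuration. */
#define DEMO_TASK_SIZE 0xC0000000UL

/* Naive form: forms addr + len first. With a large len the unsigned sum
 * wraps to a small value and the comparison passes although the range
 * actually extends past task_size. */
bool range_ok_naive(unsigned long addr, unsigned long len, unsigned long task_size)
{
    return (addr + len) <= task_size;
}

/* Overflow-safe form: never computes a sum that can wrap. Once we know
 * addr <= task_size, the subtraction task_size - addr cannot underflow,
 * so "len fits in the remaining space" is an exact comparison. */
bool range_ok_safe(unsigned long addr, unsigned long len, unsigned long task_size)
{
    if (addr > task_size)
        return false;
    return len <= task_size - addr;
}

/* Constructed length that wraps the naive sum: 0UL - 0xA0000000UL is the
 * two's-complement negative of 0xA0000000, so addr + len == addr - 0xA0000000. */
unsigned long wrapping_len(void)
{
    return 0UL - 0xA0000000UL;
}

int main(void)
{
    unsigned long addr = 0xB0000000UL;

    printf("ordinary range, naive=%d safe=%d\n",
           range_ok_naive(0x10000000UL, 0x1000UL, DEMO_TASK_SIZE),
           range_ok_safe(0x10000000UL, 0x1000UL, DEMO_TASK_SIZE));
    printf("range crossing the limit, naive=%d safe=%d\n",
           range_ok_naive(0xBFFFF000UL, 0x2000UL, DEMO_TASK_SIZE),
           range_ok_safe(0xBFFFF000UL, 0x2000UL, DEMO_TASK_SIZE));
    printf("wrapping length, naive=%d safe=%d\n",
           range_ok_naive(addr, wrapping_len(), DEMO_TASK_SIZE),
           range_ok_safe(addr, wrapping_len(), DEMO_TASK_SIZE));
    return 0;
}
```

The third case is the one that matters: the naive check accepts a range whose length is absurdly large because the sum wrapped, while the rearranged comparison rejects it. Any bounds check on an (address, length) pair in C should be written the second way.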
For those of you who have done embedded development with Wind River OS products (vxWorks) in the past, this looks like too little, too late.
Not only did they fight the open source movement for some time, but now that they are hurting they look to embrace it. Those of you who have tried to work with Wind River tech support to solve problems with device drivers and software issues have probably experienced the frustration and head banging of trying to get results. The lack of support, secretive nature of the internals of their products, and lack of affordable source code (if you shell out a lot of money, >$100,000?, you could get source code) is what caused me to switch to Linux for embedded development. Linux is not perfect, but when I'm trying to deliver a product and a device driver is crashing, I can delve into the source code and get some insights or add some debug statements.
Based on this track record of poor support, I doubt they can develop and support Linux development tools that really add value.
This is a really cool idea
Doesn't the whole concept seem kind of Orwellian? Doesn't the following quote from the article disturb you?:
Deployed the way Tennenhouse envisions, the networks will require zero human input. We'll reap the benefits without having to interact with the networks, and Intel will eliminate a long-standing obstacle to its growth: the feebleness of the human brain. "Sensor nets let us relieve the human being of the responsibility of drawing information out of the physical world," says Tennenhouse. "We need to have computers anticipating our needs and sometimes taking action on our behalf."
It bothers me - sounds like SkyNet or something. Not to even mention the environmental waste/radio interference from all these machines.
What gets me is, if it's so expensive and time consuming to do this, why not go straight for level 4 certification?
It costs time and money to do this and what for? All the 'trusted OS' systems have to be rigorously certified on specific hardware and with a specific version of driver, etc. This limits their usefulness. They lag the technology curve by a considerable amount of time. (For example, certification occurs on a 2.4.21 kernel - but if your newest network card requires 2.4.23, too bad.)
NSA has worked on securing Linux, but it is not to the trusted OS level. My personal opinion is that the only way to have a trusted network is to not connect it to other stuff - don't rely on 'trusted OSes' etc.
Another thing to consider is that a lot of these certification requirements by groups like the 'EU' are really just forms of protectionism. They raise the bar to competition. In many instances these organizations exempt themselves from the standards. Take ISO-9000 for example.
Not everyone, just the people who blatantly rip off Apple designs in an attempt to fool consumers
Apple is all about 'branding'. I agree that they try to lure you in and then stick it to you. As far as 'trade dress', I like to call them 'clones'. Back in the 80's I remember Apple suing everyone who produced a 'clone'. It is because of the 'clone' industry (aka competition) that we all have affordable computers today. If it weren't for the clones we would still be tied to proprietary busses, power supplies, BIOSes, etc. (aka Apple, IBM). I don't understand people willing to shell out the bucks for these things. I bought a cheap Panasonic CD player that looks like a Walkman (oops, trade dress?) that plays CD-Rs with MP3. I can get thousands of songs on a CD-R in that format and the player was about $60 at Costco. Panasonic MP353J.
That is funny - even though I had a C64 I never heard of that game. See http://ready64.altervista.org/english/misc/. Check out the picture of the family enjoying Stroker 2 on their new C64.
I guess merging Stroker with the Palm was only inevitable in this age of frictionless e-technology.
If you want some more in depth details on Megan's law and the risks associated with this stuff see http://www.appa-net.org/revisitingmegan.pdf
Some tidbits:
In Virginia, an innocent man targeted by a detective, intent on nailing him for a sex crime, was falsely charged with indecent exposure, was arrested, had his home scoured in his absence, and had his computer and some family photos removed from his home (Jackman, 1999).
In Lansing, Michigan, a 26-year-old man was branded as a child molester incorrectly. His name was immediately placed on a Family Independence Agency's "undesirables" list. The court ordered his name removed, but the damage had been done. The man lost jobs, friends, and family respect, and ultimately, his health was affected (Miner, 1998).
A civil liberties group wants Michigan State Police to notify citizens if their addresses are placed on the sex offender list on the Internet. Recently, it was discovered that as many as 25 percent of registry addresses were incorrect, which has resulted in citizens having their addresses improperly included on the registry (Webster, 1999).
Of course innocent people can get caught up in this and they have no recourse.
In Texas, from 1999, from
DALLAS (AP) -- Faced with a choice between convicts' privacy and the public's right to know about sex offenders, the Texas Legislature sided with the latter.
The decision cost Thinh Pham his front teeth. Now he fears leaving his home.
The 27-year-old Vietnamese refugee was attacked by four men who thought he was a sex offender because his address was listed on the state's Internet registry. But the address was that of a sex-offender who hadn't lived at the home for months.
The vigilante beating came in September, three weeks after the effective date of a new state law mandating more detailed sex-offender information be posted on a Department of Public Safety website. Previously, the state released only block numbers and ZIP codes of sex offenders.
Supporters of the measure said it would help parents protect their children from sex offenders living in their neighborhoods.
But Pham's case raises questions about the state's ability to verify the accuracy of such a vast and detailed database. Top law-enforcement officials acknowledge they have little idea how much of the registry is accurate.
Hmm. See http://www.sexcriminals.com/news-archive/info-11737.html
(1999)
These are not rules, these are guidelines. Even the link that /. included in the article description is
http://usability.gov/guidelines/index.html
There is a big difference between a rule and a guideline. The web-site is from the National Cancer Institute and it appears they wanted to share some lessons learned with the community. I for one appreciate that they took the time to formalize their findings on how to make the web easier to navigate. Unlike some rules, there is an address provided if you feel they have missed something. See their about page: http://usability.gov/guidelines/about.html