Re:Big woop now it's only 3 years behind. FP and F on Sarge is Now Frozen · Score: 2, Interesting
I realize a lot of the posts here are in jest, but what's wrong with being a little slow on the release schedule? There hasn't been a release of Microsoft's desktop OS since 2001 (wow, comparing Debian to Windows XP - kind of like comparing __insert appropriate metaphor__).
There's a word in Yiddish - that word is l'havdil (it approximately means "pardon the comparison").
So you're asking "What's wrong with being a little slow to release. L'havdil, Microsoft hasn't released since 2001."
The UC system has required since the fall that such sensitive data on portable equipment be encrypted. But in this case, the information was downloaded onto a new laptop the day before it was stolen, and was scheduled for encryption the afternoon a thief walked off with it, said campus spokeswoman Marie Felde.
Encryption takes 5 minutes. It's bad policy to need to schedule encryption, and it's bad policy to keep the data on the laptop before it's encrypted, even for a day.
If you want to make children treat computers as a tool, then teach them to use the tool... teach them how to program!
It should be said that I think teaching users to program is the most important way for them to be able to use a computer as a tool. If you can't program, then none of the computer's strengths for automation will be available to you.
And programming teaches really useful problem solving skills, cheaply.
I am a Computer Science student. A good number of my classes were done without computers. Theory of Computation, for example, and Algorithms were done without a computer. That said, many more needed computers.
But back in the old days (before interactive computers) a person had to check their work carefully -- double check and triple check -- to make sure there were no errors (e.g. syntax errors), because their job would only get to run once. There's something to be said for the reliability those days promoted.
Debian only has releases once in a blue moon. July was a blue moon, therefore the Debian project started the release process by freezing the base system. The developers now figure that the release will get out the door when Sarge freezes over!
Before I write a letter to my senators, in the interests of not looking totally stupid, could someone explain why the senate is handling a bill numbered with an HR - a House Resolution? Shouldn't the senate have an SR number for this bill?
This should equal the popular vote, assuming electoral votes are distributed perfectly proportionally among the states. (So the farther along we go in a 10 year cycle, the farther off it gets - and 2000 is near the end of the 10 year cycle)
Try some of the district-based systems, where there is 1 elector for the winner of each congressional district + 2 that represent the statewide winner.
Not every corporation with a large number of computers to administer is a Microsoft premium customer, so it's not just individuals with 2 or 3 computers that have to wait. The premium customers are paying Microsoft to be more prepared competitively against the big guys - not for advance information that the little guys don't need.
I generally do my word processing in (g)vim + LaTeX. Why? Because I frequently like to do my work from the command line (eg. over SSH connections), and LaTeX lets me do that.
I'm disappointed that fewer and fewer new programs (eg ncurses type stuff) are being written for the command line - I'd like to be able to run a commandline PIM to hotsync with my palmpilot, among other things, but that software just isn't out there.
If any of you want a right to privacy, ever, then you'd better respect their right to privacy, whether you agree with their views or not, and whether you think that you are using this knowledge for some greater good.
Moral relativism is evil, and it is wrong to assume that the ends justify the means. Ever.
These people are not your representatives. The political parties are not the government.
They will decide what the views of the party are, and then you will decide whether to vote for that party. If you don't like it that way, then move to another country.
Microsoft's command interpreter will be harder to use, and it will do less unless a lot of programmers are willing to recode their applications to expose programming interfaces.
By contrast, Linux's shells let me write one small utility that can be run from a command shell, and it can automatically be integrated with other people's small utilities.
Be careful with MD5, don't worry about SHA1 yet.
This isn't so much a flaw with the hashes as it is a way of exploiting certain kinds of documents to take advantage of a hash collision.
Plain text messages, HTML documents, and the like don't appear to be exploitable with this type of attack. But executable files and PostScript files can be exploited -- to a certain extent.
You can't exploit arbitrary files -- the file has to be specially constructed to allow for the exploit. The problem isn't with using MD5sums to verify the integrity of programs on your machine. The problem here is digitally signing untrusted data -- it only raises the bar for what you need to check before you sign data. In the article, what Caesar should have done is indicate that he'd type up the letter for Alice and send her a signed version by the end of the day. (Although I'm not sure how to handle the social niceties involved.)
That's why we have the word "open standard". If all standards were open, why would we need to say "open" specifically?
I personally think that being able to describe something as being both "UNIX" and "simple" is quite an achievement that you shouldn't pooh-pooh.
I might just test this by signing in Hebrew next time.
It's 1111111111 right now!
[bloom@cat-in-the-hat ~]$ for x in $(seq 1 87); do
> echo $(( (1111111111 - $( date +%s)) ))
> sleep 1
> done
Shouldn't ICANN sue Microsoft over trademark infringement? Or is .NET just not trademarked?
How do you think he got involved in the anti-spam scene? He doesn't want false positives!
I recently posted a list of the VNCs in Debian, with a description of how each one serves a different purpose, to LUGOD's vox-tech mailing list. The post is quoted here in full, so that you do not need to click the link, thereby slashdotting their server.
I was asked "Is there one implementation that's better than the others? Why did this piece of software fork so many times?"
And I answered as follows:
Because they're all different. Some for framebuffers, some serve differently, some compressed, some not. Read on, and I think you'll get the idea.
(Search packages.debian.org for vnc, and you'll see all of these pop up.)
TightVNC uses JPEG or zlib to compress the data stream to optimize for lower bandwidth connections. It is under the GPL. Packages: tightvncserver, and xtightvncviewer
The default VNC viewer (packages vncserver and xvncviewer) are (c) 2002 RealVNC, and (C)1994-2000 AT&T. They are under the GPL. This seems to be what you alien'ed.
x2vnc - use a vnc server as a second screen, so you can move the mouse between the local machine and a machine across the network that is running the vnc client.
directvnc - doesn't require x - uses libdirectfb-0.9-20. Depends on zlib and libjpeg, so it may work with tightvnc's protocol
svncviewer - depends on svgalib
x11vnc - the x11vnc server works the same way the Windows 2000 vnc server does - mirroring the physical screen over vnc
linuxvnc - "With linuxvnc you can export your currently running text sessions to any VNC client. So it can be useful, if you want to move to another computer without having to log out and if you've forgotten to attach a 'screen' session to it, or to help a distant colleague to solve a problem."
3dwm-vncclient - I think you get the picture
vnc-java - I think you know what this is. Why bother with it? Probably so you can serve yourself a vnc client over HTTP, probably.
tkvnc - a wrapper for xvncviewer
Great. Now someone will use this as FUD against public security alert email lists.
This is dangerous stuff. Mod the parent article down (which includes a working link to the malicious address) so that people don't click on it.
You're safe. Google.se is just an international version of google.
What is goatse? Look it up on wikipedia. The entry is goatse.cx. You'll be glad you didn't have to see the image.
Is it possible that they use some other information (like the card number) as a salt to make it harder to perform the dictionary attack?
By the time I've populated the system with metadata for a file, I'll remember where I put the file.