And I mean, with all your reading, and all those smart friends, it never occurred to you, and nobody told you, that somebody ill-intentioned could just replace your library with something that does what it does, but that additionally XmlHttpRequests a copy of the "secure" data to http://evilsite.com?
That's the "secret sauce" so to speak of the library.
Security through obscurity... Given enough time and determination, an attacker can intercept and reverse-engineer your library and add as much salt into your secret sauce as he wishes...
The only way to make it secure is to deliver the client part out-of-band over a known secure channel. Anything else may just delay an attack, but not prevent it.
No. Without any further verification, self-signed certificates can be spoofed by the common crook, whereas CA-signed certificates can only be spoofed by governments.
With further verification (the customer manually checks the certificate's fingerprint), both self-signed and CA-signed would be secure, but then you wouldn't really rely on the signature at all, but rather on the fingerprint.
How would this secure ajax framework work? A (trusted) plugin to be installed in the client's browser?
Because, if the client-side javascript is being served by the server over the Web, it's vulnerable: an attacker could just intercept the javascript and insert whatever he wants inside, and pass that on to the client, who would be none the wiser. And as it is non-standard, there'd be no tell-tale signs such as http instead of https, that an astute user could see.
Many European countries (Germany, Belgium) now have electronic identity cards, which double as PKI signing tokens, with which you can authenticate yourself to web services, such as your bank.
When Luxembourg introduced a similar system they didn't piggyback it on an id card, but issued "signing sticks" and smart cards just for the purpose of PKI.
You may wonder why, especially since an electronic id card is already in planning in Luxembourg as well.
The answer is obvious: many customers of Luxembourgish banks are foreigners, who thus couldn't get a Luxembourgish id card, but wouldn't trust their own government's id cards either, so an ad-hoc system was needed: Luxtrust.
Unfortunately, Luxembourg doesn't have any native smartcard industry, so they had to buy the chips from the French... who just shipped units with a predictable random number generator, dramatically reducing the number of possible private keys. FAIL.
And the BSI institute (which "certified" the cards) "overlooked" this weakness, because the Germans too have a vested interest in spying on communications with Luxembourgish banks. DOUBLE FAIL.
Well, while it is understandable that the judge won't tell you about this (although, as a jury, it is your right to judge both the accused and whether the law accusing him is just), it amazes me that a Slashdot reader could not be aware of this.
1) The technician did not find probable child porn links. He found links that were entitled "lolita". If you've ever seen porn, you know that the term "lolita" is used in PLENTY of legal porn productions. These are POSSIBLE child porn links, at best.
True enough. The word "Lolita" is not enough on its own to make a link a child porn link. But maybe the technician knew what this particular link pointed to, because he had already visited it on another occasion. You know, like because he is into the same kind of hobby himself, and so he just recognized that link.
The court should order a raid on the technician's house as well, just to be sure.
We haven't quite sunk that low here in Canada, and I'm thankful for that.
I know a case of a German tourist who was imprisoned for almost three months. His crime?
Accusing a Rotary Club-operated shelter house of throwing away bread...
Fortunately, his tourist visa eventually expired, so they had to set him free in order to send him back to Germany.
Yes, your charter may protect you if you are a Canadian national, with people around you who care and know your planned whereabouts, and who will call lawyers and the press if anything is amiss.
But if you are a backpacking tourist, better not cross the all-mighty Rotary Club, even over ridiculously trivial matters.
Can you explain any legitimate accidental reason whatsoever that there would be drugs or illegal weapons in the premises of your vehicle?
A policeman planted them
A former passenger forgot them in the glove compartment
Another driver in front of you (or on a bridge) threw a baggie out of his window, and as good luck would have it, it landed in your car via the sunroof
Alternatively, the baggie landed on the street, burst, and some of the powder stuck to your tyres.
You had bought the car at a police auction of seized property, and some well-hidden wares were left behind by a previous owner
That water bottle you keep with you was last refilled in a city with poor water treatment, where traces from the piss of drug users are still left
I've had objectionable stuff pop up through ad-blockers before when randomly surfing as well that I'd like to report (not even sure if it was legit or not, closed windows fast)... but haven't, for that very fear. Sad, but what can you do?
Just save those URLs for planting on politicians' computers.
The matter is already settled in law - child porn is a serious crime in virtually every jurisdiction.
I wonder why that is...
People who are not happy with that are entitled to lobby for their point of view. But I would caution anyone against doing so.
... that's the reason. Easy to get laws passed if you stifle rational debate.
At this point, if you want to get some sanity put back into these laws, but still care about your safety and reputation, I'd propose a different approach: if you have the skills, plant such pictures on computers of famous and powerful people (politicians, business men, Rotary Club,...), and have them make their case. Resist the temptation to plant them on obvious personal enemies' computers, that'll be too easy to trace back to you.
An animal that's been dead for some time already has started decomposing, and you don't really want to eat (or even touch) that, rather than one you (or one of your buddies) freshly killed yourself. And "yuck" is just the evolutionary mechanism to enforce this.
Paypal "protects" its users the same way that the mafia "protects" its victims. In most of the stories, they are the source of the problem, not the other way round. Please read them.
FWIW, his car insurance eventually paid out because the car was essentially stolen.
Lucky that he didn't cancel the insurance when he "sold" the car...
The guy is a TOTAL sicko, and so are those people here who think he should be allowed to continue his sick hobby.
What exactly are you trying to do here?
Same applies even more so to diamonds. So where are all the brave "Anonymous Cowards" clamoring to throw all diamond wearers into jail?
Some male criminals abduct, rape and murder adult women. So should straight sex among adults be criminalized too?
Make that 11. Most men have two hands.
Mod parent as Insightful!
I agree, but I can't really say why.
Illnesses, I guess.
No, I still want to see 'hello, world'. Your link doesn't have it right either.
So, what exactly is wrong?
Actually, I believe the point is to print "hello, world".
Actually, her point was to just return an exit status of 42.
However, if you really want to see hello world, add 37 bytes, and use this.
Part of the obesity problem ...
So this gene will be a solution to that problem as well:
You're fat? No problem, just lop off a leg, it'll regrow, and in the process consume the excess belly...
Yeah exactly like with Mono.
Exactly. Wait for enough sheeple to take the bait before springing the trap.
The program output was '42'.
No, that was not the output, that was the exit status.
However, for just 37 bytes more, you can have a real hello world program: http://pastebin.com/bnR8P2Hs