d) CowboyNeal made me do it
Indeed, and it sounds more like a programming flaw (.....) It may not always be obvious, but if you work with unverified user input, chances are that you need some level of cryptographic strength.
True. The question, though, is: how much cryptographic strength ??
I admit this is an eye-opening vuln. I'd never thought twice about using tainted strings as hash keys.
Amen & agreed upon. Same here. Still and again, I DO consider this enough and sufficient reason to consider the design, prototyping, testing and implementation of a new hash function in java.lang.Object. Period.
Agreed. Still, many people WILL depend on hashCode() always returning the same value between runs, you can bet your little finger on that.
Be advised that there IS collision resolution present in e.g. java.util.Hashtable; the default load factor is 0.75, which in practical use ( I've been playing with that class for over 12 years now ) is very close to optimal for run-of-the-mill uses. Also, there is the strategy of internal collision recording. I do agree, though, that it is not feasible to implement such tactics in the hashCode() method of any POJO. Which is why, IMHO, a re-design of the java.lang.Object.hashCode() method would be worth thinking of.
First of all the function is not hard to reverse.
Really ? Well, I would like to see your best attempt at reversal. Feel free to email me. This is getting interesting.
1) be at least as "strong" ( read: as hard to reverse ) as the old one
2) a manifest patch against the bug described in the OP's references, which, indeed, *does* look like a serious bug
3) be thoroughly tested against criteria 1 and 2
That is a helluva job.
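To make the trade-off in this thread concrete (a hashCode() that an outside sender cannot precompute, at the cost of stability between runs), here is an added example that is not code from the thread or from the JDK. It wraps a tainted string in a key whose hashCode() mixes the characters with a random seed drawn once per JVM process; the mixing function, the class name SeededKey and the sample parameter names are all assumptions of this example. The mix is a keyed scramble of the characters, not a cryptographic MAC; it is only meant to show the shape of the mitigation the thread is debating.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

/**
 * Added example (not from the Slashdot thread): a map key whose hashCode()
 * depends on a per-process random seed, so the published String.hashCode()
 * formula cannot be used to precompute colliding keys. equals() is plain
 * string equality, so HashMap lookups behave exactly as with String keys.
 */
public final class SeededKey {
    // One seed per JVM run. Deliberately NOT stable across runs: any code that
    // persists or compares hashCode() values between runs would break, which is
    // precisely the objection raised in the thread.
    private static final long SEED = new SecureRandom().nextLong();

    private final String value;

    public SeededKey(String value) {
        this.value = Objects.requireNonNull(value);
    }

    public String value() {
        return value;
    }

    @Override
    public boolean equals(Object o) {
        return o instanceof SeededKey && ((SeededKey) o).value.equals(value);
    }

    @Override
    public int hashCode() {
        // Keyed multiply-xor mix (assumed for this example; not a MAC). Because
        // the starting state is the secret seed, the per-character contribution
        // is unknown to whoever supplied the string.
        long h = SEED;
        for (int i = 0; i < value.length(); i++) {
            h ^= value.charAt(i);
            h *= 0x100000001B3L; // FNV-1a 64-bit prime, used here only as a mixer
            h ^= (h >>> 29);
        }
        h ^= (h >>> 32);
        return (int) h;
    }

    // Demo: untrusted request parameter names stored under seeded keys.
    public static void main(String[] args) {
        // Constructed sample input standing in for query-string parameter names.
        String[] names = {"user", "page", "sort", "user"};
        Map<SeededKey, Integer> counts = new HashMap<>();
        for (String n : names) {
            counts.merge(new SeededKey(n), 1, Integer::sum);
        }
        System.out.println("distinct keys: " + counts.size());              // 3
        System.out.println("user seen: " + counts.get(new SeededKey("user"))); // 2
        // Equal keys hash equally within one run; another run yields another value.
        System.out.println(new SeededKey("user").hashCode()
                == new SeededKey("user").hashCode());                        // true
    }
}
```

Compile and run with `javac SeededKey.java && java SeededKey`; run it twice and compare the printed hash values to see the seed change between processes. The design point is that the randomness lives in the key wrapper rather than in java.lang.Object, so existing callers that rely on String.hashCode() being stable are untouched, and only the code paths that hash attacker-supplied strings opt in.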
You have managed to become a liability to your employer. Something they need is closed up in software they neither have the source code of nor control over. You are now in the position to create a major conflict, from which you will both emerge as losers: you, because you will likely lose your job, as your employer cannot afford to keep a destabilizing factor like you on board; your employer, because they face a transitional period in which your successor(s) will take over.
You would be well-advised to look around for mediation or arbitration. Moreover, the "software is not important" argument above points toward a clever way out.
My gawd, the poor woman !! I now understand why she so sparingly appears in public. Being so overweight must be horrible.
...it must be. Yet, a question occurs to me: who finances Santa's technological wet dreams ?
...as was remarked in other comments, for people who do not want to be on Facebook. Or, as said above: "Facebook destroys everything that is not Facebook". Is there a remedy against Facebook taking over the lion's part of what many people consider as "social life" ? Can we bring Facebook down ?
...tomcat !
This announcement comes only days after all the hey-ho and brouhaha around the Higgs Boson created so much media exposure for European-based and non-US-funded CERN. Coincidence ?
that this comment, on the /. Kazakhstan story only days earlier, was modded "-1: Troll": on Kazakh practices with foreign nationals. This story seems to provide an eerie confirmation....
....is a godawfully forsaken country. I once had an affair with a Parisian lady whose husband had gone, for work, to Kazakhstan, a year earlier. He happened to take a picture of the wrong building. The Kazakh secret service arrested him, locked him up for six months and beat him senseless. On the testicles, that is. Obviously not much has changed in Kazakhstan, yet.
I don't know if the word is in the OED yet, but if it is then it is a proper word. The OED is the bastion of the English Language and what it says goes. It is the only definitive source for the language and therefore any word therein is a part of the language.
I immediately looked it up on reading your comment. I happen to be the proud possessor of a paper OED copy. The word "hacktivist" is not in there, alas, among pretty words like "hackmanite" and "hackbushier". But then, the latest OED version is from 1989....
By running for the office of judge ourselves, we, geeks ( in countries where judges are elected, of course ). Or by raising the level of technology-awareness through education, in countries where judge / magistrate is a career choice and a profession.
"...after they have assured there are no issues..." Besides the faulty English, this little line sends shivers all over my spine.
There are two ways, it seems, to "3D-print" parts of equipment: either top-down, which is basically what 3D printers do, or bottom-up, which is how it would be done by nano-manufacturing. One wonders which method will win ?
If iBahn finds no proof of a breach, the hackers were really good....
C'mon, slashdot.... Is this news ? Does this matter ? Slow news day ?
....but what if I prove that "you can't prove a negative ?" Then what, gentlemen ?
Both of you are not exactly wrong, nor are you exactly right IMHO. As you guys talk about existence and non-existence proofs ( there are other types of proof ), let me jump on your bandwagon: Proving negatives sometimes *is* possible, e.g. in mathematics, as in: "There exists no natural number n satisfying such and such properties...". Proving the non-existence of the Higgs Boson is another and much stronger cup of tea. First, the proof domain would be physics, not mere and pure mathematics. Second, the Higgs Boson is a construct within a theory. Proving the HB not to exist would require the theory to be falsified, the outlook for which is, gently said, scant. Third, the mathematics under the theory is sound, provenly so. Therefore, both of you are ( not so exactly ) wrong.
...at the YouTube video. At the moment you realize what actually is going on here ( you *SEE* a wave front travelling over or through an object ), you gawk and think "how godawfully beautiful". I mean: wow.
You can "see" a photon, although the act of "seeing" it destroys it. You can, however, definitely NOT "observe" a photon. Ever.