Slashdot Mirror


User: OwenMarshall

OwenMarshall's activity in the archive.

Stories
0
Comments
21

Comments · 21

  1. Re:Random today, but still random tomorrow? on New Method for Random Number Generation Developed · · Score: 1

    Some RNGs are seeded with "folder data" in this way. Mozilla's NSS, for example, looks at temp directories and mixes that data in as a seed. Using this as the *output* of a PRNG? Nope, not a good idea -- we've got a handful of CSPRNGs that have strong security proofs associated with them. For example, Blum Blum Shub is secure so long as integer factorization is hard. This is the same assumption we make for RSA, for example. Your RNG lacks any such guarantee. Plus, your idea falls down when you say "choose 5 folders at random". How do you do that?
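
The generator the comment names, as an added example that is not part of the original post or of NSS: a Blum Blum Shub generator plus a seed derived from directory metadata in the spirit of the NSS trick. The primes, the seed and the directory entries are constructed toy values; real BBS needs an RSA-sized modulus, and directory metadata should only ever be one input mixed into the OS CSPRNG, never the sole seed.

```python
"""Added example: Blum Blum Shub (BBS) seeded from directory metadata.
Toy parameters only; the primes below are trivially factorable."""
import hashlib
import math
import struct


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class BlumBlumShub:
    """x_{i+1} = x_i^2 mod n with n = p*q, p and q primes congruent to 3 mod 4;
    each step outputs the least significant bit of the state. Predicting the
    stream is as hard as factoring n, which only means something when n is
    RSA-sized (2048+ bits); n = 253 below is for illustration only."""

    def __init__(self, p: int, q: int, seed: int) -> None:
        for prime in (p, q):
            if not is_probable_prime(prime) or prime % 4 != 3:
                raise ValueError("p and q must be primes congruent to 3 mod 4")
        self.n = p * q
        if not 1 < seed < self.n or math.gcd(seed, self.n) != 1:
            raise ValueError("seed must lie in (1, n) and be coprime to n")
        self.state = pow(seed, 2, self.n)   # x_0 = seed^2 mod n

    def next_bit(self) -> int:
        self.state = pow(self.state, 2, self.n)
        return self.state & 1

    def randbits(self, k: int) -> int:
        value = 0
        for _ in range(k):
            value = (value << 1) | self.next_bit()
        return value


def seed_from_entries(entries, n: int) -> int:
    """Fold directory metadata (name, size, mtime) into a BBS seed.
    Every entry is hashed, so no randomness is needed to 'choose folders at
    random' before a random source exists. Entries are a constructed sample;
    on a real host they would come from os.scandir() on a temp directory and
    the digest would be mixed with os.urandom(), not used on its own."""
    h = hashlib.sha256()
    for name, size, mtime in entries:
        h.update(name.encode("utf-8"))
        h.update(struct.pack(">QQ", size, int(mtime)))
    seed = int.from_bytes(h.digest(), "big") % n
    while seed < 2 or math.gcd(seed, n) != 1:   # step forward to a valid seed
        seed = (seed + 1) % n
    return seed


SAMPLE_ENTRIES = [   # constructed sample, not real filesystem data
    ("sess_4f2a", 1024, 1700000000),
    ("tmpXyZ.log", 80, 1700003600),
    ("cache.db", 65536, 1699990000),
]

if __name__ == "__main__":
    gen = BlumBlumShub(11, 23, 3)           # toy primes, n = 253
    print(gen.randbits(8))                  # 148 for this seed
    print(seed_from_entries(SAMPLE_ENTRIES, 11 * 23))
```

The constructor rejects a prime that is 1 mod 4 and a seed sharing a factor with n, the two parameter mistakes that silently break the security argument. Hashing all entries rather than a random subset sidesteps the "choose 5 folders at random" problem raised above.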

  2. For completeness... on IE 5.5 Beats IE6 and IE7 On Acid 3 · · Score: 1

    You missed Daniel Glazman, who contributes code for Mozilla.

    Apologies for my pedantry.

  3. Re:I am so depressed ... on Linux Kernel 2.6 Local Root Exploit · · Score: 1

    Did the patch (http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44) not fix the second exploit?

  4. Consider your attacker on New Anti-Forensics Tools Thwart Police · · Score: 1

    If you are facing trial for any "garden variety internet crime" -- fraud, CP, whatever -- you don't have to worry about the NSA. Even if they've broken the algorithms, there is _no way in hell_ the NSA will ever get involved -- if it comes out in court that AES256 or any other cipher is cracked, everyone stops using it instantly. The NSA will never tip their hand.

    Grandparent was right -- one layer is all you need. And the great-grandparent was wrong -- by current standards, the sun should be a cold dark chunk of rock before the first layer is ever broken.

    If, on the other hand, you are a foreign national performing espionage... all bets are off as to what the NSA does to you :)

  5. Thank God! on Firefox 3.0 Makes Leap Forward · · Score: 2, Insightful

    The Mork file format was one of the most braindead database systems ever. Coding to access it is ridiculously difficult.

    Mork is dead... thank the gods.

  6. Re:This article should be forwarded immediately... on Why Are CC Numbers Still So Easy To Find? · · Score: 1

    Nah. They know the system is horribly broken. The CC lobbyists would ensure absolutely nothing happens. Seriously -- right now, the system works for the CC company, with the merchants paying the cost. And what happens if that changes anytime soon? The average person's APR gets bumped up higher, or the companies start adding a "fraud protection surcharge" to their bill. The only way the change will really start is when merchants begin to stop doing business with the credit card companies -- when the companies start getting hit in the wallet, you can bet we will see a massive overhaul of the existing system. But, of course, we know that won't happen either.

  7. Re:Fifth amendment? on Michigan Man Charged for Using Free WiFi · · Score: 1

    "I've read the article before. The cop simply stated he didn't know WHICH law it was. He did believe a law was being broken, however. Rather than looking it up and then finding a way to tie the man to the wifi access, he went and had the man confess to him without ever even indicating a law was being broken (despite his belief there was one being broken).

    The fact is a police officer questioned the man while under the belief that he had committed a crime (it is not uncommon for the police to not know what law a defendant will be charged under) and failed to inform him of his right to an attorney before answering his questions."

    Short answer: you are wrong, please examine Miranda v. Arizona and the concept of statements against penal interest

    You are thinking of the Miranda rights, and completely misunderstanding them. The Miranda warning is only used in custodial situations -- e.g., when an arrest is made.

    Example: I am walking down the street, and an officer says "What's up?". I tell him I just killed my girlfriend. No problem -- I get arrested right there. I cannot claim a Miranda violation because:

    1. I could've walked away without talking to the officer.
    2. I made a statement against penal interest, volunteering the incriminating information.

    Now, if the officer placed me in a custodial situation, different ball of wax.

    But, the main point is this -- your rights are your own. The Miranda warning is a prophylaxis designed to "remind" a person of their rights, not a guaranteed right in se.

  8. Stupid? It's brilliant! on SCO Legally Assaults PJ of Groklaw · · Score: 2, Insightful

    The SCO lawsuit has got to be one of the most brilliant decisions ever made. Period.

    Microsoft needed a quick and easy way to scare businesses away from Linux. But, oh no, their normal smear campaigns haven't been working. What to do?

    Step 1: Find an old UNIX company that isn't adapting well to computing where big-iron and *NIX workstations aren't the hot technology on the block.

    Step 2: Get an investment company to pour cash into the company at your bidding.

    Step 3: Create a lawsuit guaranteed to last for at least four or five good years. Sue everyone who touches Linux, including high-publicity companies that use it, companies that contribute code, and so forth. Drag it out as long as physically possible.

    When all is said and done, SCO's offices will have a For Rent sign on the door, the board of directors will be either rich or indicted. And Microsoft? Microsoft walks away with clean hands, without directly paying SCO.

    Really, it is a beautiful strategy -- best case, enough uncertainty is created that companies buy Windows licenses for their servers. Worst case, Microsoft gives Baystar a wink and a nod, as well as an investment that will more than offset the SCO fiasco. Everyone wins but SCO.

  9. Re:Internet access is integral to education... on Internet Curfew for College Students? · · Score: 1

    Pen and paper? Exactly how long has it been since you've attended college? 10pt Times is a standard at every school I've seen -- most professors do not accept handwritten papers. I understand you support the actions of the university (from reading your many replies), but answer me this -- by forcing underachievers to perform, do we not risk handing people who are ill-prepared for real-life jobs a diploma? Does this not severely devalue a university education?

  10. Re:Seems reasonable to me. on Internet Curfew for College Students? · · Score: 5, Interesting

    But realize that we are talking about college students -- adults, not children. Providing them with unlimited internet access is an excellent idea -- it ensures that the lazy slackers wash out of college.

    For my sophomore year, I had a freshman roommate who used the campus internet to play WoW all night long. Literally -- I went to bed at 2 after finishing engineering homework, was up by 8, and he hadn't moved. Because of that he slept in all day, only to wake up later and play more WoW. Went to classes once a week at best. Guess who dropped out with a GPA below 2.0? Guess who wasn't ready for the real world, and wouldn't be able to hold a job for ten minutes with that approach to life?

    An American high-school education is highly devalued from where it was years ago. Social promotions and strict rulesets are eliminating the gap that previously existed between the achieving students and the ones who would fail out. If you narrow that same gap in college, you end up doing the same thing -- churning out students who cannot manage time or priorities, students who stand no chance of surviving in the business world.

  11. It will work on PhishTank Taps Community To ID Scams · · Score: 1

    All PhishTank has to do is to inject known phishing messages. For example, each 1/10 messages the user rates are known to be phishing by PhishTank. If a user repeatedly marks that message as legit, we know that user is trying to game the system. Alternatively, (or perhaps additionally) a few trusted PhishTank users in the beginning can seed the system. Anyone who consistently votes against them will be gaming the system.
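
The two defences proposed above, trap messages with a known verdict and a trusted seed group, as an added example that is not PhishTank's code: a scorer that flags voters who keep calling known phish "legit" or who consistently disagree with the trusted users. The votes, message ids and user names are a constructed sample.

```python
"""Added example: flagging voters who game a crowd-sourced phishing verdict
system, using trap messages with a known verdict and a trusted seed group."""
from collections import defaultdict

PHISH, LEGIT = "phish", "legit"

# Constructed sample votes: (user, message_id, verdict)
SAMPLE_VOTES = [
    ("alice", "m1", PHISH), ("alice", "m2", LEGIT), ("alice", "m3", PHISH),
    ("alice", "m4", PHISH), ("alice", "m5", LEGIT), ("alice", "m7", PHISH),
    ("bob", "m1", PHISH), ("bob", "m2", LEGIT), ("bob", "m3", PHISH),
    ("bob", "m5", LEGIT), ("bob", "m7", PHISH),
    ("mallory", "m1", LEGIT), ("mallory", "m2", LEGIT), ("mallory", "m3", LEGIT),
    ("mallory", "m4", LEGIT), ("mallory", "m5", LEGIT), ("mallory", "m7", LEGIT),
    ("carol", "m1", LEGIT), ("carol", "m3", LEGIT),
]
KNOWN_PHISH = {"m3", "m7"}   # trap messages the operator knows are phish
TRUSTED = {"alice"}          # seed users whose verdicts are trusted


def trap_accuracy(votes, known_phish):
    """Per user: fraction of votes on trap messages that said 'phish'."""
    hits, totals = defaultdict(int), defaultdict(int)
    for user, msg, verdict in votes:
        if msg in known_phish:
            totals[user] += 1
            hits[user] += verdict == PHISH
    return {u: hits[u] / totals[u] for u in totals}


def trusted_consensus(votes, trusted):
    """Majority verdict of the trusted users per message; ties give none."""
    tally = defaultdict(lambda: {PHISH: 0, LEGIT: 0})
    for user, msg, verdict in votes:
        if user in trusted:
            tally[msg][verdict] += 1
    verdicts = {}
    for msg, counts in tally.items():
        if counts[PHISH] != counts[LEGIT]:
            verdicts[msg] = PHISH if counts[PHISH] > counts[LEGIT] else LEGIT
    return verdicts


def agreement_with_trusted(votes, consensus):
    """Per user: fraction of votes on messages with a trusted verdict that
    match that verdict."""
    agree, totals = defaultdict(int), defaultdict(int)
    for user, msg, verdict in votes:
        if msg in consensus:
            totals[user] += 1
            agree[user] += verdict == consensus[msg]
    return {u: agree[u] / totals[u] for u in totals}


def flag_gamers(votes, known_phish, trusted, min_votes=3,
                min_trap_acc=0.5, min_agreement=0.5):
    """Users with at least min_votes whose trap accuracy or agreement with
    the trusted seed is below threshold. Users with fewer votes are left
    alone: there is too little evidence either way. Trusted users are
    never flagged by their own consensus."""
    counts = defaultdict(int)
    for user, _, _ in votes:
        counts[user] += 1
    traps = trap_accuracy(votes, known_phish)
    agreement = agreement_with_trusted(votes, trusted_consensus(votes, trusted))
    flagged = set()
    for user, n in counts.items():
        if n < min_votes or user in trusted:
            continue
        if (traps.get(user, 1.0) < min_trap_acc
                or agreement.get(user, 1.0) < min_agreement):
            flagged.add(user)
    return flagged


if __name__ == "__main__":
    print(flag_gamers(SAMPLE_VOTES, KNOWN_PHISH, TRUSTED))
```

The trap messages only work while they are indistinguishable from ordinary submissions and kept to a small, unpredictable fraction of what each user sees; once a gamer can tell a trap from a real message, the trusted-seed agreement score is the only check left.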

  12. Re:Tempest in a teapot on Wikipedia Leaks Some Users' Passwords · · Score: 1

    What, I said your argument was old clothing stuffed with straws? ;-)

    Having no formal logic education, I largely based my assertion that your original argument was a straw man on my interpretation of... you guessed it, that same Wikipedia article!

    Hm, go figure, using a Wikipedia article to try and refute what a (I am assuming) Wikipedian is saying.

  13. Re:Tempest in a teapot on Wikipedia Leaks Some Users' Passwords · · Score: 1

    "We're not talking about credit card data here, anyway -- creating a Wikipedia account takes 20 seconds and doesn't even require a valid email address. All that it contains are a bunch of user preferences."

    I have to agree with you until you use an obvious straw man.

    Your argument is "the security doesn't matter because it protects something unimportant. Therefore, why should we care if security for something unimportant is breached?"

    The security, however, is very important. That same password could conceivably be used to protect a user's credit card data.

    One would hope, of course, that users use one password for Wikipedia, and one for banking, but we can't be so sure of that.

  14. Re:I will buy on The Future of Linux on Laptops · · Score: 1

    You should check out the HP ZV5000/Compaq R3000 series.

    I just got a refurbished R3470US -- totally awesome system. It has an Athlon 64 3400+, 1 gig ram, 100 gig hdd, dvd+- rw.

    And the best news? I popped in the Ubuntu CD, and everything just worked.

    HP doesn't seem to need to put much work into these systems to make them "Ubuntu compatible."

  15. Re:More exploits? on Pros and Cons of Firefox Critically Evaluated? · · Score: 1

    ... and the best question is how in the heck you can get a count of something undiscovered. Cuz when you count it, it isn't undiscovered ;-)

  16. Ubuntu got this one right. on Michael Robertson Says Root is Safe · · Score: 1

    The root account is disabled automatically.

    You read that right. You want to do something that requires root access?

    sudo.

    Anything that requires root prompts you with a dialog box, explaining in mostly clear language.

    Running as root is like running with scissors.
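
A check for the model this comment describes, as an added example that is not Ubuntu's own tooling: parse /etc/shadow and /etc/group to confirm that root's password is locked, that nobody has an empty password field, and that someone is in the sudo group. The shadow and group text below is a constructed sample; on a real host read the files as root or use `passwd -S root`.

```python
"""Added example: audit the 'root locked, admins via sudo' model.
The /etc/shadow and /etc/group content is a constructed sample."""

SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$rounds=5000$saltsalt$constructedhashvalue:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
"""


def password_state(field: str) -> str:
    """Classify the password field of one /etc/shadow entry.
    'empty'  : no password at all; login needs none (worse than locked)
    'locked' : '!' or '*' prefix; '!' in front of a hash is what passwd -l
               writes, and passwd -u can restore it
    'set'    : a usable hash"""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    return "set"


def _entries(text: str):
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")


def account_state(shadow_text: str, account: str) -> str:
    for fields in _entries(shadow_text):
        if fields[0] == account:
            return password_state(fields[1])
    return "missing"


def passwordless_accounts(shadow_text: str) -> list:
    return [f[0] for f in _entries(shadow_text) if len(f) > 1 and f[1] == ""]


def group_members(group_text: str, group: str) -> list:
    for fields in _entries(group_text):
        if len(fields) >= 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    return []


def audit(shadow_text: str, group_text: str) -> dict:
    """ok is True only if root has no usable password, no account is
    passwordless, and the sudo group has at least one member."""
    root = account_state(shadow_text, "root")
    admins = group_members(group_text, "sudo")
    passwordless = passwordless_accounts(shadow_text)
    return {
        "root": root,
        "sudo_members": admins,
        "passwordless": passwordless,
        "ok": root == "locked" and bool(admins) and not passwordless,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SHADOW, SAMPLE_GROUP))
```

A locked password field only blocks password authentication: an SSH key in root's authorized_keys still works unless sshd's PermitRootLogin forbids it, so that setting belongs in the same audit.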

  17. Um, what? on Michael Robertson Says Root is Safe · · Score: 1

    Any exploitable program you run as another user will still need a local escalation exploit in order to do anything harmful.

    That's fine, but he has a point. How much actual real-world good does that do? It does plenty of theoretical good, but so does making the speed limit 10 MPH. By far the better solution is to make sure that the system is safe from remote attacks.

    By far the better solution for safe sex is to get rid of all STDs.

    Seriously. Answer me this -- do you administer servers?

    I run *all* my daemons in chroot jails as non-root users. Why? If someone hacks in through an exploit in Apache, they have compromised a small subset of my system. I notice and react quickly, and they don't actually do any damage. But if I run as root, and someone compromises Apache, my system is not under my control anymore. At least, without a lot of hard work.

    Any program run as root/suid root can cause a hole, no matter how small or trivial the program is.

    So, As Seen On TV, you now have a new project.

    Verify that the code used in a Linux distro on the desktop is secure from all vulnerabilities. I would start with the kernel, then move to the X server and the window manager, and then the applications.

    See you in thirty years!
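
The "chroot jail as a non-root user" setup from this comment, as an added example that is not the commenter's code: the sequence a daemon runs at startup to enter its jail and permanently drop root, followed by a check that the drop cannot be undone. The user, group and jail path are assumed names; the drop itself only works when started as root, so the verification function is the part that runs unprivileged.

```python
"""Added example: enter a chroot jail and drop to an unprivileged user,
then verify the drop is irreversible. Must be started as root to do the
drop; user, group and jail path below are assumed names."""
import os
import pwd
import grp


def running_as_root() -> bool:
    return os.geteuid() == 0


def verify_unprivileged() -> bool:
    """True only if we are non-root and cannot get uid 0 back.
    After a real setuid() drop the saved uid is non-zero too, so setuid(0)
    fails with EPERM; after a mere seteuid() drop it would succeed."""
    if os.geteuid() == 0 or os.getegid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False   # regained uid 0: the drop was cosmetic


def drop_privileges(user: str = "www-data", group: str = "www-data",
                    jail: str = "/srv/jail") -> None:
    """Order matters: chdir before chroot so cwd is inside the jail, drop
    supplementary groups and the gid while still root (setgid fails once
    the uid is gone), drop the uid last, then prove it stuck. A process
    that stays root can walk out of a chroot, so the uid drop is the part
    that actually confines an exploited daemon."""
    pw = pwd.getpwnam(user)
    gr = grp.getgrnam(group)
    os.chdir(jail)
    os.chroot(jail)
    os.chdir("/")            # cwd is now the jail's root
    os.setgroups([])         # no leftover supplementary groups
    os.setgid(gr.gr_gid)     # real, effective and saved gid
    os.setuid(pw.pw_uid)     # real, effective and saved uid
    if not verify_unprivileged():
        raise RuntimeError("privilege drop failed; refusing to serve")


if __name__ == "__main__":
    if running_as_root() and os.path.isdir("/srv/jail"):
        drop_privileges()
    print("euid", os.geteuid(), "unprivileged:", verify_unprivileged())
```

The jail still needs the shared libraries, device nodes and config the daemon reads copied in, and any open file descriptors or sockets created before the drop stay open across it, which is the usual way a jailed process is handed a privileged listening port.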

  18. Wha'chu talkin 'bout, tjic? on Daylight Savings Change Proposed · · Score: 1

    "The Congress shall have power to lay and collect taxes, duties, imposts and excises"

    ...

    "To make all laws which shall be necessary and proper for carrying into execution the foregoing powers, and all other powers vested by this Constitution in the government of the United States, or in any department or officer thereof."

    Article 1, Section 8. Check your constitution again. The constitution said that:

    1. Congress can do this: raise an army and navy, build post offices, etc.
    2. Congress CAN'T do this: give titles of nobility, pull habeas corpus, etc.
    3. Oh yeah, they can also do anything necessary and proper to further the goals of the constitution.

  19. Computerized database storage means... on Patent Databases Complicate Life For Inventors · · Score: 5, Funny

    ... some read/write medium that can be accessed many times.

    Hard disks. Lots of hard disks.

    Want to solve the patent problem right away? Everyone converge on the Patent and Trademark office. Bring magnets.

    Big magnets.

  20. Look at MIPS on Where is Transmeta Heading? · · Score: 4, Interesting

    The problem with existing as a pure IP company that used to produce semiconductors... well, does it really work?

    One of the first examples I thought of was MIPS Technologies. MIPS processors have seen widespread adoption, and exist everywhere. SGI bought the company in the late 80's/early 90's to keep the processors vital to their systems.

    They existed for a while as a purely IP company -- they licensed the core designs to companies like Toshiba and NEC, who actually made the cores.

    "Fully half of MIPS' income today comes from licensing their designs, while much of the rest comes from contract design work on cores that will then be produced by 3rd parties." (Wikipedia)

    Now, MIPS Technologies was able to exist as an IP company for two reasons:
    1. SiliconGraphics was pumping in cash to keep them floating and designing processors for their systems
    2. MIPS processors have become entrenched everywhere -- printers, routers, computers... it was (and is) one of the most widely used embedded processors.

    Transmeta will exist without a large company backing them up. So that means you have to ask if they are as entrenched as MIPS. If they are, they stand a chance.

  21. Re:ssh private keys on How Would You Distribute Root Access? · · Score: 1

    For example... God save you if you are running IRIX for anything mission critical, sans root, and this happens. It isn't pretty. You need the CDs to go single user to fix the problem.

    And if you don't have the CD...

    I ran into this after using my Origin200 for a while :)