Slashdot Mirror


User: Deanalator

Deanalator's activity in the archive.

Stories
0
Comments
650

Comments · 650

  1. Re:Firefox 3 Beta 5? Really? on Ubuntu 8.04 Released · · Score: 1

    From my experience, Ubuntu LTS would have had to stick to and maintain firefox 2 for that entire time period.

    For example, thunderbird 2 was released a few days after feisty went stable, so feisty stuck with 1.5. I waited for 2 months for them to upgrade (really looking forward to the tagging feature). After the 2 months, I asked the devs what was up, and they said 1.5 was permanent because of the feature freeze.

    I then upgraded to gutsy which busted everything to holy hell because I was unaware that development releases are only supposed to work in the last couple months before they are released.

    I went back to gentoo for 6 or so months to cool down from that experience.

  2. Re:How does it work? on Fujitsu HDD with AES 256-bit Encryption · · Score: 2, Interesting

    Presumably, they will just be using the standard ATA password extensions. Instead of just unlocking the device when the password is entered, it would also set the key in whatever hardware device is doing the crypto, and wipe it when the hard drive is powered down.

    Note that I have not read the specs, that just seems to be the most logical way to design something like this.

  3. Re:Ah, little too much of a socialist lens? on The New School of Information Security · · Score: 1

    There's always going to be jealousy and that jealousy is more the fault of the have-nots than the haves. Guess what? If you are stupid, you will not get rich.

    I would argue that economic factors play a much larger role than some notion of "intelligence". Sure there are plenty of drug addicts that rob random people to get their next higher fix, but a large portion of crime, especially information crime is done by intelligent people who simply have a hard time making a decent living by more conventional means.

    Also, if you think that people who are "stupid" are capable of running even small scams or criminal organizations, you are sorely mistaken. Poor intelligent people don't steal from dumb rich people because they are "jealous". They often just believe that wealth has been misappropriated.

  4. Re:Not the issue... on Ben Stein's 'Expelled' - Evolution, Academia and Conformity · · Score: 1

    When I was in high school (maybe 5 or so years ago), we learned it in a history portion of our biology class, along with 5 or so other theories proposed throughout the years to explain the origin of man.

  5. a better idea for the money on PETA Offers X-Prize for Artificial Meat · · Score: 1

    What I always thought PETA should do is start up a rating system for companies that sell animal products. They could still do all their sneaky undercover data gathering, but they really need to start rewarding companies that practice due diligence.

    A bunch of vegans boycotting meat really doesn't work as any sort of incentive to these companies. If I saw that one chicken company treated their chickens better (free range, well fed, etc) I would be happy to pay more for that product. Companies that get high PETA ratings would be able to label their products as such, and I believe that it would actually create some real market pressure to treat animals better.

    Small disclaimer, I detest PETA. They use shock imagery to manipulate and confuse people who just want to be good citizens, and from everything I have seen, it is all to feed their bottom line. I have lost a few friends, otherwise good people, who now refuse to speak to anyone who would consider that eating animal products could be acceptable.

  6. Re:Doesn't matter on Windows Update Can Hurt Security · · Score: 1

    A large number of different operating systems? You do understand that what this means is that no matter what new vulnerabilities are discovered, something of yours can get hit. This is bad.

    The proper solution is to minimise attack surface. Run minimal services that expose minimal resources.

    Furthermore, onion analogies only work in cartoons. The problem with "layered security" is that it implies that more layers is always better. Honeypots, complex email scanners, and IDS can be helpful in the right situation, but also give the attacker much more to hit.

  7. Re:Wikileaks on What Should We Do About Security Ethics? · · Score: 1

    full disclosure
    full-disclosure@lists.grok.org.uk

  8. not sure I understand.. on End of the Internet's Tax-Free Ride? · · Score: 1

    I am from Oregon (no sales tax), so I am having some trouble wrapping my mind around this.

    So, if I run a bookstore, and someone from Washington buys a book from me, I suddenly owe the state of Washington money now?

    I can almost understand a state taxing merchants that operate within the state, but a state attempting to tax merchants in other states just for doing business with their citizens? That seems a bit much.

  9. Re:*facepalm* on Oklahoma Leaks 10,000 Social Security Numbers · · Score: 1

    What I think really needs to happen, is ISO 17799 (or something similar) needs to be made public, clarified for practical usage, required for all government offices / registered businesses, and enforced.

    They could have pulled a kid off the street that would have found this flaw for 50 dollars and an ice cream cone.

    No one needs NSA style airgaps, or firewalls that will fry the attacker's eyeballs out etc. The problem is that fuzzy line between 0% secure, and 100% secure. Managers know that they aren't going to hit 100%, but there are no solid standards for what they do need to protect.

    PCI DSS (http://en.wikipedia.org/wiki/PCI_DSS) is a good example of defining practical security. If they were storing credit card numbers in that pedo database, it never would have gotten broken into.

  10. Re:*facepalm* on Oklahoma Leaks 10,000 Social Security Numbers · · Score: 2, Interesting

    Unfortunately, pretty much every intro to SQL book I have looked at encourages the use of command strings. People get used to them, and then interacting with a SQL database becomes equivalent to string parsing, which they all learned how to do in the last book.

    You would be surprised what you can find grepping for cmd_str, command_string, cmdStr, etc. Please developers, parametrize your variables. This won't prevent all attacks, but there is NEVER an excuse to use command strings, especially when you are doing any sort of string manipulation on it.
    http://en.wikipedia.org/wiki/SQL_injection#Preventing_SQL_Injection

    I work in product security, so I am often the first security pass for code as it comes from the developers. It still shocks me that senior level database engineers express scepticism that an attacker would go to all the trouble to manipulate POST data, and tell me that they have never heard of SQL injection.

    As a fun side note, it has given me multiple chances to email out links to xkcd 327 :-)
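    Added illustration (not part of the comment above, and not the poster's code): a constructed sqlite3 table queried both ways, the "command string" style the comment warns about beside the parameterised form, plus a small heuristic grep-style helper of the kind the comment describes for triaging code, with a constructed source snippet as its input. The table contents, the `cmd_str` naming and the regex are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users (name, ssn) VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002"), ("O'Brien", "000-00-0003")],
    )
    return conn


def lookup_concat(conn, name):
    """The 'command string' pattern: input is spliced into SQL text, so a quote
    in the input changes the structure of the statement rather than the value."""
    cmd_str = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(cmd_str)]


def lookup_param(conn, name):
    """Parameterised form: the driver sends the input as a bound value, never as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups on a legitimate name with an apostrophe and on a
    tautology string, returning what each query produced."""
    conn = make_db()
    results = {}
    results["param_legit"] = lookup_param(conn, "O'Brien")
    results["param_tautology"] = lookup_param(conn, "x' OR '1'='1")
    try:
        results["concat_legit"] = lookup_concat(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        # The concatenated query breaks on ordinary data containing a quote.
        results["concat_legit"] = "error: " + str(exc)
    # The same concatenation turns a tautology into a match on every row.
    results["concat_tautology"] = lookup_concat(conn, "x' OR '1'='1")
    return results


# Heuristic only: an SQL verb inside a line, followed later by a closing quote
# that is concatenated (+) or %-formatted. It is triage for a code review pass,
# not a complete scanner.
SQL_CONCAT = re.compile(r"""\b(SELECT|INSERT|UPDATE|DELETE)\b.*["']\s*[+%]""", re.IGNORECASE)


def find_command_strings(source_text):
    """Return 1-based line numbers of lines that build SQL by string assembly."""
    return [n for n, line in enumerate(source_text.splitlines(), 1) if SQL_CONCAT.search(line)]


# Constructed sample source for the heuristic; lines 1 and 3 are the ones to flag.
SAMPLE_SOURCE = """\
query = "SELECT * FROM accounts WHERE owner = '" + owner + "'"
cursor.execute("SELECT * FROM accounts WHERE owner = ?", (owner,))
cmdStr = "DELETE FROM sessions WHERE token = '%s'" % token
"""


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
    print("lines to review:", find_command_strings(SAMPLE_SOURCE))
```

    The parameterised lookup returns exactly the one matching row for `O'Brien` and nothing for the tautology string, because the driver never lets the value participate in parsing; the concatenated version fails on the apostrophe and matches every row for the tautology, which is the defect a reviewer wants to catch before it ships.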

  11. Re:What about Hawking? on Physicist John A. Wheeler is Dead at 96 · · Score: -1, Flamebait

    Writing a large number of pop-science books is not what makes a physics superhero.

  12. Re:Experts please explain something on Nvidia Physics Engine Almost Complete · · Score: 1

    Put simply, CPUs are optimized for things like boolean operations, and GPUs are optimized for things like matrix operations.

  13. my vote is for.. on Name For a Community-Owned Fiber Network? · · Score: 1

    CoCeG-PONNCERCOTDCT

  14. Re:Ummm, I don't get it. on Psychologists Don't Know Math · · Score: 1

    Think of it this way. Imagine there are 10 doors to choose from. You chose door #1, which has a 10% chance of being a car. Now imagine 8 other doors were opened revealing goats.

    The one remaining door now has a 90% chance of having the car behind it. All of the remaining doors have now been compressed into a single door, so "switching" would be the same as if you were able to select 9 doors on the first turn.

    In this example, the advantages of switching should be much more apparent.

  15. Re:Take away their licenses on Top Botnets Control Some 1 Million Hijacked Computers · · Score: 1

    ISPs really should have better IDS on outgoing traffic. At the very least they should be dropping the malicious traffic, and I would hope some ISPs would go as far as redirecting users to a webpage that tells them how to remove the malware, and gives them the tools to do so.

    Also, anyone who thinks that macs are somehow invulnerable probably has a couple other mental disabilities as well, but you should look into it some time and see just how easy windows makes it for the virus writers. The complexity of a windows system gives one a million places and ways to hide, and also makes it extremely hard to prevent an attacker from escalating privileges.

  16. Re:And what about... on Many Scientists Using Performance Enhancing Drugs · · Score: 5, Interesting

    Interestingly, Provigil (Modafinil) is more effective, safer, less addictive, and has fewer side effects when compared in side-by-side studies with caffeine.

    Modafinil should be in soft drinks, and the fact that you can't buy it over the counter is ridiculous.

    http://en.wikipedia.org/wiki/Modafinil

  17. wikipedia link on 3D Self-Replicating Printer to be Released Under GNU License · · Score: 3, Informative
  18. Re:Not necessarily introverts on Instant Messaging For Introverts · · Score: 1

    The whole point of learning to be "always on" is that constant communication is expected, so nothing is an interruption. An interruption is when you abruptly shift from one reality to another. As long as you constantly stay in open communication mode ("always on"), you know what to expect, and there is a certain rhythm to it.

    Of course I go into my noise proof chamber from time to time when I need to focus on a particularly complicated piece of code or something, but we live in an information age, and people unwilling to learn modern collaboration techniques will be left behind.

  19. Re:Hello Citizen on US Cyber Command Wants Greater Attack Mentality · · Score: 1

    I believe you would be protected by your third amendment rights at that point :-)

    "No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law."

  20. Re:Assholes on Griefers Assault Epileptics Via Message Board · · Score: 1

    True that there is not much social righteousness in messing with tom green or girl talk (although I think they do point out some of the inherent "flaws" in voip), but plenty of invasions go after racist websites, hatemongers, or corporate fuckups like walmart.

    That said, I did get in plenty of lulz with chanology :-)

  21. Re:Assholes on Griefers Assault Epileptics Via Message Board · · Score: 2, Insightful

    I hate scientology as much as the next guy, but yes, this is the same Anonymous.

    1. I saw this last week on 4chan, it was fucked up then, and is fucked up now.

    2. Anonymous is not a group. It is not even an agenda. Anonymous is a way to rally for a cause, whatever that cause may be. I have been a part of many invasions, and if it is a cause I believe in, I will do more. Obviously I sat this one out.

    3. Almost every anonymous invasion has the theme of "getting the word out". This is exactly in the MO of anonymous. In this case, I believe the message is that no one, not even a web forum designed to help the sick, should be ignorant of security. Anonymous was able to inject CSS to get the theme to flash random colors, and do various XSS attacks to redirect users to all sorts of malicious visuals. The epilepsy board also apparently had no sense of incident response. Some people are willing to hurt innocent people to make this point.

    I think this attack also brings up an interesting point. For my day job, I do security testing for networked medical devices attempting to get HIPAA or iso13485 compliance. Should web based tools like this forum be forced to meet the same security standards? Just a thought.

  22. Re:Newsworthy? on Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins · · Score: 1

    Tipping point is in the business of buying 0day. They like to know who has it, and what can be done with it. That is all that is really going on here, but with the added media circus for some nice cheap publicity.

  23. Re:Won't be the first time a religion did this. on Scientology's Credibility Questioned Over Video Channel · · Score: 5, Insightful

    When I was down protesting on the 10th of February, I realized something disturbing. I had always thought of Scientology as something of a cult that suckers dumb people into believing that they are sick, and need to pay money to get better.

    To some extent it is that, but there is a much creepier aspect. From what I have seen, Scientology seems to be more of a social club for wealthy people who are interested in learning how to use aggressive psychological attacks such as hypnotism.

    I started reading Dianetics, and it really does seem like a manual for using psychological attacks. A thetan is like a soul, but also like an influence. Non scientologists are infected with alien thetans, and once you are "clear" of them, you can become an "operating thetan". Then you can begin infecting the minds of others. Before it had always confused me that non scientologists have to rid themselves of thetans, but scientologists refer to each other as thetans.

    It was pretty sickening to realize that so many scientologists know exactly what it is all about. They develop new psychological attacks. Then they train their followers. The followers then use those attacks to manipulate those around them so they can become more successful in their careers, and increase the size of the church. This money is then reinvested in developing new psychological attack methods.

    Someone please correct me if any part of this is inaccurate.

  24. Re:Great! I liked Solaris. on Schwartz Comments On NSA/Sun OpenSolaris Collaboration · · Score: 1

    On the contrary, this is exactly what I believe the "National Security Agency" should be doing. They should be using their vast economic and intellectual resources to help the people. Currently my tax dollars pay for a huge amount of internal research, just so they can use the knowledge against perceived enemies should the need arise.

    The resources that they spend on static analysis and cryptanalysis should be put to work making the nation more secure. By locking up information, they are making everyone less secure. I am sure they will realize this in time, but I hope it is sooner rather than later.

  25. Re:Video? Nice! on Scientology's Credibility Questioned Over Video Channel · · Score: 2, Interesting

    Maybe they will finally film "Revolt in the Stars", LRH's screenplay explaining OTIII.

    http://www.suburbia.com.au/~fun/scn/pers/fun/xenu/revolt.html
    http://en.wikipedia.org/wiki/Revolt_in_the_Stars