True, but AP means so many other things depending on the context. When I was in highschool, AP meant "Advanced Placement". In the technology namespace, it means "Access Point".
Assuming people on slashdot are going to be familiar with acronyms from the journalism namespace is not really appropriate in my opinion.
Still though, googling for "AP" gives the answer on the first hit, or (god forbid) clicking the link to the article.
Sorry, but which browsers warn users about sending POST variables from password fields over unencrypted channels?
Maybe you are thinking of the "you are leaving an encrypted web page" warning that IE does.
No, that will not fix this attack. I have not been able to find a copy of his tool online yet, but I am going to assume that he did it right.
This tool should still be able to pull down the HTML from the HTTPS website, and present it to the user as an HTTP site. No amount of javascript, HTTP redirects, or a href="https:// ... is going to save you in this case. The MITM proxy is always going to be able to strip any of that out, and replace it with something that keeps the clear session alive.
The way to fix this is to change the way firefox implements SSL. Once firefox has visited a website using SSL, firefox needs to automatically connect to SSL, and never trust unencrypted data from that site again. Even that won't help for websites on the first visit. I think firefox should also give big fat warnings if you attempt to POST a password field over an unencrypted channel (that means you slashdot). Furthermore, I am of the opinion that the SSL fingerprint should be cached at that moment as well, so the user can be warned if the cert ever magically changes. This would protect against the possibility of malicious people getting their hands on a root CA.
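The following is an added example, not code from the thread or from the stripping tool it discusses. It models the attack described above (a MITM proxy relaying an HTTPS site to the victim over plain HTTP) together with the three browser-side defences the post asks for: refuse plaintext from any host previously seen over HTTPS, pin the certificate fingerprint seen on first use, and warn on password fields that would be POSTed in the clear (the check the earlier reply asks about). The host name, fingerprints and HTML page are constructed sample data; no real site is involved.

```python
"""Added example: SSL stripping and the client-side policy proposed against it.

Not code from the thread.  Host names, fingerprints and the HTML page below are
constructed sample data.
"""
import re
from html.parser import HTMLParser


# ---- attacker side: what a stripping proxy does to relayed content ----------

def strip_https(html: str) -> str:
    """Rewrite every https:// URL (links, form actions, script src) to http://
    so the victim never leaves the plaintext session the proxy controls."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


def strip_redirect(headers: dict) -> dict:
    """Neutralise a server redirect to HTTPS: the proxy follows the real
    redirect itself and hands the victim a plaintext Location instead."""
    out = dict(headers)
    loc = out.get("Location", "")
    if loc.lower().startswith("https://"):
        out["Location"] = "http://" + loc[len("https://"):]
    return out


# ---- client side: the policy the post asks the browser to enforce ------------

class SslPolicy:
    """Per-host memory of HTTPS use plus a trust-on-first-use fingerprint pin."""

    def __init__(self):
        self.https_hosts = set()   # hosts ever reached over HTTPS
        self.pins = {}             # host -> certificate fingerprint seen first

    def observe_https(self, host: str, fingerprint: str) -> bool:
        """Record a completed HTTPS connection.  Returns False when the
        fingerprint differs from the pinned one (a possible MITM holding a
        cert from a compromised CA); the original pin is kept, not replaced."""
        self.https_hosts.add(host)
        pinned = self.pins.setdefault(host, fingerprint)
        return pinned == fingerprint

    def allow_plaintext(self, host: str) -> bool:
        """True only for hosts never seen over HTTPS.  This is the first-visit
        gap the post concedes: with no prior HTTPS observation there is
        nothing to refuse."""
        return host not in self.https_hosts


class _FormScanner(HTMLParser):
    """Collect form actions that would send a password field without TLS."""

    def __init__(self, page_scheme: str):
        super().__init__()
        self.page_scheme = page_scheme.lower()
        self._action = None
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._action = a.get("action", "")
        elif (tag == "input" and a.get("type", "").lower() == "password"
              and self._action is not None):
            action = self._action
            # A relative action inherits the scheme of the page it came from.
            scheme = (action.split("://", 1)[0].lower()
                      if "://" in action else self.page_scheme)
            if scheme != "https":
                self.insecure.append(action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def password_over_plaintext(html: str, page_scheme: str) -> list:
    """Return the actions of forms whose password field would be POSTed over
    plain HTTP; a browser could warn before submitting any of them."""
    scanner = _FormScanner(page_scheme)
    scanner.feed(html)
    return scanner.insecure


# Constructed sample page: what the real site serves over HTTPS.
SAMPLE_PAGE = """<html><body>
<a href="https://bank.example/login">Log in</a>
<form action="https://bank.example/login" method="post">
  <input name="user"> <input type="password" name="pw">
</form></body></html>"""


if __name__ == "__main__":
    stripped = strip_https(SAMPLE_PAGE)
    print(password_over_plaintext(SAMPLE_PAGE, "https"))   # [] : posts over TLS
    print(password_over_plaintext(stripped, "http"))       # ['http://bank.example/login']
    policy = SslPolicy()
    print(policy.allow_plaintext("bank.example"))           # True : first visit, no history
    policy.observe_https("bank.example", "sha256:aa11")
    print(policy.allow_plaintext("bank.example"))           # False: plaintext now refused
    print(policy.observe_https("bank.example", "sha256:bb22"))  # False: certificate changed
```

Note that `allow_plaintext` returns True on the very first contact with a host, which is exactly the window the post says this policy cannot close; everything after that first HTTPS observation is refused, and a later certificate with a different fingerprint is reported rather than silently accepted.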
Windows 8 will be an ubuntu fork, with a very nicely integrated wine and mono, the only two surviving software projects funded in part by the Microsoft software company.
You might want to check out Immunity.
http://www.immunitysec.com/
They sell CANVAS, an exploitation framework. A subscription is pretty expensive (that is, dirt cheap compared to core impact), but it comes complete with python source code, and the licence they use gives full rights to modify any of the code as you need to (sort of a requirement for exploit frameworks).
The problem is that the FDA needs someone to fuck over in the case that a medical device glitches out.
The device we were working on back when I had a job was only a class 2, and still the restrictions were insane.
http://www.fda.gov/CDRH/devadvice/3132.html
Even beyond code version control, we needed to have every aspect of the design and even testing under version control, which was constantly monitored, along with email communications, by FDA auditors. I even had to get FDA approval for tools I was using like nmap, webscarab, and wireshark.
I always thought how great it would be if there were more medical devices that were open source, but after working on this project, I can see why it's not so popular. Even if a team of brilliant hobbyists wrote the cleanest and most useful open source apps for hospital usage, it would never be allowed into hospitals because it could never get FDA approval.
I don't think there exist free tools that allow you to leave an audit trail detailed enough to please the FDA. They have to start following you at the beginning of the design cycle, and the moment they think something is out of order, they can shut the project down.
I have heard your argument so many times, and never understood it. How does implementing a "one person = one vote" policy strip rights away from small towns? If most of the people in the US want someone to be president, shouldn't that person be president?
You seem to be suggesting that the votes of people who live in small towns should be worth more than the votes of people who do not.
People who live in big cities are not out to get you. If I see a candidate who is going to try to screw over middle America, I am not going to vote for them. No one in their right mind would vote for someone intent on dividing the country against itself.
Which is, by the way, bullshit. Being left handed, my simple passwords tend towards the left side of the keyboard. Also, fyi, modern mice are shaped in such a way that pretty much everyone uses their right hand to use them.
Also, to add on to what NeoThermic pointed out about the phpbb passwords, when the myspace passwords were dropped onto the Internet, they weren't from a database somewhere, they were phished.
Do any left handed people actually use their left hand on the mouse? I sure as hell don't, and I have never met another left handed person that does either.
It also seems to me that when going back and forth from the mouse, wouldn't you want your dominant hand on the keyboard? The keyboard is far more complex than the mouse.
In ubuntu, this would be done by adding a new apt repository and signing key. Then company X would have a nice secure way to manage their own updates, in a way that integrates well with the current update environment.
How nice do you think google would need to ask to get microsoft to let them update google apps with microsoft update?
Microsoft and apple really should work on having a more open software update system. It should be trivial to just add the google/adobe/sun catalog to the microsoft update system, and just select the apps you want.
From there it wouldn't be too rough to drop in a payment system, so home users would pay 3 dollars a month for office, and 2 dollars a month for acrobat professional. It could also stimulate the software economy the same way the app store helped out the iphone.
So, google creates a new secure update system that makes sure all apps from google are fully patched all the time, and because of that you are uninstalling it?
What am I missing? Is it phoning home? Is it forcing you to install their latest apps (as with the itunes/safari thing)? What exactly is the problem here? No one is seriously suggesting the resource hit from an update daemon is the problem right?
At Portland State University, the servers are mostly named after segments of norse mythos, which makes sense, seeing as how the school mascot is the vikings. What I found really amusing is that for about 5 years or so, it looks like the sysadmin in charge of naming wasn't aware of the viking theme, so all the servers set up during that period are named after lord of the rings.
Stale software dies. If you don't improve the project yourself, someone else will.
Poor choice?
Starcraft is over 10 years old and is still one of the most popular online games in the world. Starcraft is still the most popular game at the world cyber games (professional online gamer Olympics). The game has set 4 Guinness records, including "Best Selling PC Strategy Game". Korea has three tv channels that broadcast nothing but Starcraft games 24/7.
All RTS games have balance issues when they start, and over time they are resolved. If you check out the top players in the world, you will notice that the spread for what race they use is pretty even. http://en.wikipedia.org/wiki/StarCraft_professional_competition
Say what you will, but in my opinion, teaching a class like this with any game other than Starcraft would be insanity.
The choice is this:
1. pay the doctors via the insurance companies
2. pay the doctors via the government
Insurance companies are multi billion dollar corporations who only answer to their shareholders. Americans pay FAR more for their health care than the rest of the world, even the healthy Americans.
The situation could be worse for desktop apps. When a company stops caring about producing a desktop application, they typically just stop providing updates. Sooner or later, a critical vulnerability starts gaining popularity.
With the company disbanded, you may get no patch, and no warning. Then, even if you do get the warning, if the application is already integrated into the work environment, it might get labeled as an "acceptable risk". One of the HUGE advantages I see in cloud computing is that the burden of maintaining patch level is pushed up a few notches.
I think this event is probably far more significant to people who actually saw the civil rights movement.
I think that to many of the younger kids out there, Obama will just be another guy being sworn into office. They don't notice anything odd or abnormal about a black guy being in power. That in itself might be significant.
I personally never understood the racial hubbub of it all. I think first multi-racial is more significant than first black president anyway. I'm just glad that we will soon have a president who actually understands the importance of investing in technology, and won't it be nice to have a sane foreign policy?
I think the jab in the summary was less about Microsoft employees, and more about .NET junkies. In general, most of the people I have met from Microsoft are pretty sharp.
What I have seen quite often are those ethereal companies that flicker in and out of existence, and for some reason they tend towards .NET development. Often some rich kid gets some wacky idea, hires up some .NET programmers, shows off some flashy demo 6 months later, then sells off all the assets, and then starts over again.
The code is only written to impress venture capitalists, or VPs at some megacorp, so the quality of the code is never quite up to par with proper coding standards.
1. Exposing corporations for the evil bastards they are has much less impact when you make up all the numbers.
2. In The Dalles here in Oregon, their project 02 datacenter pulls all of its power straight from the hydro dam next door. In fact, the whole reason they built there was because of all the dark fiber underneath, and the hydroelectric dam adjacent. Google didn't get rich by making shitty decisions when it comes to power consumption.
While it may be inconvenient that they don't include a software path to disable security, there is still nothing stopping the user from just pulling the keys straight out of the hardware.
I have seen people pull TPM keys with about 1000 dollars worth of gear.
Even in best case scenarios for the RIAA, all it takes is one user cracking their TPM to generate as much clean media as they want, and then we are back to where we started.
Anti-piracy groups have already far surpassed the point of diminishing returns, and piracy advocates outnumber them significantly. The message is clear. If your sales model is based on treating information as if it was actual physical property, you are going to fail miserably.
It might work for some DRM, like passing out a few sealed PDFs etc, but it will never work for mass media distribution, and I think more people are aware of that than you may realize.
... why is this ridiculous?
It's ridiculous because information isn't stuff, and any attempt to control information as if it was a physical object is going to fail miserably.
Insightful? Sounds to me like cynical flamebait
When did anyone ever say that the job of a politician is to make everyone happy? Of course politicians aren't going to please all of their supporters all of the time, that's not how it works.
Obama didn't run on a platform of anti-corporatism. He ran on a platform of more government control of corporations, and more public transparency of the government.
We currently have had a vice president for the past 8 years who was the CEO of a major defense contractor. On the other hand, one of the many people that Obama selected for a DOJ position worked for a law firm that represented a company that many of us don't like, and people flip out over that?
Sure, he is going to make some moves that don't fully satisfy the tech sector, but the sky is hardly falling, and I personally don't think the tech sector has had it this good in a long time.
Bullshit, not a single person working on TPM at Intel thinks it will ever work for DRM. I say this as someone who has talked with several of the security architects and TCG liaisons (in a non-professional setting).
TPM does close to nothing to prevent local attacks. What it is meant for is to prevent remote attackers from digging too deep by providing a safe place to store keys.
It is used to sign code. What Joanna did is what she always does, she found a fun way to get arbitrary code to execute when only signed code is supposed to be able to.
It totally depends what you are into, but you can get a totally unrelated masters degree. A CS degree is similar to a math degree in that it complements unrelated fields very well.
A good friend of mine did his undergrad in CS, then got an MBA, and now works at a consultant firm optimizing and tweaking business hierarchies.