Re:Ummm... spot the problem... (on "Windows ATMs by 2005", Score: 2, Informative)
You've obviously no clue who Bruce Schneier is. He's the author of the (infamous) book "Applied Cryptography", invented the Blowfish and Twofish algorithms, has played a major role in analyzing (cracking/finding weaknesses in) major security algorithms. Bruce is the leader in this field. He is the president of Counterpane (http://www.counterpane.com/). If anybody has a clue about security, it's him. Get a clue before you post.
Unfortunately, this is what's happening. Microsoft has done the same with banks as what they've done with most corporate entities -- 'bid' systems and training to them. The deal is that most banks store information in MS databases, most Internet bank interfaces are ASP applications (.NET will make this worse). Whether or not it's 'secure enough' is not a question...
Believe it or not, there are people who get paid very well to administrate Windows computers and they like Windows very much.
I'm not sure how hackable these machines will be either. ATMs use either dialup or ISDN connections to communicate centrally with banks, so they're not going to be on any public network (check out http://answers.google.com/answers/threadview?id=241775 for a good discussion about how credit/ATM cards work and links to many resources on the subject).
Additionally, there isn't much room for hacking an ATM... I mean, without taking the thing apart, you have 21 keys maximum (4 - 8 keys to choose options on the screen, 10 keys for numbers, an OK key, cancel transaction key and backspace key) on most machines. Without opening the thing up, you're not going to get very far.
While Windows may not be secure over a public network with all sorts of services running, on a private direct connection with solid software, there's really no vulnerability here. You should learn a little more about how these machines work... they're not on some wide-open network hole waiting to be exploited.
ATM transactions are also encrypted, and I think we all agree that Microsoft is definitely pro-encryption.
So, before we go bitching about MS getting their stuff put on ATMs, I think we should look at the online interfaces to our accounts which are much more insecure than any ATM that will have Windows (and all the posts here seem to just be whining about how insecure it will be). I guarantee that you losing your ATM card is the most insecure thing that can happen in this regard without taking the ATM apart. A UNIX-based machine would be potentially just as vulnerable if you consider this possibility.
On the other hand, I think poorly written online banking software accessible through web-browsers on any platform is more of a security threat to your banking.
On a final note, in the Netherlands, anyway, banks give you this little device that you put your card in and it generates a hash that you have to type in every transaction. Is anybody aware of what is actually being hashed? I wouldn't think it's any private data on the card, because several banks don't require you to insert the card into the device. The best I can tell it's simply a couple of hashing algorithms hashing the current time (with about a 30 second period -- i.e. two hashes within n seconds generate the same hash) and... ? The PIN? Not sure.
Anyway, food for thought for you overly-hyped cynical freaks.
Being a native English speaker who has learned Dutch, I'm naturally curious as to how this post would look in Dutch. After thinking for a couple of seconds, I decided not to even try.
First of all, there are a lot of letter combinations in Dutch that I think would be pretty important for me to see to be able to correctly interpret the word.
Secondly, depending on the placement of vowels and the desired sound of the word, sometimes a diaeresis accent (a.k.a. umlaut, trema, etc.) is necessary. I won't get nitty-gritty with the rules because it's irrelevant to explain them here, but I think they'd certainly play a part.
However, I'm curious as to whether native Dutch speakers can read this without problem:
[Bjderif] bdeit de btekkroen celnit de mgolekjhieid zjin lpoboaan te vanedreern of aan te psasen op een wizje die zeowl voor hmezlef als voor de wregkveer bvdreeigned is.
Descrambled, that's:
[Bedrijf] biedt de betrokken client de mogelijkheid zijn loopbaan te veranderen of aan te passen op een wijze die zowel voor hemzelf als voor de werkgever bevredigend is.
Now that I've written that out, I can read it no problem because I know what it says already. But perhaps some of you can post other scrambled Dutch texts and/or give me feedback about this. I'm interested:)
It seems to me that he is stating that he gave it out to people, not that he released it under any type of license. This is sensible, because if this guy wants to make some Apple Is, Woz'll be able to make a couple bucks (like he needs it) from licensing fees. But I don't think he'll open-source it so-to-speak.
However, a BSD license or a release into public domain would be better for this kind of thing than GPL. If you GPL the ROM code, it seems that everything that ended up running on the box would need to be GPL. Which would suck, IMO.
No, I'm not trolling. I don't see why anybody needs it. Ports and pkgsrc can accomplish things just as fast/faster than portage can. I don't see any advantages in portage over ports and pkgsrc. Thus, I don't see it as being an improvement. Judging by the amount of other people who posted here saying "didn't they notice that we already have ports" and other similar things, I'd say I speak for a good few people.
On a different note, I don't like Linux anyway and, unless Gentoo BSD is going to offer some killer features (sorry, portage is *not* a killer feature). And I hope to GOD that they keep a standard FS structure.
Did anybody tell the developers that we already have ports? (That they stole portage from, BTW). Wait, wait, we didn't have packages? No... I thought we had pkgsrc...
Why the hell do we need portage? We've already got our system. It works (for us) better than portage. We don't need it. Stop wasting your time.
You know, I was thinking about this just today. I realized that they can't just do this without providing an option to turn that kind of "encryption" off. The last I heard, they were doing the same thing with Windows Media Player.
I have and continue to produce my own (really bad) music. If I am using Windows Media Player to rip (or burn) a CD of my stuff and I want to distribute it for free (I own every imaginable right to the music), then I should be given the option to turn this off.
I think that if they don't provide an off switch, a lot of companies are going to get pissed off and find viable alternatives.
Another thing to think of: will they be doing this upgrade for Mac as well?
I concur with your points. Documents that I write must be portable. People already get pissed off enough that I use OOo (because it doesn't do all the formatting Word does) -- I don't need to be forced to buy Microsoft products to do my work effectively. This is, shortly stated, what we would call a monopoly. Point blank.
Ever gone to a shrink about that ego problem of yours? I've plenty of experience with BSD (mostly with FreeBSD, but I can manage well in Net or OpenBSD) and I don't agree with this at all. Neither would most of the people on the FreeBSD mailing lists.
I don't think that anybody should just "fuck off". FreeBSD has a lot to offer (for a secure, stable networked future) and if people aren't willing to spread the knowledge, I don't see things coming very far. I'm sure the BOFH mentality gets you far in life and makes you a lot of true friends. I know that if I walked around telling my coworkers to go fuck themselves that they'd absolutely love me. I'm sure I'd stay at that job for a long time.
In any case, a good understanding of successful and appropriate social conduct helps. You really don't come across as a person who's learned either.
Not to troll, but your hostility is completely unnecessary. You could have said you were familiar with the process you needed to take and say thanks anyway. The sarcasm is really unnecessary. It adds to an "elitist" outlook on the BSD community (one that OpenBSD already contributes enough to) and discourages people from migrating. The dude has no way to know you've got such experience with FreeBSD.
Granted Linux has got a whole lot of these pissing contests going on all the time... we don't need them in BSD.
If you knowingly purchase a stolen good, you are committing a crime and that's just the way it is. Thus, if you buy something from the pirate street CD vendor (who you obviously know is pirating, since you're getting your CD for $2), you're committing a theft.
Granted the case is different here -- the users could have NEVER known that they were "thieving" SCO's goods (assuming that SCO has goods that can be thefted) since:
a) SCO has never shown these goods and
b) There's no proof that they exist.
The absolute best SCO could do as far as suing end users is track down every purchase/download of Linux since their initial announcement and this would only be possible AFTER they have proven that their stuff exists in Linux. But then there's the question: if you know that stuff is getting pirated and you know the source, what sense does it make, then, to catch the end users? *sigh* Admittedly none of this makes sense.
This is the law as I understand it. I don't give a fuck if I'm not a lawyer.
Anyway, my whole point was that you could have used a better analogy. Sorry for the anal retentiveness.
It is so obvious that Microsoft wrote this article (on "Blaster Writer Caught", Score: 2, Interesting)
Infected computers were programmed to automatically launch an attack on a Web site operated by Microsoft, which the software maker easily blunted. The site, windowsupdate.com, is used to deliver repairing software patches to Microsoft customers to prevent against these types of infections.
Talk about an advertisement.
Anyway, doesn't it ever occur to the press that Microsoft could actually be doing a better job researching into securifying their products *pre* release? Right now (as everyone knows), they're submitting corporate-level products to corporations, making gazillions of dollars, and ignoring any bugs until someone points them out.
When is somebody going to finally decide to call them on this and force Microsoft to do a security audit?:\
I, personally, would be surprised if this fell in the lap of the Legislature. Businesses will never allow this to happen. Why do they have the right to tax private communications? Are they going to put extra tax on legal pads and pens next?
that system security has more to do with the systems administrator than the underlying software? Of course you can break into all sorts of vulnerable systems. Tons of people run tons of vulnerable applications for various reasons (one of the biggest being compatibility). Others are just smitten with idiot administrators. One can make a Windows system just as secure as any other, required time and effort notwithstanding. So before we go blabbing about who runs the most secure OS, let's talk about system administrators first. Kthx.
I'd love to file an SEC complaint about this but, to be quite honest, I'm somewhat overwhelmed by the amount/type of information they're requesting. There's obviously plenty of information abounding about this lawsuit (much of it on /.) -- are there any suggested links/citations/templates for responses that I can follow when filing a complaint? I'm not oblivious as to what their questions mean; I'm simply finding it difficult to gather all this into some organized fashion (you must admit, this/these lawsuit(s) are so messy that it's hard to get any organization out of it). Any suggestions would be highly appreciated by me (and I'm sure by others as well). I certainly don't want to come across as whiny when filing this complaint.
Feel free to post here and/or email me with suggestions.
--Devon
I think for them to put out a good product, they should not hope to "release early, release often" but to "release quality, not quantity". Many projects have gone under because the products are buggy. If the developers always feel pressured to get lots of code out there very fast, they're going to be releasing buggy code that they never get time to fix.
You are wrong, sir. Checking the *same guy's* site who wrote the TCP/IP stack -- CALL in EhBASIC is described as:
CALL calls a machine code routine at location address. While this in itself is useful it can be extended by adding parameters to the CALL and parsing them from within the routine. This technique can also be used to pass extra parameters to the USR() function.
system(), sir, is defined in the UNIX man page as:
system() executes a command specified in string by calling /bin/sh -c string, and returns after the command has been completed. During execution of the command, SIGCHLD will be blocked, and SIGINT and SIGQUIT will be ignored.
What's the similarity here? What version of BASIC are you referring to? Enhanced BASIC certainly doesn't behave in the manner you've described. Please do not patronize me any more. Thank you, sir.
First: ATMs do not operate on VPNs.
Second: That nullifies your argument against his point.
Mod the parent post down.
I've already been getting emails for 3 days with crap from 'Microsoft' and people sending me the patches in .exe form... like I'd trust that. :P
But thankfully, I run FreeBSD and don't have to deal with that crap. Just the email overflow.
How did this get modded up? What 'more suitable language'-based operating system do you use?
*ahem*
/. still removes them in formatting :X.
Please forgive the lack of an e diaeresis in "client" --
--Devon
Good day.
So you're suggesting that they be let to stay online and propagate virii? No thanks.
That "large supplier of streaming media software" didn't happen to be Microsoft, did it? ;)
--Devon
What, a beowulf robot cluster? :-D
(Sorry, it was obligatory)
Thanks, I'm calling now.
Yes, and asm() is legitimate C, too. Ignoring that, it's assembler.