Slashdot Mirror


User: Paul+Crowley

Paul+Crowley's activity in the archive.

Stories: 0
Comments: 1,017

Comments · 1,017

  1. Password in the cookie? No-one's *that* dumb :) on Another Hole in Hotmail · Score: 2

    Naah, no-one would be stupid enough to embed a plaintext user password directly into an authentication cookie. Well, maybe Microsoft and Hotmail, but no-one who had the slightest clue about the issues Slashdotters care about.

    Would they?

    #!/usr/bin/perl -w
    # Read the browser's own cookie file and show what the Slashdot cookie
    # actually contains once its hex encoding is undone.
    use strict;

    open COOKIE, $ENV{HOME} . "/.netscape/cookies" or die "cookies: $!";

    while (<COOKIE>) {
        next unless /slashdot/;
        chomp;
        my @args = split;                  # Netscape's cookies file is whitespace-separated
        my $cookie = pop @args;            # the cookie value is the last field
        $cookie =~ s/\%25//g;              # drop the URL-encoded "%" characters
        print pack("H*", $cookie), "\n";   # hex string -> the raw bytes
    }
    close COOKIE;

    --
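What the comment's script finds, beside the form a server should have used instead, as an added example (not the poster's code; the server key and the cookie layout are constructed for the demo): a hex-encoded password cookie decodes with one call, whereas a random session id bound to the user and an expiry by an HMAC reveals nothing about the password and cannot be altered without the server key.

```python
import binascii
import hashlib
import hmac
import secrets
import time

# Server-side secret, constructed for the demo (a real server loads it from a secret store).
SERVER_KEY = secrets.token_bytes(32)


def legacy_cookie(password):
    """The pattern the comment describes: the password itself, merely hex-encoded."""
    return binascii.hexlify(password.encode()).decode()


def recover_from_legacy(cookie):
    """Anyone who can read the cookie file gets the password back with one call."""
    return binascii.unhexlify(cookie).decode()


def issue_session(user, ttl=3600, now=None):
    """Hardened form: random session id plus expiry, bound to the user by an HMAC.
    Nothing in the cookie is derived from the password."""
    now = int(time.time()) if now is None else now
    body = f"{user}:{secrets.token_hex(16)}:{now + ttl}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def check_session(cookie, now=None):
    """Return the user if the cookie is unmodified and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        user, sid, exp, tag = cookie.split(":")   # exactly four fields expected
    except ValueError:
        return None
    body = f"{user}:{sid}:{exp}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return None
    return user if int(exp) > now else None
```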

  2. Postscript is not a good fit to any problem on A New Rendering Model For X · Score: 2

    Postscript is the second worst programming language I have ever encountered after Sendmail (which has Turing complete rewrite rules). All the slowness and unpredictability of a very high level language and all the incomprehensibility of assembly. Even Adobe seem to be keen to kill it in favour of PDF.

    And Postscript has *way* too much extra shit in it. Java doesn't have "save/restore", for example, which was always madness and looks madder than ever when looking at interactive stuff.

    Java is certainly the right fit for this problem. I agree that this would be very desirable. Not Swing or whatever, just the core Java language combined with a rendering model designed for this problem.
    --

  3. Why is MySQL more popular than PostgreSQL? on Why Not MySQL? · Score: 4

    MySQL seems to be pretty much the default choice for people (who aren't companies) building a database-driven website. Can someone explain to me why? Unlike Postgres, it isn't a real RDBMS as the article explains, it isn't that much faster and sometimes it's slower, and it's not Open Source. What's behind its popularity?

    I'm not trying to be provocative; I really don't know the answer!

    --

  4. Whoops, wrong URL on Handmade Encryption Challenge · Score: 2

    Try http://www.cluefactory.org.uk/paul/crypto/mirdek/. Bugger, I tried to cancel but too late!
    --

  5. For more hand cipher amusement, check out Mirdek on Handmade Encryption Challenge · Score: 2

    I've been trying to design a strong hand cipher myself, though I've set my goals rather higher than this guy. My current proposal is http://www.cluefactory.org.uk/paul/mirdek/ . If you've seen Schneier's Solitaire, you're familiar with the idea.
    --

  6. Does wealth make it hard to get around to writing? on Ask Douglas Adams About...Everything · Score: 4

    The way you (and others) portray the way you work, I get the impression you find it very hard to finish a writing job unless you're actually looking starvation in the face if you don't deliver tomorrow. You've described some innovative and elaborate forms of procrastination, and you certainly don't produce new work at the same rate as you did when H^2G^2 was first being written. Do you see it as a problem? Or are you finding procrastination easier to overcome?

    cheers!
    --

  7. Esperanto has too many problems to be considered. on A Common (Internet-Based) Language? · Score: 3

    See the Espe-Ranto for a breathtaking list of serious problems with Esperanto that pretty much negate most of the advantages its supporters claim for it. While you're there, learn how to be like Bill Gates...
    --

  8. Wow, that's why they call it homophobia on UPDATED: Outcast: Censorship Under The Digital Union Jack? · Score: 2

    Otherwise known as "homosexual panic". It amazes me the terror of anything gay that people are prepared to show. Chill. I don't run NetBSD, but I'm prepared to look at www.netbsd.org if there's an interesting article there. I'm guessing you'd find it difficult to select the link to my Website because you'll run a mile from anything with "clue" in the name.
    --

  9. OutRage aren't Outcast, and you misrepresent them. on UPDATED: Outcast: Censorship Under The Digital Union Jack? · Score: 2

    Out*cast*, not OutRage. As it happens this has many factual inaccuracies about OutRage, but that's not the issue since you're just railing at the wrong organisation.
    --

  10. The Pink Paper is free. And it's a rag. on UPDATED: Outcast: Censorship Under The Digital Union Jack? · Score: 3

    It won't work. First, the Pink is free, and left in big piles at gay venues; few subscribe. Second, everyone already knows it's a nasty rag, but it's free so they read it anyway. Third, Millivres, the publisher, already own half the gay press.

    The Pink survives by selling the Pink Pound to advertisers: lots of dual-income no-kids people to sell lifestyle shit to.

    As for "gay community leaders": Peter Tatchell, probably the best known gay campaigner in the country, is already involved in creating Outcast, so I expect he'll be making his opinion known. However, that the Pink is bad news is not news at all.
    --

  11. What the hell is going on in Britain? The answer.. on UPDATED: Outcast: Censorship Under The Digital Union Jack? · Score: 2

    I know exactly what's really going on. And I'd love to tell you. Unfortunately, for legal reasons, I can't comment.
    --

  12. It is censorship because the ISP act under duress on UPDATED: Outcast: Censorship Under The Digital Union Jack? · Score: 2

    You don't have to actually get sued for it to be censorship. If you pull the plug on content yourself because you're afraid of what the state will do to you if you don't, that's censorship too.

    That's why *every* news report from heavily censored territories ends with "This news report was compiled under the reporting restrictions of (the local regime)" even if no content in that particular report was pulled, because those who compile it are aware of the restrictions all the time.

    You can accuse the ISPs of extraordinary craven spinelessness in the face of even the tiniest push, but in the end they're just covering their asses; the real censors are still the judges who decide on and enforce censorship legislation.
    --

  13. DHMO is used as a weapon by UK riot police on Hoax-a-go-go! · Score: 2

    UK riot police use DHMO-firing "cannons" to attack rioters. Many people have suffered severe injuries as a result.

    I don't think it can be said to pollute sewage, but it's certainly a major component in toxic sludge.

    Ban DHMO!
    --

  14. British libel law is much worse than US on UK's Demon Settles Usenet Libel Case · Score: 4

    I don't think you mean it that way around. British libel law is generally agreed to be the worst in the West. Many journalists knew very well what press baron Robert Maxwell was up to with stealing pension funds, but they couldn't afford the libel case that would inevitably follow if they were to publish it, so millions were embezzled in safety until Maxwell's fortunate death. However, a dead man can't be defamed, so as soon as he was dead the whole details could be published and were quickly found to be entirely true.

    It's been a mainstay of villains and scoundrels for many years. Recently it's not all been going the way of the bad guys: Jonathan Aitken and Neil Hamilton were recent prominent losers in libel cases and Aitken deservedly went to prison for perjury after suing a paper for publishing the truth.
    --

  15. You're right, but wrong Cryptogram. on Netscape Nondisclosing Mozilla Security Bugs? · Score: 3

    It was the February issue that discussed this. I agree with you and him, and I think Netscape could avoid this whole row by promising a fixed "sunset" after which bugs will be publicized no matter what. A month should do it - most security problems that can be fixed with patches at all seem to be "d'oh!"s that get fixed very rapidly after identification.

    I would recommend that all open source projects do the same. If you spot a security bug in the Linux kernel, or Apache, or sendmail or whatever, let the maintainers know quietly and give them a chance to announce and fix in good order; tell the world only if this procedure doesn't seem to work.
    --

  16. It doesn't make sense to offer prizes for proofs. on Grok Goldbach, Grab Gold · Score: 4

    Lots of work has been done that could be useful to the GC, just the same way as was done for FLT. The winnings will go not to the person who does the most work towards it, but whoever supplies the piece of the puzzle that happens to be last.

    Mathematics is a great cooperative venture. It wouldn't be easy to identify one mathematician who did the largest share of the work even if they tried to do it that way, and if they did it would probably be Gauss or Poincare or some other dead heavyweight genius.

    This might encourage work on the GC, but it also might discourage publication of such work, because the mathematicians haven't quite finished the proof.
    --

  17. I agree, but look at the funny side... on Date Pagers · Score: 5

    I wouldn't get one of these devices myself, but hey! Supposing two violent homophobes with baseball bats get the same idea...
    --

  18. SRP is the secure one - cryptographic reasons on SSH v. SRP · Score: 2

    SSH is secure only if the client has the server's public key with which to authenticate it - and even then there are problems. SSH works in three stages:
    1) negotiate an encrypted session with the other party
    2) authenticate the other party
    3) the client sends the password in the encrypted session.

    Clearly, if you can spoof the server you can get the Holy Grail: the real, plaintext password. This is why SSH flashes up big warnings saying "THIS SERVER IS UNAUTHENTICATED: REALLY PROCEED?" when you log on to a server the client hasn't seen before. To which everyone just presses "yes", defeating the so-called security. You can also get the Holy Grail if you can subvert a server to which the target logs on.

    Contrariwise, SRP offers real network password security. SRP was designed around the assumption that the normal situation for network security was that people went up to new, vanilla clients and used only their passwords to log on to servers the clients had never seen before, and any protocol that wasn't secure under these assumptions just wasn't secure. SRP does damn cunning public key manipulations to allow the password to be used to verify both the client *and the server*, while only storing a password verifier on the server. Eavesdropping real connections, spoofing clients, or spoofing servers will leave you no better off than when you started; you can't even launch a dictionary attack, in contrast to disastrous protocols like CHAP which don't work for the low-entropy passphrases used in the real world. You can mount a dictionary attack if you subvert the server (this is unavoidable), but that's still more work than just reading the plaintext-equivalent phrase from the password file as is the case with challenge-response protocols; even subverting the server doesn't help.

    SRP (and its cousin, B-SPEKE) solved the real, difficult problems of network password security. Accept no substitutes.

    I only wish Slashdot didn't prioritise being first over being right so much, so more people could see the good information...
    --
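The SRP exchange the comment describes, as an added example (not the poster's code and not taken from any SRP library): the server enrols only a salt and a verifier, a run with the right password gives both sides the same key, and a wrong password fails the client's proof without the server ever seeing either password. Assumed here: SHA-256 as the hash and the 1024-bit group from RFC 5054 as transcribed below; the checks that A and B are nonzero mod N, which a real implementation must make, are omitted.

```python
import hashlib
import secrets

# 1024-bit SRP group (N, g) as listed in RFC 5054 Appendix A (assumed transcribed
# correctly; the SRP algebra below holds for any safe prime N and generator g).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8

def H(*parts):
    """SHA-256 over the concatenation of ints (padded to len(N)) and strings."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NBYTES, "big") if isinstance(p, int) else p.encode())
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier parameter

def make_verifier(username, password):
    """Enrolment: the server stores (salt, v) and never the password itself."""
    salt = secrets.token_hex(16)
    x = H(salt, username + ":" + password)
    return salt, pow(g, x, N)

def srp_exchange(username, client_password, salt, v):
    """One SRP-6a run. Returns (client_key, server_key, client_proof_accepted)."""
    a = secrets.randbelow(N)                      # client ephemeral secret
    A = pow(g, a, N)                              # client -> server: username, A
    b = secrets.randbelow(N)                      # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N                # server -> client: salt, B
    u = H(A, B)                                   # scrambling parameter
    # Client side: knows only the password it typed, never v or b.
    x = H(salt, username + ":" + client_password)
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: knows only the stored verifier v, never the password or a.
    S_s = pow(A * pow(v, u, N) % N, b, N)
    K_c, K_s = H(S_c), H(S_s)
    # Client sends its proof first; the server checks it against its own key.
    M1 = H(A, B, K_c)
    return K_c, K_s, M1 == H(A, B, K_s)
```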

  19. Yes, it's real - see these URLs. on Intel Goes for Display Encryption · Score: 3

    Yes, this has been widely demonstrated in academia and other experiments. Two good sources are The Complete, Unofficial TEMPEST Information Page by Joel McNamara, and Ross Anderson's Soft Tempest pages. The latter is particularly mindbending and everyone on /. should give it a read....
    --

  20. Isn't the wavelength of light too long for this? on Two Turntables and a Laser Beam · Score: 2

    Hang on. A 12in record has a couple of inches inside for the label, so let's say 5in ~= 120mm radius of playable vinyl. One side might play for, say, 25 mins; at 33 1/3 RPM that means about 800 grooves have to fit in that space, so each groove is about 0.15 mm wide. Clearly the groove can't wiggle by more than 0.15 mm, and probably much less - let's be generous and say 100 um (microns). Reading that with, say, 100nm light, you get a resolution of 100 um /100nm = 1000 - ie you can distinguish 1000 different displacements. That doesn't compare well to the resolution of a CD player - 65,536 possible displacements.

    I'm not an expert on this stuff, and my math may be screwy - but this doesn't check out on my calculator...
    --

  21. Motorola Timeport and Palm with IR on Net Access on an American Road Trip? · Score: 2

    I live in the UK, and I get mobile internet by letting my Palm III talk to my Motorola Timeport (L7089) over IR. When I got the Palm I even got a cheap carrying case with an elastic strap that conveniently (and coincidentally, I think) holds the phone facing the Palm, so I can read Slashdot on the bus.

    Now the neat thing is, the Timeport is triple-band, so it should work in the US or anywhere in Europe. I haven't tried that bit yet though. I use Orange as my mobile network provider and Free-Net as my ISP; I think I can make Orange calls from the USA but I'm not sure.

    I got mine really cheap from AVR Mobiles, but shop around, prices change all the time.

    You can get SSH and a Web browser for the Palm.
    --

  22. Is a network proof against DDoS possible? on Ask Security Guru Dave Dittrich About DDoS Attacks · Score: 4

    Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?
    --

  23. Harlequin is in a funny state. on Salon on JWZ/Emacs/Mozilla/AOL and Nightclubs · Score: 2

    Harlequin went into receivership late last year and has been bought out by a firm called Global Graphics, who wanted the Scriptworks Postscript RIP (which I used to work on). GG aren't really interested in selling programming languages, so IIRC that arm of the company has been sold off as a different firm, whose name I forget.

    However, the really interesting story is Dylan. Harlequin put huge amounts of work into a high-quality Dylan implementation; it's one of the things that sunk the company. When GG took over, they decided that they'd have an impossible task selling the product either to end users or to a company - so they made a *gift* of the source to the developers. They've now set up a company, Functional Objects, to develop it further.

    It seems they don't currently plan to open source their implementation; personally I think they're doomed unless they do...
    --

  24. Brett Glass has a heavy axe to grind. on Forum: The Yahoo Denial of Service · Score: 2

    It's well recognised that FreeBSD's networking stack is an outstanding piece of engineering which the Linux kernel folks are racing to catch up with, and certainly as capable of withstanding this DoS as any OS out there. However, Glass overstates the problems with Linux here: there are no known ways of crashing a Linux server running the most recent production kernels over the network without special privilege, even using a coordinated DoS.

    This is because Glass is a fulminating anti-GPL fanatic; facts unfortunately come second. Let the reader beware.
    --

  25. With any luck this will help the abstract UI on Corel Puts Internal WINE on CVS · Score: 2

    Hopefully, the lessons Corel learns in binding the KDE UI to Wine will be useful to the abstract UI team for working out what the abstract layer should look like.

    --