So it's OK if a corporation does anything within the law to profit? Even if that includes legal bribery to have laws changed to make new kinds of theft illegal? What about poisoning villagers in third world countries?
If people can't remember, or correctly type in a sentence without it being echoed, what the hell are they doing in front of a keyboard?
Irrelevant. The people who believe that only intelligent people should be allowed to use computers are not the same people in charge of deciding who is allowed to use a computer.
On my biggest attack box even a 10 character password is brute forceable within a day.
Nonsense. The smallest reasonable space is ' '-'~', that's (128-32)=96 characters. If you can do 10^9 tries per second, the attack will take you 96^10/10^9/86400/365.25=2106.7 years. And since no one should be making their hashed passwords available in modern times, a rate of 10^9/s should be impossible anyway.
Re:hard problems ... human factors (on Real Security?, Score: 1)
Did it ever occur to you that maybe the "human factors" are a "hard problem?"
Not in the same sense. The human factors present completely unsolvable problems.
Re:People can make them whatever they like. (on Real Security?, Score: 1)
You use the same password on different systems. It is already compromised.
Too bad many sites are disallowing special characters for fear of SQL injection attacks.
Ah, that's why they do it. They don't know how to use their database library properly.
I've seen seriously limited password space because of this. For example, a requirement that three characters be non-alphanumeric, but the only non-alphanumeric character supported be _, but it can't be the first or last character. Insane things like that.
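The brute-force estimate from the earlier reply (96 symbols, 10 characters, 10^9 tries per second) and the underscore rule described just above, worked through together as an added example; this is not code from the thread. It assumes 10-character passwords and reads "three characters" as exactly three underscores, with every other position alphanumeric.

```python
from math import comb

SECONDS_PER_YEAR = 86400 * 365.25
ALNUM = 62  # [A-Za-z0-9], the only characters allowed outside the underscores


def brute_force_years(space_size, length, tries_per_second):
    """Worst-case years to try every password of `length` over `space_size` symbols."""
    return space_size ** length / tries_per_second / SECONDS_PER_YEAR


def underscore_policy_space(length, underscores):
    """Count passwords that satisfy the rule from the post above (constructed
    reading: exactly `underscores` '_' characters, none first or last, every
    other position alphanumeric)."""
    interior = length - 2  # only these positions may hold '_'
    if underscores > interior:
        return 0
    return comb(interior, underscores) * ALNUM ** (length - underscores)


def shrink_factor(length, underscores, space_size=96):
    """How many times smaller the policy-restricted space is than an
    unrestricted one over `space_size` symbols (96 is the thread's figure)."""
    return space_size ** length / underscore_policy_space(length, underscores)


if __name__ == "__main__":
    rate = 1e9  # tries per second, as assumed in the thread
    print(f"96^10 at {rate:.0e}/s: {brute_force_years(96, 10, rate):.1f} years")
    n = underscore_policy_space(10, 3)
    print(f"policy-restricted space: {n:.3e} passwords, "
          f"{shrink_factor(10, 3):,.0f}x smaller than 96^10")
    print(f"same rate against that space: {n / rate / 86400:.1f} days")
```

Under that reading the rule cuts the search from about two thousand years to a couple of days at the same guess rate, which is the practical cost of such composition restrictions.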
Re:Two minds about it (on Real Security?, Score: 4, Informative)
Thanks for providing a classic example of a bad security idea. Your voice is not unique to you. Anyone can record it and play it back.
Also, biometrics are worthless as the sole factor because if copied they can not be changed.
If you care this much about security, use s/key (or OPIE) or any similar algorithm. Let the user carry around a device that calculates the next password. RSA securid is nice if you don't trust your users not to share their passwords, though not as secure as s/key.
All the hard problems are solved. Everything that's left is human factors.
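A minimal S/KEY-style one-time password chain, added here as an example and not code from the comment above: the user's device holds the seed and walks a hash chain backwards, while the server stores only the last accepted link, so a replayed password fails and a stolen server record yields no future passwords. It is simplified: real S/KEY (RFC 1760) uses MD4 folded to 64 bits with a six-word encoding, whereas this uses SHA-256, and `enroll`, `Client` and `Server` are constructed names.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """[h^0(seed), ..., h^n(seed)]; only the last link ever reaches the server."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class Client:
    """The user's device: walks the chain backwards, one link per login."""
    def __init__(self, seed: bytes, n: int):
        self.chain = make_chain(seed, n)
        self.next = n - 1

    def next_otp(self) -> bytes:
        if self.next < 0:
            raise RuntimeError("chain exhausted; re-enrol with a fresh seed")
        otp = self.chain[self.next]
        self.next -= 1
        return otp


class Server:
    """Stores only the last accepted link, never the seed."""
    def __init__(self, last_link: bytes, n: int):
        self.stored = last_link
        self.remaining = n

    def login(self, otp: bytes) -> bool:
        # Accept only the link that hashes to what we stored last time.
        if self.remaining == 0 or not hmac.compare_digest(h(otp), self.stored):
            return False
        self.stored = otp      # replaying this otp now fails: h(otp) != otp
        self.remaining -= 1
        return True


def enroll(seed: bytes, n: int = 100):
    """Constructed enrolment: the seed stays on the client, h^n(seed) goes to the server."""
    client = Client(seed, n)
    return client, Server(client.chain[-1], n)
```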
Re:Two minds about it (on Real Security?, Score: 2, Informative)
Most people are not able to type a full sentence without making an error. Now you have to either echo the password, or accept similar passwords as correct, both of which are horribly dangerous.
Those that are, probably also type the password too many times a day to make this practical.
The fact of the matter is that guessed passwords make up far less than a tenth of a percent of all intrusions.
By the way, all reasonable systems support long passwords. There's really no excuse. I don't know what "if systems supported it" is supposed to mean. I can't think of a modern system that doesn't support long passwords.
Any Unix already provides the protected memory space protecting from messing with the core OS. Assuming that it's run as a regular user that doesn't have access to use the network (I think netfilter can do this) and you have reasonable filesystems everywhere, it's pretty safe. To prevent DOS attacks he'll also need a per-user process and memory limit. Not sure if any unix can do a per user memory limit, but at least a user can't use more than (max number of processes * max size per process) of memory.
Something like user mode linux would be safest. But people who really care about security run each daemon in a separate uml environment.
Well, I don't know, do they? Have you ever used redhat's "enterprise support"?
Yes. They are sometimes (not always) able to answer the simplest of questions. If it is at all nontrivial they are guaranteed to either get it wrong or not give any answer at all. Mostly they just don't help by either playing dumb or actually being horribly dumb.
You can do a mouse pointer in text mode. You take a four character square and change those characters to four high-ASCII characters you're not otherwise using. Change the font for these characters to position the pointer within that block.
Don't take this the wrong way, but the purpose of a LUG isn't to provide hardcore engineering-level help. That's what a support contract with the vendor is for.
You think that Redhat's support contracts will provide "hardcore engineering-level help"?
The next generation of this is an advanced elizabot to spam you on IM. The next generation after that is a highly advanced AI bot that you can't tell is not human. (No need for the kind of strong AI that would pass a turing test, however. The standard on an IM network is rather lower.)
My boss has since been rubbed the wrong way when RHN failed to "work as advertised" on August 29th.
They have no excuse for allowing the certificate to expire beyond gross incompetence. The distro should have been released with a certificate that lasts longer than the EOL for the distro.
Some people (not necessarily me) don't consider Windows to be Linux's enemy.
I'm curious who might think this, considering that Microsoft has declared Linux their biggest enemy. If I'm someone's enemy, they are my enemy. That's just how it works.
This also puts us in the unfortunate situation of having our hobby destroyed by corporate interests. Oh well.
You're suggesting one tool for every job. This hasn't been the case for a very long time. The same Linux flavor used as a server should not be the same Linux flavor used as a desktop.
Why? It's easier to maintain one OS than two. If there's one OS that can do the job very well on both, and there's no downside to using the same OS on both besides wasted disk space from unused packages, why not?
I'm a Red Hat Enterprise Linux customer, with several AS and a dozen ES subscriptions. We chose to purchase support to allay the fears of those in our organization concerned about using unsupported software. All of the factors that made us choose Red Hat for this are caused by the large installed base. (Familiarity within the organization, community support, stability, approved by certain software vendors such as Sybase, and ability to run a very similar distribution on important servers, desktops, and home machines). The quality, accuracy, and response time of Redhat's support generally pales in comparison to the quality of web searches and "community" support. Clearly Redhat made a business decision to hire cheaper rather than more knowledgeable support staff. As the installed base of Redhat decreases due to recent changes, I worry that the quality of support I am able to receive on my Red Hat Enterprise Linux systems will similarly decrease. I'm also concerned that I will no longer be able to run a similar distribution on both important servers and desktops / test servers / my machines at home. I'm now seriously investigating other Linux distributions due to these issues.
My feelings are the same as those of every Red Hat Enterprise Linux customer I've talked to. What will Red Hat do to retain the benefits that were caused by its market dominance when it has clearly indicated that it no longer wants to maintain such market dominance?
Does Redhat have anything on these discs that can't be redistributed? For example, little pictures of a guy wearing a hat? Or BSD-licensed software that Redhat has re-licensed under a more restrictive license?
Sure, Red Hat Enterprise Linux will be all but bulletproof and stable, but what about those of us who aren't using linux to displace Solaris or NT Servers?
No it won't. It wasn't any more stable in the first place. But now they're losing a HUGE base of testers. What is going to make RHEL stable? It is going to get LESS stable!
Mandrake was #2 on my list, but I was a bit taken aback by the LG-CD fiasco,
It's a valuable lesson of why to use the official kernel and not one with a bunch of random patches.
Most distributions have this problem. I don't know why even supposedly "stable" distros have nonstandard kernel patches. It just happened to bite Mandrake in a hardware-damaging way. Random crashing can easily cost more than a CDROM drive.
Indeed. In fact, the US public education system was designed to keep people uneducated and docile.
In that picture you can also see sprinklers! Oh my.
Really? Where can I download the latest SuSE?
Is the average desktop user even going to be able to tell the difference between graphics mode and text mode with curses(-like) menus?
Sweet!
Is there any way to mass-download music from mp3.com? Seems rather a good idea now.
I can't wait!