Slashdot Mirror


User: nsayer

nsayer's activity in the archive.

Stories: 0 · Comments: 1,617

Comments · 1,617

  1. Re:The security of any protocol on AirPort 3.3 Extends WPA Security · · Score: 1

    Security is a holistic thing. The weakest link and all that. It's not that I'm making the protocol 'dependent on the rest of the system,' it's that I'm having each piece of the system do its job.

    I'm not suggesting that 'a' and 'b' will be a strong pair in the circumstances, merely that '9d42f3054f4bed06e0f9a982ccaaf383' won't be necessary to the extent that it is in the face of offline attacks. That is, that the amount of entropy you need to be secure goes down substantially when you are resistant to offline attacks and have taken some steps against online attacks.

    As for DOS, there are tons of financial sites that have the exact controls I described and so far as I am aware, they don't suffer the way you describe. I suppose if everybody and their uncle started trying online dictionary attacks things might change, but though in theory there's no difference between theory and practice, in practice, there is.

    And when you talk of spoofing and resistance to offline attack, I think you may be mixing metaphors. If I can put up a dummy server and collect the credentials that way, why would I bother with an offline attack?

  2. My TiBook does something similar on Apple Starts Logic Board Repair Program · · Score: 1

    Unfortunately, it's out of warranty, and I didn't AppleCare it, so I'm screwed.

    If I flex my TiBook ever so slightly or put a little bit of pressure (not very much) in the wrong spot, I get green "crud" (random horizontal lines) all over the screen. The crud winds up in the VRAM, because if I drag a window, it stays in the same spot *in the window*, even if I take the corrective action (flex the case the other way or tickle the other secret spot). If I drag a window off the screen and back on when the machine is in the good state, then the window redraws correctly.

    I mean, it's still usable, but programs with very active displays look horrible when it's happening.

    I've also got issues with the Superdrive making disks that are unreadable in other machines and not being able to burn CD-Rs at maximum speed, but that's another post.

    We've got 3 macs at home, but this TiBook is the red-headed stepchild of the bunch, I guess.

  3. Re:The security of any protocol on AirPort 3.3 Extends WPA Security · · Score: 2, Interesting

    I'm not sure I agree. If the only attack available is an online dictionary attack, then the bar is significantly lowered if the service does the right things. It can rate limit to raise the cost, it can lock an account after small-n bad passwords are given, it can raise an alarm that can identify (at least to some extent) the intruder... All of these mitigations are useless if an offline attack is possible.
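
Added example, not part of the comment above and not code from any poster: the three online-attack mitigations it lists (rate limiting, lockout after small-n bad passwords, an alarm that identifies the source) in one login guard. The class and parameter names, the five-failure threshold, the doubling delay and the sample addresses are assumptions chosen for illustration.

```python
import hmac
import time
from dataclasses import dataclass

@dataclass
class AccountState:
    failures: int = 0          # consecutive bad passwords
    next_allowed: float = 0.0  # earliest time the next guess is evaluated
    locked: bool = False

class LoginThrottle:
    """Rate limit, small-n lockout and alarm for an online-only password check."""
    def __init__(self, verify, alarm, max_failures=5, base_delay=1.0,
                 clock=time.monotonic):
        self.verify, self.alarm, self.clock = verify, alarm, clock
        self.max_failures, self.base_delay = max_failures, base_delay
        self.accounts = {}

    def attempt(self, user, password, source):
        now = self.clock()
        acct = self.accounts.setdefault(user, AccountState())
        if acct.locked:
            return "locked"      # refused even when the password is right
        if now < acct.next_allowed:
            return "throttled"   # not evaluated, so the guess learns nothing
        if self.verify(user, password):
            acct.failures, acct.next_allowed = 0, 0.0
            return "ok"
        acct.failures += 1
        # Rate limit: each consecutive failure doubles the wait (1s, 2s, 4s, ...).
        acct.next_allowed = now + self.base_delay * 2 ** (acct.failures - 1)
        if acct.failures >= self.max_failures:
            acct.locked = True
            self.alarm(user, source, acct.failures)  # record who was guessing
            return "locked"
        return "denied"

def demo():
    """Constructed run: five wrong guesses from one source, then the real password."""
    now, alarms = [0.0], []
    # Constructed credential; stands in for a real hashed credential store.
    store = {"alice": "correct horse battery staple"}

    def verify(user, password):
        return user in store and hmac.compare_digest(
            store[user].encode(), password.encode())

    guard = LoginThrottle(verify, lambda *event: alarms.append(event),
                          clock=lambda: now[0])
    results = []
    for guess in ["a", "b", "c", "d", "e"]:
        results.append(guard.attempt("alice", guess, "198.51.100.7"))
        results.append(guard.attempt("alice", guess + "x", "198.51.100.7"))  # too soon
        now[0] += 60.0  # wait out the back-off before the next guess
    results.append(guard.attempt("alice", store["alice"], "203.0.113.9"))
    return results, alarms
```

None of these controls is ever consulted when the verifier can be run against captured data offline, which is the point the comment makes.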

  4. Re:WPA goodness on AirPort 3.3 Extends WPA Security · · Score: 1

    Yes, I know. But it's not just any RADIUS server, it has to be able to participate in the WPA stuff. I believe FreeRadius is the only open-source one that will do it, but configuring it all seems very, very painful.

  5. WPA goodness on AirPort 3.3 Extends WPA Security · · Score: 4, Interesting

    I'm quite happy with WPA-PSK (with the caveat that you need to pick a very strong passphrase to avoid offline dictionary attacks). My wife has an iBook G4 and I have a TiBook with a Linksys WPC54G in it and they all talk to a Linksys WAP54G. It was all miraculously easy.

    Then I had to get a couple of Windows laptops to work. That was misery!

    First, you must be running XP. I guess that's fair, since Apple says you must be running Panther.

    Next, you have to have a wireless card that has drivers updated with WPA support. Irritatingly enough, a WPC54G with the latest drivers will work, but a WPC55G (A+G card) won't because the drivers aren't updated. Grr!

    I did finally get it to go, but it was a whole lot easier on the Mac.

    I also wanted to set up WPA "Enterprise" with an eye towards deploying that at the office. I still haven't figured out how to get that to work, unfortunately. But the PSK variety was surprisingly easy.

  6. WPA PSK Dictionary attack on AirPort 3.3 Extends WPA Security · · Score: 4, Informative

    Not only is there a WPA PSK dictionary attack, it is actually an OFFline dictionary attack - meaning that the attacker can sniff a valid authentication, then take the sniffed data back home and run the dictionary attack on his own without involving the real gatekeeper (who otherwise would see n invalid attempts in a row and have a chance to raise an alarm).

    In general, any scheme where you send a random number to the client, he takes that and adds the secret sauce and sends it back for your comparison is vulnerable to offline dictionary attack.

    The good news is that you can pretty easily trash an offline dictionary attempt by making up a really long and obscure passphrase.

  7. Re:Not that stupid on Microsoft Revenue Up, Tries to Hook Third World · · Score: 1
    Exactly... except without the guns and death and disease and robbery and pain and anguish and destruction of human lives part.

    Well, I'd count all of the vulnerabilities that let worms, trojans and viruses run rampant through their products a form of cyber-disease, and their conviction under anti-trust laws indicates that they are guilty of a form of robbery. And believe me, they've caused plenty of pain and anguish - arguably as much as drug dealers since they cause that pain and anguish on so many more people (but in smaller doses). They've destroyed plenty of other companies, again through their anti-competitive behavior. Not people, but there the distinction is merely of degree.

    I do agree with you about the guns and death thing, though.

  8. Re:Notes on the Print Server on Review - Mac OS X Server 10.3, Part 2 · · Score: 1
    OS X Client's USB printer sharing is a completely different mechanism that essentially tricks other computers into thinking that a shared USB printer is in fact connected directly to the local machine. This allows USB printer drivers to work correctly.

    The world needs more information on how this is accomplished. I have a Canon i960, which has drivers of that sort which prevents me from sharing it with the one lone Windows machine we have sitting around (for my wife's work), so far as I can tell. What I really want is a little box that will share it as a JetDirect for the Windows machine and make it work as required to do the phony USB style sharing for the macs. Has anyone worked this sort of thing out either with a FreeBSD (or Linux) machine or with the right kind of print server box?

  9. Re:Hmmm on A Look Inside Virginia Tech's New Super Computer · · Score: 1
    I got my hands on a g5 recently, and the first thing I did was bin the mouse it came with. It's not even unwrapped.

    Here's what I am using now instead (no, I didn't steal my wife's. I bought another one).

    I may bin the keyboard too. The jury is still out. But the rest of the hardware is, how shall I put it, "Insanely Great."

  10. Re:More like the calm before the success storm on Microsoft at the Tipover Point · · Score: 2, Informative
    I'll agree that there is no free IDE that can throw up a GUI as quickly and as well as MS

    Then you've never used Interface Builder. I've done GUIs in both VS.Net and Xcode/IB, and I can assure you that the latter is faster, easier and results in far better products in less time.

    Of course, it depends on what you mean by "free." IB is free as in beer. But, of course, Visual Studio is neither beer- nor speech- type free.

  11. Re:Of course, the question remains: on Satellite Radio Systems Compared · · Score: 1

    XM puts an "xL" at the end of the channel name if that channel has explicit language on it. Those are pretty much the only channels I care to listen to.

    There are 3 comedy stations on XM - one is xL, the other isn't (the 3rd is all morning shows all the time).

    I like Squizz the best, and I was listening a couple weeks ago when the DJ accidentally started a radio-edit version of a song. As soon as the lyrics started dropping out, he actually interrupted the song with "Oh, fuck that!" and started over the album version - lyrics intact. It was a pretty funny moment.

    For those who are challenged by strong words, they will block any station you don't want to hear if you call them up. I'm happy for the same reason I was happy about the V chip and TV ratings: If it's labeled and they can opt-out, then they have no excuse to demand censorship.

  12. Re:AMD 64bit CPU's and linux on Slashback: Hilbert's, Transgenic, Silicon · · Score: 1

    Oops. I've been corrected... Win31 was LP32. I found a page that talks about all of this stuff.

  13. Re:AMD 64bit CPU's and linux on Slashback: Hilbert's, Transgenic, Silicon · · Score: 1

    There is a standard notation for this sort of question.

    Most of us work with environments described best as ILP32. That is, ints, longs and pointers are 32 bits.

    So far as I have read, most of the time folks talk about 64 bit arches, they mean LP64 (ints are 32 bits, longs and pointers are 64 bits).

    Windows 3.1 (without win32 extensions) was IP16, for what that's worth. Ints and pointers were 16 bits, longs were 32.

  14. Microsoft cannot make non-Windows x86 software on PC Annoyances · · Score: 2, Insightful

    Let's go back in time a bit.

    A while ago, Microsoft released IE for Solaris. Sparc solaris. Not x86 Solaris. It wouldn't have cost them anything but typing 'make' on a Solaris x86 box, but they would not do it.

    If Microsoft were to release software for non-Microsoft x86 operating systems, then they'd be helping to validate the proposition that Microsoft is not the only game in town. They simply cannot afford to do that (there are a couple cases where they have done so - the .Net framework for FreeBSD being one. But there they were trying to build an even bigger replacement monopoly, so it made some sense).

    If Microsoft releases Linux office on Monday, Dell will start selling Linux desktops on Tuesday.

    Maybe if Microsoft actually loses its monopoly status in operating systems, we might start to see them port their software, but they're working very, very hard (and playing very, very dirty) to make sure that won't happen. Ever.

    And every product of theirs anyone uses (note I didn't say "purchases" - even users who pirate their shite help keep them in control) helps make it possible.

  15. It's not the addresses, it's the routes on Dispelling the IPv4 Address Shortage Myth · · Score: 1

    Last I heard, the big issue that was going to be the "death of IPv4" was the growth of the non-default routing table.

    Almost every internet host and router has a default route pointing to their upstream. At the core of the internet are a collection of routers that do not have default routes, but instead must be able to find the next hop for *all* hosts.

    Because of the haphazard allocation of IPv4 addresses, it's relatively difficult to aggregate those routes, and so the routing table is very large. It takes very expensive machines to keep up.

    IPv6 is not required to fix the problem, per se, but it would require a complete re-addressing of most of the existing Internet. The reason we're where we are is that when those legacy allocations were made, no one had any clue that the Internet would be as pervasive as it is. Now that we know better, we can insist on better aggregation. IPv6 was designed with this in mind, but the biggest contribution will be that aggregation of routes will be insisted upon from the start. That means that the non-default routing table will be vastly smaller, and the core routers will scale much better.

    At the same time, it is true that we've managed to stretch IPv4's address space through abominations like NAT and name based virtual hosting. I'd hardly call that a victory.

  16. More to it than that. on Apple, Scully, And Intel vs. Motorola · · Score: 1
    There's more to the question than is being stated.

    How would Apple have used Intel/AMD chips? Would they have made a unique architecture the way they currently do? If that's the case, then it wouldn't matter all that terribly much which processor they used. I actually blame the performance gap Apple used to suffer on Motorola. Now that Apple's gone with IBM for their processing future, that future looks brighter than it ever has. And as the comment in the article said, could the outcome have been predicted at the time?

    Or would Apple have been PC compatible? If Apple did that, they would cease to be a hardware company overnight. They would instead have followed in the illustrious footsteps of BeOS, Solaris x86 and that little thing you may have heard of a while ago called NeXTStep. All compete (or competed) directly with Microsoft and all of them failed to make any inroads. A lot of the blame for that lies in Microsoft's anti-trust violations, but that doesn't alter the outcome. Linux and *BSD have done well, but as open-source software their growth stems from an entirely different mechanism. I don't think that anyone would seriously argue that if Linux had been done as a commercial OS by a traditional OS company it would be where it is today.

  17. Standards compliance trumps all of these concerns on Microsoft Wins Browser War, Abandons 'Innovation' · · Score: 1

    Want to make the world a better place? Make it so that it truly does not matter which browser is being used.

    Run your pages through http://validator.w3.org . If you use a content creation tool, and its pages don't validate clean, complain to your vendor that their software is broken.

    Without exception, every page I have ever seen that didn't render the same on multiple browsers did not do so because it had nonstandard HTML that caused the browsers to resolve the inconsistencies in different ways.

    From my perspective, the User-Agent: request header for HTTP was the worst thing that was ever done to the web. It should just. not. matter.

  18. This is easy to fix. on MPAA Calls for Ban on Screeners · · Score: 1

    Damn near every channel on TV has one of those stupid logos in the bottom corner. Seems like it would be no problem at all to put a serial number down there. If all of the movies had their screeners numbered this way, then there'd be no way for the judges to 'punish' an individual film for doing it. The pirates would have to black out that corner (and maybe that number could move around from place to place). At best, it would discourage insiders from giving away copies, and at worst it would make the pirated editions look more obvious.

  19. Re:Firewall good, NAT bad on End Of the Line for SpeakFreely: NATed to Death · · Score: 1

    So it's not the NAT that you like, it's the small little box that sits between you and your cable or DSL.

    So long as you admit that you would be equally well served if the little box did 6to4, IPv6 firewalling and NATPT, I'll happily agree: It's nice to have a little box from Netgear instead of a PC do the dirty work.

    But given your agreement to the above, it's not NAT that you want. You're just willing to put up with it because you don't currently have a choice.

  20. Firewall good, NAT bad on End Of the Line for SpeakFreely: NATed to Death · · Score: 1, Insightful

    It astonishes me how people believe that they derive security from NAT. It's like saying blind folks are fortunate because they don't have to see ugly things.

    It is trivial to achieve the same level of security in a firewall as you get with NAT. IPv6 will need firewalls just like IPv4 does. The difference, however, is that if you *want* to allow a certain type of communication to more than one host behind the firewall, you don't have to do a bunch of tortured port mapping nonsense (which often isn't good enough).

    NAT breaks the Internet. If you like NAT, you should be using AOL instead.

  21. Alternate DNS roots on Resolving Everything: VeriSign Adds Wildcards · · Score: 1

    There is only one thing that keeps the current power structure in control: The widely distributed named.cache file. Perhaps the first thing the alternate root servers can do is filter this abomination. That might get folks to switch in larger numbers. If enough people start using an alternate root, we can begin to break the DNS monopoly (don't think that because there are multiple registrars that there isn't a monopoly). That can only be a good thing.

  22. Easy firewall fix on Resolving Everything: VeriSign Adds Wildcards · · Score: 1
    Although it's not perfect, we all can return to the former state by having our firewalls reject TCP connections to the wildcard address. Something like this (for IPFW users):

    add 1 reset TCP from any to 64.94.110.11

    Alas, the informational message will say something like "connection refused" instead of "host not found," but in many ways the error condition will be superior to what there is now.

  23. Re:The spec is there... on Slashback: Bouncing, Taxing, Releasing · · Score: 1

    No, what you actually said was that you wanted a replacement *system*. What I said was that the server side of the *system* was already in place and that all that is required is to develop the *client* side.

    The fact that you now say that you already knew that "the framework exists" was not entirely obvious, since you said you were not a developer.

    So sorry that I mistook what you said for what you meant. I should have known better. After all, this is Slashdot.

  24. The spec is there... on Slashback: Bouncing, Taxing, Releasing · · Score: 3, Insightful

    The replacement for an exchange server is simply an IMAP server with messages that contain trivial messages that are used to contain the new spec for Contact and Calendar information as a MIME attachment.

    What's necessary is for more e-mail / calendar / address book programs to make that paradigm available so that it can become the standard for doing such things.

  25. No grid in the future on A Fully Distributed Power Grid? · · Score: 1

    I actually think the future has the electric grid going away. Instead, each building will have its own fuel cell electric generator supplied at first by natural gas, with the natural gas infrastructure transitioned over time to hydrogen.

    One advantage I see is that if people are doing their own generating, they're far more likely to augment with alternative technologies like wind or solar.