No need to be condescending. I use FOSS all the time. Yet, AFAIK, there is no such mechanism that lets a developer introduce security fingerprints which "tag" a critical section of code, and which the compiler adds to the binaries, in such a way that after compiling source locally, you can check critical parts of your binaries on compliance with the "official" fingerprints. Or am I mistaken ?
There is no mechanism in most compilers/linkers that allows you to recreate the exact same executable that someone else built, byte by byte. You would need a compiler to be hundred percent deterministic. I could imagine some optimisation algorithms working better with some randomisation, so that wouldn't be possible. a+b could sometimes translate to "load a, add b" and sometimes "load b, add a". Things like the __FILE__ macro in C or C++ include the full path of the file, which is different on your machine than on mine. And of course you'd need the exact same build environment. Exact same version of every library that is used.
This is why the FIRMWARE of phone radio CPUs needs to be fully open-sourced. Until they are, there is no way to audit them for privacy concerns nor modify them to close such loopholes.
"Fully open sourced" means at best you get the source code for what is claimed to be the firmware. The question is whether an open source or closed source implementation makes it harder for an attacker to insert malicious code. Obviously assuming that the attack code would be in the source code that you get is more than naïve.
Interesting how your opinion forgets that Samsung has been trying to stop Apple from selling iPhones. Samsung has actually been threatened by the EU with a fine of up to thirteen billion dollars if they continue patent trolling against Apple and others.
All this is to say, anyone who believes they are superior because they were born X or Y is missing the point. People of any ethnic or religious background can achieve the same "level" by helping to make the world a better place. You are judged by your deeds, not your words. That's all that matters.
I think the point was that people who _believe_ they are superior will also believe they _can_ achieve something that others can't and _sometimes_ will succeed, while people who don't believe this may not believe that they can achieve something and not even try.
There are the victims of the Dunning-Kruger effect; those who are quite good at something but don't believe they are, and who may be held back by this. Same person but feeling superior may succeed.
Wrong. Four words, out of 20,000 or so words that a typical literate person would know, gives 20,000^4 combinations, or a total of 1.6e17 possible combinations. That's about 57 bits of randomness right there, harder to crack than a DES key, and that's only if you *know* for certain that they're using an XKCD 936-style password. Yeah, I know that's in range of a massive distributed cluster: a DES cracker can be built for US$10,000, that can recover a key in six days, but it's still a fair sight better than the rubbish we have today. If you really care, use more words. Nine words is all you need to get to 128 bits of entropy.
You can also use hashing algorithms that take longer. Apply the hashing algorithm a few million times, for example. For example, the iOS passcode hashing algorithm is calibrated to take about 1/10th of a second (and uses a 256 bit key burnt into the CPU and not extractable, so you can't run it on an array of GPUs, only on the original iPhone).
If a website knows enough about my password to know it's not secure, it knows too much about my password. All it should ever get is my password hash. Of course, they could build some logic into the endpoint code that checks for the obvious, but that should be as far as they're able to go.
On the other hand, password strength could be checked on your computer with some JavaScript. Which might not be safe enough, so it could be a function of the browser itself.
The real problem is that the government has *not* done this. Instead, they have threatened the ISPs that they *will* if it isn't done voluntarily. And all thanks to one shrill unelected bitch on a committee who for some reason has a direct line to Cameron. The "support of millions" is from the hypocritical mouth breathers at the Daily Fail and the cretins who read it.
Just saying: If you have BT as your ISP, every time you connect a new computer to the router you will be asked whether you want censorship mode turned on or not, you click on "no", and that's it. It happens only once per computer. (Might happen again if your WiFi card in a computer breaks and you buy a new one).
What's the bigger problem here - that people choose insecure passwords, or that the systems involved ALLOW them to choose known insecure passwords?
You didn't read anything here, did you? Using a totally insecure password to download some rubbish stuff from the Adobe password _is not a problem_. What's the worst thing that can happen _to you_ if someone guesses your password on that site?
Now take passwords on Slashdot. That's just _slightly_ more serious. Someone could post rubbish under my username, which would be annoying but no big deal really. I bet the number of 123456 passwords on Slashdot is a lot lower. Now take passwords on Paypal. If you get my Paypal username and password, that could be mighty inconvenient and possibly costly. I bet that Paypal passwords are a lot more secure. And I would really, really hope that Paypal keeps my password a lot more secure than Adobe does.
How about "Create a mixed-case password at least 8 characters long, having at least one upper case letter that is not in the initial position, at least one lower case letter, and at least one digit and one special symbol that are not in either of the final two positions, and which contains no English word that is more than 4 characters"?
Note that for mobile users (iPad, iPhone, etc.) it is much more convenient and just as secure to have a _long_ password just with lowercase letters than a shorter password with all this rubbish.
Now for something like an iPhone where the keyboard is bloody small compared to my fingers, it would be great if the OS knew my passwords and secretly corrected it. Let's say if my correct password contains an L and my finger lands between K and L, but slightly closer to the K (no visible indication so an attacker cannot use it). We can discuss security.
Right. If you call yourself a C programmer with 15 years experience, and you don't know C11, then you're outdated. Junk heap.
You should be able to find your way around in C++ code. Even in jobs that are supposedly C jobs, you will run into C++ code. Someone with 15 years of C experience _who is good at it_ will learn C++ in a very short time.
Check out the Stanford iOS programming course on iTunes University. Good introduction to Objective-C which should be relatively easy if you know C, and iOS programming, and I suppose you will learn lots of new things (all the object oriented and event based programming) that will be useful in Android, MacOS X and Windows application programming.
Get a prepaid debit card, such as a GreenDot or similar.
Only put money on the card when you need to pay a bill, never link it to a bank account/credit card.
Since the card isn't linked to a bank account, there is no automatic charge mechanism that will work.
There is no legal contract between the guy and the ISP about this service. They offered a contract to use this service. You can't agree to a contract by doing nothing, so there is no contract between them. There should be no reason to go through hoops to prevent them from taking your money, just take them to court and get the money back.
Doesn't that mean that it's not a valid trademark? I thought that trademarks had to be defended, always, or they lost their status.
It doesn't say anywhere how hard you have to try. They can send a company with an established use of the name a letter "please stop using the name candy". A year later a letter "please stop using the name candy, because we have a trademark". A year later a letter "please stop using the name candy, or we tell our lawyer". A year later a letter "please stop using the name candy, we have a lawyer now".
The issue isn't that Hasbro should have already trademarked "candy", it's that "candy" shouldn't be able to be trademarked at all. It's a common freakin' word and should be able to be used in game titles and clothing w/o licensing.
Which shows you don't understand what trademarking is about. In the food industry, or sweets industry, "Candy" would be a commonly used word that couldn't be trademarked. In the computer games industry, it is very strongly associated with one specific game, and there will be many who try to capitalise on that name.
Single-core performance has gone from doubling every 15-18 months to taking 8-12 years to double. That means machines from the mid-2000s are only 30-40% slower at single-threaded tasks than modern machines.
Comparing a 2006 MacBook with Core Duo, a 2010 MacBook Pro with Core2 Duo, and a 2012 MacBook Pro, that's definitely not the case. There's at least a factor two in single core performance with each change.
I read your translation, which quite hits the mark. To me, Windows 8 has two problems:
1. While earlier Windows versions somehow managed to make the user feel like it was their fault if they couldn't figure out something, Windows 8 makes it look like it is Windows 8's fault. And vehemently so. That's why people hate it.
2. If you are an experienced Windows 7 user, learning how to use a computer with MacOS X is _easier_ than learning how to use a computer with Windows 8.
This is really creepy. Imagine twenty years ago that the feds would be able to detain you in a private place and get to inspect all your private photos, your call log, your agenda, friends, (snail) mail, basically all your private data, on suspicion of a copyright violation. What happened to 'presumed innocent until proven guilty by a court of law'?
You are quite ignorant about what is going on there. While being under suspicion of having committed a crime, you can be investigated, there can be search warrants, and so on, all while you are "presumed innocent". Then you may go to court. And there the judge tells the jury "the fact that this man is here in court and accused of a crime, and the fact that these policemen spent many hours looking for evidence, doesn't mean he is guilty. You start looking at him as 'presumed innocent'. Then the prosecution will show evidence against him, and the defence will show evidence for him, and then you decide based on the evidence and nothing else".
The situation that happened was one where someone who was actually guilty and not investigated immediately would easily be able to destroy all evidence against them. You will be denied the basic human right of taking a shower if you are found near a body who was stabbed, with blood on your hands, and quite rightfully so.
Except the part where the EU has nothing waiting in the wings that comes anywhere near to the package Google offers.
Let's face it, Google cutting off the EU would bring the continent to its knees for months and months.
Not at all. Microsoft adds a few thousand servers to Bing, sells a copy of their server software to Amazon and Apple, and we'll never need Google again.
Marginalized people like Neo Nazis* aren't allowed to speak in countries like France and Germany, they know they're a minority so voting won't work, and no way that they would be allowed on a Jury. With that in mind it's surprising that we haven't seen more violence out of people like them.
Neo-nazis are quite handy in Germany. When kids decide to have a fight, they look for some neo-nazis to beat up instead of law-abiding citizens, so everyone is happy.
If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.
The NSA doesn't care whether you agree or disagree with them. They care about other things. For example, they might care that you once had a phone conversation with someone who once sat on the same bus as someone who is related to a terrorist. If you then disappeared, without having ever disagreed with the NSA, without ever having had anything to do with terrorists as far as you know, who would connect your disappearance with the NSA?
Convinced people things were secure when in fact it's significantly weakened to allow the NSA to spy on people.
Not sure what's the right thing to do, though. If the NSA tries that again on the RSA conference, wouldn't we want to have as many security experts present as possible?
Well you are correct, but other languages just throw an exception or error when you do something that ought to be undefined behavior. Many C / C++ undefined behaviors allow your program to keep running when you do something stupid.
Well, in some cases. Problems like a[i] = i++; go away in Java because it defines what should happen: The expression is evaluated strictly left to right, so the old value of i is stored into a[i], then i is increased by 1. Bad array indexes and nil pointers throw exceptions (which themselves will cause trouble if this was unexpected). But there are things like "restrict" in C which causes undefined behaviour if used wrong, but that is explicitly intended because it allows serious compiler optimisations.
I think I've seen two in twenty years. So they happen, but not often, and usually only when they run into very unusual code.
That's about my rate. Including one where the compiler gave a warning, which didn't match the actual C code, but did match the code generated by the compiler. But add a few occasions where a few people did swear it was a compiler bug and were proved wrong. One where converting -sizeof (int) to "long" produced a value of 65534. One (many years ago) where actually Sun compiler engineers explained sequence points to us:-( One where the same header file was included with different #defines which changed the size of a struct - for that one I could have killed someone.
He actually observed that different assembler code was generated - well how do you think you can generate _faster_ assembler code without generating _different_ assembler code?
The article does _not_ make any claim that any code would be working incorrectly, or give different results. The article _doesn't_ examine any user-reported issues. So on two accounts, the article summary is totally wrong.
Thought will die in the next twenty years or so.
Earth will die in a billion years or so.
Earth won't die as soon as thought.
That's not news.
Mind if I ask what sorts of issues?
A trivial one would be to use strncpy or the "safer" strlcpy to copy strings, and the result isn't valid UTF-8.
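The strncpy truncation problem raised in the comment above, as an added example that is not from the original thread: a strict UTF-8 validator and a bounded copy that backs off to a character boundary instead of cutting a multi-byte sequence in half. The sample string, function names and buffer sizes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if buf[0..len) is well-formed UTF-8 (no split sequences, no
 * overlongs, no surrogates, nothing above U+10FFFF), else 0. */
int utf8_valid(const char *buf, size_t len)
{
    const unsigned char *s = (const unsigned char *)buf;
    size_t i = 0, k, need = 0;
    while (i < len) {
        unsigned char c = s[i], lo = 0x80, hi = 0xBF;
        if (c < 0x80) { i++; continue; }               /* ASCII */
        else if (c >= 0xC2 && c <= 0xDF) need = 1;     /* 2-byte lead */
        else if (c == 0xE0) { need = 2; lo = 0xA0; }   /* no overlong 3-byte */
        else if (c >= 0xE1 && c <= 0xEC) need = 2;
        else if (c == 0xED) { need = 2; hi = 0x9F; }   /* no UTF-16 surrogates */
        else if (c >= 0xEE && c <= 0xEF) need = 2;
        else if (c == 0xF0) { need = 3; lo = 0x90; }   /* no overlong 4-byte */
        else if (c >= 0xF1 && c <= 0xF3) need = 3;
        else if (c == 0xF4) { need = 3; hi = 0x8F; }   /* max U+10FFFF */
        else return 0;                                 /* C0, C1, F5..FF, stray continuation */
        if (len - i < need + 1) return 0;              /* sequence cut off: the strncpy failure mode */
        if (s[i + 1] < lo || s[i + 1] > hi) return 0;
        for (k = 2; k <= need; k++)
            if (s[i + k] < 0x80 || s[i + k] > 0xBF) return 0;
        i += need + 1;
    }
    return 1;
}

/* The pattern the comment warns about: cut at a fixed byte count, regardless
 * of where the character boundaries are. Always NUL-terminates (cap >= 1). */
size_t naive_copy(char *dst, size_t cap, const char *src)
{
    strncpy(dst, src, cap - 1);
    dst[cap - 1] = '\0';
    return strlen(dst);
}

/* Bounded copy that never splits a UTF-8 sequence: if the first byte that
 * would be dropped is a continuation byte (10xxxxxx), step back to the lead
 * byte of that sequence and drop the whole character. Assumes src is valid
 * UTF-8 and cap >= 1. Returns bytes copied, excluding the NUL. */
size_t utf8_copy(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n > cap - 1) {
        n = cap - 1;
        while (n > 0 && ((unsigned char)src[n] & 0xC0) == 0x80)
            n--;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Constructed sample: "café" is 5 bytes (c a f C3 A9); a 5-byte buffer
 * holds only 4 of them, so the é gets cut exactly in the middle. */
static const char SAMPLE[] = "caf\xC3\xA9";

int naive_truncation_is_valid(void)
{
    char buf[5];
    naive_copy(buf, sizeof buf, SAMPLE);     /* leaves "caf\xC3": lone lead byte */
    return utf8_valid(buf, strlen(buf));
}

int safe_truncation_len(void)
{
    char buf[5];
    return (int)utf8_copy(buf, sizeof buf, SAMPLE);   /* "caf", 3 bytes */
}

int safe_truncation_is_valid(void)
{
    char buf[5];
    size_t n = utf8_copy(buf, sizeof buf, SAMPLE);
    return utf8_valid(buf, n);
}

int main(void)
{
    printf("strncpy-style result valid UTF-8: %d\n", naive_truncation_is_valid());
    printf("boundary-aware result valid UTF-8: %d (%d bytes kept)\n",
           safe_truncation_is_valid(), safe_truncation_len());
    return 0;
}
```

The same back-off applies to strlcpy or snprintf truncation: the byte budget is honoured, but the validator still has to run on whatever crosses a trust boundary, since the caller cannot tell a clean cut from a split sequence by length alone.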
A programming language for the ages: C11