Slashdot Mirror


User: rdebath

rdebath's activity in the archive.

Stories: 0 · Comments: 558

Comments · 558

  1. Re:Why???? on Grad Student Project Uses Wikis To Stash Data, Miffs Admins · · Score: 2, Informative

    When the chunks are encrypted there is no way of knowing who the appropriate AA is. As all you have is a little chunk it's impossible to decrypt because the underlying compression layer is missing important data and so you cannot even check your decryption.

    You may be able to identify a piece of gzip by frequency analysis as there's a tiny bit of entropy left but a modern compression (7z, rar) will probably leave nothing to distinguish the particular chunk you have.

  2. Re:[Don't] Profit! on No More D&D PDFs, Wizards of the Coast Sues 8 File Sharers · · Score: 1

    Next time someone tells you to take a chocolate you better make a copy then.

    You're the one playing word games; you're mixing the "take/remove" definition of take with the "take a photograph/take a copy" definition. This is no different to the "He's going to take my daughter" wordplay.

    Oooh, does this mean "take her photograph" now means "**** her brains out" ?

  3. Re:Internet Backbone DDOS in 2002 on Could the Internet Be Taken Down In 30 Minutes? · · Score: 1

    All you need to do is fetch and use ftp://rs.internic.net/domain/root.zone.gz and you're independent of the root name servers.

  4. Nope, not at all on Texas Senate Proposes a Budget With a No-Vista-Upgrades Rider · · Score: 1

    It's more like saying you must stay with OSX-Tiger and not upgrade to OSX-Leopard.

    It's simply saying "Must Try Harder".

  5. Re:Web standards on Microsoft's New Multiple-Browser Tester · · Score: 1

    Closer, but I wouldn't want to tell it how many columns because I don't know what height the screen is so I don't know how many columns are needed to display the text. It's like "list mode" in windows explorer where you use horizontal scroll to see more text.

    I imagine CSS will eventually have this sort of thing, or you can probably use javascript to hack it in but it will still be bogged down by so many bad early choices.

  6. Re:IETester on Microsoft's New Multiple-Browser Tester · · Score: 1

    Horrifyingly about a quarter of a percent are still using IE5. I really, really, hope they are faking their UA string ... please.

  7. Re:Web standards on Microsoft's New Multiple-Browser Tester · · Score: 2, Interesting

    Pro Tip: Presentation matters as much as the content. In fact, presentation *is* part of the content.

    Yup, spend too much time on the fluff and there's no content left for the meat.

    As for Hutnick's site it's definitely a case in point. He's using (almost) plain HTML and what should have happened was that your browser would supply your favourite style sheet so that it doesn't look ugly and bland to you. That way the web is an information source and nobody needs to create the fluff.

    Of course, then Microsoft declared the browser wars and everybody started bastardising HTML. Some people who understood the original hope got a committee together and started on CSS for the publishers who demanded complete control, however, it looks like most of them misunderstood the requirements so CSS has no reasonable layout engine (eg: a "stretchy grid") and even where it is workable it has weird and unintuitive hidden rules (inheritance and weights) that cannot be learnt by example (ie visually), a rather serious flaw in a language for visual presentation by primarily visual people!

    Javascript isn't too bad. (faint praise; Okay, okay it's actually a damn good language now) The original implementations were flaky but that's mostly gone. Its only real problem is the object model and yet again Microsoft are the main criminals here. Still the language is probably good enough to fix everything ... if noscript lets it.

    Arrrg! CSS is CRAP! There I said it. The only way the inheritance and selectivity rules can be used is to minimise their effects and as for layout you basically have to pin everything to a static grid and pray your boxes and gaps are big enough. Sure there are a few simple layouts created by "CSS gurus" that will do the right thing almost every time, almost. But don't expect more than three stretchy columns or any sort of column wrap. As for doing something a little original like having the screen laid out with a fixed height and adding columns as the content increases ... yea, right!

  8. Re:Can they not use... on Are Long URLs Wasting Bandwidth? · · Score: 1

    This is the site you were looking for.

  9. Re:Seems like a futile attempt on .CA Registrar Trying To Preempt Conficker · · Score: 2, Informative

    On the contrary, conficker looks very much like something that harkens back to the bad old days. True it doesn't have the hard memory constraints of a boot sector virus but it's not bloated nor is it just a primitive script.

    It uses strong crypto to protect its updates, it uses peer to peer to distribute its updates and code obfuscation that puts the best of the old school to shame. The obfuscation is so good in fact that it's proving to be a serious barrier to pulling apart the new peer to peer code; it can't stop it being decoded but it may be able to delay it past 1st April.

    Even this little technique of generating domain names to check for update distribution points is very unusual.

    All this does mean that people are worried. The botnet that exists has sufficient potential for damage in the hands of anyone but these people have shown an unusual level of technical skill for botnet builders and there is a clear danger that they have come up with a new and interesting use for the botnet.

    All things considered it may be the best result if it's just being sold to a spammer for a few dollars a machine.

  10. Re:So on Australia's Vast, Scattershot Censorship Blacklist Revealed · · Score: 1

    Not likely, the list's been out a couple of days now, anything actually illegal will have been 404'd.

  11. Re:Shape don't throttle on Morality of Throttling a Local ISP? · · Score: 1

    Damn, [preview] not [submit]

    You may need to use active responses against some users. This isn't a problem but your responses should always be in 'Tit-for-Tat' mode. If they do something bad now respond now but remove your response as soon as possible and forget that it ever happened. Don't put a user into the doghouse, make sure they invite themselves every time.

  12. Shape don't throttle on Morality of Throttling a Local ISP? · · Score: 1

    My suggestion for shaping ...
    • Place a traffic shaper before your uplink; arrange it so that inbound and outbound are limited and shared by the box.
    • The box should share the available bandwidth between customers (possibly customer IP addresses) not between TCP sessions and definitely not by protocol; don't get sucked into the P2P arms race.
    • Within each bucket (ie for each customer) give certain packets an advantage over everything else, eg. ssh from an interactive session, small packets in general. Maybe http/https, not smtp.
    • Maybe give your webcache priority over this so if people use your cache they get a better deal. Transparent caching is probably a bad idea though because you would then need to make sure the cache works perfectly 24x7 and it's a complex beast.
    • Don't forget to make sure your machines are in the rotation, in particular your boss's PC.

  13. Stupid Idea on Clear Public Satellite Imagery Tantamount to Yelling Fire · · Score: 1

    I used Google Earth to print out nice images when I went to do Jury service. It meant I could use public transport to get there and actually reduced the costs as I didn't have to either (1) drive my car and park it at an extortionate rate every day or (2) take a taxi at the same kind of cost. Instead I was able to see an alley and a walking bridge across the river that was just a dotted line on a normal map.

    This was a DIRECT cost, I expect there will be many indirect costs.

  14. The real Reason Gopher died. on How Moore's Law Saved Us From the Gopher Web · · Score: 1

    It's really very simple, but it's a small technical detail that seems minor at first sight.

    When you connect to a Gopher server it waits for you to send a string (just like HTML) this string is the name of the item you want. HTML is almost the same, except you put a command (GET, POST...) in front of it. This is not important because you can easily run an HTTP site with just GETs.

    The difference is that Gopher immediately gives you the file, whereas http gives you a status code and file type then the file.

    Why is this important? Well it's not, if the world is perfect, but in the real world things change so the "selector" that was valid yesterday and pointed to an image might not be valid today. But the server doesn't know it used to point to an image so it goes and returns the main site page which isn't an image. At this point the client throws a tantrum.

    This means that the only links you can reasonably do are to your own site or to the root of someone else's, no deeplinking, no "intergophers". OTOH, because http returns the status and type there are lots of options if things move, but none of them are a client program crash (normally!). This also applies to links you make, ie no bookmarks, so you don't remember where that important document was on the gopher server, but you a (safe) bookmark directly to the http location.

    HTTP wins, html comes along for the ride, Ooops!.

  15. Re:Wait, really? on Game Developers Becoming Similar To Hollywood Studios? · · Score: 1

    Not really, there have always been plenty of "B" Movies.
    Of course there used to be a few "A" Movies too.

  16. Re:Another way to mess with UAC on UAC Whitelist Hole In Windows 7 · · Score: 1

    You're thinking single user, it's quite reasonable for multiple users to use a machine, even at the same time. So sending debugging tools to the outhouse is not the solution.

    Furthermore, it's often the right thing to run the debugger on the user's machine so you can actually see WTH the user has managed to break.

  17. Re:Another way to mess with UAC on UAC Whitelist Hole In Windows 7 · · Score: 1

    You've got that the Windows UAC way round. The difference is that root always has full access.

    The simple rule could be, "you can ptrace a program if you can write to the executable"

  18. UAC is WRONG, but "the right way" is easy. on UAC Whitelist Hole In Windows 7 · · Score: 1

    They've got part of the right idea in that it shouldn't be possible to "work" (or play) as the real Administrator but the way they've completely fucked up the NT security model is really the pits.

    To see what to do they only have to look at the unix world. Firstly it's pretty common that X (or rather common login programs for X) will refuse root. Then any program that has to be security conscious and doesn't need root will also refuse to run under root. Many programs that need root to start with will discard root privs when they have done the tiny bit of setup that they need root for.

    The point is there are two distinct classes here and users need to know it.

    We wouldn't want a Windows that has to be administered from the command line but you can do almost as well. If the Administrator account could only be used from what looks like an 800x600 local loopback RDP connection I think the social pressure would slam the admin requiring developers full force. If to this you add some simple things like IE, Winword and Outlook refuse to run in that little admin window it becomes quite obvious that there are two classes of program, system and user. You can actually SEE them, programs that run on the blue desktop are user programs, the ones on the burgundy desktop are system.

    It neatly sidesteps the need to logoff to do admin jobs as you just start the 'Administration client'. Also if the 'client' program takes over the desktop when it's given focus it has the security of a private desktop against things like a 'shatter attack'.

    The best part, it's simple, nearly all the code exists already and you just need a couple of minor tweaks to the default winlogon and the user applications. Sure it would be easy to override but that's not a problem, in fact I think there should be a downloadable winlogon/IE update to do it.

    The point is to clearly divide user programs from administration programs and to continually show the users the difference but without making "the right way" a complete PITA.

  19. Re:UMSDOS as prior art? on Has Microsoft's Patent War Against Linux Begun? · · Score: 1

    Yes, quite easily.

    I think Microsoft would try to say that hacking the extra attributes into the existing directory entries is important. But most programmers would say it's just really, really stupid. It caused a lot of problems at the time and frequently broke if a non-ms driver touched the filesystem.

    OTOH, UMSDOS only broke if your program reordered or sorted the directory entries in some way and it was a rare program that did that without an explicit 'sort the directory entries' request.

  20. Do you want to keep it just in case? on Homemade PDF Patch Beats Adobe By Two Weeks · · Score: 1

    Don't cha just love the way the idiots rally round to say nothing can be done.

    Just because the Yes then No questions only protects lazy idiots doesn't mean it's worthless. You know I think the marketing department must write all the Microsoft 'Confirmation dialogs' because they read like marketing copy ... always positive, never mention anything in a negative way, never let the mark even think of the 'N' word.

    Then again here's a nice way of saying it ...
    Do you really want to delete everything (y/N)?
    Do you want to keep it just in case (Y/n)?

  21. Plus an afterthought .. on Norwegian Websites Declare War On IE 6 · · Score: 1

  22. It's so easy you don't need scripting! on Norwegian Websites Declare War On IE 6 · · Score: 1

    If you use Microsoft conditional comments it's perfectly simple.

                    <!--[if IE]><![if gte IE 7]><![endif]-->
                    <link rel="stylesheet" type="text/css" href="css/main.css">
                    <!--[if IE ]>
                    <link rel="stylesheet" type="text/css" href="css/ie.css">
                    <![endif]-->
                    <!--[if IE]><![endif]><![endif]-->

    Getting that into a TEXT slashdot message OTOH is not.

  23. Curing XSS on Attacking Local Browser Storage · · Score: 1

    Curing XSS should be as easy as bolting a door!

    The problem is that any part of a site can say "trust domain.xex for this important code". But security needs to be simple to use and a full site audit is not simple.

    My suggestion is a simple tag at the top of an html page that says two things.

    1. This file is a top level page and may not be rendered inside a frame.
    2. Only use files from "this" list of hosts to render anything in this window.

    In an ideal world a browser that doesn't understand the tag would display a nasty warning or error too.
    It might be that this suggestion won't work. But there is one that will because SSH is secure.
    However, that's not important, the most important part is Keep It Simple...

  24. WTH! on NVIDIA Responds To Intel Suit · · Score: 1

    At the heart of this issue is that the CPU has run its course and the soul of the PC is shifting quickly to the GPU. This is clearly an attempt to stifle innovation to protect a decaying CPU business.

    Now that is true talking out of your arse!

    Yup it's looking like the GPU will be following in the footsteps of the FPU.

  25. Re:if you think it's over... on Pirate Bay Day 3 — Defense Requests Dismissal · · Score: 1

    Not at all it's very easy to compare; Pirate Bay consists of four main pieces.

    1. A blog or a place where the owners of the site can put any messages or news items they like
      Just like the BBC.
    2. A method of uploading small copyright free files for distribution to a wide audience.
      On Pirate Bay they have a 'torrent' extension, on the BBC they have a 'jpg' extension. You can upload pictures from your phone to the BBC.
    3. A commenting scheme where users can upload text comments attached to just about anything on the site.
      Just like the BBC.
    4. A rather simple messaging board where you can post short random character strings with an internet port address and download lists of the strings other people have posted.
      This is a tracker, I separated it out from the previous one because the lawyers are trying to and there are technical differences in the exact method of implementation.
      But really is a collection of these "dd2edb87ea9eb7a32fd4057276d3a1fab861c1d5 74.125.45.100:80" an illegal message! Or maybe they're illegal links?
      "bt://74.125.45.100:80/dd2edb87ea9eb7a32fd4057276d3a1fab861c1d5" ?

    From a technical point of view, without looking too closely at the content there is little difference between how the Pirate Bay website works and the BBC works. Some minor protocol differences but that's all.

    But the content makes all the difference, have they done something illegal, or how about something wrong? Perhaps, but I don't see how you could prove any intent to harm anyone. There's no direct monetary gain from the copying, the adverts are indirect gains and prove nothing really because they will still get money from them if every file torrented is strictly legal. Without some sort of intent it will be difficult to get anything more than a wristslap even if they are convicted of something.

    Who knows maybe all the filenames on Pirate Bay will have to be rot13'd