"the bigger the island of knowledge, the bigger the shore of ignorance".
It's the opposite (sorta). The more you expand the shore of knowledge, the bigger the island of ignorance. The more we know and discover, the more we realize what we don't know and have yet to discover.
And then there's the ocean of information around the island that in the famous (paraphrased) words of Donald Rumsfeld, you don't know you don't know.
That it would force people to write down the passwords on sticky notes and very cleverly paste them on the underside of the keyboard is not realized by the bozos, or if it was, it did not bother them.
People keep trotting this out as if it was some horrible, boogeyman security practice.
Quite frankly, it's probably better than any other security solution. After all, humans have spent thousands of years working on physical locks, while electronic ones (like passwords) have only been around for a few decades. And, physical security is another legitimate layer of security. Sure somebody can break into your work place and grab your passwords. But they'd actually have to be physically there. And the cops are much more likely (and able) to respond to a physical break-in than to some virtual intruder entering virtual storage.
The worst thing that could happen would be to electronically store the passwords in plain text. You get neither physical nor electronic security. That should be discouraged.
That's easy. We'll just take away your sharks.
Sometimes, I wonder where the idea of putting comments at the bottom of an article comes from. It seems horribly inefficient from all perspectives except the commentator's, and a low barrier to commenting is counterproductive to any meaningful discourse.
Whatever happened to forums?
Slashdot's not a publication. It's a community with links to articles as topics of conversation.
The raison d'être of publications is producing articles and other pieces of content. The raison d'être of Slashdot is the community and the discourse on other people's content.
tl;dr: Without (an effective system for) comments there is no Slashdot.
Simple: It's a slow news day. Editors need something to rile up the troops to make their daily impression quotas.
ARE BELONG TO ME!
Stupidity is no excuse for doing bad things.
Which is to say, this stuff should be fail closed, not fail open.
Agreed. The "responsible" in responsible disclosure applies to both the researcher and the company. If the company is not responsible in their behavior towards the security hole, then there's no point in the researcher being responsible either.
Companies that have a bad track record of responsibility should have their security holes publicized immediately. After all, if they don't take their product's security seriously today, there's no reason to expect them to take their product's security seriously the next time around.
Even without an NDA, you'd be lucky if you didn't screw up somehow. Not only could you be revealing trade secrets, you could also misrepresent your company, or in the worst case, reveal insider financial or strategic information. Best to keep that line drawn, especially on a public forum.
By imperfectly mimicking the old Office GUI, the LibreOffice GUI (and UI in general) ended up falling into the uncanny valley. It sort of looks like MS Office, but because it differs in subtle ways both visually and behaviorally, it's off-putting.
If there's any OSS product that needs a UI redesign, it'd be LibreOffice. It'd be great if Mozilla could ship all their Firefox UI resources over, since it seems Firefox has so many choices they can't seem to decide which one to go with.
Guess who owns Columbia Pictures?
You got it: Sony.
It's yet another black mark for the company that can't seem to stop shitting all over their public image.
Maybe the more notable result of the study is that those who consider themselves moderate Republicans are easier to manipulate via selective informing. It explains the success of Fox News anyway.
You just increased your attack surface while offering marginal benefit. The increase in attack surface is certainly new.
You're also paying additional for it, both during purchase (to recoup the manufacturer's R&D investment and for the additional physical components), and then afterwards as part of the car's maintenance. The additional costs associated with the additional components are also new.
It's another attack vector, on top of all the existing attack vectors.
The attack vector these electronics close is hotwiring under the dash. This kind of attack doesn't happen as much as you think. More likely, people go for the GPS unit or some other item that's left out in the open, or your wheels and other easily-accessible parts. Stealing whole cars is rarer, unless you've got some collector's piece, and stealing whole cars via hotwiring is very rare. For stealing whole cars, there's a lot of low-hanging fruit, namely people who forget to lock their doors, people who more than crack their windows, or people who habitually keep the keys inside their car. And people who do steal whole cars for a living (usually for getting to less-accessible but more expensive parts) will have the equipment to be able to gain entry anyway, so it hardly matters.
The additional electronic security may close one or two attack vectors, but it doesn't close all of them, and certainly not the most important ones. So now the question becomes, is closing the one or two attack vectors worth the additional (literally) thousands of dollars worth of electronics as well as introducing an additional unknown quantity of electronic attack vectors?
From hacker's news, it seems this exploit is in PDF.js. If you're not running PDF.js, there's no security hole.
Their sun dials told them their time zone was off by half an hour.
And you know what, if government red tape and paranoia against the people it was meant to serve has caused the government's systems to be more vulnerable to hackers from abroad, they got what was coming to them.
I feel bad for the government employees who had their personal information compromised. I don't feel bad for having official correspondences and documents that otherwise would be encrypted exposed due to security holes.
If the government wants their systems secure, they're going to have to work to make sure everybody's systems are secure.
Of course, for those who don't know what I'm talking about, it's with regards to the NSA sabotaging standards and causing software bloat that results in unintended security holes (e.g. heartbleed).
This doesn't let an outsider break into the system; it is a flaw that is only useful if you have already compromised the machine.
For a Windows machine, that's not a very high bar, especially in 1997 and all the way until... well, it's a little harder today, but not that much harder...
The problem is persistence. If you get root, you can get firmware and nothing short of throwing the motherboard away would fix it. That's scary.
At the end of the day, the only way to update an air-gapped machine is via sneakernet. USB, DVD, 3.5" floppy, it doesn't really matter. If you can beam an update into a machine via, say, IR, it wouldn't be air-gapped.
If you have an entire air-gapped network, then any normal package manager would work. Just have to update the server via sneakernet and push the patch out from there.
Cue hack to create slow-motion tentacle porn in 5, 4, 3, ...
You don't even need to modify the hardware to make it serviceable.
Better question:
If the film was released as a movie, who would serve a longer prison sentence, the killer or the guy who leaked it on TPB?
That's because MS Word and L/OO Writer are not word processors anymore. They're WYSIWYG document creation tools, i.e. they attempt to combine text input, text management, and document layout into one tool.
Besides which, word processors aren't feature complete yet. Even advanced text-only word processors like Textpad and Notepad++ are constantly adding new features, and have a leg up on Word/Writer on things like search and cursor movement.
And with persistent connectivity, there's a whole new layer of features for everyone to add.
Kill either the percentage or the time part of the spec and it won't be nearly as specific.
And why the fuck is this shit in a markup language specification in the first place?