For one thing, we won't have to listen to RMS whining about it every time someone mentions the current version of OpenOffice.
People still listen to RMS whine? The facts never stopped him from whining before. It makes for a good read. Be sure to continue on into the archive, where there are some real gems like this. It's great, Ubuntu caters to his bitching by coming up with Gobuntu, which meets all of his ridiculous criteria, and he won't recommend it because it sounds like Ubuntu. *dons flame suit for the large percentage of rms zealots on /.* Seriously, rms DID some great things in the past, but now he just sounds like he took too much acid (and looks like it too). Practicality is what matters in programming; if F/OSS really is better, it will be used. And it will, eventually. But it won't be done if you sit on the sidelines kvetching. It will be if you make coding contributions under the appropriate license and make F/OSS BETTER.
The GP presents a weak argument, but there are other defaults in Ubuntu that can be exploited. If someone is given direct access to a machine, it really is only a matter of time before they can compromise it. The only reason I think the students haven't done so, in this case, is because they aren't as knowledgeable about Linux as they are Winders. Of course, the admins at the school can change the unsafe (for this type of scenario) defaults; things such as taking the recovery mode option out of the grub menu, not allowing the grub entries to be edited. Then in the BIOS, the admins must not allow booting from anything other than the HD which Ubuntu is installed on. That sort of [obvious] thing.
Then Wil Wheaton saved the day by making out with Ashley Judd.
[comic book guy voice]
Ah yes, TNG Season 5 episode 6 - The Game. Actually, it was Data that ended up saving the day with the strobe light. Wesley Crusher did fix Data's positronic links that were severed by Dr Crusher, but they ended up forcing Wesley to play the game right before Data saved them.
[/comic book guy voice]
Exactly, I read the thing about the ants and I couldn't even imagine why you would even bother to send some place live ants. Hey, you know you can *gasp* take more than one newspaper from the machine when you only paid for one! Onos security breach!
And I read the AC reply to you, and all I have to say is this: I don't want to live in a society where everyone is treated like a criminal. Things are moving more and more in this direction in the US, and it's very sad. I think people should be treated like the adults they are, and the people who abuse those privileges need to be punished. Now, instead of only the criminal being punished, everyone is. Great!
For example - a friend told me that due to company policies, the SSL port was blocked by the company, so there was no way to securely communicate with the outside (or between the workers themselves, for example, by testing the network - a lot of them used MSN). What kind of policy is that? Just to keep information from leaking without being detected? How about emergencies? People then transferred files and information via open chat, where EVERYBODY could see it. Including non-loyal employees. Last thing I knew is that my friend's team ended up using http tunnelling. In the end, nothing was gained and the IT team spent more time than they should to just work around stupid company policies.
You seem to have some terminology mixed up. There is no such thing as an SSL port. Your friend must have meant the https port or similar; which really does nothing to prevent SSL from being used and is only related because SSL traffic is normally routed through those ports. I will agree with you that it is a very silly policy. Your friend also prob didn't mean HTTP tunnel (although there is such a thing), which really has nothing to do with the situation you're describing. If he wanted to use SSL, he probably set up an SSH tunnel, or similar, and routed the http traffic through that (this is why the company's policy is silly and only an inconvenience).
I believe the other examples you mentioned would be recommended at your "safe computing seminar", however. It is arguable that it would make things more efficient. On one hand, you have inefficiencies from needing an IT guy to install apps on everyone's computer. On the other, you have users installing apps that are potentially dangerous, which could require even more IT effort to remedy. Either way, as you stated, the programmers are definitely smart enough to be able to take command of their own computer, if they need to. They, in my opinion, should be able to install whatever they want because they are simply more educated about such things than a company's average user. Also, I have seen such policies implemented by default, and then the IT guy would simply give admin to whichever users he felt were capable.
As you said, you are in a very small minority of executives and the parent's comment was focused on the actions of most executives (at least from where I'm sitting). I think it's funny how you take such great offense to a comment that doesn't even apply to you. I say you take a day off every weekday like your fellow executive buds and chill.
And yes, like every other company, you should pay a person more to keep them... duh. More experience means you should get more money. This is especially true in the tech field. At most tech companies I've seen and heard about, the annual pay increase does match what they could get, with the experience they have, somewhere else. This is a reason why we hop companies every 3 or so years.
If I am directly responsible for procuring 100% of the business, and you are responsible for creating a product that retains that business, then I trump you any day
We'll just have to agree to disagree on that one. It's arguable that the product could sell without a sales person, but you sure as hell couldn't sell the product without someone creating it. There is definitely a trade-off, but it does say something about your attitude that you think you are always more important than the people that have created a job for you by giving you something to sell and manage.
PS. Take a vacation, you seem to need it. If the business falls apart while you're away - you haven't done a very good job managing it.
You, sir, are a moron. First off, most everyone knows that quid=pound. Everyone who didn't know that knew they could find the answer from google. Slashdot ID revoked.
You do realize that list only shows the "top" or "most active" contributors, correct? It is definitely far from all-encompassing; Debian is not even on that list, for example (please do not take this as your cue to start bitching about Debian). Not only this, but I don't really trust those stats too much, a few of the problems are mentioned in replies to the LWN article (I know I know, reading is so overrated). Now, if you had taken the additional 2 seconds, and gone ahead and searched the Linux Kernel Mailing List, you would see why your statement is so foolish. Here's a start. Or even do a search for Ben Collins. Ya, I think it's weird that Ubuntu has a kernel lead when they aren't doing ANY kernel development too /sarcasm.
Do Ubuntu developers do anything besides tweak color palettes and write bullshit press releases which fail to give credit to the actual producers of the software which they parasitize?
Hilarious. Might I then suggest that Fedora do the same to win their market share back?
I'm not sure I quite understand this infighting; surely you must realize that what is good for Ubuntu (or any Linux distro) is good for Linux? I know one thing that makes Linux less attractive to the outside world: petty fighting over this senseless bullshit.
So you want to make games for a living, that's your prerogative. You must realize, however, that content creation, specifically games, is a pretty packed industry; everyone wants to do it. My suggestion to you is make the content creation a hobby, like your 'game's fans' who are willing to do what you are doing for free, and get a real job. I'm not saying it's ok for people to pirate your work, I'm just saying it's not a lucrative route to go in your career and it seems like it's going to be that way for quite some time. It's not so much the torrent of your game floating around that's hurting your business, it's the other 124125152352462 people that also want to make content/games for a living (oh ya, and then the hobbyists who are willing to do it for free).
Phishing is a type of MITM attack, the way we're talking about here, they can be used interchangeably. With phishing attacks, you don't necessarily have to control one of the routers the victim is using, you can, like you said, simply host a webpage that mimics the site the victim thinks they're on. But since we're hosting this wireless AP, it puts us in a good position to simply forward their requests while taking the information we want.
SSL is very interesting, and you should look at the wikipedia page to get a good in-depth understanding. But briefly, it uses asynchronous/public-key cryptography. The host site can get their public key signed by a Certificate Authority (CA), to bind their public key to an identity (in the examples above, Bank of America). When a user is using SSL (from the browser it will show https) the user receives the certificate from the server, which will have the public key, the name/domain, and the CA that approved it. Your browser will automatically check with the CA to make sure the information is correct. Since any would-be phisher will not, or not easily, be able to get their public key approved, they can also sign their own certificate, but virtually all browsers in use today will start throwing up red flags all over the place. Browsers will also throw a red flag if a user is trying to sign in "over an insecure site", as in, not one secured by SSL. However, it is still up to the victim on whether or not to load the site. That is why it is called social engineering, because it relies more on the stupidity of the users, and much less on the weakness of the security that is in place.
WaMu (Washington Mutual) - a favorite amongst the college crowd - displays the last four digits of the account in the transaction history, too. However, if you view a statement, it does show the full account number.
Aw geez, I logged back in to BoA and went to Account Details for my checking account; it does actually allow you to view the whole account number by clicking 'Show Account Number'! =/ The odd thing is, I went to account details for my credit card, and I can't find a place to display it. Still, I don't think that's enough to rack up some charges to someone's account, since you are usually required to have an expiration date and the verification number, which I couldn't seem to find on the site.
I did have my CC number stolen and some charges racked up on it before (The GAP online and some online dating site). It was a credit card that my parents and I shared that I could use to pay for school books. I only used it to purchase books, so maybe twice a year, and only at one store (Engineers Bookstore by SPSU, if anyone cares). I'm not exactly sure they were the culprits, but my point is that there are far easier ways to get access to people's CC numbers that only require a little social engineering and no technical skills whatsoever. And either way, my CC company (a MasterCard from USAA) covered the charges no problem.
Yes, of course you use a proxy when performing a MITM attack. Yes, as I mentioned above, you can dupe stupid users into ignoring their browser's "phishing detection". However, BoA does not list any account numbers online, only the last 4 digits (I am assuming that other banks do the same). You do have access then to any transactions they made, which is bad, but there is very little you can do. You can login later on with their credentials (from a public AP, of course), but what are you going to do? You can't transfer any money to any account you own without it being traced back to you. You don't have any account numbers to steal an identity or purchase anything online. You might be able to call BoA to try some more social engineering, because sometimes they do ask you about your previous transactions to verify your identity, but other times they ask you street addresses, for numbers on the back of your card, full account numbers, etc. If you're not making that phone call from a previously listed number for that account, they will definitely grill you (and you are making that phone call from a public telephone, right?).
People are hired to think about this for their day job, and you can't explain how to break it with 2 sentences, I guarantee you that.
An SSL certificate is fairly cheap to purchase, just buy one and operate a man-in-the-middle for all SSL connections. A few tech-savvy might notice, but most won't.
You purchase an SSL cert from a CA for a single host, so you will have to go through the whole process for each site the user tries to connect to. Not only this, but CAs do, admittedly minimally, verify that you are who you say you are (depending on how much money you give them). Not only this, but you will not be able to get a cert that says you're, for example, Bank of America. You can always self-sign a cert, but this will alert the user in all modern browsers. On top of all that, if the user does get fooled by your MITM attack, you only get the information that they give you: their username and password. Sure, you can now log in to the site, but I know that if you're signing into BoA for the first time from that location, they ask you one of the security questions (which you do not have). Even if they didn't (or you fooled the user into giving you that information too) and you got access to their account, what are you going to do? You can't just transfer that money to your account without someone finding out who you are, and the accounts only show the last 4 digits of each account number. You can't get that 3 digit number on the back of the card for most online purchases, not to mention that online purchases will also point back to you. I will admit this is all much easier than cracking the 128-bit SSL session.
All of that means you aren't going to do shit; the payoff just isn't worth it and it's not as easy as some /. posters will have you believe.
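The certificate checks discussed in the comments above, shown as an added example that is not part of the original thread: a client accepts a certificate only if it chains to a CA it already trusts and names the host being visited, so a self-signed look-alike and a valid certificate presented for a different host are both rejected. The CA name `Demo Root CA`, the host names `bank.example` and `other.example`, and the helper functions are constructed for illustration; the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: every name and key here is generated locally and is made up.
# It reproduces, with the openssl CLI, the checks a browser applies to a
# server certificate before it shows the padlock.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_demo_pki() {
    # 1. A throwaway root CA, standing in for one the browser already trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1

    # 2. The legitimate site: its own key, a signing request, and a
    #    certificate issued by the CA for exactly one host name.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=bank.example" \
        -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/site.csr" -days 1 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/site.pem" 2>/dev/null || return 1

    # 3. A look-alike that claims the same name but signs itself,
    #    because no trusted CA issued it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=bank.example" \
        -keyout "$WORK/fake.key" -out "$WORK/fake.pem" 2>/dev/null || return 1
}

# check_cert CERT HOST: succeeds only if CERT chains to the trusted CA
# and was issued for HOST.
check_cert() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" \
        >/dev/null 2>&1
}

# verdict CERT HOST: print what a client would decide.
verdict() {
    if check_cert "$1" "$2"; then
        echo "ACCEPT  $(basename "$1") for $2"
    else
        echo "REJECT  $(basename "$1") for $2"
    fi
}

make_demo_pki || { echo "openssl failed to build the demo PKI" >&2; exit 1; }

verdict "$WORK/site.pem" bank.example    # CA-signed, right host
verdict "$WORK/fake.pem" bank.example    # self-signed look-alike
verdict "$WORK/site.pem" other.example   # CA-signed, wrong host
```
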
It doesn't help that speed limits on interstates get lowered as you approach larger cities. This is a good reason to remove enforced upper limits on these roads completely. Much of the braking is due to the few goody-goodies cramping the whole flow.
Exactly, I remember a short while ago a group of GA State Univ students took up all the highway lanes going down 75 South into Atl doing the speed limit (55mph). The build up of cars behind them was nuts and I'm sure they weren't too happy. The movie was called "A Meditation on the Speed Limit" and can be found here. I can't tell if it works because I don't use Quicktime =/
I worked in downtown Atl for about 2 years, where the traffic is notorious for being terrible. The only times I would see cops gunning people is on the roads going /against/ traffic (where there are fewer cars). If the cops were gunning the busy direction, traffic would become absolutely horrible much faster, almost as if there were a wreck where the cop car was.
now that's just stupid, by writing hexadecimal instead of bits you can only use 1/16 the paper.
I know you were making a joke, but your math is not quite right. Your paper savings would increase by a factor of 4. 4 binary (base 2) digits can be represented by 1 hexadecimal (base 16) digit.
They are probably better drivers on average because it is much harder to get a driver's license there compared to the US.
Oops, maybe I was high. I was thinking of Symbol devices :o