Slashdot Mirror


User: Bogtha

Bogtha's activity in the archive.

Stories: 0
Comments: 3,000

Comments · 3,000

  1. Regression testing on Dropbox Password Goof Let Any Password Work For 4 Hours · · Score: 4, Informative

    This is why automated regression testing is a best practice. I guess Dropbox don't test their authentication.

  2. Re:Sounds phony? on $500,000 Worth of Bitcoins Stolen · · Score: 1
  3. Re:Let me get this right on British Student Faces Extradition To US Over Copyright · · Score: 5, Informative

    When did the rules change

    On the 17th of August, 2000, when 2600 was barred from linking to DeCSS under the terms of the DMCA.

    Given the peculiar characteristics of computer programs for circumventing encryption and other access control measures, the DMCA as applied to posting and linking here does not contravene the First Amendment.

    (Emphasis mine.)

  4. Re:"the end" on $500,000 Worth of Bitcoins Stolen · · Score: 3, Insightful

    the numerous slashvertisements for Drupal and now Bitcoin, it's now clear that /. has become just another corporate shill machine

    How on earth is pointing out a major security breach "shilling" for BitCoin?

    Next up: Articles about Sony's security breaches are secretly paid for by Sony!

  5. Sounds phony? on $500,000 Worth of Bitcoins Stolen · · Score: 2

    I read the original forum thread yesterday. It didn't sound authentic, it sounded a little "off". It sounded like it was semi-scripted, the voice was all wrong. Did anybody else get that impression?

  6. Do you have any idea how long it would take to print those emails out, scan them in and embed the scan into a Word document for online distribution? After all, that's the standard way of distributing data from people in the public sector isn't it?

  7. Re:Stupid Decision. on Want iCloud With Windows? Ditch the XP · · Score: 1

    If we're talking about end-users, it's more likely to go:

    "Aww, not supported. I guess I'll use something else"

    So which competing cloud syncing solution will they install on their iPhone instead?

  8. Re:We need to move forward on CSS 2.1 Becomes W3C Recommendation · · Score: 1

    It was NOT designed to handle complex layouts: for that, you used tables.

    Tables weren't designed to handle complex layouts either.

    And then the semantic folks arrived and told everyone using tables was baaaadddd for their main purpose was to present tabular data, not to layout things. And they were right, of course. But they made the wrong choice, deciding to extend CSS rather than crafting a new standard, specifically designed for the task.

    The concept of separating semantics and presentation was around well before CSS. CSS was designed for this. They weren't "extending" CSS, that's what it's for.

    Even CSS 2 isn't supported properly by some browsers.

    Neither are tables. The question is, which browsers? The only mainstream browser that doesn't support CSS 2 is Internet Explorer 7, which people are already dropping support for.

    I think perhaps, if some of the richest companies in the world haven't been able to implement this standard properly in, say, 10 years of continued effort

    "Some of" isn't true. One of is. And that one has a vested interest in incompatibility, that they have explicitly stated in internal memos.

    Here's another data point - iCab, before it switched to WebKit, supported CSS 2. It was built by a single developer. If a single developer can do it, it's not "overly complex".

  9. Re:We need to move forward on CSS 2.1 Becomes W3C Recommendation · · Score: 1

    foo { display: table-cell; }

    It's been around since 1998, the only thing stopping people from using it was Internet Explorer 7 and below.

  10. Re:What about salting? on Cheap GPUs Rendering Strong Passwords Useless · · Score: 1

    my understanding of salt is that it is simply an algorithm you apply to your password before it gets hashed.

    No, it's randomly-generated data that is combined with your password before it gets hashed.

    If your password hashes have been stolen, it is reasonably likely that your salting algorithm has too. Therefore, whether or not each hash has its own unique salt becomes largely irrelevant as the attacker will likely know how to produce each salt.

    Where in my comment did you get the idea that I think that the attacker doesn't know the salt?

    When somebody performs a brute force attack, they generate as many password hashes as they can, comparing those hashes against the hashes stored in the database. If the hashes match any of the hashes in the database, then they've cracked a password.

    When a single salt is used for the entire database, the attacker can use the salt so that it's only the password he needs to guess. When he generates a hash, he can compare that hash with all the hashes in the database, and he can get 0-n hits, where n is the number of accounts. If all the accounts have the same password and he cracks it, he has access to every account.

    When a unique salt is used for each account, the attacker can still use the salt so that it's only the password he needs to guess. But now, when he generates a hash, he can only compare that hash with the account he took the salt from. He can get only 0-1 hits*. Even if all the accounts have the same password, he'll still have to crack each of them individually because their salts are different, so their hashes won't match.

    As I said, if your account is being targeted specifically, it won't help, but if the attacker is merely trying to compromise as many accounts as possible, individually salted hashes do protect you.

    * Not counting collisions, obviously.

  11. Re:What about salting? on Cheap GPUs Rendering Strong Passwords Useless · · Score: 1

    You're missing the point. If a unique salt is used for each password, then you have to attack each password individually. If the same salt is used for each password, then when you compute a hash, you can compare it against all the hashes in the database at once.

    Unless the attacker is targeting your account specifically, then yes, individually salted passwords help.
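
Added example, not part of the comments above or of the original page: a small password store built once with a single shared salt and once with a per-account salt, measuring the two effects described in comments 10 and 11 (how many hash computations one guess costs across the whole database, and whether identical passwords produce identical stored digests). The account names, passwords, PBKDF2-SHA256 and the iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # assumption: kept low so the demo is quick; not a production value

# Constructed sample accounts: three of the four users picked the same password.
ACCOUNTS = {"alice": "hunter2", "bob": "hunter2",
            "carol": "correct horse", "dave": "hunter2"}

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash: the random salt is combined with the password before hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def build_db(accounts: dict, per_account_salt: bool) -> dict:
    """Return {user: (salt, digest)}; the salt is stored in the clear beside the digest."""
    shared = os.urandom(16)
    db = {}
    for user, password in accounts.items():
        salt = os.urandom(16) if per_account_salt else shared
        db[user] = (salt, hash_password(password, salt))
    return db

def hashes_per_guess(db: dict) -> int:
    """Hash computations needed to test ONE candidate password against every account."""
    return len({salt for salt, _ in db.values()})

def accounts_sharing_a_digest(db: dict) -> int:
    """Number of accounts whose stored digest equals another account's digest."""
    counts = {}
    for _, digest in db.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(n for n in counts.values() if n > 1)

def verify(db: dict, user: str, password: str) -> bool:
    """Login check: recompute with the account's own salt, compare in constant time."""
    salt, digest = db[user]
    return hmac.compare_digest(digest, hash_password(password, salt))

if __name__ == "__main__":
    for label, flag in (("shared salt", False), ("per-account salt", True)):
        db = build_db(ACCOUNTS, flag)
        print(f"{label}: {hashes_per_guess(db)} hash(es) per guess, "
              f"{accounts_sharing_a_digest(db)} accounts with a duplicated digest")
```

With the shared salt a single computation covers every account and the three identical passwords are visible as identical digests; with per-account salts each guess costs one computation per account and no digests repeat, while login verification works the same in both cases.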

  12. Re:How is this not anti-trust? on Microsoft Said To Limit Device Makers' Partners · · Score: 4, Insightful

    This reminds me of standard oil making deals with railroads, to not carry oil for companies that competed with standard oil

    Really? It reminds me of Microsoft making deals with OEMs, to not install operating systems from companies that competed with Microsoft. They've already been caught doing this with Hitachi and Compaq to kill BeOS.

  13. Re:GWoC on The Petition to Classify Wikipedia a "World Wonder" · · Score: 1

    I don't see how pedantic discussions on factual and scientific information can be seen as bad

    Maybe it's not the scientific knowledge people have a problem with, but rather the endless streams of crap there. 122 footnotes for a list of Pokemon? That starts out "For more detailed lists of Pokemon, see..."?

    I wouldn't mind so much if it weren't for the fact that perfectly reasonable topics are removed for lack of notability. Yet the Pokemon stays.

  14. Re:Interesting... on Mozilla Rejects WebP Image Format, Google Adds It · · Score: 1

    That's pretty inaccurate. The problem described by that article is that the traditional colour model for the web ignored gamma while the PNG image format has optional gamma information - a feature that GIF lacks. Therefore if a PNG image contains gamma information, an RGB value within the image is not the same as an RGB value defined by HTML or CSS. If a PNG image doesn't use this optional feature, the RGB values match and there is no inconsistency. The lone buggy browser mentioned in the (eight-year-old) article that screws this up is used by virtually nobody these days.

    The only reason GIF isn't in the same boat is because it lacks gamma control entirely. GIF is worse than PNG at representing colours because outside of a couple of very dodgy hacks, it can't represent more than 256 colours and lacks gamma control and the alpha channel.

    It's not that PNG "can't" match HTML/CSS colours, it's that there are some designers and developers out there that don't know what they are doing and produce PNGs that are meant to match HTML/CSS colours but include gamma information.

    The only reason to use GIF these days is if you need animation.

  15. Re:Not Anti Free Speech. on Twitter Sued By British Soccer Player · · Score: 4, Insightful

    The UK doesn't have any anti free speech laws. It has laws against Libel and Slander

    The UK does have anti-free speech laws, and libel/slander are examples of them - restriction of speech. Every country has laws like these, because every country has decided that completely unrestricted speech is unwise.

    However some countries cling to the concept of free speech as a propaganda tool. Their people are so indoctrinated to believe that their country has free speech and that makes their country special that they convince themselves that any law contradicting this belief must therefore not be actually restricting speech. So you get convoluted explanations as to why laws that quite clearly restrict people from saying things aren't actually curtailing free speech.

    If I am restricted from knowingly saying untrue, disparaging things about another person, then that is a restriction of my speech. There's no getting away from that. You can either think the law is bad because it curtails free speech, or you can accept the idea that restrictions on free speech are sometimes acceptable. The more common third option, "excusing" the law (most likely by redefining "speech" to exclude the unwanted speech), is not intellectually honest.

    To put it another way - if it's an anti-free speech law that you have grown up with, then you are likely to be unable to recognise it as an anti-free speech law. It's just the way things are for you. If it's a new law that is being introduced, then you are more likely to recognise it as such.

  16. Re:Reply from the submitter on Ask Slashdot: FTP Server Honeypots? · · Score: 2

    If the users need to authenticate - switch to SCP over SSH. Switching to SFTP sounds nice in theory, until some tech comes along and screws up the FTP server config and people are able to start logging in again over regular FTP.

    That doesn't make sense. SFTP is not a normal FTP server exposed over an SSH or SSL tunnel. There's no "FTP server config" you can screw up and magically transform an SFTP server into an FTP server. Even if there were, server configs don't change on their own, it doesn't really make sense to say "don't switch to something secure because that means if you disable security you won't have that security".

    In fact, if your criticism held weight at all, your recommendation would be going in the opposite direction - SCP is just RCP over SSH.

  17. Re:Dare I say it? on Apple Proposes Smaller SIM Card Design · · Score: 2, Interesting

    Apple only need that bulky SIM holder because there isn't a user-replaceable battery and its associated cover.

    User-replaceable batteries take up more space. They need extra casing and catches that are otherwise unnecessary.

    Hardware SIMs are an annoyance. They should be replaced by software, in which case they would take up no room at all.

  18. Re:Dare I say it? on Apple Proposes Smaller SIM Card Design · · Score: 3, Informative

    Apple have patented something along those lines and the carriers weren't happy about it.

  19. Re:At least they're up-front about it on Thousands Marched Against Censorship · · Score: 4, Informative

    ISPs aren't required to implement the IWF blacklist unless they want to provide services to the government. Individuals are free to use an ISP that doesn't implement the blacklist, such as AAISP.

  20. Re:Distorted standards on Disorderly Conduct Charge for Offensive Classmate Ratings · · Score: 1

    I wonder: if this had been a GIRL shopping such a list about boys, would we have even had a Slashdot article to read about it?

    It's already happened, only the circumstances were far worse (revealing intimate details, including photographs, going viral). Quote from the article I've linked to:

    The comment thread on Jezebel focuses on whether or not Karen Owen is being unfairly castigated because she is a woman, presuming that, had a man posted such a list, the fallout would not be as great.

  21. What's missing? on Apple Delays Release of LGPL WebKit Code · · Score: 3, Insightful

    Nobody seems to have been clear on what is supposed to be published but isn't. The WebKit source has had checkins as recently as 2 minutes ago, so it doesn't look like Apple have stopped publishing the source to me.

  22. Re:The number of devices is not most relevant on Making Wireless, Not Ethernet, the Heart of the Network · · Score: 1

    It's a perfectly reasonable requirement and your comment is nothing but flamebait. Why is it so hard to believe that tablets are being used for serious work?

    As an example, one of my recent projects was an iPad app for a company to use for going through projects with their clients and during pitches. They have a lot of projects and some of the files are relatively large. They easily transfer gigabytes of data at once. The only alternative to Wi-Fi for their app would be to add the files through iTunes file sharing, which isn't anywhere near as convenient.

  23. Re:Windows Phone 7 on More Windows Phone Update Problems · · Score: 3, Insightful

    Yes, I get the point, but in my experience this is one of the worst things about the Microsoft stack, by far. I've got no problem sharing infrastructure at the CLR level, but once you go beyond that to try to make applications written for one paradigm fit anywhere the CLR is, you end up with an unholy mess. The "integration" doesn't make things easier, it just forces you into one colossal fuckup instead of a more sensible approach of platform-specific front-ends over a portable base.

    Microsoft's approach to web frameworks is an ideal example of this. They tried to make developing a website like developing a desktop application; and web forms, postbacks, and all of that gigantic mountain of failure was the result. ASP.NET development is about as far away from the architectural principles of the web as you can get without dumping the technology altogether and using plugins instead. They tried to abstract away HTTP when it's one of the most fundamental parts of the web, they did a shitty, incomplete job because the architecture of the web and traditional desktop applications are entirely different, and they ended up with a failure that they are now attempting to replace altogether.

    So when somebody comes along and says that they are making a game that can be "web-based" because Silverlight's integration lets them do that easily, my immediate reaction is that it's not "an interesting move", it's a continuation of the same terrible fucked up attitude that Microsoft don't show any real signs of shaking. Hence the question - is this actually a web-based game - i.e. does Silverlight's "integration" really deliver, or is it the same old fuckup they always come out with?

  24. Re:Windows Phone 7 on More Windows Phone Update Problems · · Score: 1

    A very interesting move is the integration between Silverlight and XNA: this will allow (I am developing such a game right now!) web-based 3D accelerated games

    Is it really a web-based game, or is it merely a web-delivered game? Because I see Flash and Silverlight developers confuse these all the time. Is the game based on the fundamental technologies of the web - e.g. are you delivering human-readable code, or are objects in the game discrete resources served via HTTP, or are levels addressable via URI, or is the environment represented by a DOM? In short, does it look anything like this? If not, you aren't basing your game on the web, you are delivering the game via the web. Just because you can get a chunk of non-human-readable code to execute and display something in a browser window by use of a plugin, it doesn't make it "web based". The only thing you are doing is streamlining the obtain->install->run cycle for a non-web-based game.

  25. Re:Eheh, managers on Computer Opens Unmanned Store For Holiday · · Score: 1

    -1, Troll.

    Trying to ignite a political flame war with an idiotic screed about how a slow news day story proves liberals are wrong about supposedly not wanting the rule of law? Your trolling is far too obvious. Try a little subtlety next time.