Slashdot Mirror


User: sinij

sinij's activity in the archive.

Stories · 0

Comments · 2,919

  1. Free WiFi is a trap, news at 11! on AT&T Hotspots Now Injecting Ads · · Score: 5, Funny

    Free WiFi is a trap, news at 11!

  2. Another attack surface on Virgin Media To Base a Public Wi-Fi Net On Paying Customers' Routers · · Score: 1

    I use a MAC filter as my white list as the last measure of defense. This way most zero day exploits will have to spoof a white listed MAC to even start exploiting. This is one extra step for someone wardriving my WiFi.

    With public WiFi like this? You are already in, so you are free to exploit the heck out of any vulnerability or misconfiguration. This is one exploit away from the entire network getting turned into a botnet.

  3. Any HTML5 blockers? on A Farewell To Flash · · Score: 3, Insightful

    Any HTML5 blockers out there, because we know the scum from marketing department will have us Punching Monkeys in HTML5 in no time.

  4. Re:When you define anything as "cheating"... on Ashley Madison Hack Claims First Victims · · Score: 1

    To continue the trend of posting as AC, I didn't find this site's approach to posting as AC puritanical. Additionally, I personally browse at 0 and read (and mod up) AC comments.

  5. Emotional Argument on Researchers Grow Tiny Human Brain In Lab · · Score: 1

    >>>I used to be all for this type of research. Then my wife and I had a child

    See, this is how we can be sure your argument is emotion-based instead of fact-driven. Unsurprisingly, your hormonal adjustment and parental instincts interfere with clear thinking. Logically, you having a child is an unrelated and irrelevant event to evaluating the merits and ethics of medical research.

    Too bad you succumbed to "Think of the children" hysteria, and my condolences on the premature demise of your logical self.

  6. NTP still stuck with MD5 authentication on "Father Time" Gets Another Year At NTP From Linux Foundation · · Score: 1

    NTP still stuck with MD5 authentication, when are they implementing modern crypto?

  7. Re:You just have to deal with it on Ask Slashdot: Buying a Car That's Safe From Hackers? · · Score: 1

    I want a modern car, and don't want to deal with it. I am also not interested in being infotained. What can I buy?

  8. 90s - era luxury cars on Ask Slashdot: Buying a Car That's Safe From Hackers? · · Score: 1

    Anything from late 90s will have power, will have modern safety (ABS, Traction, Side Airbags) if you go sufficiently upscale but will not have any integrated infotainment electronics. If you go older, you start losing safety features. Late 80s is ABS, early 80s is airbags, 70s independent rear suspension and rear disk brakes.

  9. Market failure on Airline Begins Weighing Passengers For 'Safety' · · Score: 1

    So much for market forces resulting in a positive outcome. Airline industry is one of the most customer-hostile service providers.

  10. Clearly, the solution is to show more ads! on Continued Cord Cutting Hits the Pay TV Business Hard · · Score: 1

    Well, clearly, the solution is to show more advertising to remaining customers. Go for 61 minutes of advertising per hour, 24/7 each channel. This should maximize the revenue stream.

  11. Re: Not really a story. on Manipulating Microsoft WSUS To Attack Enterprises · · Score: 1

    If you're running windows, you're most likely compromised. Switch to Linux now.

    I did switch to Linux but for some reason I keep getting hacked. The last guy even patched it for me on the way out.

  12. Re:If updates are signed... on Manipulating Microsoft WSUS To Attack Enterprises · · Score: 4, Funny

    I choose to exercise my /. rights to never read TFA.

  13. CocaCola should have funded social studies instead on Coca-Cola To Fund Research That Shifts Blame For Obesity Away From Bad Diets · · Score: 2

    CocaCola should have funded social studies instead, whole 'fat shaming' avenue would be a lot more productive than trying to misinterpret peer-reviewed hard science. With Social Sciences any nonsense could be published, given you insert enough right-think buzz words into your papers. For example the paper titled "The fat shaming of disadvantaged minorities by the patriarchy over consumption of carbonated beverages" is guaranteed to get published no matter what the conclusions and methods are. As long as introduction cites Gloria Steinem.

  14. If updates are signed... on Manipulating Microsoft WSUS To Attack Enterprises · · Score: 2

    Can someone please explain to me how they managed to bypass signed update functionality? MitM will not give you magical powers to sign updates with MS key. As a result, the sig check would still fail when you attempt to install the inserted update... So it is either a WSUS and signature check vulnerability, or not a big deal at all.

    ... and this is why friends shouldn't let friends implement systems with unsigned automatic updates.

  15. They asked us to punch the monkey... and we did. on Study: Ad Blocker Use Jumps 41 Percent · · Score: 3, Interesting

    They asked us to punch the monkey... and we did. What do they expect with dropper-infested, bandwidth-hogging, slow-loading, auto-play with sound enabled "advertising" they keep showing on us?

    They turned cable into never-ending commercials, people responded by record-and-skip and cable-cutting. They turned media sites into never-ending commercials, people responded by blacklisting and blocking advertising. I think the advertising industry shows a clear pattern of shitting the bed, as such this is of their own making.

  16. Re:This is FUD on Linux Servers' Entropy Pool Too Shallow, Compromising Security · · Score: 1

    /dev/urandom CAN run dry, it is that "dry" is much "wetter" than most people expect. What happens when it runs dry is that output becomes predictable if you know its state. That is, if you somehow could derive previous state (hard task), then consequent output during low-entropy will be highly correlated to that previous state.

    You are correct, aside from initial boot, for non-cryptographic tasks /dev/urandom is good enough. Now, if you have VPN and intend for it to resist state-level actors, then /dev/urandom is not good enough for seeding your crypto.

  17. Re:Not a very good summary on Linux Servers' Entropy Pool Too Shallow, Compromising Security · · Score: 1

    This is not how it works. You take 1...2...3...n sequence, pass it through SHA-1 and you will get a very predictable set of random-looking numbers that will pass every test. As such "because SHA-1" argument is absurd.

  18. Re:Not a very good summary on Linux Servers' Entropy Pool Too Shallow, Compromising Security · · Score: 1

    Entropy estimation isn't a black art. Here is how you do it: take SP 800-90B recommended tests - Markov, Compression, Frequency, Collision, and Partial Collection, collect 1 million samples, then take minimum of the individual test results. Or just do Markov. As long as you take care to analyze raw data (not conditioned), you can find out what is your entropy.

  19. This is FUD on Linux Servers' Entropy Pool Too Shallow, Compromising Security · · Score: 2

    I do this for a living. This presentation is FUD and not applicable for 99% of all configurations. Sure, some headless system with a solid state drive will encounter 'at rest' issues if they idle long enough. This is why /dev/random design blocks. For that 1% of cases you can always mix Intel RdRand, or Freescale SEC sources.

    The real issue with Entropy is that developers keep using /dev/urandom, then all bets are off, as you need to guarantee that system always has sufficient entropy.

  20. Re:This is free speech issue on FBI: Retweeting a Terrorist's Tweet Could Land You In Trouble · · Score: 3, Insightful

    "If you made it a whole day without private citizens [heckling] your ass"

    That would be social consequence of speech. At no point am I stating that speech should be without consequences, it is that consequences should never be in a form of government prosecution.

  21. This is free speech issue on FBI: Retweeting a Terrorist's Tweet Could Land You In Trouble · · Score: 4, Insightful

    I should be able to stand on the corner and proclaim support for ISIS all day long without having to face government prosecution. This is how free speech works in US. As such, this is "with computers" type of a case.

  22. Funny, I do the same thing with my backup tapes on The Bog Bodies of Europe · · Score: 2

    Funny, I do the same thing with my backup tapes. I store them in the bog.

  23. Re:Is it FIPS certified? on LibreSSL 2.2.2 Released · · Score: 2

    I disagree. FIPS main goal is to mitigate people from making preventable mistakes from home-cooking crypto primitives. This was a big issue during early 90s. In this regard - NIST succeeded. We now have open standards, reference implementations, and openly available testing tools. You could even argue that FIPS program succeeded to the point of becoming irrelevant. For example, hardly anyone gets AES wrong these days. Do you think for a moment that if NIST were to go away and stop supporting FIPS, big corps like RSA Security wouldn't crawl back and try to proprietary lock everything down? Imagine having to pay royalties for implementing TLS 3.0, and imagine what that would do to Open Source.

  24. Re:easier patch for younger drivers on Tesla Model S Has Been Hacked · · Score: 1

    Car repairs are only expensive if someone else does it for you, because then you have to pay labor. For example, bad brakes mentioned in the original post: you potentially have low or old brake fluid (very cheap), rusted and sticking calipers (preventable with fluid changes, have to replace or send to get remanufactured), damaged master cylinder (again, preventable with regular fluid changes, but need new part), bad disks/drums and/or calipers (wear and tear part), or bald tires. There is 66% chance that this could be solved with 10$ jug of DOT brake fluid, funnel, and a hose to siphon old fluid out.

    Any one of these issues could be solved for under $250 in used or new non-OEM parts. Only calipers and master cylinder R&R even remotely complicated (you have to bleed the system).

  25. Re:Is it FIPS certified? on LibreSSL 2.2.2 Released · · Score: 2

    It is all but impossible for "interested party" to do this without support of developers. You need to have at least two participants - lab and sponsor. Lab can only test and report, sponsor has to develop evidence, run test vectors and so on. Even if you could find a lab that would agree to do it for free, you still have to have someone create test harnesses, write docs and so on.