You are missing the difference between Initial Key Exchange and Shared Secret.
Initial Key Exchange (IKE) requires each end to negotiate a mutually acceptable encryption method (I know MD5, SHA and DES - you know DES, 3DES and AES - the result is DES).
Shared Secret requires that you and I have agreed in advance to a specific protocol/key combination (Me: "What's my dog's name?" - You: "Spot" - Both: AES).
Shared Secret encryption under the right circumstances will be relatively impervious to MitM attacks, since the attacker would need to know both the protocol and the key to start attacking the encryption (which would, if done right, change on a "pseudo random" basis).
The "initial key exchange" is performed before any communications are attempted (at setup time). The article specifically mentions "shared secret". By definition, this excludes a MitM type attack, unless the MitM is also in the circle of *allowed* communicators.
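The distinction drawn in this comment can be made concrete with a small simulation. The following is an added example, not code from the comment or from the article it replies to: it models a cipher negotiation (the first entry in my preference list that the peer also offers), a Diffie-Hellman exchange with an optional on-path attacker, and then shows that a pre-shared secret used to HMAC the whole transcript lets both ends detect the substitution, while the unauthenticated exchange does not. The toy group, the cipher lists and the PSK value are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (not a secure group).
P = 2**127 - 1
G = 5
WIDTH = 16  # bytes needed to encode any value below P


def negotiate(mine, theirs):
    """Return the first cipher in my preference list that the peer also supports."""
    for cipher in mine:
        if cipher in theirs:
            return cipher
    return None


def keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub, cipher):
    """Derive a key from the DH shared value and the cipher this side believes was chosen."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(WIDTH, "big") + cipher.encode()).digest()


def auth_tag(psk, pub_a, pub_b, cipher):
    """HMAC under the pre-shared secret over the transcript exactly as one side saw it."""
    transcript = pub_a.to_bytes(WIDTH, "big") + pub_b.to_bytes(WIDTH, "big") + cipher.encode()
    return hmac.new(psk, transcript, hashlib.sha256).digest()


def exchange(psk=None, mitm=False):
    """Run one A<->B key agreement.

    psk:  pre-shared secret both ends hold, or None for an unauthenticated exchange.
    mitm: if True, an on-path attacker substitutes its own DH value in both directions
          and rewrites each offer so that only the weakest cipher remains.
    Returns the cipher A settled on, whether A and B derived the same key, and whether
    the PSK tags verified (None when no PSK is in use).
    """
    a_offer = ["AES", "3DES", "DES"]     # constructed preference lists
    b_offer = ["AES", "DES"]
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()

    if mitm:
        _, m_pub = keypair()
        a_sees_offer, b_sees_offer = ["DES"], ["DES"]   # downgraded offers
        a_sees_pub, b_sees_pub = m_pub, m_pub          # attacker's value in both directions
    else:
        a_sees_offer, b_sees_offer = b_offer, a_offer
        a_sees_pub, b_sees_pub = b_pub, a_pub

    a_cipher = negotiate(a_offer, a_sees_offer)
    b_cipher = negotiate(b_offer, b_sees_offer)
    a_key = session_key(a_priv, a_sees_pub, a_cipher)
    b_key = session_key(b_priv, b_sees_pub, b_cipher)
    result = {"cipher": a_cipher, "keys_match": a_key == b_key, "authenticated": None}
    if psk is None:
        return result                       # nothing ties the transcript to the real peer

    # Each side tags the transcript it saw. Without the PSK the attacker can only relay
    # the genuine tags, and a relayed tag covers the wrong public values, so it fails.
    a_tag = auth_tag(psk, a_pub, a_sees_pub, a_cipher)
    b_tag = auth_tag(psk, b_sees_pub, b_pub, b_cipher)
    result["authenticated"] = hmac.compare_digest(a_tag, b_tag)
    return result


if __name__ == "__main__":
    for psk in (None, b"spot"):
        for mitm in (False, True):
            print(f"psk={'yes' if psk else 'no':3} mitm={mitm!s:5} -> {exchange(psk, mitm)}")
```

Note that the tag covers the negotiated cipher as well as the public values, so the attacker's downgrade of the offers is caught together with the key substitution.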
Re:Not unique to open source (on The CVS Cop-Out, Score: 1)
My reason for saying this is that *most* developers do not make use of the various facilities to store program-specific files in their own directories (programmers by definition being lazy).
If the operating system mandates that best practices be followed (configuration files, necessary non-system libraries etc. be stored in non-system areas; application programs having the ability to add/modify system registry/configuration areas... NOT!!!) then a great deal of problems could be solved.
It is not only the bloggers that are at fault. I read (daily) at least 3 newspapers in print (Arizona Republic - Phoenix), Arizona Daily Star (Tucson - morning), Tucson Citizen (Tucson - afternoon). I also read a number of newspapers online, and look at various news sites. Even though all attribute some of their stories to the Associated Press, when you compare stories in the various publications you find that each article is (sometimes slightly - sometimes significantly) different.
I have seen whole paragraphs removed, which completely alter the content. Once, however, you take the author of the article to task, the answer is that "what you read is out of context".
As the reader, if you do not follow up on those issues which interest you, you run a significant risk of knowing only what the writer (or publication) intended to present to you as NEWS.
I would also consider these people to be oathbreakers, violating their oaths to uphold the constitution, but then, so is pretty much every member of congress and every person in the armed forces.
NO!!! Absolutely not!!! Many illegal orders, on their face, may appear reasonable. No member of the armed forces (excepting the various JAGs and General Staff Officers) is expected to be a constitutional scholar. The rest of the group you cited, however, has consistently violated Constitutional restrictions in their quest for power (and money, since money==power).
If the actions you take directly violate several sections of the Constitution of the United States, which you have sworn to "UPHOLD AND DEFEND", does this not make you an "enemy of the United States"???
As a programmer, I would suggest that you start without an IDE. It has been my experience that most IDEs provide a "suggested" way of doing things. If the outcome of the suggestions is not what the student intended, they will be hard pressed to determine why. Once the student has mastered the concepts of the language, then an IDE may make their life easier, but it may well make their life harder. Take, for example, an IDE that automagically allocates space for variables. If you have a memory leak (or the dreaded buffer overflow), finding a variable that *you* declared is much easier than finding the one (often incomprehensibly named) variable that your IDE defined to "make your life easier".
Re:Not unique to open source (on The CVS Cop-Out, Score: 1)
I have made these comments before, but I will make them again:
Windows programs store *almost* all programs in a system repository.
In Windows, there are no rules regarding libraries (which are stored in *ONE* directory) - if your library has the same name as a system library, the original .DLL is overwritten.
In Windows, there is no procedure to rollback a library through multiple versions - you *obviously* have the latest and best version that any user could want. If I install program A, then program B, and do not like program A, it is a crapshoot as to whether I can de-install program A without crashing my system.
In Windows, all programs write configuration data to the SYSTEM REGISTRY!! Some actually show program names, though many use "class ID's". This means that most users cannot remove misbehaving programs from their systems.
In Windows, you cannot install a program locally (for test) since the prevailing culture is that all users are administrators (with access to all system resources).
Supposedly, in Vista, this has been changed. I will believe it when I see it. Until then, I will stick with operating systems which allow me to:
Remove applications by simply deleting the relevant directories, ignore what order applications were installed in and test applications without affecting the stability of my system.
I have been watching this... Some observations:
1) Change does not happen in a vacuum
2) Any problem that a user experiences may or may not be due to an unexpected use of the application
3) Some problems should be foreseen, i.e.: If you have a from and to box, and there is data in the from box, to == end of file, not "application error"
4) All usability testing is important. We used to test any program using inexperienced users (video/audio) with a simulated help desk (also video/audio). No user had prior experience with the software, only the problem *WE* were supposed to solve.
5) True software change management takes time. First, you have to make sure the new release works as well as the current release. Second, you make sure that you have not changed any functionality. Third, do the new features/fixes work the way you thought they would. This is assuming that this has passed the "smell test" (Did I make this change in order to say "New and Improved?").
I have seen many programs that move "File - Preferences - Add Account" to "Options - Add Account" with no increase in functionality (with another short key combination). There was no net gain.
I pull CVS updates when necessary to fix *MY* problem (and test them). Otherwise, unless I pay the developer, I work with *THEIR* schedule. This is as it should be.
I used to work for a defense contractor on classified networks. When we stood up a new lab, there was a briefing for all employees with access (AKA need to know). They were told that the SA's (I was one) were the first line. In other words, if we said no, the answer was to be interpreted as "no way in hell". My group, however, was in the minority (we said no more often than we said yes). Every request was checked into using the NISPOM. Every software request was extensively checked.
Unfortunately, this was the exception rather than the rule. In other areas, the mentality was "that which is not expressly prohibited is allowed", not the DOD/DSS standard of "that which is not allowed is expressly prohibited".
I spent 3+ years fighting management over this issue, despite the fact that any "unusual" request to DSS/DOD went through the 3 people (myself included) who had the respect and trust of the officials who were required to approve the request. I also quashed (on one occasion 3x) requests that violated the rules.
The rules are there. They make sense. They only work when the people on the ground feel they make sense.
I left the environment when the stress of meeting the regulations exceeded the stress of fighting with management.
YMMV
Think earlier than Linux. I used to work for a company that had Ultrix machines (DEC pre-unix o/s). No vi, no sed, no window manager. The apps on the two systems were proprietary, obsolete and undocumented. They were also ABSOLUTELY VITAL to the operations of the affected lab.
Recently AIM was re-enabled as a requirement by one of our Vendors...
WHAT... since when do vendors define what communications methods (other than TCP/IP) can be used to communicate with them. As soon as a potential vendor says to me "you have to enable this IM channel" they are shown the door.
Yes, I did mean "4.01" (my mistake). I worked for a company which was tasked with, among other things, performing a remote (as in cross-country) upgrade from DOS 4.01 to DOS 5.0 as a pilot project. We all (inside the development group) had 6GB drives loaded with 4 different operating systems (2 RTOS's, DOS, and whatever was appropriate for our environment - mine was OS/2).
As an OS/2 programmer, let me respond to some of your comments:
Of course, it would given that it descends from Unix, arguably the dumbest thing ever conceived this side of OS/2. Back when OS/2 was in its 1.3 version (15 years ago), it was being used to control store systems (IBM's 4600 series registers) and end user banking systems (4700 teller terminals and ATMs). When MS-Dos 4.1 came out, when installed or re-installed on a PC with OS/2 installed, it would report "You have OS/2 installed. There may not be enough room to install DOS. Would you like to remove OS/2?". This when installing a single floppy image on a FAT partition with 2+GB free. Together, MS-Dos and Windows 3.1 required less than 5MB to install and run. In addition, I had created a transaction processing system which utilized 3 processes, each running 8 threads, to run an automated dispatch system. One process received dispatch requests and communicated status on an ongoing basis to requestors connected through a VAX. The second opened calls and monitored status on an IBM Mainframe, connected via 3270 controllers. The third kept status updated on DB/2 SQL based databases in 3 locations nationwide. Meanwhile, the company had a NT3.51 testbed which would bluescreen while sitting idle. Which O/S was more capable?
I also had occasion to create an asymmetric multiprocessor complex for doing massively parallel processing. One processor (the control processor) controlled up to 64 others which would each receive a packet for processing through a neural network. This system ran successfully on OS/2 and *nix* systems (not only Linux, but also Solaris on E4K to E10K systems). Which O/S was more capable?
If IBM's sales force had not totally neglected OS/2 (and followed the NEXT model of pricing operating system software) the system would probably still be around. Of course, since you were going to pay for windows on a new PC whether or not you were going to use it, IBM's pricing model priced it out of the end-user market. Keep in mind that, 15 years later, the primary way of repairing a broken windows install is to wipe and reinstall.
The Windows model of placing any and all software in system directories, along with leaving write permission open in same, allows and promotes software which can seriously compromise system operation with no safeguards. The extension of this model (the System Registry) makes removing misbehaving software extremely difficult. The fact that a program which needs to be able to open up a TCP/IP port above 1023 requires system level privileges indicates extremely poor programming practice suited only to a non mission critical system that only one person should use. This describes ALL VERSIONS of Windows to a "T".
Keep in mind that the Chairman of Diebold stated prior to the 2004 election that "we are going to win this one for George Bush"... Diebold is headquartered in Ohio... Go figure...
I do not often weigh in on these sort of threads. However, in this case I might be able to clarify some of the reasons. I am currently working on a similar project in another city of the same size. First, the primary reason for installing wireless access is for public service (Police, Fire, EMS, City Operations). Since the infrastructure is there, and will not be unduly taxed by public access, there is no reason not to provide same. The systems used can easily segregate public, non-secure access (for web-surfing) from encrypted/secure communications. The current mobile terminals (called MDTs or KDTs) in use by PS agencies provide only very low speed communications. Second, the equipment has been provided by companies who see a benefit in providing same. New Orleans has one of the most advanced video surveillance networks in the country, all working over wireless TCP/IP systems. The added equipment provides much in the way of security for all citizens, whether residing in or visiting the city. That infrastructure (including VOIP) was in place well in advance of **ANY** other communications systems in the city and proved a major help in starting the recovery efforts. The only other effective communications structure was provided by Amateur Radio (surprise, surprise, we got involved again).
Let's stop finding ways to criticize separate, parallel initiatives to help a sorely damaged community recover from a major (though not unforeseen) disaster.
Scientific Atlanta makes the cable modems that Cox Business (among others) use. These modems do not include a router, making it very easy for a business to be provided with multiple static addresses.
By far, the best one was what they did with OS/2 (while MS was still heavily invested in Win3.11). OS/2 was my main o/s for day to day stuff, but there were some things I had to test in dos. I reinstalled dos to its 1GB partition (no big thing - one diskette) and the installation procedure said "You have OS/2 installed. There may not be enough space to complete the installation. Would you like me to deinstall OS/2?" Huh...1 diskette is going to eat up 1GB of disk?
Try reading papers which use a feed from AP. I read 4 papers (online or in print). In addition, I look at the news reported on CNN and CBSNews. In *most* cases, I can read the same article, but each stops at a different point in the report. That is why most journalists (yes, even the good ones) cram the meat into the first few graf's and follow with the potatoes for the purists.
The whole thing about licensing (and disclaimers) started in the late '80s. A company sued Lotus regarding a bid they had entered. The premise of the suit was that the spreadsheet allowed them to make an incorrect calculation of their costs (since the software did not catch *their* math error, it must have been defective). Although Lotus won the suit, since then *ALL* software companies include a disclaimer to the effect that they are not responsible for, among other things, your mistakes. It is much, much easier to point at the disclaimer than to try to argue in most courts of law the fine points of cos(6) vs. sin(6) or log(5) vs. log10(5).
All of the above comments are missing the point. When I started in this field (professionally in 1977, as a hobby in 1974), there was a need to write tight, efficient code. As a result, you saw programs written to do one thing right, not include the kitchen sink in a "good enough" way. Now, if a program needs more memory to function (how many people actually use all of the functions available in *Office programs?), the common fix is to throw more memory/disk/whatever at it. Did anyone stop to ask "Do you really need this to do the task at hand?" When you write programs by a) punching up a bunch of cards (not too bad); b) keying the information to a paper tape (make one typo and see what happens); or c) flipping switches on a panel one at a time to store operation codes and data directly into memory (try to find the bug then), you naturally tend to want the program to do ONLY what is necessary for that task to be completed. Now, the preferred way (since we have GUIs instead of KSR33s) is to simply comment out what we don't want.
What I found running maintenance operations at a large, multinational bank, is that the definition of down time is very important. You need to separate "scheduled" down time (patches, preventative maintenance, etc) from unplanned downtime (disk died). Otherwise, you will never get to a reasonable benchmark.