This is a control that takes an url or webpage as input and renders it in a control. Its basically an embeddable web browser. And of course it relies on the Internet Explorer (Trident) rendering engine. I use them, for example, for printing in quick and dirty utility apps. Suppose I've got some data structured as an xml document -- its SOOO easy to just write a quick xsl transform, and push the xml through it to an attractive formatted html/css document and feed it to this control which renders it, and can also print it.
Instant attractive report printing, and as a bonus I've got attractive onscreen display that copes with rezizing etc, the option to save as html/css. or even as an xml/xsl pair. Which makes it easy for someone else to work with the data, and view it attractively.
Contrast with the effort of developing something to print 'manually'. Which just gets me printer output and is a TON more work.
The big handicap though is that I'm basically embedding 'Internet Explorer', and leveraging its features... but I get all its warts too, and have little real control over the rendering.
All stock Web controls provide a protected non-sealed virtual method named "RenderControl" (actually, they all inherit it from their common base class). You can always override that in a derived class, and do what you see fit in your implementation, without any preparsing.
All true, and I'm a big fan of ASP.NET because of this. The only things that really bug me about asp.net rendering output is that:
a) some of the defaults really suck (but can be easily fixed as per above),
b) the fact that they seem to have disowned maintaining the browser-capabilities which is why safari 3 gets treated as 'downlevel' for items like certain menu control configurations when it's more than capable of handling the uplevel code correctly. And worse the company they handed it off to... 'cyscape' has even less interest in maintaining it... no they want me to pay for their product that does it.
If Microsoft wants to support uplevel/downlevel browsers and send custom code to different browsers, that's great. But I shouldn't have to manage this myself except maybe for bleeding edge beta browsers. And I certainly shouldn't have to bloody pay for it.
c) the __VIEWSTATE and a couple other item names that piss off 'html tidy' and don't validate as strict xhtml. I've never found a good way of 'fixing' that. I've seen a few idiotic solutions that run a regex on the incoming requests and outgoing pages to fix it, but that's a stupid performance hit just to get a 'green-checkmark'.
What isn't descriptive about the Graphical Image Manipulation Program?
The fact that its galled 'gimp'!
And few people know what it expands to, apparently that includes even you: From the gimp.org website: "GIMP" is the "GNU Image Manipulation Program" [not "Graphics..."]
Besides most people just see 'gimp' and I assure they are not thinking about manipulating images. gimp means a variety of things... usually with connotations of 'awkward' or 'inept' or 'uncoordinated'. hardly inspiring.
By contrast 'Microsoft Live Messenger' is descriptive, and that's what they call it. If it was called 'MLM' it would be nearly as bad as 'gimp'... and would maybe be mistaken by many to be some sort of multi-level-marketing thing...
Internet Explorer: That's obviously Microsoft's version of traceroute.
At least its related to the internet.
As opposed to Konqueror which is a game to take over the world? Or maybe its not a game? And FireFox? A hunting simulator?
SQL Server Management Studio: It sounds like a paint program of some kind; I think it paints graphs of which managers are in charge of what databases
Well at least we're talking about databases.
As opposed to FlameRobin, some sort of automated troll posting system that seeks and flames anyone who talks about birds?
Photoshop: An online store who is getting its clock cleaned by free services such as flickr.
As opposed to gimp? The window manager that randomly hides, moves, and resizes all the various controls on a window. You also mentioned 'flickr' the apparent website to visit if you want to inducing epileptic seizures.
Windows Live Messenger: That's obvious a watchdog alert for sysadmins. When your Windows system is not live, this program makes your pager vibrate.
Meanwhile the foss crowd has pidgin, some sort of Hawaiian slang dictionary?
Remote Desktop Connection: That's a device driver for some kind of IR keyboard.
As opposed to VNC which if we are lucky enough to guess the correct expansion is still 'virtual network computing' which must be some sort of network simulator for when you don't have a real one handy. Fortunately its available in many flavors... depending on whether you need your 'virtual network' to be 'ultra', 'tight', or perhaps the paradoxical 'real'.
On the other hand, perhaps the bottlenecks are somewhere inside the Rails framework, and the Twitter team thinks that it'd be simpler to move to a new framework than to invest the effort to fix Rails.
That would be the crux of it, as I read it.
The rails framework is aptly named. Its like driving a train. You follow the rails. Its easy, simple, and those are its strengths. But if one day, you decide you want to cut across a field save a few hours of travel, well, you probably shouldn't have chosen 'train' as your mode of transportation.
The simpler and easier a framework is the harder it is to change its behaviour in ways the designers didn't expect. Its like using Microsofts web rendering controls in an application... they are drag and drop simple to use and that's great. But if you want to tweak them so they handle a particular css element in a different way [read standards compliant way], its not going to happen. The -best- you can hope for is to pre-parse the document to rewrite it in a way that the rendering control will get the appearance right, because you are NOT going to change the rendering behaviour itself easily. Better by far to just switch to a different rendering engine.
Conversely the more robust a framework is, and the more hooks they give you to inject/alter behavior, the more complicated and bug-prone it is to develop with.
Rails is a trade off... great when it fits what you need, abysmal when it doesn't. And rails in particular from what I've heard is especially frustrating when its 'oh-so-close-but-not-quite' what you need.
You're the only one that said "good names". The GP said "doublespeak". There is a difference.
Fair comment.
But that just underscores the whole issue that half the oss community explicitly disagrees with calling linux GNU/Linux. A FUD spreading cynic might even think it odd that half the community wants to lose the part about saying its 'not unix'. Hmmmm.:)
But actually, this gets even more deliciously ironic when you realize that "GNU/Linux" really represents the pairing of the 'gnu' userland, and the 'linux' kernel... so all we're claiming is that the GNU userland is 'not unix'... but what about linux?
To put it in the OP's words:
GNU stands for "gnu's not unix". Ergo, linux is not unix.
This is an elementary logical fallacy. Because GNU isn't Linux. And we're not claiming squat about Linux. And indeed, by calling it 'Linux' we are very deliberately associating it with Unix. We could have called it something else... linos, oslin, linKernel, LinK... but no we chose 'Linux'.
Talk about doublespeak. That's at least on par with OOXML if you ask me.
The fundamental problem with captcha's is that they are using computers to come up with problems for humans. If a computer can come up with the problem, a computer can come up with the solution.
Captcha's so far are relying on a human strengths at visual perception, edge finding, pattern recognition, etc to retrieve distorted data. But these are simply processing issues. And computers will eventually solve them all.
The proposals for 'better captchas' revolve around the idea of having more complex problems of semantics and meaning. But the issue there is that machines can't generate such problems. And human's don't want to be bothered with it, so the problem set ends up being quite small, and falls easily to a dictionary attack.
I think the solution will ultimately be based in encryption. We need problems that are just plain hard for anybody, all the time. And crypto satisfies that. We'll sign messages with keys.
To preserve anonymity, some sort of reputation system and chain of trust could step up. You get people with good reputations to sign your key, and you in turn sign other people's keys. You'll be reluctant to sign keys that you don't think are really people because the reputation system will reward you if the keys you sign develop good reputations themselves, or punish your key if its been found to have signed keys for bots etc.
Not all keys need be anonymous, and some could be 'verified by Verisign as a real person' etc. Of course such a key would still be subject to the reputation system, and subject to key revocation if it gets handed over to a bot-script or something... but it would get a bonus to reputation at the start.
A disadvantage is that all your posts anywhere would be linked to each other. So even if not linked to you, they would be linked to each other. They'd have to be for a reputation system to work.
You could get true anonymity - by having a 'good reputation' key, and a distributed 'tor-like' service that will take your 'good reputation' key as input, and return a one-time use key that's signed by the 'tor-like' service. The service would keep track only that it had issued a key for your 'good reputation key', not which key it had issued. So someone could only track the post back to 'tor-like service'.
The reason it would record that it had issued a key for you, would be to limit you to 10 one time keys per day or something. So that you couldn't blow spam through the service... or at least... very little spam.
Probably not perfect, and I'm just thinking off the top of my head... but it seems like an approach that could work.
GNU/Linux, unlike products released by Microsoft (Such as OPENXML), tend to have names which are not doublespeak. This practice of not praciticing doublespeak is also adopted by the Free Software Foundation.
What a load. You tell me which products tell you what they do:
Internet Explorer SQL Server Management Studio Photoshop Windows Mail Windows Live Messenger Remote Desktop Connection Adobe Acrobat Reader
I could go on all day. Sure there are plenty of bad proprietary names, and lots of descriptive OSS names, but suggesting that a characteristic of open source projects is good names is utterly laughable.
it's that she was planning on producing a similar encyclopedia herself, with all the proceeds going to charity,
Does it matter one iota what she claims she was planning on doing with the money?
That seems a blatant sympathy grab.
And indeed, there is NOTHING stopping her from producing her own version of the encyclopedia. She can even put a big sticker on it that says its the 'official jk rowlings one' and that 'all proceeds go to charity' on it.
And remember, in this case, the goal really is not to retrieve the password, but merely to use it. If one were to visit gmail using his computer, and his password was saved, it really doesn't matter if you can find out what the password actually is. As long as firefox fills his credentials when I visit the gmail page I'm still into the account -- which in this case is all that matters.
But his computer is one thing, various services another. To get into his personal files may not be so hard and are probably possible to do, to get into various services probably not. I really hope they don't honor such requests actually.
1) Once you've got his computer open, there are good odds you'll be able to find the passwords on it. Especially given how many people just have IE/Firefox save them. But also possibly stored in a file. Or in his 'address book'. etc.
2) Once you've got his computer open, there are good odds you'll be able to use automated password recovery services to obtain the password. Often they just send an email with a link to another account. So if you have access through his computer to his 'main' email account, the rest fall down like dominos.
Does it mean, you don't even have to reboot? If it is true, that means there are back doors.
Quite the contrary. Think about it. If you are using EFS, and have already logged in, authenticated, and so on... and then someone plugs in a USB drive with some command line tools... say...something like grep for example, and a fancy gui for it.
Then they'd plug in the usb key, open it from my computer (or more often it autoruns)... then they do push some simple buttons in the gui... and grep gets sent out to do a system wide scan for...
porn, password, child, etc, etc... some other utility scans the IE folder for saved passwords some other utility does... whatever.
If they had seized the PC, and shut it off. They'd be screwed. The contents of the hard drive are encrypted and basically untouchable because they don't have any keys. They'd have to brute force your login, which, if the security policy and passphrase were set up correctly could take decades.
If you read the press release from Microsoft about COFEE, which I linked elsewhere in this thread already, the device just automates a bunch of stuff a computer forensics expert can ALREADY do, but the device saves considerable time and requires less expertise to use.
I'm sure some slashdotter will end up with a COFEE soon enough, especially if they are being distributed the way they are... and we'll all see exactly what it does. I'm pretty sure we're not going to find any "HOLY CRAP I CAN'T BELIEVE THEY DID THAT" revelations in it.
But seriously, who wants to be managing something with a GUI under Windows, when you could be SSHing in and changing all the settings.
Yeah, that's why all those cpanel and webmin products are so unpopular. Oh wait... they are extremely popular. Hmmm... maybe people do want this.
I know I do... I like to be able to ssh and change all the settings. But I also like being able to flip a checkbox on a form when I just need to change one setting, or even better, delegate flipping that setting to somebody much less tech savvy than me... and without worry that one typo can bork the entire [whatever].
Choice is good. Competition is good. We're not losing anything here so what's the problem?
Aren't those related? In order for one person to download music, someone else has to distribute it.
True but you have to charge the correct person. And when you charge someone with distribution, you have to well, prove, they did in fact distribute it.
"COFEE, a preconfigured, automated tool fits on a USB thumb drive. Prior to COFEE the equivalent work would require a computer forensics expert to enter 150 complex commands manually through a process that could take three to four hours. With COFEE, you simply plug into a running computer to extract the data with the click of one button --completing the work in about 20 minutes."
Its little more than an automated tool that can be run by 'joe-beat-cop' instead of sending a forensics computer expert along. It doesn't do anything that couldn't already be done.
Turns out I can do one better. From an actual press release from Microsoft:
"COFEE, a preconfigured, automated tool fits on a USB thumb drive. Prior to COFEE the equivalent work would require a computer forensics expert to enter 150 complex commands manually through a process that could take three to four hours. With COFEE, you simply plug into a running computer to extract the data with the click of one button --completing the work in about 20 minutes."
Its little more than a preconfigured, automated tool, that does stuff that could already be done, but makes it easier, and is something joe-beat-cop can use instead of bringing a computer expert along.
Which implies that the tool can extract data from a RUNNING MACHINE. The issue at hand is: Do we now trust Windows cryptography?
It *implies* no such thing.
If the machine is running, logged in, and so on, then all the locks are already open, and you can just run tools to scan the disk. For example, the usb device may simply be to let law enforcement run 'standardized tools' in a standardized way without having to install software etc. No different than running a copy of firefox with custom plugins etc from a usb drive when using a public pc for example.
This might just makes it so joe-average-cop can do a file search via a simplified and standardized interface without having to do much else.
It would be interesting to know if this device will even unlock a PC that is 'locked'.
True, it says it can 'decrypt passwords', but that's almost worthless. Does it mean it recover my saved email password for social networking site/ free webmail service/ etc from Internet explorer's saved passwords feature? Or that it can recover my EFS passphrase?
One is considerably more serious/meaningful than the other. The article really doesn't say anything of real value. Anyone using the security features of windows should want to know more, but shouldn't panic yet.
Of course, your trust quotient may be much higher than mine.
My trust quotient is quite low. But my paranoia quotient is fairly low too.
I think its already been engineered around. Something -else- in the system will generally break down long before the flash media is toast.
Flash chips with 300,000 write cycles are common, and currently the best flash chips are rated at 1,000,000 write cycles per block (with 8,000 blocks per chip). Now, just because a flash chip has a given write cycle rating, it doesn't mean that the chip will self-destruct as soon as that threshold is reached. It means that a flash chip with a 1 million Erase/Write endurance threshold limit will have only 0.02 percent of the sample population turn into a bad block when the write threshold is reached for that block.
The better flash solid state flash drive manufacturers have two ways to increase the longevity of the drives: First, a "balancing" algorithm is used. This monitors how many times each disk block has been written. This will greatly extend the life of the drive. The better manufacturers have "wear-leveling" algorithms that balance the data intelligently, avoiding both exacerbating the wearing of the blocks and "thrashing" of the disk: When a given block has been written above a certain percentage threshold, the solid state flash drive will (in the background, avoiding performance decreases) swap the data in that block with the data in a block that has exhibited a "read-only-like" characteristic.
Second, should bad blocks occur, they are mapped out as they would be on a rotating disk. With usage patterns of writing gigabytes per day, each flash-based solid state flash drive should last hundreds of years, depending on capacity.
If the government actually had a backdoor to Windows encyrption, it would only be valuable if they kept it a secret.
If it existed, and the keys to using it will be passed around to low level law enforcement flunkies, it will be a -very- short time before anyone who wants one (or at least a copy of one) will have one.
At which point Windows EFS is completely worthless because ANYONE can hack it. It will be the new WEP. Anyone who wants security will use something else. And Microsoft is left with a technology nobody wants, nobody who actually cares about security will use, and they'll either have to fix it, or let 3rd party products take the market. Its a big lose for Microsoft.
I'm not saying EFS isn't about to become the next WEP, but its not likely. Of course, anyone using EFS (or any other encryption) should always stay abreast of the news surrounding its security. In this case, I'm sure we'll have first hand information about just what this key can and can't do shortly, and we can pass judgement then.
But until we find out more don't panic. Its premature to abandon EFS based on this article.
If your 2500 IOs/s hit the same sector, your server SSD is fried in 7 min.
One would think that would actually be an ideal scenario. Your cache hits would be through the roof. Even if it wrote the sector back to the flash drive once every 2 seconds, that would be 5000 IO's worth of updates in one write op.
Factor in drive wear leveling (so that it moves the data sector around on the empty space on the physical disk rather than in the same physical place each time), and the disk would probably last nearly forever.
Its actually had it since windows 2000 in their non-home products. It uses public key encryption, and by all accounts is a perfectly good implementation. There is a conspiracy theory that there is an NSA backdoor, but its little more than an unsubstantiated rumor.
This is talking about breaking the encryption on Windows passwords which is a lot easier.
The weakness of EFS is indeed the Windows passwords itself, which are often "a lot easier" to break. However, there are several 'modes' that the windows passwords can be stored in and only the more basic (and default) modes are easy, and a good password combined with the appropriate security policies results in a respectably safe encryption solution. (e.g. no linux live CD tools that I'm aware of has -ever- been able to recover or reset a password and get the encrypted files back.)
And I seriously doubt the new ms usb tool can either. Unless the NSA backdoor really existed... but even then I doubt they'd let joe-law-enforcement have access to it and tip their hand that it really existed. (in the unlikely event that it actually did exist).
So, the sheer fact that there is a device that can do this also means that anybody can do this because the methods are in place for bypassing security. It's only a matter of time before someone spends enough energy to develop a device that can do this (outside of Microsoft).
No. The ONLY question that is of any interest is whether or not this device actually has a back door to Windows encryption. Somehow I seriously doubt that it does. Its probably little more than a bootable drive with NTFS support, and some tools. If you've got a password on your login, it doesn't mean you are using encryption. And this tool probably just lets you get straight to searching the -unencrypted- disk without cracking the login, or without pulling the drive and installing it somewhere else to scan through.
The implications of a device like this are scary to say the least. Although I'm not a Microsoft hater, this alone is more than enough to make me take a second look at options other than Microsoft Windows.
I suspect your average Linux LiveCD Recovery Disk has all the same tools on it. MS is just getting on board with their own version, to remove another area, where, right now, you have to use Linux. If that's the case the implications aren't scary at all.
And this whole are article is pure FUD.
Unless they've provided a back door to the encryption. That is the -only- question. But I really doubt they have.
Actually, according to most accounts Linux comes from:
"Linus' Minux" = Linux.
Linus is of course Linus Torvalds.
Minix is a 'Unix-like' operating system whose name apparently itself derives from: Minimal Unix.
Of course, Minix isn't "really" unix either... it was written to be a teaching OS, an inexpensive clone of unix.
The rest of your post is sound, but this particular snippet is simply technically incorrect, assuming we're talking about ASP.NET.
That would be an incorrect assumption. I was actually referring to a winforms web browser control:
e.g.
http://msdn.microsoft.com/en-us/library/2te2y1x6.aspx
This is a control that takes an url or webpage as input and renders it in a control. Its basically an embeddable web browser. And of course it relies on the Internet Explorer (Trident) rendering engine. I use them, for example, for printing in quick and dirty utility apps. Suppose I've got some data structured as an xml document -- its SOOO easy to just write a quick xsl transform, and push the xml through it to an attractive formatted html/css document and feed it to this control which renders it, and can also print it.
Instant attractive report printing, and as a bonus I've got attractive onscreen display that copes with rezizing etc, the option to save as html/css. or even as an xml/xsl pair. Which makes it easy for someone else to work with the data, and view it attractively.
Contrast with the effort of developing something to print 'manually'. Which just gets me printer output and is a TON more work.
The big handicap though is that I'm basically embedding 'Internet Explorer', and leveraging its features... but I get all its warts too, and have little real control over the rendering.
All stock Web controls provide a protected non-sealed virtual method named "RenderControl" (actually, they all inherit it from their common base class). You can always override that in a derived class, and do what you see fit in your implementation, without any preparsing.
All true, and I'm a big fan of ASP.NET because of this. The only things that really bug me about asp.net rendering output is that:
a) some of the defaults really suck (but can be easily fixed as per above),
b) the fact that they seem to have disowned maintaining the browser-capabilities which is why safari 3 gets treated as 'downlevel' for items like certain menu control configurations when it's more than capable of handling the uplevel code correctly. And worse the company they handed it off to... 'cyscape' has even less interest in maintaining it... no they want me to pay for their product that does it.
If Microsoft wants to support uplevel/downlevel browsers and send custom code to different browsers, that's great. But I shouldn't have to manage this myself except maybe for bleeding edge beta browsers. And I certainly shouldn't have to bloody pay for it.
c) the __VIEWSTATE and a couple other item names that piss off 'html tidy' and don't validate as strict xhtml. I've never found a good way of 'fixing' that. I've seen a few idiotic solutions that run a regex on the incoming requests and outgoing pages to fix it, but that's a stupid performance hit just to get a 'green-checkmark'.
-cheers
What isn't descriptive about the Graphical Image Manipulation Program?
The fact that its galled 'gimp'!
And few people know what it expands to, apparently that includes even you:
From the gimp.org website: "GIMP" is the "GNU Image Manipulation Program"
[not "Graphics..."]
Besides most people just see 'gimp' and I assure they are not thinking about manipulating images. gimp means a variety of things... usually with connotations of 'awkward' or 'inept' or 'uncoordinated'. hardly inspiring.
By contrast 'Microsoft Live Messenger' is descriptive, and that's what they call it. If it was called 'MLM' it would be nearly as bad as 'gimp'... and would maybe be mistaken by many to be some sort of multi-level-marketing thing...
Brilliant :)
Internet Explorer: That's obviously Microsoft's version of traceroute.
At least its related to the internet.
As opposed to Konqueror which is a game to take over the world? Or maybe its not a game? And FireFox? A hunting simulator?
SQL Server Management Studio: It sounds like a paint program of some kind; I think it paints graphs of which managers are in charge of what databases
Well at least we're talking about databases.
As opposed to FlameRobin, some sort of automated troll posting system that seeks and flames anyone who talks about birds?
Photoshop: An online store who is getting its clock cleaned by free services such as flickr.
As opposed to gimp? The window manager that randomly hides, moves, and resizes all the various controls on a window. You also mentioned 'flickr' the apparent website to visit if you want to inducing epileptic seizures.
Windows Live Messenger: That's obvious a watchdog alert for sysadmins. When your Windows system is not live, this program makes your pager vibrate.
Meanwhile the foss crowd has pidgin, some sort of Hawaiian slang dictionary?
Remote Desktop Connection: That's a device driver for some kind of IR keyboard.
As opposed to VNC which if we are lucky enough to guess the correct expansion is still 'virtual network computing' which must be some sort of network simulator for when you don't have a real one handy. Fortunately its available in many flavors... depending on whether you need your 'virtual network' to be 'ultra', 'tight', or perhaps the paradoxical 'real'.
cheers.
On the other hand, perhaps the bottlenecks are somewhere inside the Rails framework, and the Twitter team thinks that it'd be simpler to move to a new framework than to invest the effort to fix Rails.
That would be the crux of it, as I read it.
The rails framework is aptly named. Its like driving a train. You follow the rails. Its easy, simple, and those are its strengths. But if one day, you decide you want to cut across a field save a few hours of travel, well, you probably shouldn't have chosen 'train' as your mode of transportation.
The simpler and easier a framework is the harder it is to change its behaviour in ways the designers didn't expect. Its like using Microsofts web rendering controls in an application... they are drag and drop simple to use and that's great. But if you want to tweak them so they handle a particular css element in a different way [read standards compliant way], its not going to happen. The -best- you can hope for is to pre-parse the document to rewrite it in a way that the rendering control will get the appearance right, because you are NOT going to change the rendering behaviour itself easily. Better by far to just switch to a different rendering engine.
Conversely the more robust a framework is, and the more hooks they give you to inject/alter behavior, the more complicated and bug-prone it is to develop with.
Rails is a trade off... great when it fits what you need, abysmal when it doesn't. And rails in particular from what I've heard is especially frustrating when its 'oh-so-close-but-not-quite' what you need.
You're the only one that said "good names". The GP said "doublespeak". There is a difference.
:)
Fair comment.
But that just underscores the whole issue that half the oss community explicitly disagrees with calling linux GNU/Linux. A FUD spreading cynic might even think it odd that half the community wants to lose the part about saying its 'not unix'. Hmmmm.
But actually, this gets even more deliciously ironic when you realize that "GNU/Linux" really represents the pairing of the 'gnu' userland, and the 'linux' kernel... so all we're claiming is that the GNU userland is 'not unix'... but what about linux?
To put it in the OP's words:
GNU stands for "gnu's not unix". Ergo, linux is not unix.
This is an elementary logical fallacy. Because GNU isn't Linux. And we're not claiming squat about Linux. And indeed, by calling it 'Linux' we are very deliberately associating it with Unix. We could have called it something else... linos, oslin, linKernel, LinK... but no we chose 'Linux'.
Talk about doublespeak. That's at least on par with OOXML if you ask me.
-cheers
The fundamental problem with captcha's is that they are using computers to come up with problems for humans. If a computer can come up with the problem, a computer can come up with the solution.
Captcha's so far are relying on a human strengths at visual perception, edge finding, pattern recognition, etc to retrieve distorted data. But these are simply processing issues. And computers will eventually solve them all.
The proposals for 'better captchas' revolve around the idea of having more complex problems of semantics and meaning. But the issue there is that machines can't generate such problems. And human's don't want to be bothered with it, so the problem set ends up being quite small, and falls easily to a dictionary attack.
I think the solution will ultimately be based in encryption. We need problems that are just plain hard for anybody, all the time. And crypto satisfies that. We'll sign messages with keys.
To preserve anonymity, some sort of reputation system and chain of trust could step up. You get people with good reputations to sign your key, and you in turn sign other people's keys. You'll be reluctant to sign keys that you don't think are really people because the reputation system will reward you if the keys you sign develop good reputations themselves, or punish your key if its been found to have signed keys for bots etc.
Not all keys need be anonymous, and some could be 'verified by Verisign as a real person' etc. Of course such a key would still be subject to the reputation system, and subject to key revocation if it gets handed over to a bot-script or something... but it would get a bonus to reputation at the start.
A disadvantage is that all your posts anywhere would be linked to each other. So even if not linked to you, they would be linked to each other. They'd have to be for a reputation system to work.
You could get true anonymity - by having a 'good reputation' key, and a distributed 'tor-like' service that will take your 'good reputation' key as input, and return a one-time use key that's signed by the 'tor-like' service. The service would keep track only that it had issued a key for your 'good reputation key', not which key it had issued. So someone could only track the post back to 'tor-like service'.
The reason it would record that it had issued a key for you, would be to limit you to 10 one time keys per day or something. So that you couldn't blow spam through the service... or at least... very little spam.
Probably not perfect, and I'm just thinking off the top of my head... but it seems like an approach that could work.
GNU/Linux, unlike products released by Microsoft (Such as OPENXML), tend to have names which are not doublespeak. This practice of not praciticing doublespeak is also adopted by the Free Software Foundation.
... ...
What a load. You tell me which products tell you what they do:
Internet Explorer
SQL Server Management Studio
Photoshop
Windows Mail
Windows Live Messenger
Remote Desktop Connection
Adobe Acrobat Reader
or their FOSS equiv's..
Firefox / Konqueror / IceWeasel...
pgAdmin III / FlameRobin
gimp
Thunderbird / Evolution
Pidgin / Gaim
TightVNC / FreeNX
Evince
I could go on all day. Sure there are plenty of bad proprietary names, and lots of descriptive OSS names, but suggesting that a characteristic of open source projects is good names is utterly laughable.
it's that she was planning on producing a similar encyclopedia herself, with all the proceeds going to charity,
Does it matter one iota what she claims she was planning on doing with the money?
That seems a blatant sympathy grab.
And indeed, there is NOTHING stopping her from producing her own version of the encyclopedia. She can even put a big sticker on it that says its the 'official jk rowlings one' and that 'all proceeds go to charity' on it.
And remember, in this case, the goal really is not to retrieve the password, but merely to use it. If one were to visit gmail using his computer, and his password was saved, it really doesn't matter if you can find out what the password actually is. As long as firefox fills his credentials when I visit the gmail page I'm still into the account -- which in this case is all that matters.
But his computer is one thing, various services another. To get into his personal files may not be so hard and are probably possible to do, to get into various services probably not. I really hope they don't honor such requests actually.
1) Once you've got his computer open, there are good odds you'll be able to find the passwords on it. Especially given how many people just have IE/Firefox save them. But also possibly stored in a file. Or in his 'address book'. etc.
2) Once you've got his computer open, there are good odds you'll be able to use automated password recovery services to obtain the password. Often they just send an email with a link to another account. So if you have access through his computer to his 'main' email account, the rest fall down like dominos.
Does it mean, you don't even have to reboot? If it is true, that means there are back doors.
Quite the contrary. Think about it. If you are using EFS, and have already logged in, authenticated, and so on... and then someone plugs in a USB drive with some command line tools... say...something like grep for example, and a fancy gui for it.
Then they'd plug in the usb key, open it from my computer (or more often it autoruns)... then they do push some simple buttons in the gui... and grep gets sent out to do a system wide scan for...
porn, password, child, etc, etc...
some other utility scans the IE folder for saved passwords
some other utility does... whatever.
If they had seized the PC, and shut it off. They'd be screwed. The contents of the hard drive are encrypted and basically untouchable because they don't have any keys. They'd have to brute force your login, which, if the security policy and passphrase were set up correctly could take decades.
If you read the press release from Microsoft about COFEE, which I linked elsewhere in this thread already, the device just automates a bunch of stuff a computer forensics expert can ALREADY do, but the device saves considerable time and requires less expertise to use.
I'm sure some slashdotter will end up with a COFEE soon enough, especially if they are being distributed the way they are... and we'll all see exactly what it does. I'm pretty sure we're not going to find any "HOLY CRAP I CAN'T BELIEVE THEY DID THAT" revelations in it.
But seriously, who wants to be managing something with a GUI under Windows, when you could be SSHing in and changing all the settings.
Yeah, that's why all those cpanel and webmin products are so unpopular. Oh wait... they are extremely popular. Hmmm... maybe people do want this.
I know I do... I like to be able to ssh and change all the settings. But I also like being able to flip a checkbox on a form when I just need to change one setting, or even better, delegate flipping that setting to somebody much less tech savvy than me... and without worry that one typo can bork the entire [whatever].
Choice is good. Competition is good. We're not losing anything here so what's the problem?
Aren't those related? In order for one person to download music, someone else has to distribute it.
True but you have to charge the correct person. And when you charge someone with distribution, you have to well, prove, they did in fact distribute it.
Sorry to attach this to your +5 post but I wanted this to get seen:
http://www.microsoft.com/presspass/features/2008/apr08/04-28CrantonQA.mspx
From the ms press release:
"COFEE, a preconfigured, automated tool fits on a USB thumb drive. Prior to COFEE the equivalent work would require a computer forensics expert to enter 150 complex commands manually through a process that could take three to four hours. With COFEE, you simply plug into a running computer to extract the data with the click of one button --completing the work in about 20 minutes."
Its little more than an automated tool that can be run by 'joe-beat-cop' instead of sending a forensics computer expert along. It doesn't do anything that couldn't already be done.
This all... MUCH ADO ABOUT NOTHING!!
The fine article states:...
Turns out I can do one better. From an actual press release from Microsoft:
"COFEE, a preconfigured, automated tool fits on a USB thumb drive. Prior to COFEE the equivalent work would require a computer forensics expert to enter 150 complex commands manually through a process that could take three to four hours. With COFEE, you simply plug into a running computer to extract the data with the click of one button --completing the work in about 20 minutes."
Its little more than a preconfigured, automated tool, that does stuff that could already be done, but makes it easier, and is something joe-beat-cop can use instead of bringing a computer expert along.
Which implies that the tool can extract data from a RUNNING MACHINE. The issue at hand is: Do we now trust Windows cryptography?
It *implies* no such thing.
If the machine is running, logged in, and so on, then all the locks are already open, and you can just run tools to scan the disk. For example, the usb device may simply be to let law enforcement run 'standardized tools' in a standardized way without having to install software etc. No different than running a copy of firefox with custom plugins etc from a usb drive when using a public pc for example.
This might just makes it so joe-average-cop can do a file search via a simplified and standardized interface without having to do much else.
It would be interesting to know if this device will even unlock a PC that is 'locked'.
True, it says it can 'decrypt passwords', but that's almost worthless. Does it mean it recover my saved email password for social networking site/ free webmail service/ etc from Internet explorer's saved passwords feature? Or that it can recover my EFS passphrase?
One is considerably more serious/meaningful than the other. The article really doesn't say anything of real value. Anyone using the security features of windows should want to know more, but shouldn't panic yet.
Of course, your trust quotient may be much higher than mine.
My trust quotient is quite low. But my paranoia quotient is fairly low too.
http://www.bitmicro.com/press_resources_flash_ssd.php
Why?
Logic.
If the government actually had a backdoor to Windows encyrption, it would only be valuable if they kept it a secret.
If it existed, and the keys to using it will be passed around to low level law enforcement flunkies, it will be a -very- short time before anyone who wants one (or at least a copy of one) will have one.
At which point Windows EFS is completely worthless because ANYONE can hack it. It will be the new WEP. Anyone who wants security will use something else. And Microsoft is left with a technology nobody wants, nobody who actually cares about security will use, and they'll either have to fix it, or let 3rd party products take the market. Its a big lose for Microsoft.
I'm not saying EFS isn't about to become the next WEP, but its not likely. Of course, anyone using EFS (or any other encryption) should always stay abreast of the news surrounding its security. In this case, I'm sure we'll have first hand information about just what this key can and can't do shortly, and we can pass judgement then.
But until we find out more don't panic. Its premature to abandon EFS based on this article.
If your 2500 IOs/s hit the same sector, your server SSD is fried in 7 min.
One would think that would actually be an ideal scenario. Your cache hits would be through the roof. Even if it wrote the sector back to the flash drive once every 2 seconds, that would be 5000 IO's worth of updates in one write op.
Factor in drive wear leveling (so that it moves the data sector around on the empty space on the physical disk rather than in the same physical place each time), and the disk would probably last nearly forever.
Windows doesn't HAVE an encrypted file system...
http://en.wikipedia.org/wiki/Encrypting_File_System
Its actually had it since windows 2000 in their non-home products. It uses public key encryption, and by all accounts is a perfectly good implementation. There is a conspiracy theory that there is an NSA backdoor, but its little more than an unsubstantiated rumor.
This is talking about breaking the encryption on Windows passwords which is a lot easier.
The weakness of EFS is indeed the Windows passwords itself, which are often "a lot easier" to break. However, there are several 'modes' that the windows passwords can be stored in and only the more basic (and default) modes are easy, and a good password combined with the appropriate security policies results in a respectably safe encryption solution. (e.g. no linux live CD tools that I'm aware of has -ever- been able to recover or reset a password and get the encrypted files back.)
And I seriously doubt the new ms usb tool can either. Unless the NSA backdoor really existed... but even then I doubt they'd let joe-law-enforcement have access to it and tip their hand that it really existed. (in the unlikely event that it actually did exist).
So, the sheer fact that there is a device that can do this also means that anybody can do this because the methods are in place for bypassing security. It's only a matter of time before someone spends enough energy to develop a device that can do this (outside of Microsoft).
No. The ONLY question that is of any interest is whether or not this device actually has a back door to Windows encryption. Somehow I seriously doubt that it does. Its probably little more than a bootable drive with NTFS support, and some tools. If you've got a password on your login, it doesn't mean you are using encryption. And this tool probably just lets you get straight to searching the -unencrypted- disk without cracking the login, or without pulling the drive and installing it somewhere else to scan through.
The implications of a device like this are scary to say the least. Although I'm not a Microsoft hater, this alone is more than enough to make me take a second look at options other than Microsoft Windows.
I suspect your average Linux LiveCD Recovery Disk has all the same tools on it. MS is just getting on board with their own version, to remove another area, where, right now, you have to use Linux. If that's the case the implications aren't scary at all.
And this whole are article is pure FUD.
Unless they've provided a back door to the encryption. That is the -only- question. But I really doubt they have.
This line of action may come across rather as rather peculiar during court proceedings.
Hopefully by then your lawyer will have arrived. And then its his/her job to talk, not yours.
They seem to be saying that seeing a skinny avatar of yourself can condition you to see that weight change is possible & attainable.
And the guy playing a giant troll? (Guess that would be an EQ Troll not a WoW Troll...)
Follow your dreams. You can reach your goals, I'm living proof...Beefcake, BEEFCAKE!
OK, now try to touch-type while you're doing something else and not looking at the screen.
I can't do that effectively on anything but a regular keyboard. Blackberry, Palm, iPhone... I have to look at the keyboard on all of them...