Slashdot Mirror


User: Schraegstrichpunkt

Schraegstrichpunkt's activity in the archive.


Comments · 2,694

  1. KDE and GPLv3 on KDE and KOffice Rebuke OOXML, GNOME Dithers · · Score: 1

    Will the GNOME Foundation's indifferent response to Richard Stallman's appeal drive him to throw his weight behind KDE?

    Not likely, unless TrollTech (or somebody who buys them out) releases Qt under a license that's compatible with versions of the GPL greater than 2. As it stands, you can't distribute a GPLv3 KDE app, because Qt is licensed as GPLv2-only (and a proprietary licence, which is useless in this context).

  2. Yes, they're "unauthorized"... on RIAA Argues That MP3s From CDs Are Unauthorized · · Score: 1

    ... it's just that the RIAA's "authorization" might not be required for those copies.

  3. Re:he's got a point. on Dvorak Slams OLPC As 'Naive Fiasco' · · Score: 1

    If it's about cheap high-quality education then they should try them in the US where kids graduate without being able to read or do basic math before foisting them on an unsuspecting third world nation. I suspect the results will be less than stellar.

    Like, say, in Birmingham, Alabama?

  4. "Ogg" isn't a codec, anyway on Nokia Claims Ogg Format is "Proprietary" · · Score: 1

    They're severely confused. "Ogg" isn't even a codec. It's a container format that can be used to transport and synchronize Vorbis and Theora streams (as well as other formats, IIRC).

  5. Re:he's got a point. on Dvorak Slams OLPC As 'Naive Fiasco' · · Score: 1

    However which is more useful in a country without internet access, an OLPC or the equivalent cost in books?

    Wikipedia can be (and is, IIRC) downloaded and installed locally on the laptops. How much would it cost to make even a single print copy of the current version of Wikipedia?

    And that's just Wikipedia. There are also the benefits of immersing children in an environment where problem-solving is second-nature to them.

    OLPC isn't about computers, it's about high-quality education on the cheap.

  6. So... on Picture-Sorting Dogs Show Human-Like Thought · · Score: 2, Insightful

    ... the dogs are learning to provide whatever results the higher-ups want them to provide, and are rewarded or punished accordingly?

    Sounds like doing science for the U.S. government.

  7. Re:PDF is nice, but Acrobat ain't on PDF Is Now ISO 32000 · · Score: 1

    I just wish there was something similar on Linux...

    SELinux? iptables? Using free software that doesn't do stupid things like that in the first place?

  8. Re:PDF works on PDF Is Now ISO 32000 · · Score: 1

    If you just want to fix small typos, IIRC, you can decompress the PDF using pdftk, then use a binary-safe text editor (e.g. "vim -b") to edit the text directly, then use pdftk to recompress the PDF (which will also regenerate the index, which has likely been broken by your edits).

    That method is fairly cumbersome, and it won't repaginate the text, but it can be handy sometimes. Also, it demonstrates how easy PDF is to work with as a data format (once it's decompressed, it's mostly text, actually).

  9. Re:Gimme a break on Wireless Keyboard "Encryption" Cracked · · Score: 1

    The only successful attack to date against bluetooth is a brute-force search of the PIN keyspace.

    No. According to Wikipedia, the best attack against the E0 cipher used by Bluetooth is one that requires "the first 24 bits of 2^{23.8} frames and 2^{38} computations to recover the key." That means 14,605,415 frames, or about 7.3 million key-down/key-up message pairs. To put that into perspective, the machine I've been typing on right now has had about 213,000 keypresses in the last 4 days, so in less than 4-6 months, my key would be compromised. I'm a programmer; an employee working in data entry would likely have pressed many more keys in the same time period.

    There are other generic attacks that apply to Bluetooth keyboards, such as the timing attack on keyboard-interactive SSH authentication by Song, Wagner, and Tian. One particularly good way to thwart this attack is to send either real or dummy frames at a constant rate. Unfortunately, this would either destroy interactivity for things like games, or (more likely) increase the average number of frames sent per minute, which would decrease battery life and make it easier for an attacker to get the 2^{23.8} frames he needs for the first attack.

  10. Re:OK so when exactly? on DJB Releases All Source to Public Domain · · Score: 1

    You could switch to postfix.

    And then not be able to run pipe transports as root because Wietse was too uncreative to imagine a scenario where one might legitimately want to, you know, start off as root and then switch to the appropriate user to deliver mail as that user.

    I switched from qmail to postfix a few years ago because qmail was non-free and because qmail would get clogged with bounce messages from joe-jobs. It was not fun, and I still want to switch away from postfix (Sendmail is not a better option). From what I hear, both problems can be solved now.

    Just because postfix has been better than the alternatives doesn't make it good.

  11. Re:Regarding legality on How to Deal With Stolen Code? · · Score: 1

    If you are a programmer making a living by programming, the question to ask is "am I ripping off a fellow programmer?".

    What part of what I wrote excludes that from consideration?

  12. Regarding legality on How to Deal With Stolen Code? · · Score: 3, Informative

    The question to ask is, "If I were sued by the author of this code for copyright infringement, would I have sufficient evidence to defend myself in court?" If the answer is "no", then you shouldn't be distributing the code.

    IANAL; YMMV.

  13. Good analogy on The PHP Anthology 2nd Edition · · Score: 1

    When veteran PHP developers ...

    That's a really good analogy! After writing my fair share of PHP code, and trying to make it behave correctly, I consider writing PHP code to be comparable to fighting in a war.

  14. Re:Avoiding the malloc() on Game Boy Zelda Comes With Source, Sort Of · · Score: 1

    It was, but presumably not writing the zeros was faster, and a faster linker meant faster development time, so compiler/linker developers learned to favour speed over trivial-seeming things like clearing memory.

    If the game developers wanted to zero that memory, they could probably have done it after the linking step was done.

  15. Re:This will be solved quickly on Stalwarts Claim Asus eeePC Violates GPL · · Score: 3, Insightful

    I very much doubt that Asus's modification was made with the intention of exploiting its customers: more likely they are attempting to protect themselves from industrial espionage.

    Tough cookies. If you can't handle the terms of the GPL, then write your own goddamn OS.

  16. Tasers are for special purposes on UN Says Tasers Are a Form of Torture · · Score: 1

    That means that the situation MUST be evaluated to see if the cop would be just as justified in shooting the person.

    Not exactly. If a cop would be justified in shooting the person, then the cop should shoot the person for the cop's own safety.

    Tasers are for cases when, for example, you have a small (e.g. female) cop who needs to take down a guy who is unarmed but huge (and the guy is drunk and won't come peacefully, etc.). Another example would be when a guy is waving a knife around, threatening to kill himself, and the cop reasonably thinks he'll really do it. In both cases, the cop wouldn't really be justified in shooting the person, but would put himself in danger of physical harm to tackle the person.

    Every use of a taser should require the officer to file a use-of-force report, and these reports should be scrutinized. From what I understand, this is already done in some jurisdictions in Canada.

  17. Re:Fortunately... on UN Says Tasers Are a Form of Torture · · Score: 2, Interesting

    Exactly. I think in some jurisdictions, officers are required to file use-of-force reports whenever they use their taser (much like they have to when they point their gun at someone---regardless of whether it's fired). I suspect there's less abuse of tasers in such jurisdictions.

  18. Re:That's heavy... on Why the BBC's iPlayer is a Multi-Million Pound Disaster · · Score: 1

    It was a lie. The true answer was "I don't know", but the BBC rep decided to pull a number out of his ass instead.

  19. Open access on Microsoft Admits XP Has Same Bug As Win2K · · Score: 1

    Or, get it for free from the IACR.

  20. Re:I have to agree with MS on this one... on Microsoft Admits XP Has Same Bug As Win2K · · Score: 1

    I was wondering where all the apologists have gone?

    They're the ones who are now claiming that you need to have admin access on a machine to exploit this bug. If it's true that any user can debug its own processes, then this claim is simply wrong.

  21. Re:stupid on Microsoft Admits XP Has Same Bug As Win2K · · Score: 1

    I'm pretty sure you don't need admin access to do damage with this bug. All you need to do is to read the memory of a process (say, firefox.exe) that's using the RNG, since a lot of the state is held in user space, and it's not updated very often (like once every 128 KiB of RNG output!).

  22. It's not about hard disk encryption on Microsoft Admits XP Has Same Bug As Win2K · · Score: 2, Informative

    CryptGenRandom is supposed to be the Windows-equivalent of /dev/urandom. Except it's not, because of this design flaw. The implications of this extend far beyond encrypted NTFS volumes.

    For example, an attacker can passively monitor a network of Windows machines, wait for one of them to do something interesting (like connect via SSL to www.paypal.com), then actively compromise those selected machines later, and gain enough information to decrypt the captured SSL sessions.

    Basically, if you encrypt something sensitive, before some spyware gets installed on your Windows machine---or after it's removed---the random data used for the encryption (including stuff like SSH session keys) is likely to be compromised (except perhaps in cases where you've rebooted or restarted the requisite processes in the meantime).

    Do not underestimate the severity of this bug.

  23. Hand-waving "security" theatre on DNS Server Survey Reveals Mixed Security Picture · · Score: 1

    But in other dimensions, DNS practices showed little improvement from a security point of view. Hardly anyone is using DNSSEC; and 31% of nameservers allow promiscuous zone transfers, a number little changed from last year.

    Internet-visible DNSSEC improves security how, exactly, if the top-level domains don't support it?

    Oh, and some of us allow "promiscuous zone transfers" because the only information we make publicly available in the DNS is information that is, you know, public.

    Good security involves making sure that legitimate users don't get a false sense of security. One way to do that is to avoid providing features that look like they provide strong confidentiality or integrity without actually doing so.

  24. Re:Yeah, well show me a PSK solution for browsers. on Spying On Tor · · Score: 1

    Or by "single point of failure" are you implying that a CA will have its private key STOLEN by private crooks?? The latter would be a really stupid assumption to make, esp since they can revoke stolen keys.

    Ha. Hahahahahahaha. Certificate revocation is completely useless in today's browsers. Here is one reference that's pretty old, but I'm sure you can find newer stuff if you actually research this.

  25. Re:Uh? on What to Protect in Open Source Software · · Score: 1

    Personally I think it made Debian look stupid

    Please. Go research what actually happened, then please tell us all what you think Debian's options were, realistically. The Mozilla Foundation was the one that suddenly said, "you can't use our trademarks anymore".