Slashdot Mirror


User: Firehed

Firehed's activity in the archive.

Stories: 0
Comments: 3,347

Comments · 3,347

  1. Re:iPhone Femto and iPhone Shuffle on iPhone Nano To Be Launched By Christmas? · · Score: 1

    You mean the gag image in the original iPhone Stevenote?

  2. Re:One Question on Mozilla SSL Policy Considered Bad For the Web · · Score: 1

    Well unless you want to start going to https://72.14.207.99/ I suggest you propose a better solution. (incidentally, Google's cert only cares for google.com and not their IP)

    Most self-signed certs are, in fact, not MITM attacks but just cheap site owners. It may not rule out DNS poisoning or any of that crap, but at least you know nobody's going to snag your login credentials through that open WiFi.

  3. Re:Even more fail than it looks on Chinese Restaurant Suffers Large Translation Error · · Score: 1

    As in, pronounced "canteen"? That's definitely used as slang for the cafeteria in some places (namely all of France, if my old lessons are treating me well).

  4. Re:Great, but it is not... on Chinese Restaurant Suffers Large Translation Error · · Score: 1

    SQL and ASCII tend to be the exception to the rule. In any case, neither contains numerals. I think that whole 'l8r' trend died off.

  5. Re:...and you call yourselves nerds? on Source Claims 240K Kindles Sold · · Score: 1

    That's true in some markets, but in typical day-to-day use, k=thousand and M=million. There's only one other time I can recall 'MM' being used for million, and it was also in the context of sales/revenue.

    It's like "milliard" - not technically wrong, but you'll confuse the fuck out of most people with it.

  6. Re:Usability is a matter of opinion on How To Fix the Poor Usability of Free Software · · Score: 1

    No, most programmers can design an architecture. Most programmers can create an interface that's functional at some level. At least among most Windows and Linux software, it seems that there's a rare few that can make software that's easy to use for its primary purpose and accessible/customizable enough to deal with those down-and-dirty tasks (OS X programmers tend to be better this way; I'm sure it's partly cultural, but they also understand how important consistency is between apps and how Fucking Annoying it is when you come across a non-conforming app).

    Don't get me wrong - most half-decent programmers can implement someone else's design with no problem (that's what you meant by 'inspiration', right?). That's not being a designer. A good designer can start with nothing and create an attractive and easy-to-use interface. With very rare exception, programmers throw too many options and preferences in the user's face and make an overwhelming, hard-to-use interface. And that's the crux of the problem.

    Unfortunately for the Free software community, the majority of good UI designers are off getting paid well by Apple. I think Microsoft may even be bringing someone who understands UI on board soon.

  7. Re:One Question on Mozilla SSL Policy Considered Bad For the Web · · Score: 1

    You're right. I somehow mistranslated the MITM attack to a hijacked box and/or some sort of redirect where the accountant would never actually communicate with the intended server.

    It's Monday morning and I hadn't had any coffee yet.

  8. Re:As I understand it... on Error-Proofing Data With Reed-Solomon Codes · · Score: 1

    Well at a 1GB target size, I'm sure you'll encounter a number of hash collisions. But of all of the n arbitrary streams of bits that will hash down to whatever, I'd be very surprised to find more than one that would actually result in files that any software could open. Even if you had a hundred to pick from, you're in a situation where a human can figure out the rest (or be treated to some very unusual porn).

    That's not entirely unlike the decentralized tracker system Bit-torrent clients have implemented of late. You pass them magnet://some md5 hash link, it pings a bunch of nodes in the network if anyone in the swarm has a torrent that hashes down to that hash, and once it finds it, starts the downloads as normal. It's not brute-force reconstruction, but it is creating files from a tiny hash. This is where the beauty of the general lack of hash collisions between non-arbitrary chunks of data shows itself.

  9. Re:One Question on Mozilla SSL Policy Considered Bad For the Web · · Score: 1

    This is why I like how my bank handles their online banking. Beyond the SSL cert (which ironically has some missing info causing a blue rather than green info pane in FF3), their login system is a two-stage thing. I give them a username alone, they send me back an image and phrase that I set when creating the account in addition to the password field. If the image or phrase is wrong, then I know something is up.

    Infallible? Of course not. But it makes me feel a HELL of a lot better than AmEx, which (aside from their awful interface) does the typical login interface, but upon sign-up forced my password to have between 6 and 8 characters and I still haven't found the link to change the password. Why anyone would EVER limit a password to any maximum size is well beyond my scope of understanding, let alone one of the world's largest financial companies. Given that approach, I wouldn't be entirely surprised to find a VARCHAR(8) `password` field in their database.

  10. Re:One Question on Mozilla SSL Policy Considered Bad For the Web · · Score: 2, Insightful

    Firefox 3 already does this, to a degree. Plaintext (http) has a white address bar and favicon. Unverified certs change the favicon to a blue background, and verified (example) turns it green. On any of them, you can click the favicon to get expanded details.

    The problem is that it's not especially obvious, and that it has very little meaning to most people even if they do notice. The only way that people will notice without a doubt is to make self-signed certs as obtrusive as they currently are - block the page entirely and proceed on if you allow an override. That doesn't fix it having little or no meaning to most people, but that's an entirely separate issue.

  11. Re:One Question on Mozilla SSL Policy Considered Bad For the Web · · Score: 1

    No. The accountant doesn't have the documents for the man in the middle to intercept (this is a one-way thing, from the poster's description), and obviously he wouldn't find them by connecting to a hijacked server. The most that a MITM attack could gain for the attacker is what files the accountant is looking for provided that this was set up as some odd search-based system rather than some equivalent of a directory listing. On the other side, the man in the middle COULD intercept documents that you're *putting on* the server if the box/cert became compromised.

  12. Re:yeah, use rsync. on Online Website Backup Options? · · Score: 1

    A lot of cheap hosts don't allow for SSH/SCP connections.

  13. Re:Why not use Suso? on Online Website Backup Options? · · Score: 1

    That RSS approach is, quite frankly, brilliant. Care to share the source?

  14. Re:As I understand it... on Error-Proofing Data With Reed-Solomon Codes · · Score: 2, Interesting

    From what I've read and heard, ZFS is designed to pretty much be the last filesystem we'll ever need. I'm pretty sure they've considered hash collisions with regards to data integrity.

    Also consider that you probably won't need to reconstruct the entire sector, but only a few bits from it. If there was some sort of insane scenario where you had to reconstruct a complete 1GB block from a single MD5 hash... (ie, "here's an MD5 hash. Give me a sequence of 1073741824 bytes to make it") well it's technically possible, though the electric bill for your server farm may piss off more than a few treehuggers. On the other hand, if you had only a few bytes that needed repair, brute-force reconstruction, while still time-consuming, suddenly becomes more feasible. I always wonder why I can't apply this kind of logic to torrents with that one file stuck at 99.98%...

    I'm sure that kind of thing is largely irrelevant with ZFS as it's designed to be somewhat more efficient, but you get the point.

  15. Re:Interesting on Error-Proofing Data With Reed-Solomon Codes · · Score: 1

    Bit-torrent?

    No seriously. I don't know a whole lot about network infrastructure (nor do I care, strictly speaking), but there's clearly some sort of error-checking/correcting going on behind the scenes as I'll grab huge disk images that pass verification before they get mounted (ex. iPhone SDK ~ 1.2GB) all the time. Some sort of network-based solution is really ideal for data transfer.

    Of course with residential upload speeds it's often slower than the ol' sneakernet (depends where it's going, how it's getting there, and how much there is), but not unusably so. I'll SSH half-gig files to/from my home system from work all the time. Grabbing them from the house is somewhat of a painful process that'll often run 1/2-1 1/2hr, but oh well.

    Obviously splitting your large disk image into a bunch of smaller rars or whatever you prefer could help with connection disruptions, but data integrity issues are almost never an issue.

  16. Re:Drives already do this on Error-Proofing Data With Reed-Solomon Codes · · Score: 1

    That might be good for music where a near-lossless reconstruction is acceptable, but I'd suggest not drilling holes in your thesis paper, or any other type of data where lossy compression is unacceptable (everything except images, audio and video, basically)

  17. Re:No warrant == not legitimate. on FBI Seizes Library Computers Without Warrant · · Score: 1

    At the expense of everyone else's access. There's a difference between allowing them to ghost the hard drive and walk out with their copy of any relevant data (which I'd say is worse without a warrant, as then nobody even finds out that this has taken place) and removing the system entirely, therefore preventing anyone else from using said system.

  18. Re:No warrant == not legitimate. on FBI Seizes Library Computers Without Warrant · · Score: 1

    Which is why I wonder if this was just a clever social engineering attack. I obviously couldn't be bothered to RTFA, but these days it couldn't be too hard to just show up to any random place looking like you come from the government, make some arbitrary demand, and walk off with hardware or data.

  19. Re:Usability is a matter of opinion on How To Fix the Poor Usability of Free Software · · Score: 4, Interesting

    Mod parent up. The whole source of this problem is that most programmers can't design (or follow UI guidelines), but they think they can. On the flip side, I've seen a lot of designers who can sort of code make some really god-awful programs that look great that are less optimized than doing it by hand.

    I can't design and I know it. But I still know when someone else's design either works or fails utterly, and I'll give the designer props/shit accordingly. Typically, coders are very poor designers and designers are very poor coders. There are the rare exceptions of course, but they're off making too much money to devote time to free software (the single exception that I know of being the designer+developer of Quicksilver).

    Widely-used Free software occasionally picks up enough steam to get some people who can really design on board (read: Firefox), but by and large, Free software tends to be developer-centric, menu-driven apps that work very well if you can figure out how to use them. As a developer I often can, but I still tend to suggest people use the paid equivalent if they ask simply so they don't come back to me every hour asking how to do that next thing.

  20. Re:Do it on Blizzard Tries To Forbid Open Sourcing Glider · · Score: 2, Insightful

    Only because the rockets are designed specifically for use with (only function on?) cars that will only ever be used in the No Rocket Cars Allowed Test Track.

  21. Re:Books? Any written materials? on DHS Allowed To Take Laptops Indefinitely · · Score: 2, Insightful

    That "Fire!" example comes up all the freaking time. Has it ever been tested? At least pre-9/11, I think the worst that would get you is a punch in the face for being a douche bag.

    Though by all means, feel free to correct me.

    Having said that, the first amendment was created to ensure that US citizens could question and challenge the government, not to ruin movies.

  22. Re:Books? Any written materials? on DHS Allowed To Take Laptops Indefinitely · · Score: 2

    The Constitution went to hell in a handbasket quite some time ago.

  23. Re:You wonder? on Citizens Spy On Big Brother · · Score: 1

    Umm... mods? I wasn't joking.

  24. Re:Darkhorse on Review of Sun's Free Open Source Virtual Machine · · Score: 1

    Interesting. Of note, the brand new VMware Fusion 2 beta 2 (ie, came out yesterday) seems to have made a huge improvement for me - while it's still unplayable due to some bizarre interaction with the mouse, the framerate for Far Cry was fine even if it was running in some butt-ugly, presumably DX8 mode. I assume the mouse thing was due, at least in part, to my multi-monitor setup which always seems to confuse fullscreen VM stuff.

  25. Re:You wonder? on Citizens Spy On Big Brother · · Score: 4, Insightful

    If you feel the need to post anonymously, our terrorist government has already won.