I followed a similar path. I started out programming my own little Half-Life server-side mod, and had a great time doing it. I thought it would be fun to do game development professionally, so I went into computer science. As I got to know some older students who had friends in the game industry who hated their jobs, I changed my mind about wanting to be a game developer (though I still took a couple of graphics and game design courses for fun).
About four years ago I built a Linux desktop for around $150. I found a bundle on TigerDirect that had a case, power supply, CPU, motherboard, and a 256 MB stick of RAM for $120 after several rebates (which I managed to collect after a while). I bought another 512 MB of RAM, threw in a graphics card and hard drive from an old box, and I was done for $150 (it would have been under $200 even with the other parts I added). About 2 years later I decided it was underpowered, so I spent a more sizable chunk of change to build a better one.
I assume that given Moore's law I could build a computer considerably better than that one for a similar amount of money, but I haven't had much need to build on a tight budget since then.
I think a more likely question is "does that mean it's now legal to circumvent copy protection to play content?" It sounds like the ruling found that it was legal to circumvent technological measures so that they could use the product - I don't know that making a copy of the product would necessarily qualify as use, but I imagine playing back a DVD or BluRay disc would.
It's always struck me that vendors ought to be paying researchers for the time they spend working with the vendor to help get a bug fixed, rather than a flat rate for finding a bug. I don't think vendors have any obligation to pay people who find security vulnerabilities for the time they spent finding the bug, but if they want a researcher to spend time documenting and explaining the bug so they can fix it then they need to compensate that researcher. If there is a flat bounty rate, the researcher can decide how much time they're willing to commit to helping the vendor fix the bug.
When Microsoft says they're not interested in a per-vuln bounty, I don't think that necessarily means they won't compensate researchers, but that the compensation will be based on something other than finding a vulnerability - such as the time the researcher spends helping get the bug fixed.
I'm pretty sure I've seen other blogging software which implements the WordPress template API. Couldn't one just claim that the templates were written for another blogging suite in a way that is compatible with WordPress? Assuming there are multiple suites that can use the same templating format (and someone could write one, even if none currently exist), this seems tantamount to claiming that all Microsoft Word documents are covered by the GPL because someone wrote a GPL'd program that can read them.
My school has a deal where they can let students on to their site license of recent Windows versions for $10, but in general you're right. Most people can't count on finding a legal $10 copy of Windows.
This is my approach. I use a password manager that generates strong, random passwords. I only have a small handful of passwords that I actually remember - decrypt my hard drive, log in to my computer, log in to my e-mail, and log in to my password manager. Every other password I need is stored in my password manager and completely unmemorable.
If anything, it would make things worse because they'd be harder to revoke.
Re:Any success stories with Wine on Wine 1.2 Released · Score: 2, Informative
One valuable aspect of Wine, particularly the major releases like 1.2, is that it provides an API that developers can target to easily create Linux versions of their Windows programs. As nice as it would be if developers would make a fully native port of their application for Linux, it's often more practical to get something that works passably by tweaking an existing program to work with Wine. Sometimes these can even be compiled against Winelib to create an ELF binary.
That's easy to say with 20/20 hindsight; I'm sure if they knew how things would turn out they would have done things differently. But given what they knew at the time, and believing they'd be able to set a precedent in their favor, the $16.9 million would have seemed like a reasonable investment from their perspective.
They may. But again, it is more difficult. We can argue whether it is .0001 or 10,000 units of good better, but there's no way to rationally deny that it is a positive number. More secure. Good.
As I've said, beating encryption without identification is a trivial exercise. Any script-kiddie in a coffee house can do it. Any organization that wants to do it on a large scale could do so for a few thousand dollars in equipment per 10 gbps worth of bandwidth, which is a paltry sum compared to what they could potentially gain. False sense of security. Bad.
They could, but I doubt this would go over well when it was discovered. If selling your unencrypted data borders on scary and an invasion of privacy, I don't think this active role from the ISP for marketing purposes would be tolerated in the least. And IANAL, but it is probably illegal, at least in many jurisdictions.
I doubt it would go over well if it were discovered regardless of whether or not they were breaking encryption to do it. I'm not aware of specific cases of an ISP collecting such information, but if they are I'm reasonably certain they're anonymizing the data as much as possible to avoid scrutiny. If you're already paranoid that your ISP is stealing sensitive data, why are you suddenly willing to trust them not to break encryption that can be broken trivially?
This is a stupid and useless assumption. Instead, the browser should assume that the connection should be secure only if the server has a certificate from an authority that confirms identity. Otherwise, it should encrypt but look like any other site without SSL. It raises the bar from passive attacks working to only active ones being viable. Bonus! And the user doesn't even need to be bothered.
You really don't get how this works, do you? In a man-in-the-middle scenario, the man-in-the-middle controls everything the end user sees. Imagine I want to sniff the connection between you and your bank. You request your bank's website. Your bank sends me its certificate with an authority that confirms identity. I send you my certificate with no authority to confirm identity. In your scenario the browser sees a certificate with no authority to confirm identity, and lets the user into the website without warning. Put plainly, what you propose means there would be no warning to the user even if the site's certificate requires identification. Most users won't verify that the connection is secured properly and will proceed to log in. Even if you could train the general population to check (which is an incredibly difficult proposal), if 5% of people forget 5% of the time, this would still be a very lucrative endeavor for hackers.
This is a little hyperbolic. If a car company doesn't do a recall, people die. Paying out settlements can't fix that. If HSBC has a policy that results in money being stolen, nobody dies. Paying out settlements can fix that. The bank and their stockholders lose, but the customers only lose time and legal fees (which might be compensated by a lawsuit).
I doubt this is the case, but it's possible that the direct cost of having customers activate their own card is higher than the probable loss from sending out pre-activated cards. If that is the case, then the bank and stockholders are better off sending out pre-activated cards and taking the risk of having to eat the occasional loss.
Maybe you're not talking to the entity you thought you were talking to without verification, but at least only the party on the other end can read your message.
Any party along the way can read your message if there's no identification. If I'm trying to talk to https://example.com/ without identification while any node between me and example.com is compromised, that node can establish an encrypted connection with example.com and an encrypted connection with me. I send the attacker encrypted data, the attacker decrypts it, logs it, re-encrypts it for example.com, and forwards it along. This does require an active role, but there's no reason to assume someone who wants to steal your data is going to assume a passive role. As I stated in my last post, you can take an active role simply by being on the same network (wireless or otherwise) as your victim.
it's foolish to say there are no advantages over totally unencrypted traffic in these days when our ISPs sell our personal data and governments are increasingly monitoring Internet traffic.
But encryption without identification offers little practical advantage in this case. Your ISP could man-in-the-middle your HTTPS connection, collect data, and continue selling your personal data.
Why can't the browser just encrypt things and make no claims about identity verification?
They tried this for years, and users kept giving up sensitive data to phishers. Most users don't check for the lock or identity information like they should. The current approach that browsers are taking puts more control in the hands of the destination website. If the web server is requiring an HTTPS connection, the browser assumes the connection needs to be secure. If the HTTPS connection doesn't provide identity information, it is susceptible to man-in-the-middle attacks and cannot be considered secure. Since the web server is effectively saying it requires a secure connection, and the browser cannot consider the connection to be secure, it tells the user that something is wrong and they should take extreme caution if they choose to proceed.
Encryption without authentication is pointless. There are readily available tools that will allow a script kiddie to man-in-the-middle SSL communication with just a few clicks. This can be done from the same wireless network, physical network, or at any node between the source and destination hosts. Encryption without authentication is nothing but a false sense of security.
It occurs to me - H.264 presumably has different patents covering the bitstream specification, the encoder, and the decoder. If Google is to be believed, the bitstream specification, reference encoder, and reference decoder are all royalty free. Even though the bitstream specification is safe as far as patents go. Presumably, Google jumped through some hoops to make sure their encoder and decoder were royalty free, but that doesn't mean it's impossible to create encoders and decoders that do violate someone's patents.
In short, it seems plausible that the bit stream specification and Google's implementation are patent free while FFMPEG's implementation is not.
I don't know that this means she would make policy decisions herself, just that she would support and encourage policy decisions that past courts have considered unconstitutional.
If you collect DNA directly from two people you can pretty much be certain that the DNA comes from two different people, barring identical twins. I believe there are 13 markers used to identify DNA, and if all 13 markers are intact the odds of a match are astronomical. The problem comes when you collect DNA from a crime scene - which may have 7 of 13 markers intact - and compare it to a database. In that case, chances are fairly high that you'll get a match.
Prosecutors will go and tell a jury that the odds of a match are 1 in 1,000,000 (for example). In truth, this means the odds of any two people matching are 1 in 1,000,000, but they don't explain that the match was found using a database of 300,000, so the odds of finding a match were quite high. Unless the accused has a bulletproof alibi, they go down for the crime because juries don't understand statistics.
For student owned devices they get a certificate error and they can either accept the cert or not. When you block a site, do you give an error message or does it just close the connection? If you're giving an error message, I assume they're getting a cert error on HTTPS sites before they can see your error message anyway, so you might as well give them the option to proceed with the possibility of the school snooping.
That's an implementation detail, and there are numerous such proxies. It would not be difficult for a proxy to validate a certificate for a website before generating another cert for the site.
All you have to do to add a word to the Swype dictionary is type it in manually once. After that you can get it by swyping. I've added a few colorful words to my dictionary that way, and it seems to have no filters keeping them out.
Enable word prediction in the Swype Settings menu, and Swype will behave quite similarly to the standard keyboard if you tap letters one at a time instead of swyping. That said, from my initial impressions I'm unconvinced that using both hands to type on the horizontal keyboard would be faster than swyping on the vertical keyboard.
I disagree, because what you're proposing continues to encourage a two party system - just a bit fairer for those two parties. The fact that there are usually just two candidates in a state where they use IRV in a few counties doesn't mean that IRV wouldn't benefit third parties if used in more parts of the country. I've talked to a lot of people (myself included) whose views align more with a third party than one of the major parties. They often feel they have to decide between voting for the candidate they actually agree with who has little chance of winning, or voting for the lesser of two evils. Many people choose to vote for the lesser of two evils. With IRV, they could choose to vote for the candidate they actually support, with a fallback vote for the candidate they would have voted for without IRV.
The top two primary seems completely absurd to me. Say you have an area that is about 60% democrat and 40% republican. You have five democratic candidates and three republican candidates in the primaries. Assuming they get a roughly even distribution of voters from their party, each democratic candidate would get about 12% and each republican candidate would get 13% of the total vote. So even though the democratic party has more votes for its candidates, you end up with two republicans in the general election. The point in the primary is supposed to be that members of the party can choose the best candidate to align behind from an arbitrarily large pool of candidates. With top two primaries, the parties have to have some mechanism of aligning behind a smaller set of candidates before even going to the primaries, which completely defeats the purpose of a primary.
For that matter, if they want to vote the old way they could just fill in a bubble or check a box. So long as there's only one vote cast, it could easily be assumed that the bubble meant '1'.
10% of men are colorblind, which boils down to about 5% of the general population. That said, the vast majority of colorblind people still see color, we just don't see it quite right. This gallery demonstrates how people with different types of colorblindness see various pictures.
That was my thought. When the Mac Mini was originally released, I believe the low end was $499. When they moved to Intel chips, the low end moved to $599. Now the low end is up to $699. It's still the cheapest way to get Mac OSX, but it's losing its price advantage.