Slashdot Mirror


User: suv4x4

suv4x4's activity in the archive.

Stories: 0
Comments: 3,208

Comments · 3,208

  1. Re:Woo! on Apple Adds Memory Randomization To Leopard · · Score: 4, Insightful

    Apple is finally catching up with BSD, Linux and Vista!

    Hehe, you were modded +5 Funny, but if it was the other way around:

    "Vista is finally catching up with BSD, Linux and OSX!"

    You would be modded +5 Insightful... Where are the scores of Microsoft fanboys bashing Apple, damn it!

  2. Re:These are just bandaids on Apple Adds Memory Randomization To Leopard · · Score: 3, Insightful

    All measures like this are just bandaids and may in fact open up more holes because it adds complexity to an already complex beast.

    99% of security is bandaid and "obscurity" under cover. Even cryptography with large prime numbers is just obscurity: they give you the number and if you could factor it quickly, you can break it. You just can't break it quickly yet.

    Still though, it's the nature of the beast. It's an uphill battle with the hackers. Tech gets sophisticated, hackers get sophisticated, tech gets more sophisticated... It's evolution in a way.

    There are very few security concepts which aren't "bandaids", for example privilege levels are such a security measure, and still, most apps that take advantage of this have a bunch of "bandaids" in them to avoid privilege escalation situations.

    ASLR is a practical approach to easily calling known addresses after a buffer overflow exploit. If all apps in existence made proper use of the no-execute bit and made sure not to overrun buffers in the first place, ASLR could've been useless.

    OS designers though meet a world with imperfect apps, and their task is to improve security in this *existing* situation. They do good.

  3. The future by discovery on Google to Offer Online Personal Health Records · · Score: 2, Insightful

    I remember those three episodes by Discovery on our possible future.

    In one of the episodes, some guy was pouring old urine in his own toilet, since the toilet was equipped with built-in analyzer. The analyzer would catch he had some beer yesterday, while the doctor told him his health condition doesn't allow alcohol.

    If the toilet detects he had beer, it'll go in his central medical record, his insurance company would see this, and he'd lose his medical insurance.

    He later fell through a window after an accident, and the blood test went to the insurance company again, and he lost his insurance, remaining to be left dying, although this had nothing to do with his health condition prior to the accident.

  4. Re:The writing's on the wall on Google to Offer Online Personal Health Records · · Score: 1

    There's no excuse for using Google for anything. Considering Google's #1 motive seems to be to collect as much information as possible on the public, it really makes you question their ultimate goals and wonder about how such a young company got so much funding so quickly to become the monolith they are.

    It was less than a year ago when people over here would throw themselves defending anything "Google". This is reversing now.

    Well, I'd agree to the optimists that we can do literally magic, with Google having all possible info on everyone, the only problem is "trust" is imaginary, it's PR-based.

    Any corporation with power morphs into an abusive entity. It's not up to even "good people with good intentions" being there. If data can be used, people with intention to abuse it will try to get a job there and soon skew the purpose of Google. It already is happening for a few years, Google hiring so fast, so much.

    I predict by 2012-2015 we'll be looking back at the rants against Microsoft, looking to what Google has turned out to be, and laugh hysterically.

  5. Re:ALS/MND on 'Bionic' Nerve To Repair Damaged Limbs and Organs · · Score: 1

    Unfortunately this is probably beyond the abilities of current medical science. The problem is that the nervous system grows with the limbs and organs starting from early embryonic stage; it's not something that you can entice to regrow from scratch. Probably the long term solution will be nanomachines that are injected into the body and rebuild nerves along preplanned routes, molecule by molecule. This is very appealing and also probably about 50 years away from reality.

    I like how everything infeasible is 50 years away from happening, but this is too optimistic. The nervous system is so complex after millions of years of evolution, that the nerves grow randomly connecting the brain to the nerve ends, and it takes a few years for the brain to figure out adaptively where the signal is coming from and what does it mean.

    I'd argue regrowing complete nerves from scratch in a grown body is impossible for all practical purposes.

    The nano robots that fix everything is a nice escapism concept, but not something that will happen. Even if we had RIGHT now a nano robot with all the required tools, intelligence, connectivity, the engineering task itself of rebuilding the damage in a grown body is inconceivable.

    Nature has come up with a better mechanism: those who have damage die, and those who don't, survive. It's cruel, but made us human. We're trying to reverse the process.

  6. What happened...? on Computer Software to Predict the Unpredictable · · Score: 1

    To that magical software that was supposed to guess if a movie will be a box-office homerun or not. It was supposed to turn the industry around and make poorly performing movies part of the past.

    Well, so much for this one as well.

  7. Re:2012 now in the US? on Switch to Digital Television Picking up Steam · · Score: 1

    It's funny, I'm holding out on buying a huge-display HDTV until prices drop due to the increased production/sales volume from the forced conversion to digital.

    Economics dictate things a bit differently. Forced conversion would increase demand with unchanged supply. This will *raise* the prices, potentially a lot. After the peak, the supply would have caught up and demand will drop. Only then prices will *drop*.

    So you're in for waiting for something like 6-7 years for this effect to become reality. I suggest you just buy something now if you need it at all.

  8. Re:Oh Not This Again on Bill Introduced to Congress Would Allow ID Theft Restitution · · Score: 2, Interesting

    2. The bill in question is the wrong way to address the issue. The card associations have a solution to the problem except they won't implement it because it cuts into their fraud revenue and the costs are much higher per-card than dumb plastic/mag-stripe. The standard is called EMV. It solves 98% of fraud issues. Today. The other 2% I'll blame on bad coding.

    For e-commerce it's even simpler. In our country (Bulgaria) 10 years ago we suffered from too many teen hacker wannabes for whom the greatest fun in the world was stealing credit card info and ordering books for it.

    Not only people abroad suffered, but also local citizens. So, for online commerce, the solution is dead simple, when a transaction is carried out, a confirmation link is sent to your email, and you need to click that link to make money move.

    Why is this better than the majority of credit cards nowadays? Well.

    With mastercard or visa, I input all the information that's required to complete the purchase in the form. No secret remains mine. If this info leaks, anyone can order from my card.

    With the email confirmation, I still have the password on my card account which I never input anywhere, where the email is specified. I never enter the password to my email anywhere either.

    Second benefit is I get real time notification in my email when someone tries to order with my card. With regular credit card, I only see this 10 days later on my bank statement.

    So I guess it's true: the credit card providers DO want the fraud to continue, since they don't implement basic confirmation techniques, despite it's neither complicated nor costly (fine, maybe it'll be costly NOW with so many merchants to update their business process, but common sense wasn't invented yesterday, what were they doing ALL THOSE YEARS..?).

  9. Now that got me thinking on TSA to Contractors - Encrypt Your Laptops · · Score: 3, Insightful

    So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place

    The data that goes out, why spend incredible efforts tracking every action of the victims in case it's a fraud.. versus, invalidating the data that went out?

    Your social security number was leaked because of the government? The government changes your social security number, fixes their data, and the old one remains as a trap waiting for some fraudster wannabe to try and use it.

  10. Don't forget! on TSA to Contractors - Encrypt Your Laptops · · Score: 2, Funny

    Always put the password somewhere near your laptops in case you forget it. Security is aight, but there's nothing worse than forgetting your password!

  11. Re:Finally! on Steve Jobs Announces iPhone SDK · · Score: 4, Insightful

    Mark though - Apple would have been mad never to have provided one, and personally I expected this announcement for WWDC'08, but I have found it astoundingly ridiculous how people have cried and whined about the lack of an SDK without thinking for a single minute. For crying out loud, it's been only three months. The only thing 'long overdue' will, hopefully, be the shutting of the mouths of all the incessant whining.

    Steve could have announced the SDK for February 2008 from the very beginning and you'd not see the bitter remarks you rant about.

    The strategy Jobs uses for announcing products only when 100% done has its benefits with consumers, but developers hate when you cut them off and don't give them a clear roadmap for what to expect ahead.

    Learn from this, don't just add another rant to the thousands.

  12. Re:Security weakness of their own making on Steve Jobs Announces iPhone SDK · · Score: 4, Informative

    The risk of damage would be a lot less damage if every app on the iPhone didn't run as root

    They made the apps run as root due to lack of time to figure out the security properly. This is the same reason they didn't release a SDK.

    By February, we'll have a firmware with reengineered OS and apps that don't run as root. The SDK will only support this firmware and newer.

  13. Re:February is kind of a long time, isn't it? on Steve Jobs Announces iPhone SDK · · Score: 2, Interesting

    It makes me suspect that Steve was caught a bit flat-footed, if it'll take until then. If this was the usual Apple release, it would be a total surprise and be available Friday or something.

    Apple announced today the deal they made with Orange, in France, and this deal requires they sell unlocked phones. While it means unlocked phones provider-wise, not app-wise, it may start a trend which combined with the current trend of hacking each firmware release within 2-3 days, may prove bad for iPhone's image as a platform.

    I bet one of the changes that will happen from now to February, is make the apps not run as root. The reason they run as root in the first two firmware releases is purely one of time: they had no time to get it right, hence didn't release a SDK.

    Their challenge now is to contain the community, and completely rework the iPhone software, so by February it's ready for their SDK.

  14. Another thing on Swearing at Work is Bleeping Good For You · · Score: 4, Funny

    I found that wrecking stuff is a very good way to relieve stress.

    Furthermore, I always thought of punching a client in the face, or nuts, and I think being allowed to do that would definitely help my stress, and the solidarity among me and the rest of the employees.

  15. Re:"We Report. We Decide." on Eight PS3 'Supercomputer' Ponders Gravity Waves · · Score: 1

    Question: why do you read Slashdot.

  16. So where's the invisible hand? on Spam Hits 95% of All Email · · Score: 2, Interesting

    Since most slashdotters are libertarians for some reason (and I could argue even I am to some degree) my question is: where's the technological efficient solution to this.

    We've seen some "free market" solutions which basically required that you pay a fee to every mail provider so they don't trash your email. And this didn't particularly help spam either.

    I come to the conclusion that spam as an issue is one of two things, or both of those things:

    1) Not that big of a problem (hard to believe if you are a mail provider / ISP yourself)

    2) Impossible to solve by means of free market solutions, and requires cooperation and standardization of new technology.

    Point 2 is hard to happen since every little startup that comes with a mini solution, trumpets it on their own and hence they are only a nuisance to deal with in the big picture (due to lack of a single standard, it's impossible to have clients which make the process of whitelisting easier and even half automatic).

    Here are a couple of solutions which would get us half-there, but are only quarter-implemented right now:

    1) Whitelist SMTP servers by talking back to the supposed mail of origin and comparing IP-s. The SMTP may return a list of IP-s this host responds from. This is then cached and used for further authentication on this domain. It *may* lead to DoS if many hosts do a first-time check simultaneously, but it's unlikely (and less problematic, given we're eliminating 95% of bad emails this way).

    2) Test-for-human-intelligence in your first email to a new email. Such as, I don't know, some sort of CAPTCHA you fill-in? Once this is done, communication can proceed without further tests between those two emails. The receiver still has the option to block you, lest you employ a mechanical turk.

    Those solutions are boring, they're incomplete in a way, they introduce hassle, but if we *all* agree on those, they can be made less of a hassle, and still not lose their efficacy.

    That would require the likes of AOL, Hotmail, Gmail and so on free mail providers to cooperate with the likes of Microsoft, Apple, Linux devs and so on, to implement this on both the clients and servers.

    Right now, I could see Hotmail cooperating with Microsoft (.. wink, wink.. :P ), but that's where it ends.

  17. Re:Rubbish on YouTube Filtering Is On-Line · · Score: 1

    Depends if you want to prevent or just constantly search for infringement.
    If I were at a major corporation, I would hire an intern for this.


    I think in one of the cases where content was down despite it being fair use, the company in question fired some intern in charge of marking the video.

    So I guess they already do that :)

  18. How? Simple on OSI Approves Microsoft Ms-PL and Ms-RL · · Score: 4, Insightful

    How can they be attacking Open Source projects on one hand, and seeking not only to use open source methods, but even to use the OSI Approved Open Source trademark? Nobody knows for sure except Microsoft.

    They have more than one bit in their brains to make decisions. Hence "open source" is not a knee jerk reaction to them, in a way that "Microsoft" is a knee jerk reaction to certain people in the community.

    Open Source is a model, it's a tool, to achieve a purpose. A serious company doesn't shy to use the tools at its disposal, even if some simpler folk might find this contradictory upon first sight.

  19. Re:Cumulative copies! on Vista Runs Out of Memory While Copying Files · · Score: 1

    If you are using Vista as a server, you pretty much deserve what ever happens to you.

    Correct, what about just 4 months from now, when Vista SP1 and Windows Server 2008 come out, and they *share the same codebase*.

    And also 70% of the coding jobs in US now are related to .NET, hence Windows Server.

    Lots of fun ahead.

  20. Rubbish on YouTube Filtering Is On-Line · · Score: 4, Insightful

    Copyright owners don't need to provide "decades of copyrighted material".

    The system will help with reuploads. This means, when a video is marked as pirated, the system will be able to recognize the duplicates and mark them for removal.

    This means companies don't need to track the duplicates manually any more but just point to a single sample.

  21. Re:The Vista bashing is starting to get old.... on OS X Leopard Ships On October 26th · · Score: -1, Troll

    I wouldn't exactly call this 'bashing'. More of a jab. With six versions of Vista, MSFT pretty much walked into that punchline.

    His jabs are annoying, actually. Anyone who has a clue about the six versions of Vista is more than aware of the situation with OSX. This is just meat for the fans.

    Also, we can see now that OSX expands, it starts to "grow" multiple versions of itself too:

    - OSX Desktop - $129 (upgrade)
    - OSX Server 10 clients max - $499
    - OSX Server unlimited clients - $999

    What is with the "10 clients max"? Artificial limitation, the very thing he mocks Windows about.

  22. Re:big numbers on Jammie Appeals, Citing "Excessive" Damages · · Score: 1

    If they include legal fees, and what they spend tracking down file sharers, it just might be more than she has to pay.

    That's not a damage she did, it's a damage they did upon themselves.

    I've not heard before that a thief has to pay for the salaries of the cops that caught him, or the judge that convicted him, this being part of the implicit damage he did by stealing your truck (for example).

  23. Re:Having grown up on Led Zeppelin Agrees To Digital Distribution · · Score: 1

    Great artists steal, didn't someone say that. Picasso did.

    And Steve Jobs is on record abiding by this rule. Apple's products also come up as pretty original until you figure out they are an appropriate sum of someone else's discoveries.

    Still though, this is an art on its own. If Led Zeppelin wasn't around probably we'd never know the artists they ripped either.

  24. He's just fudging the issue on Does Computer Use Actually Cause Carpal Tunnel? · · Score: 1

    Yes, computers specifically have nothing to do with it. It has to do with genetics and has to do with repetitive motion and/or pressing the nerves of your hands against some hard surface.

    Doesn't change the fact people who use mice, keyboards and posture in a certain way end up with CTS.

    A totally random anecdotal example: I use mouse. After 10 years, CTS. Bought Wacom, no pain, use mouse, pain, use wacom, no pain, use mouse, pain.

    After a year of exclusive wacom usage, no pain with mouse nor wacom. After using the mouse for some time, again pain.

    I think I'll conclude mice are not good for my hand and keep on using my Wacom.

  25. Re:Legality? on The Pirate Bay Takes Over Anti-Piracy Domain · · Score: 1

    Someone spoofed a letter and got it transferred anyway. He wasn't without the domain for very long, but just goes to show you that things like this are hard to make bulletproof.

    Some companies have whitelisted their domains in their software. I guess the real fun would be if one of those got transferred:

    adobe.com
    microsoft.com
    [any other company with unsigned executable updates].com

    Then they could feed any executable to Flash/Windows users by means of their update mechanisms.