Read the advisory. The problem they're highlighting involves breaking the standard a bit.
What you do is send an ethernet frame that is too small by the standard's requirements. The reply will come back padded to meet the minimum size requirement. Where the padding comes from is apparently the problem...apparently it's just malloc'd, not cleared in any way.
This means, for one thing, that you have to be on the local LAN with your target, since any routing of the packet will re-write the ethernet header, blowing away your sneakiness. It also means that standard ping won't do. You have to be able to break the rules for ethernet to see the effect.
The math of the encryption systems that we (used to) limit export of was always open. You could always *talk* about the encryption. The only issue was with exporting binaries.
To show just how insane that policy was, I offer this: I went into a bookstore in London in 1995, and found a huge book that was nothing more than the source code to PGP, with a preface on the best OCR scanners to scan the book & get it to compile. The book was perfectly legal, since talking or writing about encryption was legal...it was just a pre-compiled binary that was illegal.
Trying to limit (like this) who works on something that's going to be published as research anyway is just stupid.
The problem is this: the gov't is not proposing to pay for someone else's education, they're proposing to pay for a study of something they're interested in, and then also trying to dictate who can work on that study. Since the study is unclassified, and therefore public science anyway, MIT apparently feels that this is improper and pretty pointless.
A few thoughts: 1) it depends on the anime you watch. Cowboy Bebop, for example, is worshipped because the stories are well done, and the characters interesting. Yes, there's some formulaic crap out there....don't try to tell me there's no formulaic crap on normal shows as well. 2) The stories can do things in anime that you can't do in reality...sure, you could try to do this with computer effects and real actors, but for some of the shows, it would end up almost entirely computer-generated....so why not just animate it?
Now, it's entirely possible that you just don't like animated stuff...I know a couple folks that are like that. I'm tempted to think it's some sort of disability...it helps me feel better for them.
You know, maybe we don't want them to release "the big hairy mole on Doom guy's ass". Personally, I think my life would be a bit better knowing that a game called "the big hairy mole on Doom guy's ass" never made it out of the design stage. It would encourage me that there is some hope left.
Why not just create a version of Photoshop that can only do things like contrast, burn, etc? Remove the tools that allow image modification entirely, and sell it to police forces as a way to get around this problem.
Heh. Well, since their old habit was to release these late in the afternoon on a Friday, I think I prefer the present setup....especially since they had a bad habit of announcing serious issues after CoB on the East Coast, meaning that we would all get called back for messy issues before a weekend.
What neither the original nor this sciam article mentions (which I'm really curious about) is *which* gas they're using to propogate the sound in. If it's some nasty, corrosive mess, then this isn't much of an improvement. (yes, it's unlikely that this is corrosive, given that they're putting metal in there, but still...)
You know, every time I read this argument, I think the same thing:
Why *only* work on the big-name problems? Are we so limited in our abilities that we can only work on one problem at a time? There are tons of people working on a cure for cancer, aids, etc. Do we really need to fling *everyone* at it? (And has no one read "The Mythical Man Month"?)
To answer my own questions: No. We *are* working on the big problems. We are *also* working on the cool stuff. The idea that we should only work on one thing at a time always seems...short-sighted.
You're going to need to spell out the terms of what you and they can and can not do in a very well-written contract. That is the only way you're going to be able to have any sort of protection from them doing anything nasty with your code.
If you've already signed a contract, then whatever is in the contract is what's happening, regardless of what you want to have happen.
Did you miss the last time this came up? (here: http://www.microsoft.com/technet/security/ bulletin/MS01-017.asp )
There is no CRL checking for Microsoft browsers. To be fair, Verisign doesn't include CRL Distribution Point info in their certs, either, so there really isn't any way for Microsoft to check, since they don't know who to ask. The way they handled the extra Verisign keys was to push out a *locally stored* CRL for just those keys.
They're going to argue that they already have complied with it in XP SP1, and the various releases of information that have trickled out so far. Whether the data they share is of any use at all (such as the worthless SMB documentation they released a bit ago) is something else entirely, and something that you'll have to take them back to court for.
This changes nothing from the state of things today. Whether it changed something from 4 years ago is another argument.
Which, interestingly enough, is not a state...and they're not particularly happy about that. They have no representation in the senate (at least, not any whose votes are actually counted), nor the House, and even put "Taxation without Representation" on the city license plates as a jab at the fact that they're the only part of the continental US that has no power in congress.
They might just be up for a revolution...would be worth a try...
So, have you ever been tempted to wander into somewhere like a LinuxWorld conference, just to see if you could stop all productive work from occurring? (you probably could, you know...)
Jamming cell phones in a theater/restaurant/library/etc is illegal. Violates FCC regulations.
You know, I wonder about that....what if the theater just puts a good Farraday cage around the actual screening area? That's not actively jamming, but it does interfere with the signal that the cell phones get. Would that be illegal? I'd hope not (it's just a feature of the building, not an active attempt to jam the phones), but then, I don't know, which is why I'm asking....
In other words, if it's okay for a business to choose to ignore a minority like the blind, why is it wrong for them to ignore other minorities, like blacks? The logic is the same in both cases, both for and against the government taking a stand on the issue.
Yes, there has to be a line drawn somewhere. But, once you start down the path of saying that companies must not discriminate against minorities, the whole issue becomes a case of where you draw that line, and which groups qualify as minorities. The precedent is there to force companies to do this...the only question is, does it help?
See, this is the only thing that's holding me back from really wanting one. I'd really want to write (or at least be able to add) an ssh client and maybe an ear-training program to this thing. If I'm dependent on the carriers to add that, I'll be waiting until hell freezes over, since they're congenital morons about small interest stuff.
Actually, the doctor does very little of the operation manually. The laser itself is run by a computer, with the present and requested shapes for your eye pre-programemd in. Once the laser's calibrated to your eye, it handles the re-shaping on its own. You just have to hope they programmed it right.
The only thing the doctor does (at least in my op) by hand is the cutting and pulling back of the cornea (which is *very* freaky, by the way), and keeping track of the lasers progress (keeping a finger on the panic-off button for the laser if you move too far).
I had it done about 2 1/2 years ago. No regrets at all. For the record, I had about -6.5 with about -3 astigmatism.
However, if you take one quote away from this post, it should be this: This isn't like buying toothpaste. This is surgery. You will get what you pay for.
In other words, do your homework before even talking to doctors. Be aware that this is surgery, even if it is outpatient surgery. I ended up paying much more than the "average" rate because the doctor I chose had done over 10,000 procedures (successfully), and was an instructor of the procedure. If you can afford it, the extra money for someone really experienced in the procedure is worth it.
Slashdot Mirror
Read the advisory. The problem they're highlighting involves breaking the standard a bit.
What you do is send an ethernet frame that is too small by the standard's requirements. The reply will come back padded to meet the minimum size requirement. Where the padding comes from is apparently the problem...apparently it's just malloc'd, not cleared in any way.
This means, for one thing, that you have to be on the local LAN with your target, since any routing of the packet will re-write the ethernet header, blowing away your sneakiness. It also means that standard ping won't do. You have to be able to break the rules for ethernet to see the effect.
Nonsense.
The math of the encryption systems that we (used to) limit export of was always open. You could always *talk* about the encryption. The only issue was with exporting binaries.
To show just how insane that policy was, I offer this: I went into a bookstore in London in 1995, and found a huge book that was nothing more than the source code to PGP, with a preface on the best OCR scanners to scan the book & get it to compile. The book was perfectly legal, since talking or writing about encryption was legal...it was just a pre-compiled binary that was illegal.
Trying to limit (like this) who works on something that's going to be published as research anyway is just stupid.
The problem is this: the gov't is not proposing to pay for someone else's education, they're proposing to pay for a study of something they're interested in, and then also trying to dictate who can work on that study. Since the study is unclassified, and therefore public science anyway, MIT apparently feels that this is improper and pretty pointless.
A few thoughts:
1) it depends on the anime you watch. Cowboy Bebop, for example, is worshipped because the stories are well done, and the characters interesting. Yes, there's some formulaic crap out there....don't try to tell me there's no formulaic crap on normal shows as well.
2) The stories can do things in anime that you can't do in reality...sure, you could try to do this with computer effects and real actors, but for some of the shows, it would end up almost entirely computer-generated....so why not just animate it?
Now, it's entirely possible that you just don't like animated stuff...I know a couple folks that are like that. I'm tempted to think it's some sort of disability...it helps me feel better for them.
You know, maybe we don't want them to release "the big hairy mole on Doom guy's ass". Personally, I think my life would be a bit better knowing that a game called "the big hairy mole on Doom guy's ass" never made it out of the design stage. It would encourage me that there is some hope left.
Why not just create a version of Photoshop that can only do things like contrast, burn, etc? Remove the tools that allow image modification entirely, and sell it to police forces as a way to get around this problem.
I see a software niche....
Heh. Well, since their old habit was to release these late in the afternoon on a Friday, I think I prefer the present setup....especially since they had a bad habit of announcing serious issues after CoB on the East Coast, meaning that we would all get called back for messy issues before a weekend.
No, he preceeded it with a dollar sign ("$X"), which means that it's a perl variable, which means all of Star Wars was written in perl.
Larry Wall should be proud.
I mentioned this the last time someone asked what I'd want the windows source for:
/home/archives/windows strcpy
grep -r
It would teach me tons about finding overflows, I'm sure....
Gentoo? I think you mean Knoppix. Gentoo is cool, but it's a "build everything from source" distro, and very definitely does touch the hard drive.
What neither the original nor this sciam article mentions (which I'm really curious about) is *which* gas they're using to propogate the sound in. If it's some nasty, corrosive mess, then this isn't much of an improvement. (yes, it's unlikely that this is corrosive, given that they're putting metal in there, but still...)
You know, every time I read this argument, I think the same thing:
Why *only* work on the big-name problems? Are we so limited in our abilities that we can only work on one problem at a time? There are tons of people working on a cure for cancer, aids, etc. Do we really need to fling *everyone* at it? (And has no one read "The Mythical Man Month"?)
To answer my own questions: No. We *are* working on the big problems. We are *also* working on the cool stuff. The idea that we should only work on one thing at a time always seems...short-sighted.
Hire. A. Lawyer.
You're going to need to spell out the terms of what you and they can and can not do in a very well-written contract. That is the only way you're going to be able to have any sort of protection from them doing anything nasty with your code.
If you've already signed a contract, then whatever is in the contract is what's happening, regardless of what you want to have happen.
Did you miss the last time this came up? (here:/ bulletin /MS01-017.asp
http://www.microsoft.com/technet/security
)
There is no CRL checking for Microsoft browsers. To be fair, Verisign doesn't include CRL Distribution Point info in their certs, either, so there really isn't any way for Microsoft to check, since they don't know who to ask. The way they handled the extra Verisign keys was to push out a *locally stored* CRL for just those keys.
Whee.
/me reads post with mis-spellings complaining about grammar.
pot, meet kettle. Kettle, meet pot.
Bull.
They're going to argue that they already have complied with it in XP SP1, and the various releases of information that have trickled out so far. Whether the data they share is of any use at all (such as the worthless SMB documentation they released a bit ago) is something else entirely, and something that you'll have to take them back to court for.
This changes nothing from the state of things today. Whether it changed something from 4 years ago is another argument.
'phenomenae'.
Do Doooo de do do.
'phenomenae'.
Do Do Di Do.
Which, interestingly enough, is not a state...and they're not particularly happy about that. They have no representation in the senate (at least, not any whose votes are actually counted), nor the House, and even put "Taxation without Representation" on the city license plates as a jab at the fact that they're the only part of the continental US that has no power in congress.
They might just be up for a revolution...would be worth a try...
So, have you ever been tempted to wander into somewhere like a LinuxWorld conference, just to see if you could stop all productive work from occurring? (you probably could, you know...)
If not, are you tempted now?
You know, I wonder about that....what if the theater just puts a good Farraday cage around the actual screening area? That's not actively jamming, but it does interfere with the signal that the cell phones get. Would that be illegal? I'd hope not (it's just a feature of the building, not an active attempt to jam the phones), but then, I don't know, which is why I'm asking....
This has lots of civil rights overtones.
In other words, if it's okay for a business to choose to ignore a minority like the blind, why is it wrong for them to ignore other minorities, like blacks? The logic is the same in both cases, both for and against the government taking a stand on the issue.
Yes, there has to be a line drawn somewhere. But, once you start down the path of saying that companies must not discriminate against minorities, the whole issue becomes a case of where you draw that line, and which groups qualify as minorities. The precedent is there to force companies to do this...the only question is, does it help?
See, this is the only thing that's holding me back from really wanting one. I'd really want to write (or at least be able to add) an ssh client and maybe an ear-training program to this thing. If I'm dependent on the carriers to add that, I'll be waiting until hell freezes over, since they're congenital morons about small interest stuff.
sigh.
Actually, the doctor does very little of the operation manually. The laser itself is run by a computer, with the present and requested shapes for your eye pre-programemd in. Once the laser's calibrated to your eye, it handles the re-shaping on its own. You just have to hope they programmed it right.
The only thing the doctor does (at least in my op) by hand is the cutting and pulling back of the cornea (which is *very* freaky, by the way), and keeping track of the lasers progress (keeping a finger on the panic-off button for the laser if you move too far).
However, if you take one quote away from this post, it should be this: This isn't like buying toothpaste. This is surgery. You will get what you pay for.
In other words, do your homework before even talking to doctors. Be aware that this is surgery, even if it is outpatient surgery. I ended up paying much more than the "average" rate because the doctor I chose had done over 10,000 procedures (successfully), and was an instructor of the procedure. If you can afford it, the extra money for someone really experienced in the procedure is worth it.