Slashdot Mirror


User: WaffleMonster

WaffleMonster's activity in the archive.

Stories
0
Comments
4,185
Comments · 4,185

  1. Re:Stuck between a rock and noplace on Google Finds Vulnerability In SSL 3.0 Web Encryption · Score: 1

    The paper explains it.

    Desperately looking for names and versions.

    is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions.

    Is this IOS? What versions?

    Unfortunately those failed negotiations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

    Then why are the browser vendors saying they are going to disable SSL v3? If we're going to use SSLv3 as an excuse and that excuse is taken away ... what's left?

  2. Re:Stuck between a rock and noplace on Google Finds Vulnerability In SSL 3.0 Web Encryption · Score: 1

    Some servers don't handle TLS version numbers at all, and typically just reject the connection instead of advertising to the connecting client that they can support SSL3, TLS1.0 and TLS1.1 but not TLS1.2. So when the client tries to connect with TLS1.2, they are disconnected, so the client tries to connect with TLS1.1 and is successful.

    Please I'm begging for names... name names and versions... Who is supporting 1.1 AND doing this?

    This SCSV thing adds a flag to each side to say "but I'm only using this protocol because you didn't like the other protocol" and for the server to say "but you never asked me?"

    Isn't it easier to fix existing implementations rather than inventing new capability negotiation schemes, writing the code and deploying? Is anyone sure extra flags won't cause new compatibility problems?

    If everyone is shutting down SSL 3 anyway as seems to be the case... what then is the remaining intersection of TLS 1+ capable servers and clients still not supporting version negotiation? Please anyone who knows I beg you to name names.

    BTW, the core reason for all of this was because the pre-TLS browsers absolutely shit themselves over TLS1.0 advertisements, and because browser makers are absolute fuckers, rather than popping up a window saying

    Please name names what browsers?

  3. Re:Stuck between a rock and noplace on Google Finds Vulnerability In SSL 3.0 Web Encryption · Score: 2

    Firefox already mitigates the attack to some degree. If the connection started out at TLS 1.2 or 1.1 then it could not be downgraded to SSL3 because the code allowing that was removed some time ago.

    This does not make any sense. A mitigation that does not work is not worth anything.

    Easiest way in Firefox to prevent a connection downgrade to SSL3 is to set "security.tls.version.min" to 1 in the about:config page. This sets the minimum version of the encryption protocol to TLS 1.0.

    What good does that do when a future attack against TLS 1.0 succeeds and 1.2 users again find themselves being pulled down to 1.0?

  4. Re:How legacy is legacy? on Google Finds Vulnerability In SSL 3.0 Web Encryption · Score: 2

    The last major browser that doesn't support TLS 1 was IE6. Even Microsoft doesn't support that piece of crap anymore.

    I'm scared now... tested using old w2k image IE version 6.0.2800.1106 - TLSv1 amazingly works just fine with IE6 using RC4-SHA cipher, forcing AES was no-go.

    When compatibility issues are raised, always insist people name names; too much of this space is ruled by legend passed down through the ages and unhealthy doses of hearsay.

    Everyone saying "there are servers" or "there are clients" please name names and versions.

  5. Re:Stuck between a rock and noplace on Google Finds Vulnerability In SSL 3.0 Web Encryption · Score: 1

    It is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions. Unfortunately those failed negotiations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

    There has got to be a better solution for clients in 2014 that does not involve leaving users vulnerable to downgrade attack.

    Why can't browser vendors provide users with an option to enable "dancing" and not have it enabled by default?

    I love backwards compatibility but the cost to the overwhelming majority of people who don't have old vulnerability-ridden gear to manage via SSL is way too high in 2014.

  6. Re:How legacy is legacy? on Google Finds Vulnerability In SSL 3.0 Web Encryption · Score: 2

    According to the summary, this isn't about browsers, it's about servers - the browsers choose to fall back to SSL3 to cope with broken servers.

    Intentionally bypassing downgrade attack protection built into SSL to "cope" with broken servers is 100000% a browser defect. There is no possible excuse for this nonsense in 2014.

  7. Stuck between a rock and noplace on Google Finds Vulnerability In SSL 3.0 Web Encryption · Score: 1

    Does anyone know what exactly "many clients implement a protocol downgrade dance" means? ... never heard of this ever... who exactly is doing this and what the hell are they thinking?

    Screw this TLS_FALLBACK_SCSV bullshit it's 2014 cut the music and send the dancers home.

  8. Re:Anyone using Windows deserves it on Windows Flaw Allowed Hackers To Spy On NATO, Ukraine, Others · Score: 1

    it's about keeping people informed so they can act appropriately. Imagine yourself a FreeBSD user; if you heard of Heartbleed as a Linux bug, would you think to look for an OpenSSL patch?

    If your idea of being notified is hearing about it on CNN, ./, other "media" or social propagation, you're doomed.

    Users should not be expected to know what supporting libraries are used by applications. Application vendors need to provide patches and make announcements for service-affecting vulnerabilities in supporting libraries distributed with their applications, no different than if the source of the error were their own code.

    Operating system/package vendors need to provide patches and make announcements for vulnerabilities in the software and standard libraries they distribute.

    There are established update/security notification channels for these things that users need to be following... there is no need for anyone to be guessing or making incorrect assumptions, and no excuse for depending on shit sources (mass media, blogs, friends) for security notifications.

    If anything keeping people "informed" is doing them a disservice.

  9. Re:Anyone using Windows deserves it on Windows Flaw Allowed Hackers To Spy On NATO, Ukraine, Others · Score: 1

    I'll take those two OpenSSL and Bash vulnerabilities any day! That's an important distinction, and not making it lulls anyone using OpenSSL or Bash on a non-Linux system into a false sense of security and may prevent them from patching. That's either a good or bad thing, depending entirely on the color of your hat.

      Yes, Heartbleed and Shellshock both had the potential to be much, much worse than this bug. However, those were only exploited after being found and disclosed, and patches being made available, while this and other Windows flaws are only patched after being found, disclosed, and exploited for a while. Where there were patches issued for Heartbleed and Shellshock within hours of disclosure, this won't be patched until Patch Tuesday. Mind you, that's today, but it's still coming not only days after the disclosure, but months after active exploits.

    What is the point? For starters none of us have any idea who all has a stock of what 0-days for any platform.

    Secondly, CVE databases are loaded to the hilt with Windows and Linux vulns.

    Distinctions made are about as useful as an intelligence contest for the mentally retarded. Unsurprisingly everyone is failing ... badly.

  10. Re:Biased summary on Four Dutch Uberpop Taxi Drivers Arrested, Fined · Score: 1

    FTFY. Slashdot-dwelling Randbots are against it, not Dutch public.

    What is the basis? How do you know this?

  11. This is amazing on Password Security: Why the Horse Battery Staple Is Not Correct · Score: 1

    Find myself disagreeing on virtually all points.

    Bottom line: in the real world, saying no to correct horse battery staple and yes to FcD($*#)@2zJ7&Cd!23 is worse because you're asking something unreasonable of your users when a more reasonable solution is available. This doesn't serve to help anyone or make anything more secure.

    Wishing everyone used password managers won't make it so, nor is it necessarily an ideal solution. Password managers and the use of passphrases vs passwords are separate issues and should be treated as such.

  12. Re:Biased summary on Four Dutch Uberpop Taxi Drivers Arrested, Fined · Score: 2

    Repeat after me: "it's against the law to drive people around for money without the proper credentials".

    No society based on consent can *enforce* laws a significant portion of the public disagrees with without commensurate erosion of state legitimacy or otherwise moving the needle from "consent" toward "force".

    Either stepped-up enforcement actions bring about increased pressure to change the law, or disagreements are otherwise resolved by amicable compromises such as a reduction in licensing burdens, or the industry goes underground, where the state loses visibility and the ability to regulate while wasting resources and good will on enforcement actions the public is offended by.

  13. Most people have the same reasoning as you do.

    Most innovations come from people who think differently than the mass.

    Most people have a resistance to change and that slows down progress. What is the hurry to call it a hoax?

    I would say wait until it is proven to be a fraud before declaring the would be inventor guilty.

    Blah blah blah, you might want to look into the history of both Rossi and the evolution of his claims and antics over the years before playing the wacky inventor card.

  14. Re:Any sufficiently advanced tech... on Independent Researchers Test Rossi's Alleged Cold Fusion Device For 32 Days · Score: 1

    The experiment was set up and run in a different country by a group independent of Rossi

    Except the authors have been linked to Rossi from the beginning.

    The fuel was measured in six different laboratories before and after the test. There is no mention of Copper in the output.

    If you set out to debunk a paper, shouldn't you actually read it first?

    Shame on you, not Slashdot.

    Why would anyone set out to debunk this paper in the first place? What would be the point? Who has that kind of time to take the blabber of every mentally unstable fool and scam artist seriously?

  15. Stopped reading at... on Independent Researchers Test Rossi's Alleged Cold Fusion Device For 32 Days · Score: 1

    Giuseppe Levi
    Baloney University, Bologna, Italy

    Not a direct quote but close enough.

  16. Who cares? on ChromeOS Will No Longer Support Ext2/3/4 On External Drives/SD Cards · Score: 1

    With doublespeak like "You agree to the use of your data in accordance with Google's privacy policies" ChromeOS is so far removed from rational expectations of acceptable behavior that it is foolish to attempt to pass judgment.

    Caring about the format of external storage is like building a house out of cardboard, paper and duct tape, then attempting to evaluate its compliance with building codes.

  17. Re:yes, the people who follow the law/rules on FBI Says It Will Hire No One Who Lies About Illegal Downloading · Score: 1

    You can say it's 99 cents, but this year alone I've probably downloaded about 1500 songs from a private music torrent site. The majority of them, maybe 60-70%, I delete after listening, because it was listening on a trial basis and I just wasn't into whatever I was checking out.

    One good song is priceless to me. Once discovered, 99 cents on Amazon for a DRM-free, no-strings-attached song is a price I happily pay. What more do we want/expect? Seems extraordinarily fair to me.

    While there are plenty of verticals in the content space with fucked up markets, music isn't one of them anymore.

    And the only thing different is that today's Madonna's and Metallica's no longer get $100 million record deals; they just make their $100 million touring. I'm okay with that too.

    While my touring experience is limited to Rock Band, I strongly suspect 100 mil tours only work for a select few.

  18. Dowsers and psychic detectives unite on FBI Says It Will Hire No One Who Lies About Illegal Downloading · Score: 1

    That continued use of polygraph testing continues to be tolerated without these agencies is beyond amazing. Is this the 21st century or the 11th?

    Shameful: employment at the FBI is limited to those lacking principles enough to allow themselves to submit to the whims of mysticism and voodoo.

  19. Love CSS on CSS Proposed 20 Years Ago Today · Score: 3, Interesting

    While I have a laundry list of complaints, I like the underlying idea more than I dislike it. Amazing how simple HTML content ends up being and how flexible changes become once you have made a reasonable attempt to declare content and decouple style.

    This said I'm very much less certain what my sentiment of CSS actually translates to in the real world.

    The underlying problem: while technology wants data presentation to work across the maximal number of display sizes and capabilities, such things too often appear as intolerable annoyances to designers. The world is teeming with fixed-width websites and crap like Zen Garden is a joke. Without assumptions of fixed content tailored specifically for the garden, those layouts would fall apart.

    It often takes different skill sets to design something that both looks cool and is able to survive with coolness intact across a number of different and perhaps unknowable parameter changes.

    This in my opinion is responsible for about half of the great tables vs CSS layout arguments. What designers really want is for each page to have a known width and a known height without all of the compatibility bullshit or having to think about unknowns... what they actually want looks a heck of a lot more like PDF than it does HTML/CSS.

    Without significant design/technology change to bring competing interests into better alignment, I wouldn't bet on CSS lasting 50 years.

  20. Is this a trick? on Eric Schmidt: Anxiety Over US Spying Will "Break the Internet" · Score: 1

    Ok, I'm really scared now; there must be something wrong with me when I find myself rooting for the US to continue spying on everyone...

    "The simplest outcome is that we're going to end up breaking the Internet," said Eric Schmidt, Google's executive chairman. A splintering of the Internet would have costs in terms of science, knowledge, jobs and other areas, he said.

    The Internet was designed to work without borders and can't reach its full potential with barriers between countries, said Colin Stretch, Facebook's general counsel. The result of data localization for most consumers would be a slower Internet experience and less personalized services, because Internet companies couldn't take advantage of economies of scale.

    Rumor has it Eric Schmidt in the very same breath went on to say less is more, left is right, up is down, dark is light and...dramatic pause.... evil is good.

  21. Useless article with no information content on Goodbye, World? 5 Languages That Might Not Be Long For This World · Score: 3, Insightful

    There is no useful or objective information anywhere in the article; it is all childish name calling and appealing to what the cool kids are doing.

    TFA is what I hate about this industry: too many people have their heads in what's cool and get suckered by marketeers rather than thinking about what they are doing and investing the necessary effort to research and arrive, based on objective criteria, at the best tool to get the job done.

  22. Re:Worth trying on Fusion Reactor Concept Could Be Cheaper Than Coal · Score: 1

    When, a few years from now, all oil fields in the middle east will be controlled by IS

    More likely OSPF.

    we want to make the switch away from oil. This seems a solution worth investigating.

    Nothing resembling a tokamak is ever worth investigating.

  23. How to disable similar features on other platforms on Belkin Router Owners Suffering Massive Outages · Score: 1

    Windows registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
    EnableActiveProbing = 0

    Android terminal:
    settings put global captive_portal_server 127.0.0.1
    settings put global captive_portal_detection_enabled 0

  24. The industry needs to stop this on Belkin Router Owners Suffering Massive Outages · Score: 1

    Can't wait to see what happens years from now should Microsoft's NLA site become unreachable to one or more address families as the world swashes between IPv6 and IPv4 connectivity as a result of failed NLA probes.

    There is no need or benefit for this garbage, certainly not by default, and certainly no excuse for failing in this manner. Heartbeat is code for more excuses for vendors to be in the loop and collect data when they have no legitimate business doing so.

  25. Who writes this? on Why Do Contextual Ads Fail? · Score: 1

    Personal data harvesting for contextual ads and content should be a beautiful thing.

    Who writes this? Personalized ads are creep-tastic; they scream to their victim ... **WE'RE STALKING YOU**

    They do it privately and securely, and it's all automated so that no human being actually learns anything about you.

    Except of course the next person who uses the computer.