Actually, vaporization is far more efficient than combustion. The material is heated to the point where the organic volatiles (cannabinoids and terpenes) go through a phase change from semi-solid to gas.
One of the things I absolutely love about drug debate is the informed, relevant, calmly intelligent commentary coming from sources who you can't help but believe are learned advocates because they're users. The irony of the contrast with the popular myth of "dope" and its effects is amusing, as is the contrast with the often misinformed, fallacious, and belligerent commentary from detractors. Fun stuff.
(No offense, but I should mention it's spelled "cannabinoids".)
There's plenty of work beside tweaking for incompliants. More gratifying work, too.
You can't seriously be advocating the "let's have the situation be worse so that we can be gainfully employed in handling that" scenario.
It's thinking like yours that holds back the whole of fucking humanity. Let's solve the browser compatibility issue and move on to the next situation. There will always be something. Let's make that something related to progress, okay?
There may be a number of good technical and use-oriented reasons not to bother with IE8. I don't know the details on it just yet. But it could be twice as good as the next browser and I still wouldn't use it. Not after what Microsoft did to us all with earlier versions. The standards compliance problems have been infuriating for developers. How much human effort has been wasted trying to cope with this? And the vulnerabilities have made popular computing a diseased seething mass. How many geeks have had to spend evenings or whole weekends taking care of friends' and family members' systems?
All of that and Microsoft let IE rot for how many years? Half a freakin' decade in the midst of humanity's glorious ascension into a networked era? It took competition forcefully wedging its way into IE's monopolistic stranglehold before Microsoft got off their asses to do anything.
Well, it's too late. Fuck off.
I'm no battered wife. I know that MS isn't "really a good husband, he just..." whatever. I'd rather other people not drag me into another round of this same neglected-until-it-matters-to-Microsoft bullshit. The fewer people who use IE, the better.
a 17-byte query becomes a 50k response (or something like that)
I haven't tried to figure out the exact numbers, but my tcpdump files of a root NS query and its response have been about 100 and 300 bytes respectively.
Oh, here: dig reports "MSG SIZE rcvd: 300".
Still, a DNS amplification attack. (Not a smurf attack, though that's another reflection/amplification attack, but it's specifically with pings.)
It's a reflection attack. Send a small query that requires a bigger answer to a bunch of nameservers. Spoof the source address for the query.
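As an added example (not part of the thread), here is the defender's side of the pattern just described: a small script that tallies, as the nameserver operator would see it, how many bytes go back to each claimed client per byte of query it supposedly sent. The capture is constructed in tcpdump's style with documentation-range addresses; the 17-byte root NS query and 300-byte answer reuse the sizes quoted above, and the flagging thresholds are arbitrary assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the style of `tcpdump -n udp port 53` output (not a real
# capture). The 17-byte "NS? ." query and its 300-byte answer use the sizes quoted
# in the thread; 203.0.113.7 is the claimed (spoofed) source, 192.0.2.10 a normal client.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 203.0.113.7.40000 > 198.51.100.53.53: 1+ NS? . (17)
12:00:00.000002 IP 198.51.100.53.53 > 203.0.113.7.40000: 1 13/0/14 NS a.root-servers.net. (300)
12:00:00.000003 IP 203.0.113.7.40000 > 198.51.100.53.53: 2+ NS? . (17)
12:00:00.000004 IP 198.51.100.53.53 > 203.0.113.7.40000: 2 13/0/14 NS a.root-servers.net. (300)
12:00:00.000005 IP 203.0.113.7.40000 > 198.51.100.53.53: 3+ NS? . (17)
12:00:00.000006 IP 198.51.100.53.53 > 203.0.113.7.40000: 3 13/0/14 NS a.root-servers.net. (300)
12:00:00.000007 IP 192.0.2.10.51234 > 198.51.100.53.53: 4+ A? www.example.com. (33)
12:00:00.000008 IP 198.51.100.53.53 > 192.0.2.10.51234: 4 1/0/0 A 192.0.2.80 (49)
"""

LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r".*\((?P<length>\d+)\)$")


@dataclass
class ClientStats:
    queries: int = 0
    query_bytes: int = 0
    responses: int = 0
    response_bytes: int = 0

    def amplification(self) -> float:
        """Response bytes sent to the claimed client per byte of query it 'sent'."""
        return self.response_bytes / self.query_bytes if self.query_bytes else 0.0


def parse_capture(text: str) -> dict:
    """Tally query and response bytes per claimed client, as the nameserver sees them."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        length = int(m["length"])
        if m["dport"] == "53":        # query arriving at the server, from the claimed source
            stats[m["src"]].queries += 1
            stats[m["src"]].query_bytes += length
        elif m["sport"] == "53":      # answer leaving the server, to that same address
            stats[m["dst"]].responses += 1
            stats[m["dst"]].response_bytes += length
    return dict(stats)


def flag_amplified_clients(stats: dict, min_ratio: float = 3.0, min_response_bytes: int = 500) -> list:
    """Addresses receiving amplified traffic in volume. A spoofed victim never sent the
    queries, so the server-side tell is many small queries 'from' one address answered by
    much larger responses; the ratio floor ignores ordinary lookups and the byte floor
    ignores a single large but honest answer (both thresholds are assumptions)."""
    return sorted(addr for addr, s in stats.items()
                  if s.amplification() >= min_ratio and s.response_bytes >= min_response_bytes)


if __name__ == "__main__":
    tallies = parse_capture(SAMPLE_CAPTURE)
    for addr, s in tallies.items():
        print(f"{addr}: {s.query_bytes} B queried -> {s.response_bytes} B answered (x{s.amplification():.1f})")
    print("flagged as amplification targets:", flag_amplified_clients(tallies))
```

On the sample the spoofed address draws 900 bytes of answers for 51 bytes of queries (about 17.6x) and is flagged, while the client doing one A lookup stays well under the ratio floor.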
Here's what I'm seeing of this attack.
Microsoft is dying.
Net Applications confirms it.
I wonder what that search result count will look like over the next two years.
Net Applications confirms it!
Seek the link between bullying and school shootings. It won't be hard to find.
As a casual observer I see that a character named Rocky was the bane of the Trench Coat Mafia. Doubtlessly there were other influences for Klebold and Harris, but those influences are accounted for in a larger bullying dynamic.
I'm glad the net's throwing media into chaos. Let's hope something more forthright shakes out.
Obligatory bullying ref:
Big, Bad Bully
Excellent article on the phenomenon of bullying. Gave me a lot of insight into the dynamic.
The real concern over video games, FPSs specifically, is chronic stimulation of fright/flight/fight response.
Play the adrenalin- and cortisol-response producing games long enough and you'll be at much higher risk of associated problems.
If you think you might have such problems, do some research on stress as it relates to hyperglycemia.
Wait a second... What method(s) were you using?
I haven't yet seen a single person claim to be able to recover from even a single pass wipe. I don't know enough to say whether it's possible, but no one's given eyewitness account of having done it. So what did you do? It couldn't have been to just run software you found. I haven't seen a software package claim to be able to read single-pass overwritten data.
Only during 3D viewing. You should be able to use it at full resolution without polarized lenses.
Well then, okay, a solid A. I get the general idea of the non-criticality of the incident, and that mitigates the disclosure time delay. (I still recommend putting good effort towards coordinated disclosure with the vuln finder, if just for PR purposes.) And I like hearing about predetermined procedures for handling (major) events. (I bet you even have specific plans for how to notify "all software vendors, subscribers, and the general public", i.e., in which forums or to which lists or email addresses reporting must be done.)
That said, I'm not very familiar with the intricacies of the CA business and am probably not the best grader. Still, from a layman's perspective, it looks to me like StartCom's behavior in this scenario is sufficient for trust in the organization's procedures and operation.
Now if only the entire SSL PKI model weren't so iffy, what with any trusted CA (out of dozens) being able to subvert the whole system. I get the impression for this model to continue to "work", such as it might, things will have to change. Primarily the stringency of CA performance (and auditing) requirements. And so I don't mind you raising hell when you see shoddy (or even negligent, or even malfeasant) practices. And I am glad to see efforts like Sotirov et al.'s "Creating A Rogue CA Certificate" project, even if it makes me scared. Better frighteningly informed than blithely insecure.
I don't know how feasible this idea is, but I'd rather have a genuine web of trust than a commercial one or an institutional one (like what Mozilla corp. or MS or Apple or Opera provide). A real web of trust based on keys vouching for other keys... vouching for CA performance, thus defining my browser's CA list. Maybe this is a dream and there's no way a system like this would survive gaming or no way it could be practical because people are lazy, but I like the dream. Here's a related project that leans in a democratic direction, Perspectives. Have you seen this?
Indeed. Though it's interesting that no one here seems to be thinking about your company's culpability/performance. Either they assumed it was a similar incident (and probably also didn't look twice at the name of the company), or they're only vaguely thinking "SSL bad!" I wouldn't worry about public perception, though sharing your full disclosure is of course due diligence.
Anyone following closely enough will see that Schmoilito clarified your company's performance and behavior. (And I noticed that he was referencing my post on your blog.) Your defense in depth and quick response basically exonerate you. However, please discuss with the other persons who "gave you permission" (so far, Eddy, you look to me like the guy running the show) that your company's giving full disclosure after someone else disclosed your vulnerability makes it look like your hand was forced rather than that you're trying to run an open show.
You should have arranged with Schmoilito about who (probably both of you) would disclose and how and when it would be done. If not at the time of the incident you should have discussed this with him shortly thereafter. I realize it's not half a month since, but the sooner the better. Who knows? Maybe you'll be personally involved in finding a serious vuln at another CA and have to out them, and then you'd want to have already emptied your closet of skeletons.
Anyway, I give your company's response to the incident an A-. Overall very good performance, but points lost for having the attacker disclose your vuln before you, especially when you had cooperative interaction with them.
Your Tier 1 may be functionally available already. Plus some.
Check out Perspectives.
If you would rather not read, this page may give you the idea at a glance.
Over-aggressive attempt at vendor lock-in. Many content hosting businesses are perfectly content (hm) to let the hurdle of scraping your data out be barrier enough.
I don't believe many customers think about the importance of being able to File -> Export.
I hope eventually consumers come around to understanding, and that this feature becomes a primary criterion in selecting services.
Controlling the way that people access computing is a big, big deal.
If you control the channel you get to call the shots in a ton of (even tangentially related) ways.
So, I realize it was intended as a "Yay Firefox" claim - but, if you look deeper at the numbers - fewer of the new Anti-MS crowd are adopting it than have in the past.
Percentage-wise in relation to how many MS refugees were going FF before? Does that measure actually matter to anyone but an ignorant Firefox fanboy?
An enlightened Firefox fanboy would realize that the absolute FF usership numbers are still climbing, and at an excitingly fast pace.
And a truly enlightened user would realize that Firefox's real goal is not domination but wresting monopolistic control from IE. That's what "Take back the web" means. Firefox could take 1/5th of all the remaining IE users and the rest could go to some mix of other browsers and that would be cool.
This isn't really about pro-Firefox gains. It's about anti-IE stranglehold progress.
I for one will kick and scream against MS grabbing a lion's share of the market again. (Or any browser.)
They abused the lot of us when they let IE6 rot for freakin' half a decade. I don't want to suffer through another Great Languish.
but it's a service to users by helping to improve the Internet ecology as a whole, as the millions of users that are most likely to be pwned over are now being directly told to switch to software that isn't hopelessly insecure.
A bold improvement, and not just that, but the ecosystem grows more diverse. Having a monoculture of a single browser for an overwhelming bulk of the userbase is blight-prone. Conversely, diversity is resilience. O, happy progress!
And more than that, a browser-fragmented userbase forces development towards interoperability (which can realistically be achieved these days with the level of standards compliance in modern browsers), which denies any one company the ability to lock everyone into their platform.
Where they then sit on their laurels.
For fucking years.
As IE6 rots and rots.
And developers pull their hair out trying to cope with IE's quirks while supporting other browsers (via standards as possible).
And IE6 rots some more.
And systems get pwned and zombified into spam spewers.
And technical friends grudgingly have to clean up their friends' borked systems.
God damn it, I just have to scream about how angry I am at Microsoft for what they did to us with The Great Languish! They sewed up the market and proved their lack of care for us users and developers by not keeping IE6 current. Oh, but a little fox started nibbling on their lunch and they think they can roll out some shiny new browsers and get us back to the same old lock-in? Won't work this time. Piss off!
And I've got FF3 on my W2K, so I think G-GP has a broken W2K installation or something.
I made sure that the site was usable (not very pretty, but usable) for these users, put an alert(); in the index page, and that's it.
Someone in this thread pointed out "Browse Sad". Another nice way to do what you're doing.
Stop IE6 was fun. Had a cool link to "Browse Sad". Ha!
But http://savethedevelopers.org/ is broken. Or, more like, co-opted.
The one I've been using for a decade now is an AST "KB-101" (part # 120077-001 Rev. A). I haven't found another that has as nice a feel.
It's getting old, though.
I was thinking about moving to a Happy Hacking Lite 2. Anyone have experience with that?