(Watching the wheels of military technology turn is like watching grass grow)
A couple of recent rapid developments serve to disprove that particular bit of common wisdom. The military, when pressed, kicks ass like no other organization in existence.
If Linux had been created back in the 8088 days, either today's Linux would be incompatible with its legacy apps, or its stability would be comparable to Win9x.
Linux, as we know it, could never have been created on an 8088. In fact, the minimum x86 processor necessary for Linux is the 386. Linux, like Unix, requires virtual memory, preferably page based, and memory protection.
Linus deliberately set out to create himself an OS that followed the Unix model. He was unhappy with the Unix-like x86 OS implementations of the time and created his own. He clearly had in mind that his system would do as Unix does, not just look like Unix. You can make DOS look like Unix if you install enough GNU utilities, but it is fundamentally not Unix.
In a very real sense the stability of Linux, as derived from Unix, is by design, not simply because the coders are somehow better. By design, Linux proper cannot operate on an 8088, and for good reason.
Note: today there are derivatives of Linux that can operate without hardware support of virtual memory. One important example is uClinux. On systems without memory protection or VM support in hardware, the kernel suffers the same vulnerabilities to failures in user-land code as would DOS. The appeal of these systems is that they provide the POSIX API on very limited VM-less platforms.
Even a stopped clock is right twice a day. Art Bell occasionally approaches reality, too! My problem with it is that you have to filter out the high BS content to learn anything of value. While Art may have had this on some night two years ago, the 730 days since then have been pure brain rot.
Busy sites will have variable server load for the attacker to cope with. It's more than just network latency you have to factor out.
:)
I wonder to what degree not knowing the precise parameters of the SSL server would complicate things. If, for instance, you don't know whether the server is a SPARC, Intel or some form of dedicated hardware. Each combination of software and hardware would have wildly different behavior relative to the very precise measurements required.
Also, by its nature, this attack probably can't be used to implement a general purpose worm. So to be safe you'll need a lot of hosts in different locales at your disposal. If you spend too much time cracking remote hosts from a single site you will get found.
Finally, once you have a private key, you also need access to the traffic between the compromised server and whomever is trusting it. Without this it's not much good. Once you have managed to reliably tap that traffic, what then would you do with it? It's not a cash machine that starts pumping out money on command. Passively sniff, collecting credit card numbers to sell off? Rogue employees do that all the time anyhow. Implement a man-in-the-middle somehow?
A concerted effort against a specific target could result in some successful theft of something. As we all know, however, there are many ways to attack a system when one has focus.
As vulnerabilities go, I don't think it rates very high. I'll bet 99% of the SSL servers and other encryption endpoints in the world will be made secure against this in the course of regular upgrades before an actual attack results in any real consequence.
But, then again, IANACE.
A SQL variant of this is far more effective:
insert into mouth values ('foot')
IANACE (crypto expert)
The attack works by measuring the time it takes for an SSL server to encrypt things. By causing the SSL server to do lots of encrypting of known things, you can derive a private key. Apparently, this must be repeated many times and is highly dependent on timing. Thus, it's not fast and network latency, high server load, etc. will reduce the effectiveness of the attack. Further, subtle environment differences prevent an obvious "script kiddy" level implementation of this attack. A relevant quote from the paper:
As we will see, the performance of our attack varies with the exact environment in which it is applied. Even the exact compiler optimizations used to compile OpenSSL can make a big difference.
A solution to this might be to implement a small random delay before the server returns ciphertext to the client, no? A few extra milliseconds here and there would probably be sufficient.
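The comments above describe the attack (many timed requests, a signal that is small relative to network and load noise, and a proposed fix of adding a few random milliseconds). The following simulation is an added example, not code from the thread, from the paper or from OpenSSL. It uses a toy leak model as a stand-in for the data-dependent arithmetic in a real RSA implementation: each key bit set in both the attacker's input and the secret costs a little extra time. The constants (BASE_COST, LEAK_PER_BIT, the jitter and delay magnitudes, the 16-bit SECRET_KEY) are all constructed for the simulation. It shows three things a practitioner would want to check: the key falls out of averaged timings despite latency-style jitter; a uniform random delay does not stop that, it only raises the number of samples the attacker must collect (the samples_needed formula makes the cost explicit); and a server whose work is independent of both input and key gives the attacker nothing.

```python
import random
import statistics
from typing import Callable, Tuple

KEY_BITS = 16
SECRET_KEY = 0b1011_0010_1110_0101   # constructed toy secret for the simulation
BASE_COST = 100.0      # fixed cost of one private-key operation (arbitrary time units)
LEAK_PER_BIT = 2.0     # assumed extra cost per key bit that does more work for an input


def server_op_time(x: int, secret: int, rng: random.Random,
                   jitter_sd: float = 3.0, random_delay_max: float = 0.0,
                   constant_time: bool = False) -> float:
    """One simulated service time for a request carrying input x.

    Toy leak model (an assumption standing in for the data-dependent
    arithmetic of a real RSA implementation): every key bit set in both x
    and the secret costs LEAK_PER_BIT extra.  jitter_sd models network
    latency and server load.  random_delay_max models the "small random
    delay" countermeasure: a uniform delay in [0, random_delay_max].
    constant_time=True makes the cost independent of both x and the secret.
    """
    if constant_time:
        work = LEAK_PER_BIT * KEY_BITS
    else:
        work = LEAK_PER_BIT * bin(x & secret).count("1")
    noise = rng.gauss(0.0, jitter_sd)
    delay = rng.uniform(0.0, random_delay_max) if random_delay_max > 0 else 0.0
    return BASE_COST + work + noise + delay


def noise_sd(jitter_sd: float, random_delay_max: float) -> float:
    """Standard deviation of everything that is not the leak.

    A uniform delay on [0, d] contributes variance d^2 / 12.
    """
    return (jitter_sd ** 2 + random_delay_max ** 2 / 12.0) ** 0.5


def samples_needed(sd: float, z: float = 5.0) -> int:
    """Samples per probe so the mean gap is resolved at z standard errors.

    The gap between two means of n samples has standard error sd*sqrt(2/n);
    the decision threshold sits LEAK_PER_BIT/2 from either true gap, so we
    need sd*sqrt(2/n) <= (LEAK_PER_BIT/2)/z.
    """
    margin = (LEAK_PER_BIT / 2.0) / z
    return int(2.0 * (sd / margin) ** 2) + 1


def recover_key(measure: Callable[[int], float], samples_per_probe: int) -> int:
    """Attacker: probe one key bit at a time and average the noise away.

    measure(x) returns one timing sample for input x.  Bit i is probed with
    x = 1 << i and its mean time compared with the mean for x = 0; a gap
    above LEAK_PER_BIT/2 means the attacker decides the bit is set.
    """
    baseline = statistics.fmean([measure(0) for _ in range(samples_per_probe)])
    key = 0
    for i in range(KEY_BITS):
        probe = 1 << i
        mean_t = statistics.fmean([measure(probe) for _ in range(samples_per_probe)])
        if mean_t - baseline > LEAK_PER_BIT / 2.0:
            key |= probe
    return key


def attack(jitter_sd: float, random_delay_max: float,
           constant_time: bool = False, seed: int = 1) -> Tuple[int, int]:
    """Run one attack; returns (recovered_key, samples_per_probe used)."""
    rng = random.Random(seed)
    n = samples_needed(noise_sd(jitter_sd, random_delay_max))

    def measure(x: int) -> float:
        return server_op_time(x, SECRET_KEY, rng, jitter_sd,
                              random_delay_max, constant_time)

    return recover_key(measure, n), n


if __name__ == "__main__":
    for label, jitter, delay, ct in [
        ("noisy network only", 3.0, 0.0, False),
        ("noisy network + random delay", 3.0, 40.0, False),
        ("constant-time server", 3.0, 40.0, True),
    ]:
        key, n = attack(jitter, delay, ct)
        print(f"{label:30s} samples/probe={n:6d} "
              f"recovered={key:#06x} correct={key == SECRET_KEY}")
```

Added random delay is just more noise, and noise with a zero-mean average is removed by collecting more samples; in the run above it multiplies the sample count by roughly the ratio of the variances and nothing else. What actually removes the signal is making the work independent of the attacker-chosen input, which is what constant_time=True models and what RSA blinding achieves in a real implementation.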
This model aircraft spectrum change was motivated by two things. Get more channels so that more models could be flown simultaneously and improve standards in transmitters and receivers to reduce interference. If I remember correctly, they basically doubled the number of channels by creating a new channel between the existing channels. The standards for performance of the transmitters and receivers were toughened up quite a bit.
Contemporary model aircraft radios are pretty sophisticated. High end radios use digital protocols over the air. Error correction, etc. I've been away from it for about 10 years. Anyone know if spread spectrum is in common (or any) use yet for model aircraft? Seems to me that would go a long way toward preventing unintended landings. I don't remember any provision for it in the new frequency allocations. Too bad I guess.
The idea that 50 million dollars is a good price...
Indeed. Besides, the music industry is too busy corrupting the FCC to suppress Reed's revolutionary radio ideas. They can't be bothered spamming people.
nvidia.com's problem is not Mozilla's fault, according to bug 148090.
This bug appears to be a networking issue. The operator couldn't access the site at all.
My problem wasn't nearly as dramatic. The components of the menu bar at the top of the nvidia.com site would splay across the width of the page. They're not supposed to. 1.3 seems to get it.
Well I can't square what you say with what I see. The production release of 1.3 is snappy. At least as fast as 1.2.1.
1.2.1 finally fixed www.msnbc.com. However, www.nvidia.com was still not "right". Now even that site works. woot!
I know judging a browser by its ability to handle the twisted "html" these sites use is a bad thing to do. However, it's nice to see Mozilla take on the challenge and succeed anyhow.
Not really. I'm used to hearing words on the order of threatened, endangered or imperiled from these folks. "Risked" seems comparatively much less hysterical.
What I attempted to point out is the merit of a particular "big budget" NASA project versus the results we've gotten from the "faster, better, cheaper" philosophy. There are no "feeding the poor" implications in this.
However, I am well aware that singling out foodstamps causes many knees to jerk. I could have used any number of different budget figures to the same effect, but I know what I am doing. :)
Thanks for playing!
Good point! Thanks. :)
Chalk one up for slow, lame(?) and expensive. Cassini is firmly among the old-school "big budget" NASA projects. The probe cost over 3 billion dollars. Read about that here.
Cassini. Remember that name. You're going to hear a lot about Cassini over the next few years. The knowledge brought to us by that probe will make science headlines for the rest of this decade. Not bad for something that cost 15% of the Federal Foodstamp budget in FY2001.
My Father bought a gyroscope that had been pulled from a Northrop Grumman Corsair around 1960. He still has it. It is well built to say the least. It weighs about 30 pounds and I'm sure it could withstand moderate shrapnel. The gimbals are very smooth. No corrosion whatsoever. I'm guessing it's all stainless as Corsairs are Navy aircraft. This thing is going on 60 years old at least.
As I suggested, go debate the fine point of this in a NY fire station. If you ever regain consciousness, you will have a clear understanding about what one has to do with the other.
Frankly space exploration is and should be above the almighty dollar.
Sigh. The operative word there is should. What should be and what is are two quite distinct matters.
If you wish to see phenomenal progress in Space, find a way to make it turn a profit. You'll live to witness contract negotiations between businesses and astronaut unions.
As I have said before if we could set up a truly International Space Agency with contributions from every nation on the planet then we would be getting a hell of a lot further along than we are at the moment.
A "truly international" Space Agency would spend most of its time squabbling over which country gets the rocket contracts and how much launch facility compensation must be paid.
I guess you missed the sarcasm. There was an implied smiley in there.
Some of my fellow conservatives are embarrassing...
"Where do companies get off thinking that they can be judge, jury, and executioner?"
:)
So you have to watch it for free on the old fashioned tube if you're local. How tragic.
Cut them a break. They have long standing contractual obligations to the affiliates. The alternative is to change nothing. Instead, they've arranged it so that this can happen despite the existing contracts. That's admirable. It opens the door to greater things.
Imagine if this is actually successful. Baseball (tm) might discover that they can actually turn a nice profit in advertising. Maybe this leads to a day when the affiliates have less power at the bargaining table.
Think 10-15 years out. The phone monopolies have finally been overcome. Everyone has enough bandwidth to stream live video from anywhere for close to free. All Professional Sports (world-wide, 24x7) will be pay-per-view events on competing virtual networks. Baseball's (tm) first tentative effort is merely a precursor to the inevitable. That they had to make this silly exception due to affiliate contracts means nothing.
Chill, dude. It's all good.
Yet again another instance of someone pulling numbers out of their ass.
LOL
Bingo!
Or has anyone here actually seen the research that supports these numbers?
It would take a lot more than having "seen" the results to convince me. Universities, private think tanks and government are bought and paid for whores of whatever faction sponsors them. This passes for "research" in business and politics. If you believe what you are fed by these folks, know that you are a Useful Idiot (tm).
Yeah, but if you can afford to own such nice things, you're rich, so it doesn't hurt you. Think of all the underprivileged people who can't. Fun being rich huh?
The system we have was not foisted on us by some big government conspiracy and it's not maintained by the pressures of a cartel.
NASA is the reason you're not lounging around on the Moon right now. Bush will attack Iraq because his dad wants the oil. McDonalds hates animals AND humans, so they kill one to kill the other. The World Bank is the reason you aren't as wealthy as Bill Gates. The current state of radio technology is a function of FCC corruption funded by record labels.
Clear? Good.
"Certainly not Dell, HP, IBM or the likes of any Tier 1 supplier that wants to keep on receiving their share of the Intel Processor Yields"
I have a 1GHz Duron laptop from HP. Plays DVDs just fine. Guess you're a bit off the mark.
but suck as a true laptop IMO
I want enough balls to run JDeveloper, an Oracle instance and JBoss doing a full compile/run/debug cycle for 10 hours without complaint. That, and several other common apps in the background, a LOT of disk and RAM and a CD burner. 99 days out of 100 the longest I actually carry the thing is from my office to the back seat of my car. I do this every working day and I could care less if it weighs 7-8 pounds. The only time I need the battery is while traveling or stuck in a meeting. Real computing on a plane is hopeless unless you're in 1st class and meetings don't last long enough to kill the batts.
Too heavy? PDAs do email just fine.
I really don't get these people that whine about weight/size. There are thin 2-3lb laptops all over the place. I won't have anything to do with them but I see them often enough. What is the problem? Does it surprise you to discover that 0.5" and 2.5lbs with 1076x768 won't replace your desktop? Well no sh*t Sherlock!