Yup, to the best of my knowledge, AIM is unencrypted. Even the password is only "roasted" before being transmitted, which can easily be reversed. It's quite horrifically insecure, but for most useless conversations, it's just fine (the same way the public phone network is insecure). People have made various client add-ons for securing AIM, but very few pairs of people both use them. The only major protocol I know of that is secure is Jabber / Google Talk, which can connect via SSL.
I doubt the iPod would have to tell the computer its number, rather it would be the other way around. The iPod is the one that needs to know, and it has its own processor. My theoretical implementation just broke your theoretical hack. Oh, and "store it in a blatant file"? I'm sure they could do better than that, seeing as your FairPlay keys are kept hidden quite well. Go ask the people who have been trying to figure out how they are encrypted and stored ever since iTunes 6 and the corresponding iPod firmware updates broke hymn. Apple really can get security right when they really want to.
Saying an image file on a computer is just one big number is like saying humans are just a bunch of carbon atoms. It's a failed analogy. So the next time someone steals your car, you can just shrug it off and say, "oh, those silly carbon atoms!" (Sorry I can't properly attribute that, but I forgot the original source.)
Not if you sign the new certificate with the correct hostname. Normally, your browser has root certificates from a bunch of companies such as VeriSign that you trust to only sign a certificate for the proper owner of a host (as identified in the whois information, etc). However, in this case, the library has added their own root certificate to the browser. Therefore, they can create certificates with any hostname, sign them themselves, and have the browser trust them as with any other certificate.
Also, if you were to bring your own laptop to the library, this would not work as you would not have the library's root certificate. Although I doubt such a library would offer WiFi as my local ones do.
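As an added example (not code from the comment above), this Go program shows why the installed root is what makes the difference: it builds a constructed private root, issues a leaf certificate for an assumed hostname, and then verifies that leaf once with the root in the trust store and once without it, as a browser would on a library PC versus a visitor's own laptop.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed hostname the private root issues a certificate for (constructed, not from the comment).
const targetHost = "www.example.com"

// makeCert signs a template with the parent's key and parses the resulting DER.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// forgeChain models the library's setup: its own root CA plus a leaf for any hostname it chooses.
func forgeChain(host string) (root, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Library Filtering Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, err = makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the browser compares against the URL
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = makeCert(leafTmpl, root, &leafKey.PublicKey, caKey)
	return root, leaf, err
}

// trusted reports whether a client whose trust store holds exactly roots accepts leaf for host.
// An empty (non-nil) pool deliberately bypasses the system roots so the result is self-contained.
func trusted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// Compare returns (library PC with the root installed trusts it, personal laptop without it trusts it).
func Compare(host string) (bool, bool, error) {
	root, leaf, err := forgeChain(host)
	if err != nil {
		return false, false, err
	}
	return trusted(leaf, host, root), trusted(leaf, host), nil
}

func main() {
	withRoot, without, err := Compare(targetHost)
	if err != nil {
		panic(err)
	}
	fmt.Printf("library PC (root installed) trusts cert for %s: %v\n", targetHost, withRoot)
	fmt.Printf("personal laptop (no library root) trusts it: %v\n", without)
}
```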
Yes, you could. Quite easily. Heck, I don't even have an application installed for editing the metadata, so I just opened one of my iTunes Plus files in a hex editor, searched for my real and account names, and overwrote them with useless data (Anonymous User and someoneelse - same lengths). Done. That was hard.
Ok, granted, most people aren't going to open a hex editor to do something so simple. Which one wouldn't have to, since editing audio tags is a perfectly valid thing to do, so there are multitudes of programs to do just that. I'm pretty sure you could do it using AtomicParsley.
I'm really tired of people trying to make an issue out of this. As has been pointed out many times, your account data has been in files from the iTunes store from the very beginning. Your name is not DRM. Does having your name in the file prevent you from doing anything? No! And as the tags are not encrypted, they are obviously not intended for tracking files on peer-to-peer file sharing, as I could change them to reference anyone. I find having the data there helpful, as I can tell whether a specific file was purchased by me or my dad. If you don't like it, just get rid of it!
Besides, didn't everyone cheer when some stores introduced audio watermarking, which would actually prevent you from putting the original file on peer-to-peer networks, unlike this?
I don't know how you still have a positive score for that comment. Have you ever met Paul Vixie? I have. He's a great man with a good sense of humor (see http://en.wikiquote.org/wiki/Paul_Vixie). Now can we just take this quote to mean that exploiting this part of the IPv6 specification has an extremely low barrier to entry as it was intended and move along?
That would also be the Deadline For Saying "Yes" To National ID, wouldn't it? News (look at the top of the page... "news for nerds") about voting shouldn't tell you how to vote, should it?
Using a proxy does not "break a machine" or "make it otherwise unusable". The only possible concern for the use of a proxy affecting the network's usability would be the extra use of bandwidth, but most proxies are so slow that they won't make much of an impact. Using a proxy, what the summary was talking about, by no means "enables students to mess up the computers and prevent others from using them" any more than going to any other website. At my school, I have - numerous times - needed to use my proxy to be able to give a presentation in class from a site blocked for "streaming media". Teachers have even approached me to help them get around the blocking of websites. Proxies can, in certain instances, increase usability.
I agree that any vandalism of school computers that, as you say, messes up the computers and prevents others from using them should be dealt with extremely harshly. But benign "offenses" such as using a proxy or booting off of a Linux Live CD (to go with your locked BIOS example, which my school does not do), things that do not cost the school in any way, should receive a slap on the wrist at worst.
Hmm... I'm a high school junior who just had a talking to by the Dean of Students and Director of IT for setting up a proxy to help others get around my school's Websense installation. This isn't exactly the email I wanted to see in my inbox...
---
Danny:
Please explain why you put this program in this folder
\\file-server\shp_classes\AP_US_History_Final_Project\Project\FirefoxPortable
---
Luckily for me, the only thing I have to do is comment on my school's Acceptable Use Policy to help make it more clear to students (and, of course, not help people access blocked sites again). I was a little worried about getting a detention or other punishment of that magnitude when I was pulled into a conference room after my last class, but 3 months' suspension? That's simply insane. And these are probably some of the school's best students... take it from someone in high school that Websense's "Your company policy denies access to this page at all times" just begs to be worked around. It's not really the getting to Facebook and YouTube at school that was fun, but the challenge of figuring out the best way to do it.
Although I still have qualms with some of the blocked sites, I would like to commend my school's handling of this. They talked about why what I did was wrong (they were mainly upset with my helping of other students to get around the blocking, not doing it personally), and invited me to talk to them about such issues. Much better than the knee-jerk reaction described in the summary.
---
And while I'm at it, I think I'll describe my now-removed setup. First off, many people had put a copy of Firefox in their user folder so they wouldn't have to use IE (which is the only browser on all but the science laptops), which, of course, was a huge waste of space. Therefore, I put a copy of Portable Firefox in a folder that everyone could access (although without permission) with a modified launcher that would store the user's profile (bookmarks, history, etc) in each person's own user folder. Then, to bypass Websense, I ran tinyproxy on my home router running OpenWRT with a domain name from DynDNS, then configured FoxyProxy in the shared Firefox install to use my house as a proxy to access the blocked sites. Then I could put a shortcut to the Firefox install in someone's home folder, and they would have persistent bookmarks and a configured proxy.
I had previously set up CGIProxy on my webserver, but that was unusably slow. Websense also caused me to read the HTTP protocol specifications in an attempt to find other weaknesses that don't rely on an outside proxy. I determined that you can access some sites by mucking with the HTTP headers. (Unfortunately, this only works for servers that are not properly configured per the RFCs, but that seems to be a lot of them.) In HTTP 1.0, there was no way to serve more than one domain name from one IP address. HTTP 1.1 addressed this issue by requiring that all requests include a "Host:" header specifying the domain the information should be accessed from. Many servers, such as YouTube, will respond the same no matter what host is specified. Websense, however, will always look at the Host: header if it exists to determine if the site is allowed. Therefore, it is possible to make an HTTP request to youtube.com but ask for "Host: websense.com", have Websense believe that you are going to websense.com, but actually have a page from youtube.com returned. (However, technically, it is improper for servers to respond to requests for domains they do not serve.) As far as I know, mine is the first discovery of this technique. Great fun!
Websense causes learning... just not how school administrators expect!
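The weakness described above is a filter deciding policy from the Host header alone. As an added example, not the commenter's code or anything from Websense, here is the check a proxy or filter can make instead: compare the Host header against the address the client actually connected to. The DNS view, hostnames and requests are constructed, using RFC 5737 documentation addresses, so it runs offline.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Constructed DNS view used instead of real lookups (hostnames and addresses are made up for this example).
var dnsView = map[string][]string{
	"video.example":  {"192.0.2.10", "192.0.2.11"},
	"filter.example": {"198.51.100.5"},
}

func lookup(host string) []string { return dnsView[host] }

// Verdict is what the filter should log for one request.
type Verdict struct {
	HostHeader string
	DestIP     string
	Mismatch   bool // Host header does not resolve to the address actually connected to
	Reason     string
}

// CheckRequest parses a raw HTTP request and compares its Host header with the TCP destination.
// The resolver is injected so the constructed dnsView above can stand in for DNS.
func CheckRequest(destIP, raw string, resolve func(string) []string) (Verdict, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return Verdict{}, err
	}
	host := req.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop an explicit :port
	}
	v := Verdict{HostHeader: host, DestIP: destIP}
	if host == "" {
		// HTTP/1.0-style request: there is no name to decide policy by at all.
		v.Mismatch, v.Reason = true, "no Host header; decide policy by destination address"
		return v, nil
	}
	for _, ip := range resolve(host) {
		if ip == destIP {
			v.Reason = "Host header resolves to destination"
			return v, nil
		}
	}
	v.Mismatch, v.Reason = true, "Host header does not resolve to destination; decide policy by destination address"
	return v, nil
}

// Constructed samples: a consistent request, and one whose Host header names a site other
// than the one the connection actually goes to.
var samples = []struct{ destIP, raw string }{
	{"192.0.2.10", "GET /watch HTTP/1.1\r\nHost: video.example\r\n\r\n"},
	{"192.0.2.10", "GET /watch HTTP/1.1\r\nHost: filter.example\r\n\r\n"},
	{"192.0.2.10", "GET /watch HTTP/1.0\r\n\r\n"},
}

func main() {
	for _, s := range samples {
		v, err := CheckRequest(s.destIP, s.raw, lookup)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("dest=%s host=%q mismatch=%v (%s)\n", v.DestIP, v.HostHeader, v.Mismatch, v.Reason)
	}
}
```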
"...without incurring the insane streaming server licensing costs charged by Real, Adobe and Microsoft ...and Apple."
You would be right that QuickTime Streaming Server comes with Mac OS X Server, which does cost money (although not above and beyond the cost of the hardware or OS). It is supported and well integrated into the OS.
However, Apple also releases the Darwin Streaming Server for "alternative platforms such as Windows, Linux, and Solaris, or those developers who need to extend and/or modify the existing streaming server code to fit their needs". It is only missing some of the advanced administration tools, and is even released under a license recognized as free by the FSF.
Either bundled with the server OS or free is hardly an "insane cost", is it?
Science sure is interesting when shown to be. And, in case you wanted to know, I'm a current high school student (at a Catholic school).
-------
In my middle school, a retired teacher came back to teach an extra science course before regular classes started. He taught us all kinds of things, all hands on. We soldered together electronic kits, dissected animals (including a shark one of his friends caught... who needs preservatives), fermented wine from raisins, distilled it into alcohol, then burned it, made a barometer by pouring mercury into tubing, showed that there is a limit to how high you can lift water through suction by running a really long straw to the roof and having us try, exploded hydrogen balloons, and more...
Much of this wasn't exactly "safe", but that's what made it exciting. We all missed a bit of sleep in the morning, but loved it. Mr Zucca, you will always have a place in my heart.
-------
In either 7th or 8th grade (or both, I can't remember if one was outside of class time or not), one entire trimester of science was dedicated to doing a science fair project. Both of mine were on coilguns. Although I got a lot (and I do mean a lot) of assistance from my father that most kids wouldn't get, I can say that I learned a lot about electricity and magnetism. Winning 1st at county and 3rd at the regional science fairs wasn't bad either.
-------
Skip forward a few grades to my current junior year, in which my school entered the FIRST Robotics Competition for the first time. In this competition I learned way more about the disciplines involved in building a robot than I could have otherwise. Mechanical engineering, electrical engineering, building a drivetrain, pneumatics, sensors, control systems, just everything. Teamwork, planning, meeting deadlines, working with your allies, strategising, and emergency last minute repairs are all part of this competition. And as the team's programmer, I got my introduction to writing code for embedded systems, a field I may end up pursuing.
We all had a blast designing and building our robot during the six weeks from the kickoff to the ship date. Not much else would keep us at school until eight or nine at night while learning the whole time. Seeing this thread has made me realize what FIRST is really about; Dean Kamen's (the founder's) speeches now make sense. It's about getting us interested in science and technology, and that's exactly what it does. If you happen to be in a position where you could support this organization, whether you work in a high school (or even middle school... look into the FIRST Lego or VEX challenges), a company that can provide parts or sponsor a team with the support of engineers, or hold a public office, I would strongly advise you to look into this great organization.
And in case you are wondering, I'm on the FIRST Robotics Competition team 2144 from Sacred Heart in Atherton, CA. Our RadBot ended up being the highest seeded robot built by a rookie team in the Silicon Valley Regional, coming in at 11th out of 48 attending teams. We even got to be one of the 8 teams to pick our alliance members going into the finals. Victory in our first quarter final against the number one seeded alliance, when Woodside (team 100) fell over, was one of the greatest rushes in our lives. They came back strong and won the next two matches (moving on to the semifinals), but this competition was easily the most exciting thing I've ever done.
-------
So back on topic, student involvement is the only way to keep kids interested in subjects. Simply having books just doesn't cut it. And as much as I loved the Oregon Trail in elementary school, more games isn't the way to go. Hands on activities and larger projects are. In some subjects (sciences especially), this is relatively easy. In others (such as history or math) it's harder, but still doable. Small things like trying to make a hypercube out of pasta and marshmallows can make all the difference.
This looks like it's the closest to the image enhancement on the Enterprise (or any other TV show or movie) that I'm going to come. Very cool! Now to pick out crystal clear faces from distant blurry security cameras...
I'm not sure in relation to that context, but modern-day translations sure are.
From the New American Bible:
All rights reserved. No portion of this Bible, including all supplementary material, may be reproduced without written permission of the copyright holder.
Copyright, 1876 and 1871, by Devore & Sons, Inc., Wichita, Kansas 67201
Copyright, 1876 and 1871, by Catholic Bible Publishers, Wichita, Kansas 67201
...so yes, it is.
Apple seems to have already had a solution to this problem:
If one were to turn on speech recognition in OS X, the default behavior is to listen only when a key (default is escape) is pressed. The other option is to listen continuously with a keyword (default is Computer, but can be changed to anything) that is either required before every command (default), optional, or 15 or 30 seconds after the last command. One would have to change two different settings to expose OS X to such an exploit as easily as Vista is.
Well, what else would you orient your rocket propelled grenade at? Not hitting anything wouldn't be any fun.
So you wouldn't prosecute him for identity *theft*?