Slashdot Mirror

Imagine an age of infinite reproducibility -- it shouldn't be too difficult to concieve. Would you pay $30 to download and skim a book from someone you have never heard of? I wouldn't. I'd just take it. Would you pay $30 to your favorite author when [s]he says [s]he is working on something new, and won't release it until [s]he makes $X amount of money? I would. You probably would, too. The concept is similar to that of paying a street performer, wherein you cannot actively moniter each consumer (each person on the street), but willing patrons can contribute to their own desire. The full write-up for the street performer protocol is available at http://www.counterpane.com/street_performer.html .

There are some valid attacks on this protocol, but yours is not one of them.

You can't block every bit of encrypted data unless you block all of the data flow. Steganography allows one to embed in virtually any data stream which has some amount of "white noise". Countrary to the popular belief that you need a binary format for that, you don't. It's easy to do steganography in plain text (OK, you need lots of text for that), say, using blanks (spaces/ tabs/CR/LF/FF/etc), punctuation or whatever else. Of course, it is quite hard to disseminate information among a wide audience using steganography - because if everyone knows where it is embedded, the blocking authorities also will, but the really persistent guys won't fear any firewall :)

Everyone interested in this subject should read Bruce Schneier's piece on the subject: Why Digital Signatures Aren't Signatures. The gist of his article is that although cryptography came verify that a document can from a given computer, it cannot verify that it came from a given person, or even that that person intended to sign that document. "The mathematics of cryptography, no matter how strong," he writes, "cannot bridge the gap between me and my computer."

The following has the potential to outlaw current feedback system that keeps vendors providing patches for glaring holes in their products. See Bruce Schneiers CryptoGram.

If the interpretation of device is as wide as it was in the DeCSS/DMCA case, also discussion about vulnerabilities could be prosecuted. Not to mention the actual exploits that seem to be the only things that push some vendors to take action.

I live in Europe/Finland. Until now it has been mostly safe to distribute & possess things like DeCSS here, but that seems to be changing.

Quotes from the convention:
Article 6 - Misuse of devices

1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

a. the production, sale, procurement for use, import, distribution or otherwise making available of:

i. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Article 2 ? 5;

the kinds of attacks the government seems to fear, namely massive DOS attacks. Or is there something else a 'net terrorist' could do to 'disrupt the vital flow of information'?

Bruce Schneier has an informative story about this in the November 15 CRYPTO-GRAM, including some of the pros and cons. Basically, he says it would be better than what they have now, but still not all that great (he points out that the government already has several separate, secure internets, for various purposes, and they were still infected by Melissa and LoveLetter). And that this is one of the few cases where security and convenience might really be inversely proportional.

Bruce Schneier covered this more than a year ago in the 15.06.2000 cryptogram. Anyone who has read Schneier's newsletter long enough begins to realize that he is the Cassandra of the Internet...

Here's what renowned cryptography guru Bruce Schneier has to say about the DMCA (emphasis mine):
---
[...] Dmitry Sklyarov (age 27) landed in jail because the Digital Millennium Copyright Act (DMCA) makes publishing critical research on this technology a more serious offense than publishing nuclear weapon designs. Just how did the United States of America end up with a law protecting the entertainment industry at the expense of freedom of speech? And how did the entertainment industry end up with stronger laws protecting their content than the information on constructing nuclear weapons?
[...]
Welcome to 21st century America, where the profits of the major record labels, movie houses, and publishing companies are more important than First Amendment rights or nuclear weapons information. (The more you look at the problem, the weirder it becomes. "The New York Times" has the legal right to publish secret government documents, unless they are protected by a digital copy-protection scheme, in which case publishing them would lead to an FBI raid.)
[...]
The entertainment industry is behaving the same way. The DMCA is unconstitutional, but they don't care. Until it's ruled unconstitutional, they've won. The charges against Sklyarov won't stick, but the chilling effect it will have on other researchers will. If they can scare software companies, ISPs, programmers, and T-shirt manufacturers (Hollywood has sued CopyLeft for publishing the DeCSS code on a T-shirt) into submission, they've won for another day. The entertainment industry is fighting a holding action, and fear, uncertainty, and doubt are their weapons. We need to win this, and we need to win it quickly. Please support those who are fighting these cases in the courts: the EFF and others. Every day we don't win is a loss.

---
Read the full text here.

Raymond

For more about why programs are getting less secure as time goes by, not more (and other interesting security-related topics, too), I highly recommend Secrets & Lies: Digital Security in a Networked World by Bruce Schneier. (/. had a review of it last year.)

Breaking a glass during the flight? Damn good idea.

Your pocket knife does not raise the risk either, not more than bringing in hard-plastic sharp pieces (or box cutters, coincidentially...). It is not possible to prevent this.

Do yourself a favour and read Bruce Schneier's special Crypto-Gram issue for an insightful piece.

The remote server will sent you it's signed certificate, which has the
hostname in it. It's the hostname and the signature that is important.
If you belive you can trust the Certificate Authority who signed it to only
sign certificates who belong to who they claim they are then you can trust
it.

I do not trust everyone that is in the CA list as provided by Netscape,
Mozilla, and Microsoft. And if the feds wanted to get bogus certs signed
they could, but I bet they couldn't keep it a secret too well.

Come to think of it, where do i find the key given for SSH? So far, when i
get the SSH message saying that "here is the key for this previously
undefined host, do you wanna accept it?" I have simply typed (or clicked,
depending on client) "yes", and gone on my merry way. Care to illuminate?

For SSH, when you accept a key you are acting like a CA for yourself.
If you dont ensure they validity of the key that you are accepting then it
has little immediate worth. Since you store these keys, it is useful to
detect if the key changes, which would happen if it were being spoofed.

As for PGP and GPG, there is something called a web of trust. This
allows you to decide (once again YOU are the CA) if you want to accept a
key, but you can say, I trust Bob, and if Bob accepts Alice's key then I
will. Thus you are a allowing Bob to make your policy decisions for you.
It's not a bad method, since you get to choose who to decide.

RTFM? Something?
If you want to learn more than you ever wanted to know about this stuff,
then get a copy of Schneier's Applied Cryptography.

Should read this and sign the petition.

Stand up for your rights!

I have been trying to submit this article for the last few days and it's been rejected every time. Please take the time to read it. It is an important piece.

Flame me or mod me down if you like, but I REALLY don't understand what gets posted as an article and what doesn't. I submitted a story that is in the interest of everyone on this site. An article that is "News For Nerds" and something that REALLY MATTERS. It talks about how your rights are being violated and why that is a bad thing. There is even a petition to sign to stand up for your rights. The article I am referring to is this. Please read it and spread the word. I hope people get a chance to read it, even though slashdot won't put it on the front page. I guess NSync is more important...

Not everybody who does Open Source is into the whole "community development" ideology. Some, such as the NSA and cryptography developers, are simply interested in the security advantages. Personally, I consider the main strength of Open Source to be its ability to create standards without falling into the design-by-committe trap. To see what I mean, compare KDE with CDE.

Bruce Schneier (of Counterpane) does a good job of sticking up for our rights on this one. He's really been doing a good job of getting the message out. Most articles on this kind of stuff have some good quotes from him. He's a consistent voice of reason. Kudos, Bruce.

Bruce Schneier (of Counterpane) does a good job of sticking up for our rights on this one. He's really been doing a good job of getting the message out. Most articles on this kind of stuff have some good quotes from him. He's a consistent voice of reason. Kudos, Bruce.

If you think any client-side methods can force someone to view an ad, think again.

What kind if checksum will you put in Javascript? Great! That means that webmasters who use Javascript responsibly will lose out, because everyone will surf with it off.

You can't force people to view ads. Instead, make ads that don't suck, so people aren't tempted to block them. Like Google - its ads get higher clickthroughs and suck less.

Don't forget to have background checks and a 3 day waiting period on anyone who buys a pack of playing cards. After all, they can be used as an encryption device

What, are they going to outlaw a deck of cards?

In the latest cryptogram I referenced this article. And this quote(look at the reader comments at the bottom to see my point):

"There are many people of poor and evil motivations who are seeking to disrupt business and government and exploit any vulnerabilities in the digital universe."

From John Ashcroft. This guy is just way off base here. He is totally missing what is going on the real world. We need some more technically savvy people in the government!

Bruce Schneier recently had a bit to say about the security problems of replacing POTS with IP telephony. In short, it's not a good idea. But I see how this sort of system might be useful in a business setting, to replace the PABX systems used in many offices. Heck, it's sure to be an improvement over the PABX we have here in our office!

Counterpane, a.k.a "Bruce Schneier's Headquarters" has an article about using a deck of cards for encryption here.

So I guess even playing a game of bridge will get you thrown in jail.

Bruce Schneier has all sorts of stuff to say about crypto in "Applied Cryptology."

See also his webpage search thingy, which links to a bunch of articles specific to escrow.

Bruce Schneier has all sorts of stuff to say about crypto in "Applied Cryptology."

See also his webpage search thingy, which links to a bunch of articles specific to escrow.

Taking away essential freedoms does not guarantee security. In fact, reduced freedom can often reduce security. If we had a police state, sure we would have a somewhat easier time nailing terrorists. But how secure would you really be? You've just traded the occasional terrorist for an ever-present government tyrant.

It is our freedoms that *provide* our security. Restrictions on governmental/police powers promote the fairness and honesty that enable all citizens to be safe. This is why we require warrants before allowing the government to spy on you or search your property. This is why the police have to have probable cause to arrest you, rather than because "he looked like he was up to no good". If we give up these kind of freedoms in an attempt to fight terrorists, we'll only be less secure. And the terrorists will have won.

It's interesting to note that of all the countries in the world, Americans are probably the safest. And we're the most free. Coincidence? I don't think so.

I'm all for giving the government new tools to help in the fight against terrorism. Reform wiretap laws to have wiretaps be on a per-person, not per-phone basis. Expand the ability to wiretap in cyberspace to match the equivalent in phonetap law. These will help fight terrorism without destroying our freedoms.

Other proposals do the opposite. They remove freedoms without helping the terrorist fight. Mandated encryption backdoors or bans on encryption are a good example of this. While they would appear to help, they really wouldn't. Terrorists would just get their crypto from abroad, while ordinary citizens are now more susceptible to the snooping of cr/hackers and the government.

What is really needed is a cool-headed assessment of what we can do to promote security without jeopardizing our freedom and our way of life. Decreasing our freedoms will only decrease our security in the long term. Let's make ourselves more secure, not less.

I think crypto-guy Bruce Schneier put it well when he said:

"The ideals we uphold during a crisis define who we are. Freedom and liberty have a price, and that price is constant vigilance so it not be taken from us in the name of security. Ben Franklin said something that was often repeated during the American Revolutionary War: 'They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.' It is no less true today."

Bruce Schneier also wrote about this in the current issue of Crypto-Gram, his online newletter. Also, worth a read, IMO.

Kid_A

Bruce Schneier comments on this and also includes good quotes from others in his latest Crypto-Gram newsletter, which can be found here.

Knee-jerk reactions to this event (and others like it) are not likely to 1) prevent these types of activities 2) be fully thought out to maintain our liberties. I can't, for the life of me, understand how making plastic knives illegal in airports will really help prevent a catastrophy like this.

Government Officials are already calling for restrictions on cryptography (prohibiting export, key escrow, etc). Sigh. I direct those interested to a review on key escrow here.

Our liberties are constantly under siege. From overzealous profit motivated sources to foreign (or even domestic) aggressors our freedom is slowly being eroded away. Without the federal government helping us protect our rights there is no hope. Misguided legislation could push us drastically in the wrong direction. Giving up rights is remarkably easy (and in some cases the loss may go unrecognized), getting them back (or obtaining them at all) can be at a tremendous cost.

For those eager, or at least not reluctant, to temporarily give up your liberties I suggest the following links and their references (note: I have drawn from these sources to some degree).

This Month's Cryptogram
Activists Defend Civil Liberties in Wake of Attack at privacy.org.

If you're looking for some good points to bring up in writing your elected officials about this, Bruce Schneier of Counterpane wrote a great piece in this week's Crypto-Gram:

11 September 2001

Both sides of the calendar debate were wrong; the new century began on 11 September 2001.

All day I fielded phone calls from reporters looking for the "computer security angle" to the story. I couldn't find one, although I expect several to come out of the aftermath.

Calls for increased security began immediately. Unfortunately, the quickest and easy way to satisfy those demands is by decreasing liberties. This is always short sighted; real security solutions exist that preserve the free society that we all hold dear, but they're harder to find and require reasoned debate. Strong police forces without Constitutional limitations might appeal to those wanting immediate safety, but the reality is the opposite. Laws that limit police power can increase security, by enforcing honesty, integrity, and fairness. It is our very liberties that make our society as safe as it is.

In times of crisis it's easy to disregard these liberties or, worse, to actively attack them and stigmatize those who support them. We've already seen government proposals for increased wiretapping capabilities and renewed rhetoric about encryption limitations. I fully expect more automatic surveillance of ordinary citizens, limits on information flow and digital-security technologies, and general xenophobia. I do not expect much debate about their actual effectiveness, or their effects on freedom and liberty. It's easier just to react. In 1996, TWA Flight 800 exploded and crashed in the Atlantic. Originally people thought it was a missile attack. The FBI demanded, and Congress passed, a law giving law enforcement greater abilities to expel aliens from the country. Eventually we learned the crash was caused by a mechanical malfunction, but the law still stands.

We live in a world where nation states are not the only institutions which wield power. International bodies, corporations, non-governmental organizations, pan-national ethnicities, and disparate political groups all have the ability to affect the world in an unprecedented manner. As we adjust to this new reality, it is important that we don't become the very forces we abhor. I consider the terrorist attacks on September 11th to be an attack against America's ideals. If our freedoms erode because of those attacks, then the terrorists have won.

The ideals we uphold during a crisis define who we are. Freedom and liberty have a price, and that price is constant vigilance so it not be taken from us in the name of security. Ben Franklin said something that was often repeated during the American Revolutionary War: "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." It is no less true today.

Google lists a few. Looks pretty insecure to me.

Not convinced? How about doing a search for Outlook Express at Security Focus?

Or browse a few Crypto-Gram by Bruce Schneier. Good reading, IMHO.

Speaking of cards...

I've been very happy with Solitaire, the algorithm designed by Bruce Schneier and made popular in Neal Stephenson's book Cryptonomicon. If you ever have any spare time, it's very easy to learn. I picked it up while waiting for some Nessus scans to complete.

It's built around a keyed deck of cards, but I ended up writing a small program to handle it for me. AFAIK, there's has been a way to get around it yet..

The trouble is, "effective copy protection" as you call it, is largely a myth. The world's best cryptographers have said that the threat model that digital copy protection is trying to address is impossible one. A good article that explains why this is so is here. In that article, Bruce Schneier even goes so far as to say that copying is a natural law of the digital world.

American-style credit cards did not take off in Europe so well because it was(and may be) so stinkin' difficult to get a phone line. He says Italy could throw enough red tape on the ordeal to delay install for a year. This was no way for merchants to jump on the credit bandwagon so they started using smart cards for wallet-based credit. Smart cards SOLVED A PROBLEM. That problem doesn't exist in America as phone lines are easy to come by.

The other reason, as mentioned in a different thread, is that there was/is little legal-based credit-fraud protection in Europe[generally], but such legislation has existed for a long time in the US. The point of Bruce's book applies here: different technology for credit cards won't happen until either the system get some unexpected, significant risk of fraud, or another system comes out which substantially reduces fraud risk below its current level and doesn't offend everyone for things like privacy. Repeat. The risk of credit card fraud is currently manageable. The security of the system has some, if few, countermeasures to keep the average Joe honest. It has a detection mechanism which identifies fraud. It has a response mechanism that allows them to go after all but the most sophisticated attackers. Changing technologies for credit cards must present a MAJOR improvement in: countermeasures, detection, and response. Smart cards don't provide a major step up in security nor do they simplify the speed at which I will spend money. If you don't agree, read the book first. Heck, borrow it from the library and support freedom the Stallman way.

American-style credit cards did not take off in Europe so well because it was(and may be) so stinkin' difficult to get a phone line. He says Italy could throw enough red tape on the ordeal to delay install for a year. This was no way for merchants to jump on the credit bandwagon so they started using smart cards for wallet-based credit. Smart cards SOLVED A PROBLEM. That problem doesn't exist in America as phone lines are easy to come by.

The other reason, as mentioned in a different thread, is that there was/is little legal-based credit-fraud protection in Europe[generally], but such legislation has existed for a long time in the US. The point of Bruce's book applies here: different technology for credit cards won't happen until either the system get some unexpected, significant risk of fraud, or another system comes out which substantially reduces fraud risk below its current level and doesn't offend everyone for things like privacy. Repeat. The risk of credit card fraud is currently manageable. The security of the system has some, if few, countermeasures to keep the average Joe honest. It has a detection mechanism which identifies fraud. It has a response mechanism that allows them to go after all but the most sophisticated attackers. Changing technologies for credit cards must present a MAJOR improvement in: countermeasures, detection, and response. Smart cards don't provide a major step up in security nor do they simplify the speed at which I will spend money. If you don't agree, read the book first. Heck, borrow it from the library and support freedom the Stallman way.

If you're going to be paranoid, why be paranoid by half measures?

A lot of people who are ignorant of computers have this belief that anyone who knows what they are doing can hack any computer easily. They do not believe that any form of computer security can exist.

The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.

About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.

Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.

Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.

At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.

Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.

Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help (scrool down to the section where he describes his dealing with the FBI).

- Sam

The FBI, in particular, is very ignorant about computers and securty. Read this Month's crypto-gram (one link from the page I lined to) for a story on how sensitive FBI documents were passed on to the internet at large via SirCam.

About a year ago, there was an (mumble mumble) on-line community that I was a part of. They had a number of mailing lists. Discovering that they had a Majordomo-style interface, I proceeded to send the list-request address a LIST request.

Instead of just listing the mailing lists that exists, the program gave me a list of all mailing lists, and all people subscribed to the lists.

Later on, someone on one of the lists wondered out loud how many people were on a mailing list. I told them.

At this point, the people freked out. They though I had broken in to their system or some such. I explained how I got the information, and then said that I was going to leave. I knew that this was something that could get me in to trouble.

Thankfully, the moderator of the mailing list was a member of out family's church. I wonder what could have happened if we were not on friendly terms with these people.

Finally, I wonder why the FBI persues crap like this, and not stuff like legitimate problems where the FBI could really help (scrool down to the section where he describes his dealing with the FBI).

- Sam

What's the world coming to when everyone's favorite security guru starts blaming the messenger, too?

Dmitry Sklyarov (age 27) landed in jail because the Digital Millennium Copyright Act (DMCA) makes publishing critical research on this technology a more serious offense than publishing nuclear weapon designs. Just how did the United States of America end up with a law protecting the entertainment industry at the expense of freedom of speech?

. . .

There are also provisions in the DMCA to allow for security research, provisions that I and others fought hard to have included. But these provisions are being ignored, as we've seen in the DeCSS case against 2600 Magazine, the RIAA case against Ed Felten, and this arrest.

Dmitry Sklyarov (age 27) landed in jail because the Digital Millennium Copyright Act (DMCA) makes publishing critical research on this technology a more serious offense than publishing nuclear weapon designs. Just how did the United States of America end up with a law protecting the entertainment industry at the expense of freedom of speech?

. . .

There are also provisions in the DMCA to allow for security research, provisions that I and others fought hard to have included. But these provisions are being ignored, as we've seen in the DeCSS case against 2600 Magazine, the RIAA case against Ed Felten, and this arrest.

Sysadmins aren't entirely at fault. Certainly, this particular problem has received enough coverage that there really shouldn't be any unpatched IIS installations any more (but there are, sigh), but the other side is that it's pretty near impossible to keep up with every patch to every system.

Here's a good rant on the subject entitled The Security Patch Treadmill. It was written in March 2001, before Code Red. It still applies. A quote:

Those who manage computer networks are people too, and people don't always do the smartest thing. They know they're supposed to install all patches. But sometimes they can't take critical systems off-line. Sometimes they don't have the staffing available to patch every system on their network. Sometimes applying a patch breaks something else on their network. I think it's time the industry realized that expecting the patch process to improve network security just doesn't work.

I am not talking about the embarrasing mutilation of the english language, but the fact that you can tell from the wording that the person who wrote it is neither a cryptographer by profession or someone who seems to have digested any significant amount of litterature related to cryptography or security in general. If you've read a good deal of scientific papers on cryptography and related areas, perhaps digested a couple of books you can spot this quickly. People who understand cryptography express themselves quite differently. They strive to be precise and they are much more reluctant to call anything safe without at the same time either giving some measure of what they mean by "safe" or pointing out limiting factors. And God forbid: they'd never point their finger at a complex system and say that it was provably safe unless they could actually prove it.

I doubt you'll ever se any formal proof that SILC is secure.

I know most people would say "so what?". A lot of people would even say "well, you don't need a Ph.D to write a crypto app" -- and they would be right. you don't. however you still have to know a bit about cryptography and a LOT about how you avoid basing conclusions on assumptions.

(Just ask Bruce Schneier if his book "Applied Cryptography" suddenly lead to more quality crypto software being written. Tip: it didn't. It lead to more inept people writing even more bad crypto software). But you do need to understand what you are doing to make any kind of valid statement about what one should expect.

In any case, my point is that it takes a certain kind of mindset to design and implement anything having to do with security. The aforementioned white paper was apparently written by someone who understands some of the mechanics involved, but who doesn't seem to have absorbed any of the intellectual discipline good cryptographers convey in their writings.

I was thinking about downloading the thing and possibly install it, but if the white paper is that naive, what is the actual system going to be like? Probably not worth the bother from a security point of view, although one might actually learn other things from such a system (for instance their approach to message routing etc. I don't know I never got that far once it became obvious to me that this was the wrong place to look for a *secure* system)

So why am I writing this? To slam SILC?

Definitively not.

I'm writing it because most people are too ignorant, or to arrogant about their ignorance, to realize that they probably wouldn't be able to tell a more secure system from a less secure system. Also, because I think it is important that people try to make an effort to understand what type of security something provides -- ie. exactly what does the system prevent and what doesn't it prevent. I'd like people to *think* instead of choosing their security solutions the way most consumers choose toothpaste.

In this article he wrote for ZDnet, Bruce Schneier (of counterpane.com and author of applied cryptography and countless security whitepapers) has talked about this in good detail here: ZDNet Article.

Last I checked, Bruce Schneier (in his book Applied Cryptography) recommended PGP.

Last I checked, Bruce Schneier (in his book Applied Cryptography) recommended PGP.

Well, this article talks about how digital signatures are not really the same as written signatures (and the article was even discussed on /. Very interesting article.

I'm all for computer-assisted vote counting, but taking out the physical audit trail is reckless. There's no way to know whether the voting machine you're using will actually record your vote correctly. The whole Florida episode led to plenty of allegations of voting fraud; adding computer-mediated voting would make those allegations impossible to disprove and impossible to prove. Public confidence in the integrity of the vote would suffer, and democratic stability would suffer with it.

Bruce Schneier wrote an article on electronic voting, which election administrators should be urged to read before they consider adopting any such system (whether GNU/Linux or otherwise).

Ireland (my home) has started trying to get in electronic voting as well. I'm trying to stop it, but the reaction I've got from the legislators I've talked to is that since it isn't on the network, and the machines are locked away somewhere except during election times, what could be the risk? I am not convinced that no-one would dare tamper with them. Eventually, someone will, if they can get away with it. And they can.

Basically you transmit a very long sequence of bits, and agree at a point beforehand to select out a given subset of this as a key. It all hinges upon an agreement of exactly what subset of the bits to use, and that an intermediate party does not know that subset.

The issue on a key exchange server onboard a satellite using quantum crypto is quite different. It involves setting and then measuring properties of individual photons of light, much more complexe than the system in the counterpane article.

Passwords. You can't memorize good enough passwords any more, so don't bother. Create long random passwords, and write them down. Store them in your wallet, or in a program like Password Safe. Guard them as you would your cash. Don't let Web browsers store passwords for you. Don't transmit passwords (or PINs) in unencrypted e-mail and Web forms. Assume that all PINs can be easily broken, and plan accordingly.

Keeping a strong enough password is an uphill battle that really can't be won, because the cracker's tools are going to keep getting better at a rate faster than users can be reasonably expected to remember them. Even your elite haxxor mixed case alpha / numeric / symbolic max length password can't stand up to the scrutiny if someone with the right tools wanted it badly enough.

Your best bet is to make it reasonably obscure & just try to prevent the casual cracker from getting it. The casual cracker had meant someone enterprising enough to look for a post-it note, but with the tools getting better the barriers to entry are falling, to the point that you don't know that some little snotnosed 13 year old with a downloaded rootkit (or Back Orifice, or whatever) couldn't count as "casual" these days.

"You can't win, but there are alternatives to fighting..."

Passwords. You can't memorize good enough passwords any more, so don't bother. Create long random passwords, and write them down. Store them in your wallet, or in a program like Password Safe. Guard them as you would your cash. Don't let Web browsers store passwords for you. Don't transmit passwords (or PINs) in unencrypted e-mail and Web forms. Assume that all PINs can be easily broken, and plan accordingly.

Keeping a strong enough password is an uphill battle that really can't be won, because the cracker's tools are going to keep getting better at a rate faster than users can be reasonably expected to remember them. Even your elite haxxor mixed case alpha / numeric / symbolic max length password can't stand up to the scrutiny if someone with the right tools wanted it badly enough.

Your best bet is to make it reasonably obscure & just try to prevent the casual cracker from getting it. The casual cracker had meant someone enterprising enough to look for a post-it note, but with the tools getting better the barriers to entry are falling, to the point that you don't know that some little snotnosed 13 year old with a downloaded rootkit (or Back Orifice, or whatever) couldn't count as "casual" these days.

"You can't win, but there are alternatives to fighting..."