Slashback: Quinn, InfoCards, McKinnon
Globe's Ombudsman silent no longer. Andy Updegrove writes "For two months, the ombudsman of the Boston Globe has been silent on the reporting that helped bring about Massachusetts CIO Peter Quinn's resignation. Last night, in response to an entry pointing out that silence at the Standards Blog, ombudsman Richard Chacon at last responded, admitting to "lingering questions over why the [Quinn travel investigation] story was allowed to run without comment from Eric Kriss," but standing by "the initial reasons for looking into the story." Chacon also promises to report back with further observations after contacting Peter Quinn."
Microsoft continues push for 'InfoCards'. FrankieBoy writes "Bill Gates kicked off the RSA computer conference in San Jose, CA by unveiling a few more details about their new 'InfoCard' system in the upcoming IE7. With InfoCards people could save personal information on virtual cards on their computers which websites would recognize, removing the need for many different internet passwords."
Gary McKinnon extradition hearing reopened. earthlingpink writes "BBC News is reporting that the extradition hearing has reopened for Briton Gary McKinnon, who is accused by the US of hacking into military computers. The damage he caused is estimated at £370,000 (about $640,000 today), and he is said to face more than 45 years in prison. The original story and audio interview were both covered by Slashdot in June of last year."
Bugs to help kick oil addiction. Mr. Ghost writes "Bugs such as certain species of termites and fungi such as Trichoderma reesei may be the key to effectively and cheaply generating ethanol from cellulose. Small companies like Iogen and large international energy companies like Royal Dutch Shell are putting more and more money into this research. This type of technology may even be a way for the American automobile industry to gain back market share from its competitors."
So stealing my laptop will allow anyone to go to websites and impersonate me?
That's a real logical leap. Anyone can build cars that run on any available fuel. How will the use of bio-fuel give an advantage to the American auto industry?
is that they will make it easy to get into any system, since they have your password in them.
...
The bad things are:
1. Now physical hacking gets easier and you can hack a copy or just take the card and return it after scan.
2. People will have a physical device to lose. This is always a good idea.
3. We'll start seeing movies where thieves steal the InfoCards from the guard, or chop off the hand that has it on a locked wrist. Really good movies.
4. We can all rest securely knowing that no one would ever suddenly jack up the "cost" of the card, such as requiring you pay $5000 a year when they suddenly upgraded the OS, "for security reasons".
Hmm. Good thing I own MSFT shares
-- Tigger warning: This post may contain tiggers! --
I see how Microsoft would like to position their system (passes, OS, Mail Client, etc.) as the "standard". Even previous versions of Windows allowed users to talk to everybody and anybody. Now it seems they have found another way to cut out 3rd-party companies, or get license fees (thus still dominating the market).
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
At a Harvard workshop last week on user-centric identity, a bunch of us agreed to collect InfoCard issues as we hear about them. While work in progress, and your mileage may vary, I put an initial list of those on my blog.
http://netmesh.info/jernst/Digital_Identity/microsoft-infocard-issues.html
Kim Cameron, the chief identity architect at Microsoft, agreed to take them back into Microsoft to hopefully get them resolved.
From my understanding of this whole thing, the InfoCard system's nothing new. We already have the same thing going on with existing technologies such as Firefox's Password Manager, Opera's Magic Wand, and not to mention my favorite – SSH keys! The latter I've been using obsessively now, I just keep the master key on my laptop and all my other boxes are set to recognize it so that I can get into any of them without a password.
;-)
(Completely off-topic, but the laptop's heavily password-protected as well; randomized 16-character password to log in, a completely different one to boot the thing or to get to it after it's been in standby... just in case anyone's worried about and/or hoping for my system mysteriously "vanishing".)
For all that stuff about innovation, I have yet to see anything coming out of Microsoft...
Creative misinterpretation is your friend.
I think biofuels are FINALLY a realistic opening in the search for a oil-less way of transportation. After years of BS and dead ends with electric vehicles, hydrogen cars and whatnot, we finally have something that will use existing infrastructure and technology.
The only problem is, this will put the oil companies out of business. Seeing as oil companies have way more money than, say, farmers (who look to benefit) and seeing as a lot of money has been put into securing middle east oilfields, I don't see much shift in energy policy on this front in the near future. At least not in the US.
I mean, leaded gasoline became the industry standard instead of the equivalent of gasoline with 10% ethanol, because the oil companies would have sold 10% less oil for chrissakes!
Some say he is made with ascii, others that he is eyeballed daily by millions. All we know is, he is known as the Sig
Troll on, but you miss the mark, my uninformed friend.
This is nothing to do with data aggregation, targeted advertising or behavior tracking. It is not invasive software, surreptitiously installed while a user believes they are performing another action.
This is more akin to "soft token" technologies:
http://www.rsasecurity.com/rsalabs/node.asp?id=21
http://www.actividentity.com/en/products/4_2_6_so
http://www.securehq.com/group.wml&deptid=80&group
The catcher is that this is not tied to X.509 PKI infrastructures, per se. Identity is established by locally configurable means - usually a Kerberos ID - and presented by signed XML markups, rather than the static, signed ASN.1 encodings in certificates. The exchange is still fundamentally an RSA public key validation type problem, but with an extensible policy mechanism in XML. This is an application of the work done by multiple vendors in the WS-Security space. Dynamic policy, negotiated in a federated manner between endpoints, is not possible with x.509, which has permanent policy encoded in the cert.
There is integration with Windows AD Federation, which means there is possibility to interoperate with SAML clients. Trust can also be established by reputation - with attesters signing a keychain for particular identities.
The short story is that this could end phishing attacks.
The long story is that most banks and investment firms won't make this mandatory for transactions, since their Businesses still insist on Win95/IE4 compatibility from their IT and InfoSec personnel.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
I hate how lazy and irresponsible the mainstream media is these days.
The original article basically implied that Quinn was taking gifts from vendors to travel to conferences all over the world. This turned out to be false. So basically falsehoods. My feeling is that Quinn deserves an apology at minimum.
Then the "investigation" is just the Ombudsman phoning the reporter up, the reporter says there isn't any issue so it's fine. Plus some excuses about how busy the Ombudsman is and how his assistant is only part time. Mix in a few ad hominem attacks.
Nice. Way to go. It's good that we have moronic lazy turds to keep everyone honest.
From TFA:
"Gates said it was too risky for people to enter their login names, passwords and credit card information on Web sites...
Using InfoCards, people could save personal information on virtual cards on their computers."
Great, so now I'm supposed to rely on yet another device created by Microsoft to store my passwords?
I'm sorry Mr. Gates, but I'd rather keep my user names and passwords where I remember them best.. in my brain!
Using these infocards is just one more thing to try NOT to lose.
They can do that now, depending on what tools you use to store your information. All of the better browsers have some kind of password memory. If you took Bill's bait, you are using passport, the one password to rule them all. Of course, any of the keyloggers that propagate by M$ born worm will remember your passwords without telling you and Microsoft's "fast find" has kept a log of everything you type since 98. The real thing to worry about is the system being compromised from afar. Someone who knows what they are doing does not have to steal your laptop to get what they want out of it. Non Microsoft tools have taken local and remote attack into consideration but all bets are off with silly stuff like fast find.
Things are better on non M$ platforms.
Friends don't help friends install M$ junk.
Slashback tonight
Please, get over yourselves, this isn't a network news show, this is a website, and hardly a polished one at that.
Other than that, I'll use Password Safe, thank you very much.
Microsoft already had a universal password system fail: Passport. The majority of web site owners simply didn't trust Microsoft enough to integrate their security in any way.
Developers: We can use your help.
Don't feed the Beast.
Ron Paul
Microsoft continues push for 'InfoCards'. FrankieBoy writes "Bill Gates kicked off the RSA computer conference in San Jose, CA by unveiling a few more details about their new 'InfoCard' system in the upcoming IE7. With InfoCards people could save personal information on virtual cards on their computers which websites would recognize, removing the need for many different internet passwords."
Wow! What a novel idea! It's like I'll have my own personal Passport for the internet letting all companies know who I am by referencing a single server controlled by a third party.
Tell me more about what other "new" ideas Microsoft has come up with recently.
All that does is identify the machine, not the user.
The Kruger Dunning explains most post on
Infocards really do sound quite good. If it was by someone other than Microsoft, I'm sure a lot of people would agree.
Yes, there's a chance they may result in some sort of identity theft if your laptop's stolen - but no less a chance than "Remember me" and your browsing history.
I think overall they're going to be very convenient for using a lot of sites and not having to remember passwords. You could bash keys till you've got a 30 digit password you'll never need to remember, and not have to do 'forgot password' forms every time you delete cookies.
The idea here is mostly that the US auto industry is SERIOUSLY hurting as a result of high oil prices in the U.S.. People are not as interested in cars and not interested in the same kinds of cars as they would be in an economy, like that of the 90s, with low oil prices. The U.S. auto industry has been harder hit by the oil situation than foreign carmakers, both because the U.S auto industry so heavily targets U.S. customers, and because the U.S. auto industry has so heavily invested in low-economy cars such as SUVs. At least one major analyst marked up Ford's recent plant closures as being a direct byproduct of oil prices.
Technology which could lower the price of fuel would reverse or at least negate this effect, allowing the U.S. car industry to recover.
Lowering oil prices would also benefit Japanese carmakers, of course, but who cares? Economics is not a zero-sum game. It's possible for something to benefit both American carmakers and foreign carmakers.
At 60 dollars a barrel it begins to become more profitable to use foods for bio-fuels. So farms will sell their products to bio-fuel companies and not to the store.
And why would the energy companies invest in this? They could dominate this market, as well as other alternative markets, which will be less costly to protect and set up.
Of course, at its current rate of growth, in 2030 China alone will need 94 million barrels of oil per day. Currently 84 million barrels per day is pulled out of the ground for the entire world. A number that is not likely to change.
So market demands will put pressure on alternative means.
Of course, by 2030 it would surprise me if most of China wasn't nuclear.
effectively and cheaply generate ethanol from cellulose
I wonder does anyone know how much land this would take up?
A. What's the richest source of cellulose
B. Based on the energy value of the ethanol produced from say 1 tonne of the crop, how much land is going to be needed to replace the oil consumption in private cars in the USA?
I bet it's not a small amount...
It identifies the person authenticating against the identity store. If you cache your ID, under a single-factor pwd of "password", be my guest!
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Ok
Ok
I mean seriously, the more you annoy the user with useless ok dialogs, the less they read them. Why can't they just implement an execute bit in the filesystem and not allow users to change it easily. Yeah, I know MS would just prompt "Do you want to be able to run this exe in future?" and the users will just hit OK. And that's without saying anything about all the other holes that have been found in IE previously that allow downloading and executing without prompting at all. Do we really trust that there aren't going to be any more?
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
"A. What's the richest source of cellulose"
A Midwesterner's thighs!
Question:
At about 60 dollars a barrel it starts to become more profitable to sell crops for bio-fuel than it does to sell them to the food market.
What do you think farmers are going to do?
McKinnon did not accidentally wander into those systems, he did it intentionally knowing he was breaking the laws in both the UK and the USA. I took over as SA on a machine he had previously compromised. When it was determined that it had been "hacked" (yeah it takes mad skillz to exploit the old default MS SQL password) I had to report it and deal with the ensuing fun. After the forensic analysis (which was very fruitful) the box had to be reinstalled from scratch: NT, SQL and a particularly ugly document management application. Now those of you reading this who are actual professional system administrators know that we probably had other things to do. So if Gary is worried about spending time in a Virginia prison, tough. That's where we keep criminals. (Sorry, didn't mean to rant).
So I still need a password? But now only one password is needed to access everything? Why not just use Password Safe?
The point is, people don't know how to make good passwords. Very often, so-called 'experts' give bad advice about creating passwords.
Bear in mind, a lot of people still have to be walked through the steps to get to explorer on windows.
Not only is InfoCard open source and standards based, but you are invited to participate in the design process. Just go to Kim Cameron's blog, he is the chief architect of identity at Microsoft.
Why do banks and others continue to insist on support for such old browsers anyway?
Does anyone have any actual evidence to support the theory of "We need to support version 4 browsers because our customers use them"?
Is it not true that MORE people are using current-version alternatives (i.e. Mozilla, Firefox, Opera, Konqueror, Safari, Netscape 8, Camino etc) than are stuck with dinosaurs like Netscape Communicator and Internet Explorer 4?
Make no mistake, no security scheme (at least that is feasible for average use) will ever be perfectly secure. But when saying "all that does is identify the machine, not the user" you must consider "what does the current system (passwords) identify?".
The answer is nothing. Passwords are probably just about the worst security method you could imagine (besides no security at all)! They just happen to be the easiest method, so they became default.
If you spend some time actually researching InfoCard, you'll see it is at minimum a very interesting idea. Do I think it is the ultimate correct answer to security? No. However, it's the most promising proposal I've seen in some time that can both provide pretty solid security and be easy enough for joe sixpack to put in wide use. Eventually, I'm sure better things will come along (or things similar to InfoCard will evolve and improve) but for the time being InfoCard is probably the best idea out there right now considering security offered, ease of use, expandability, etc.
The point is passwords have well outlived their usefulness in computer security and ideas like InfoCard are promising ideas which could well be the answer (at least for now).
"reality has a well-known liberal bias" - Stephen Colbert
Troll on, but you miss the mark, my uninformed friend.
Whether he is uninformed or not is not really the point; many large corporations/industries already take a dim view of Microsoft's wheelings and dealings, and that alone will make this hard to implement. Add to that the mere fact that it *is* X.509 PKI we're talking about, and the scenario completely falls apart. It's here where the OSS world starts to shine, with its OpenPGP PKI and its lack of reliance on central CA.
"I might have made a tactical error in not going to a physician for 20 years." -- Warren Zevon
IE has password memory. So does Mozilla / Firefox, Opera, Safari, and a host of other browsers. It's a feature to make it easier to access sites, but users with high authentication should know that that ease comes at a cost of security. Admittedly many non-IE browsers have a "master password" structure whereby you type one password for it to remember all of your passwords on demand (as mentioned by a sibling post about Safari), but said poster also recognized that most of these systems ship with the feature off by default, and even if it is on, you're still doing a balancing act with security and ease -- if a cracker finds your master password, they've found ALL your passwords.
And I believe you're referring to FindFast, Microsoft's indexing tool that they shipped with Office. As I remember it, FindFast indexed documents (i.e. Microsoft Word, Excel, etc. files) so they could be found easier later, as well as have quicker in-file searching (i.e. searching for a word inside all your documents). It never stored your domain passwords or any such security-related tokens. Once again, though, you're only screwed if you put your password inside a Word file in your system... and why the hell would you do that if you're concerned about security? (P.S.: Anyone who had even a bit of technical acumen would turn FindFast off back in the time when it was used, as it made your system horribly slow when it was indexing and tended to do so at inopportune times.)
Passport only works on sites that explicitly choose to support it, and generally only if you register yourself that way: most will give you an option for a registration in their site database only (eBay did this previously if I remember correctly). Several alternatives have been attempted at Passport-like solutions as well, to be fair, including some open source options. Once again, Microsoft isn't forcing you to use their solution, and I doubt a lot of systems use Passport authentication for high-level access anyway.
Normally I wouldn't be so argumentative, but you made a sweeping generalization when you said that "non Microsoft tools have taken local and remote attack into consideration". You made your bias quite clear in that statement. Next time you want to post attacks, at least back them up with some proof or evidence.
Anyway, I have yet to form an opinion on this InfoCard thing, but seeing as how it'll likely be Microsoft-proprietary and they'll probably have something to gain from it, I doubt I'll be either signing up for one (unless I have to in order to access a system, and even then I'll resist quite vocally) or deploying it on my own login systems.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
The identityblog has lots of information about InfoCards, how they were conceived and how they will work. It would be good to start at this entry, The Design Decisions Behind InfoCards.
http://www.identityblog.com/?p=366/
There were some rumors early summer last year, but they have proven to be false. Closed-source as usual.
That's cellulite, not cellulose.
Friends don't help friends install M$ junk.
What in Avalokitesvara's name is that supposed to mean?
>Although his physical body was in the UK his "presence" if you will, was in the machines he was accessing Stateside.
Sure.
I would prefer to put it like this:
Machines in the US accepted connections from remote computers over a public network, and executed code sent to them by a computer in the UK which was being operated by McKinnon.
A machine is a machine - it does what you tell it, especially if you control the power button. A public network is a public network.
my password really is 'stinkypants'
Why not just use Password Safe?
Because I love Ayanami Rei.
Once again Hemp has been shown to be the answer to all that ails ya.
The perversity of the Universe tends towards a maximum. - O'Toole's Corollary
When everyone knows that triffids are the answer, and have absolutely no adverse consequences at all...?
Older gasoline engines were designed without taking ethanol content into account. Some cheap plastic parts (cheap as in, less expensive) work just fine in gasoline engines, but deteriorate quickly when exposed to ethanol.
The engines in the vehicles in Brazil were designed to take ethanol content into account, so they do not experience this problem. Both Ford and GM are bringing these engines to the United States in the near future (some are already here), so they will be just fine. It's those older cars that are in trouble - like your 1993 Ford Explorer.
Ethanol does not release as much energy when it is burned when compared to gasoline, so you do not get quite as high real MPG when using a gasoline/ethanol mix when compared to normal gasoline. Still, if you get 80% of the MPG for 33% of the price, it's a good deal all around.
The other interesting thing is that it is harder to get ethanol to burn at lower temperatures than it is to get gasoline to burn. Minnesota, you said? The solution is to have a small gasoline-only tank used just to start the car on a cold day, and then a change over to Ethanol once things have warmed up.
Chivalry is not dead, it's just frequently misspelt. - M. Langley
Just as a point of clarification: Yes, "InfoCard" is a Microsoft proprietary implementation of the core user-agent of the Identity Metasystem. However, the Identity Metasystem is not Microsoft proprietary and is (definitely) not Passport v.next: In the Identity Metasystem, all communications are carried out using standard HTTP & WS-* protocols, "InfoCard" will communicate with Identity Providers running on any other platform that supports the same protocols. Further, we openly welcome other platform vendors to implement "InfoCard" like capabilities in their platforms and products. You get to store your own identity information (in the case of self-issued cards) or store cards containing metadata referencing information stored by trusted third parties (your bank, your airline frequent-flyer club, your insurance company, your whatever).
Rich Turner
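The token exchange sketched in two of the comments above (the "soft token" comment describing identity presented as signed markup verified with an RSA public key, and Rich Turner's note that a self-issued card stores the user's own identity information and hands it to relying parties over standard protocols) is shown below as an added example in Go. It is not code from the original page, from Microsoft, or from any Identity Metasystem implementation: it uses JSON rather than WS-Security XML for the payload, the relying-party URLs and claim names are made up for illustration, the issuer's public key is carried inside the token only to keep the example self-contained (a real relying party would pin it or take it from the card's certificate), and the HMAC-derived per-site subject identifier is this example's own design for keeping two sites from correlating one card.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is the assertion a card signs for exactly one relying party (RP).
type Claims struct {
	Subject  string            `json:"sub"` // pairwise id, differs per RP
	Audience string            `json:"aud"` // RP the token is bound to
	IssuedAt int64             `json:"iat"`
	Expires  int64             `json:"exp"`
	Attrs    map[string]string `json:"attrs"`
}

// Token is the signed payload plus the issuer's PKIX public key (assumption:
// carried in-band here only so the example runs stand-alone).
type Token struct {
	Payload, Signature, PubKey []byte
}

// SelfIssuedCard models the user-held card: an RSA signing key and a master
// secret from which per-site identifiers are derived.
type SelfIssuedCard struct {
	key    *rsa.PrivateKey
	master []byte
}

func NewCard() (*SelfIssuedCard, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		return nil, err
	}
	return &SelfIssuedCard{key: key, master: master}, nil
}

// PairwiseID is HMAC(master, rp): the same card shows a different,
// unlinkable subject identifier to each relying party.
func (c *SelfIssuedCard) PairwiseID(rp string) string {
	mac := hmac.New(sha256.New, c.master)
	mac.Write([]byte(rp))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil)[:16])
}

// Issue signs a claims payload for one RP with a bounded validity window.
func (c *SelfIssuedCard) Issue(rp string, attrs map[string]string, now time.Time, ttl time.Duration) (*Token, error) {
	payload, err := json.Marshal(Claims{Subject: c.PairwiseID(rp), Audience: rp,
		IssuedAt: now.Unix(), Expires: now.Add(ttl).Unix(), Attrs: attrs})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, c.key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&c.key.PublicKey)
	if err != nil {
		return nil, err
	}
	return &Token{Payload: payload, Signature: sig, PubKey: pub}, nil
}

// Verify is the RP side: signature first, then audience (a token captured
// at one site must not be replayable at another), then the validity window.
func Verify(tok *Token, rp string, now time.Time) (*Claims, error) {
	pubAny, err := x509.ParsePKIXPublicKey(tok.PubKey)
	if err != nil {
		return nil, err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("issuer key is not RSA")
	}
	digest := sha256.Sum256(tok.Payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], tok.Signature, nil); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(tok.Payload, &c); err != nil {
		return nil, err
	}
	if c.Audience != rp {
		return nil, errors.New("token issued for a different relying party")
	}
	if now.Unix() < c.IssuedAt || now.Unix() >= c.Expires {
		return nil, errors.New("token outside its validity window")
	}
	return &c, nil
}

func main() {
	card, err := NewCard()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	bank, shop := "https://bank.example", "https://shop.example" // hypothetical RPs
	tok, _ := card.Issue(bank, map[string]string{"email": "alice@example.org"}, now, 5*time.Minute)
	if c, err := Verify(tok, bank, now); err == nil {
		fmt.Println("bank accepts subject", c.Subject)
	}
	_, err = Verify(tok, shop, now)
	fmt.Println("replay at shop:", err)
	fmt.Println("shop would see a different subject:", card.PairwiseID(shop))
	tok.Payload[len(tok.Payload)-2] ^= 1 // tamper one byte of the claims
	_, err = Verify(tok, bank, now)
	fmt.Println("tampered token:", err)
}
```

The order of checks in Verify is the point worth copying: nothing in the payload is trusted until the signature over the exact bytes has been checked, and a valid signature alone is not enough, because the same token replayed at a second site or after expiry must still be refused. The pairwise subject is what keeps a single card from becoming the "one password to rule them all" correlator that several comments above worry about.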