Slashdot Mirror


Slashback: Quinn, InfoCards, McKinnon

Slashback tonight brings some corrections, clarifications, and updates to previous Slashdot stories, including The Boston Globe's Ombudsman speaks on Peter Quinn story, Microsoft continues to push their password-less approach to web browsing, Gary McKinnon extradition reopened, and more news on the organic car fuel front -- Read on for details.

Globe's Ombudsman silent no longer. Andy Updegrove writes "For two months, the ombudsman of the Boston Globe has been silent on the reporting that helped bring about Massachusetts CIO Peter Quinn's resignation. Last night, in response to an entry pointing out that silence at the Standards Blog, ombudsman Richard Chacon at last responded, admitting to "lingering questions over why the [Quinn travel investigation] story was allowed to run without comment from Eric Kriss," but standing by "the initial reasons for looking into the story." Chacon also promises to report back with further observations after contacting Peter Quinn."

Microsoft continues push for 'InfoCards'. FrankieBoy writes "Bill Gates kicked off the RSA computer conference in San Jose, CA by unveiling a few more details about their new 'InfoCard' system in the upcoming IE7. With InfoCards people could save personal information on virtual cards on their computers which websites would recognize, removing the need for many different internet passwords."

Gary McKinnon extradition hearing reopened. earthlingpink writes "BBC News is reporting that the extradition hearing has reopened for Briton Gary McKinnon who is accused by the US of hacking into military computers. The damage he has caused is estimated at £370,000 (about $640,000 today) and he is said to face more than 45 years in prison. The original story and audio interview were both covered by Slashdot in June of last year."

Bugs to help kick oil addiction. Mr. Ghost writes "Bugs such as certain species of termites and fungi such as Trichoderma reesei may be the key to effectively and cheaply generate ethanol from cellulose. Small companies like Iogen and large international energy companies like Royal Dutch Shell are putting more and more money into this research. This type of technology may even be a way for the American automobile industry to gain back market share from its competitors."

21 of 103 comments

  1. Nice. by NoMoreNicksLeft · · Score: 5, Insightful

    So stealing my laptop will allow anyone to go to websites and impersonate me?

    1. Re:Nice. by WillAffleckUW · · Score: 2, Insightful

      So stealing my laptop will allow anyone to go to websites and impersonate me?

      Why, yes, yes it will.

      Aren't you sleeping soundly, Citizen?

      Trust the Computer: The Computer is Your Friend.

      --
      -- Tigger warning: This post may contain tiggers! --
    2. Re:Nice. by Xeo+024 · · Score: 3, Funny

      Nah, you're just being paranoid. I'm sure no one has the time to "go to websites and impersonate" other people. Have some faith in your fellow man..

      -CmdrTaco

  2. Passport The Standard? by webmistressrachel · · Score: 5, Insightful

    I see how Microsoft would like to position their system (passes, OS, Mail Client, etc.) as the "standard". Even previous versions of Windows allowed users to talk to everybody and anybody. Now it seems they have found another way to cut out 3rd-party companies, or get license fees (thus still dominating the market).

    --
    This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
  3. Collection of InfoCard Issues by Anonymous Coward · · Score: 5, Informative

    At a Harvard workshop last week on user-centric identity, a bunch of us agreed to collect InfoCard issues as we hear about them. While work in progress, and your mileage may vary, I put an initial list of those on my blog.

    http://netmesh.info/jernst/Digital_Identity/microsoft-infocard-issues.html

    Kim Cameron, the chief identity architect at Microsoft, agreed to take them back into Microsoft to hopefully get them resolved.

    1. Re:Collection of InfoCard Issues by Beryllium+Sphere(tm) · · Score: 2, Funny

      Chief Identity Architect? (yes, it's unfair in this case)

  4. Re:New mantra? by Philip+K+Dickhead · · Score: 3, Informative

    Troll on, but you miss the mark, my uninformed friend.

    This is nothing to do with data aggregation, targeted advertising or behavior tracking. It is not invasive software, surreptitiously installed while a user believes they are performing another action.

    This is more akin to "soft token" technologies:
    http://www.rsasecurity.com/rsalabs/node.asp?id=2141
    http://www.actividentity.com/en/products/4_2_6_software_token.php
    http://www.securehq.com/group.wml&deptid=80&groupid=566

    The catcher is that this is not tied to X.509 PKI infrastructures, per se. Identity is established by locally configurable means - usually a Kerberos ID - and presented by signed XML markups, rather than the static, signed ASN.1 encodings in certificates. The exchange is still fundamentally an RSA public key validation type problem, but with an extensible policy mechanism in XML. This is an application of the work done by multiple vendors in the WS-Security space. Dynamic policy, negotiated in a federated manner between endpoints, is not possible with x.509, which has permanent policy encoded in the cert.

    There is integration with Windows AD Federation, which means there is possibility to interoperate with SAML clients. Trust can also be established by reputation - with attesters signing a keychain for particular identities.

    The short story is that this could end phishing attacks.

    The long story is that most banks and investment firms won't make this mandatory for transactions, since their Businesses still insist on Win95/IE4 compatibility from their IT and InfoSec personnel.

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
  5. Ombudsman didn't really respond at all by Error27 · · Score: 3, Informative

    I hate how lazy and irresponsible the mainstream media is these days.

    The original article basically implied that Quinn was taking gifts from vendors to travel to conferences all over the world. This turned out to be false. So basically falsehoods. My feeling is that Quinn deserves an apology at minimum.

    Then the "investigation" is just the Ombudsman phoning the reporter up, the reporter says there isn't any issue so it's fine. Plus some excuses about how busy the Ombudsman is and how his assistant is only part time. Mix in a few ad hominem attacks.

    Nice. Way to go. It's good that we have a moronic lazy turd to keep everyone honest.

  6. yes they can, without that much trouble. by twitter · · Score: 2, Insightful

    So stealing my laptop will allow anyone to go to websites and impersonate me?

    They can do that now, depending on what tools you use to store your information. All of the better browsers have some kind of password memory. If you took Bill's bait, you are using passport, the one password to rule them all. Of course, any of the keyloggers that propagate by M$ born worm will remember your passwords without telling you and Microsoft's "fast find" has kept a log of everything you type since 98. The real thing to worry about is the system being compromised from afar. Someone who knows what they are doing does not have to steal your laptop to get what they want out of it. Non Microsoft tools have taken local and remote attack into consideration but all bets are off with silly stuff like fast find.

    Things are better on non M$ platforms.

    --

    Friends don't help friends install M$ junk.

    1. Re:yes they can, without that much trouble. by rohanl · · Score: 2, Informative

      They can do that now, depending on what tools you use to store your information. All of the better browsers have some kind of password memory.

      I don't know how other browsers/platforms implement this, but Safari on Mac OS X stores all password info in the Keychain. So the info is only available if you can get into that.

      The default Keychain is unlocked when you log in, but you can create any number of other Keychains and keep them locked. Move the password data stored by Safari into a different keychain that you keep locked, and it's pretty secure.

  7. Re:But "InfoCard"'s nothing new, is it? by Philip+K+Dickhead · · Score: 2, Interesting

    No. You are talking about PIN/Password caching, in an encrypted store. Think Mac keychain.

    This is an identity system, that supports federation, incorporates policy negotiation and can establish reputation with third-parties.

    It is Passport, without the central identity repository - similar to Liberty Alliances' SAML work, but in the WS-Security framework, and with extended user functionality.

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
  8. Re:Biofuels are great! by KlomDark · · Score: 2, Informative

    Unfortunately the majority of farms these days are corporate farms. Sure, there's still a lot of family-owned farms, but they are slowly getting Borged by the CorpFarms. Also lots of sneaky bullshit where CorpFarms set up deals with companies so they get better deals when they sell their products than the family farms can get.

  9. InfoCard and Passport by truthsearch · · Score: 3, Insightful

    Microsoft already had a universal password system fail: Passport. The majority of web site owners simply didn't trust Microsoft enough to integrate their security in any way.

  10. How much land? by TheEvilOverlord · · Score: 2, Interesting

    effectively and cheaply generate ethanol from cellulose

    I wonder does anyone know how much land this would take up?

    A. What's the richest source of cellulose?
    B. Based on the energy value of the ethanol produced from say 1 tonne of the crop, how much land is going to be needed to replace the oil consumption in private cars in the USA?

    I bet it's not a small amount...

    1. Re:How much land? by gone.fishing · · Score: 3, Informative

      You have some good questions and I don't have the answers however, I can share some insight that I do have.

      Any woody or grassy plant is an excellent source of cellulose. This means that much land that is currently thought of as unprofitable would be well suited to grow the crop. For instance swamps could be harvested (without harming the wetlands in the winter) and could provide a huge amount of the raw materials. "Slash and trash" from forests being harvested for lumber and pulp could also supply a lot of cellulose from the branches, leaves, and roots that are currently unused.

      From what I have read the conversion of cellulose to ethanol is pretty efficient; the bugs eat the woody stuff and crap out sugary stuff that is made into ethanol using pretty normal, efficient processes. Think of these bugs like yeast, they eat and reproduce quite well given the proper circumstances so their added cost is minimal.

      While the amount of land required to produce the feedstock for an ethanol production facility is something to consider, along with the costs of producing ethanol, this is only one part of the formula. The other side is the fact that oil that the United States imports puts us at the mercy of some people who we don't want controlling us. If we can put ourselves on a diet and reduce the amount of energy we import, we have a safer country and a more stable economy while we put Americans to work making something that we currently pay someone else for. When we reduce the demand for oil it is even likely that the oil that we do import will be less expensive (we are a major consumer of oil and the law of supply and demand will slide in our favor).

      Ethanol is not a new, unique, or unusual fuel. Brazil is already up and running on an alcohol based economy, the lion's share of their fuel is produced in Brazil from sugar cane. In the MidWest of the United States, many states require all of the fuel sold in their state contain ten percent ethanol. In Minnesota (where I live) we recently increased the minimum amount of ethanol to twenty percent. We have a number of ethanol plants here that are distilling ethanol from corn. E85 is also making inroads. I have not noticed any difference in the way my cars run (2000 Dodge pickup, 2000 Chevy Venture, and a 1993 Ford Explorer) since the switch. Regular gas here today was $2.04/gal. Some people say their gas mileage is about the same but I'd say that I have seen a slight decrease in the MPG from "real" gas, I would guess the number to be about 5% reduction in MPG. Still even assuming a slight reduction in MPG, how does $2.04 stack up against the price you are paying for gas?

  11. Re:Biofuels are great! by LoRdTAW · · Score: 2, Insightful

    "The only problem is, this will put the oil companies out of business."

    If you think about it why would they let themselves go out of business? Who is to say they won't buy out bio firms and farms working on alt fuels? Trust me, one day driving by Exxon and Shell farms producing the raw material for ethanol and bio diesel.

  12. Because it's a crime stupid. by Chiminea · · Score: 3, Insightful

    McKinnon did not accidentally wander into those systems, he did it intentionally knowing he was breaking the laws in both the UK and the USA. I took over as SA on a machine he had previously compromised. When it was determined that it had been "hacked" (yeah it takes mad skillz to exploit the old default MS SQL password) I had to report it and deal with the ensuing fun. After the forensic analysis (which was very fruitful) the box had to be reinstalled from scratch: NT, SQL and a particularly ugly document management application. Now those of you reading this who are actual professional system administrators know that we probably had other things to do. So if Gary is worried about spending time in a Virginia prison, tough. That's where we keep criminals. (Sorry, didn't mean to rant).

  13. Re:New mantra? by CaymanIslandCarpedie · · Score: 2, Interesting

    Make no mistake, no security scheme (at least that is feasible for average use) will ever be perfectly secure. But when saying "all that does is identify the machine, not the user" you must consider "what does the current system (passwords) identify?".

    The answer is nothing. Passwords are probably just about the worst security method you could imagine (besides no security at all)! They just happen to be the easiest method, so they became default.

    If you spend some time actually researching InfoCard, you'll see it is at minimum a very interesting idea. Do I think it is the ultimate correct answer to security? No. However, it's the most promising proposal I've seen in some time that can both provide pretty solid security and be easy enough for joe sixpack to put in wide use. Eventually, I'm sure better things will come along (or things similar to InfoCard will evolve and improve) but for the time being InfoCard is probably the best idea out there right now considering security offered, ease of use, expandability, etc.

    The point is passwords have well outlived their usefulness in computer security and ideas like InfoCard are promising ideas which could well be the answer (at least for now).

    --
    "reality has a well-known liberal bias" - Steven Colbert
  14. Too biased and anti-Microsoft... partial nonsense by TheSpoom · · Score: 2, Interesting

    IE has password memory. So does Mozilla / Firefox, Opera, Safari, and a host of other browsers. It's a feature to make it easier to access sites, but users with high authentication should know that that ease comes at a cost of security. Admittedly many non-IE browsers have a "master password" structure whereby you type one password for it to remember all of your passwords on demand (as mentioned by a sibling post about Safari), but said poster also recognized that most of these systems ship with the feature off by default, and even if it is on, you're still doing a balancing act with security and ease -- if a cracker finds your master password, they've found ALL your passwords.

    And I believe you're referring to FindFast, Microsoft's indexing tool that they shipped with Office. As I remember it, FindFast indexed documents (i.e. Microsoft Word, Excel, etc. files) so they could be found easier later, as well as have quicker in-file searching (i.e. searching for a word inside all your documents). It never stored your domain passwords or any such security-related tokens. Once again, though, you're only screwed if you put your password inside a Word file in your system... and why the hell would you do that if you're concerned about security? (P.S.: Anyone who had even a bit of technical acumen would turn FindFast off back in the time when it was used, as it made your system horribly slow when it was indexing and tended to do so at inopportune times.)

    Passport only works on sites that explicitly choose to support it, and generally only if you register yourself that way: most will give you an option for a registration in their site database only (eBay did this previously if I remember correctly). Several alternatives have been attempted at Passport-like solutions as well, to be fair, including some open source options. Once again, Microsoft isn't forcing you to use their solution, and I doubt a lot of systems use Passport authentication for high-level access anyway.

    Normally I wouldn't be so argumentative, but you made a sweeping generalization when you said that "non Microsoft tools have taken local and remote attack into consideration". You made your bias quite clear in that statement. Next time you want to post attacks, at least back them up with some proof or evidence.

    Anyway, I have yet to form an opinion on this InfoCard thing, but seeing as how it'll likely be Microsoft-proprietary and they'll probably have something to gain from it, I doubt I'll be either signing up for one (unless I have to in order to access a system, and even then I'll resist quite vocally) or deploying it on my own login systems.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  15. Ombudsman didn't get it either by konijn · · Score: 3, Insightful

    "I (and the Globe) have no stake in the debate over Open Source or Windows."

    Mr. Chacon, this is about Open Standards, not Open Source.

  16. Re:The problem with 20% Ethanol by gone.fishing · · Score: 2, Informative

    We have had ten percent ethanol in our fuel here in Minnesota for many years. I personally have never had to replace any part that has been damaged by ethanol and I don't expect the old Explorer to suffer any worse with twenty percent. Frankly, I think ethanol helps keep the fuel system cleaner.

    Alcohol is less volatile than gasoline in cold weather but the lion's share of every-day cars on the road are now fuel injected and that more than makes up for some alcohol in the gas (injectors vaporize fuel much better than carburetors). Also, the alcohol really helps with frozen fuel lines and "water in the gas" both used to be big problems here in Minnesota where many of us all winter long added gas line anti-freeze (which is just alcohol) to our gas. We no longer need to do that.

    Today, we don't need a second tank for gas/alcohol mixes but they do use that configuration in Brazil where most drivers use pure ethanol for fuel. I have a friend who uses E85 in her tank and she has never complained about hard starts in cold weather so, I assume that just a little gas added to the alcohol is all it takes to make it start well in the winter.

    What really helps in the winter is a good battery. I try to replace mine at three years and I buy the biggest battery that will fit (you can get some 1000 amp batteries that are pretty small). Back in the days of carburetors I used to have to use a tank-heater and when it was really cold I'd even hook up a battery charger and throw a blanket over the hood and grille. I haven't done that in ten years though.