Slashdot Mirror

← Back to Stories (view on slashdot.org)

Whom Must You Trust?

Posted by Soulskill on from the mainly-just-late-night-infomercial-spokepeople dept.

CowboyRobot writes: 'In ACM's Queue, Thomas Wadlow argues that "Whom you trust, what you trust them with, and how much you trust them are at the center of the Internet today." He gives a checklist of what to look for when evaluating any system for trustworthiness, chock full of fascinating historical examples. These include NASA opting for a simpler, but more reliable chip; the Terry Childs case; and even an 18th century "semaphore telegraph" that was a very early example of steganographic cryptography. From the article: "Detecting an anomaly is one thing, but following up on what you've detected is at least as important. In the early days of the Internet, Cliff Stoll, then a graduate student at Lawrence Berkeley Laboratories in California, noticed a 75-cent accounting error on some computer systems he was managing. Many would have ignored it, but it bothered him enough to track it down. That investigation led, step by step, to the discovery of an attacker named Markus Hess, who was arrested, tried, and convicted of espionage and selling information to the Soviet KGB."'

54 of 120 comments (clear)

  1. I would trust me.... by Petron · · Score: 4, Funny

    But I know what I've been up to...

    --
    if (it != oneThing) it = another;
    1. Re:I would trust me.... by reboot246 · · Score: 1

      "But I know what I've been up to..."

      So does the NSA and they don't trust you either. In fact, they don't trust any of us. To them we're the (potential) enemy.

  2. Correct usage? by bluefoxlucid · · Score: 2, Informative

    The predicate comes first in this sentence?

    --
    Support my political activism on Patreon.
    1. Re:Correct usage? by Aighearach · · Score: 2, Funny

      Off the lawn you will get. Put up with this I will not!

    2. Re:Correct usage? by Opportunist · · Score: 1, Funny

      You need to stop using RPL, that reverse polish notation is not good for you.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Correct usage? by Anonymous Coward · · Score: 1

      No, the actual article says Who. The moron changed it to Whom because grammar is so hard.

    4. Re:Correct usage? by gewalker · · Score: 1

      Use this simple test for 99% of the who/whom selection cases. Rephrase the sentence use Thee or Thou. If Thou is correct, use Who, When Thee is indicated, use whom -- The article title is the 1% case when you actually have to understand the grammar enough to distinguish subject vs. object usage.

      The rules for selecting Thee vs. Thou are the same, Thou=subject, Thee=object.

      For those of you not raised on Thee & Thou, can use the more modern Him and He. He=Who, Him=whom.

  3. Whom you trust ... ? by jamesl · · Score: 3, Informative

    Who vs. Whom

    This rule is compromised by an odd infatuation people have with whom -- and not for good reasons. At its worst, the use of whom becomes a form of one-upmanship some employ to appear sophisticated. The following is an example of the pseudo-sophisticated whom.
    http://www.grammarbook.com/gra...

    1. Re:Whom you trust ... ? by X-Ray+Artist · · Score: 2

      I was reading this to find out how to determine whom to trust. I didn't learn much on that topic (Basically, trust no one.) I did, however, learn plenty about "who vs whom."

      --
      I would have a sig but I am too busy updating programs and restarting my computer
    2. Re:Whom you trust ... ? by XanC · · Score: 1

      Exactly. Like, for example, in the title of this article.

    3. Re:Whom you trust ... ? by nine-times · · Score: 1

      Actually, we apparently disagree. I believe that between "Who do you trust?" and "Whom do you trust?" it is more correct to use "whom". "Whom" is the direct object of "trust". The standard test applies: when you answer the question, would you use "he" or "him"?

      Who is trustworthy?

      He is trustworthy.

      Whom do you trust?

      I trust him.

      Now, that's the issue of which is more correct. I wouldn't jump down your throat for asking, "Who do you trust?" but I think "whom" is actually more correct, so I wouldn't correct someone for saying it either.

    4. Re:Whom you trust ... ? by Nidi62 · · Score: 1

      I agree with you on that that "whom" sounds more correct in that instance, because there is an implied "in" at the beginning of the sentence (since it is the DO), ie "In whom do you trust". In that case "whom" sounds both correct and more fluid than it does in the summary title, where is sounds klunky, forced, and (as someone somewhere else here said) kind of pompous. But it might just be a colloquial quirk that I have regarding the phrasing "whom must" with the concurrent "m"s, so that "who must" sounds better than "whom must".

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  4. Yes I'm here by istartedi · · Score: 2

    What do you want?

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  5. Trust is a virgin by fustakrakich · · Score: 1

    Once it's gone, it's gone.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Trust is a virgin by ArcadeMan · · Score: 4, Funny

      You could have phrased that better, such as "Trust is like virginity. Once you get fucked, it's gone."

      --
      Get free satoshi (Bitcoin) and Dogecoins
  6. Are you guys too young or what? by ArcadeMan · · Score: 1

    TRUST NO ONE

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:Are you guys too young or what? by Chris+Mattern · · Score: 2

      TRUST NO ONE

      Keep your laser handy.

  7. Why 'must' I trust? by jkrise · · Score: 1, Interesting

    The headline indicates a necessity to trust anybody or any entity. There is no necessity to trust anyone. Least of all myself, because time plays tricks with me and I keep changing all the while.

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Why 'must' I trust? by canadiannomad · · Score: 1

      Depends on semantics.

      I must trust everyone on this bus not to pull out a gun and steal my tablet. Otherwise I wouldn't have taken it out.

      I must trust the guy at the corner store, because I believed that after I paid for some goods, he wouldn't come running after me calling me a thief.

      On the other hand, must I trust anyone or any entity to do the same thing they did in the past? Well only to the extent that it fits with their own best interests. Unfortunately the more removed they are from my circle of influence, the less likely that their best interests coincide with mine.
      Still I must trust that the sky wont fall, otherwise I'd never get out of the house.

      --
      Hmm, the humour and sarcasm seem to have been be lost on you.
    2. Re:Why 'must' I trust? by Opportunist · · Score: 1

      You must have a LOT of time on your hands. I have to trust a lot of people and organizations. The guy delivering my pizza that he abstains from putting poison on it, the garage that services my car that they actually service and not wreck it, the manufacturer of my door lock that they don't keep a spare key, the water company that they don't lace it with LSD or send H2SO4 instead of H2O, and of course every single person I meet on my way to work that they don't pull out a gun and kill me.

      When you think about it, you'll notice that you trust a LOT of people, all day, every day. Either that or your level of paranoia beats mine by some leagues.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Why 'must' I trust? by penguinoid · · Score: 1

      Of course you have to trust a bunch of people, most of whom you don't know. You put your life in their hands every time you use certain items (eg your assumption that your new appliance is not laced with explosives). When it comes to knowledge, you can't verify everything yourself and trust that what you were told isn't wildly inaccurate (eg most of science).

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    4. Re:Why 'must' I trust? by iluvcapra · · Score: 1

      There is no necessity to trust anyone.

      Well, you're commenting on slashdot, so firstly, even if you've validated all your apps and system software against certificates, you're trusting a hardware vendor.

      You're also trusting Dice Media not to /dev/null arbitrary comments.

      --
      Don't blame me, I voted for Baltar.
  8. To quote The Wizard's doorman by Chas · · Score: 2

    NOT NOBODY!
    NOT NOHOW!

    --


    Chas - The one, the only.
    THANK GOD!!!
  9. Trust networks can fix this by MarkPNeyer3416 · · Score: 5, Interesting

    imagine something like linkedin's 'how are you connected to this person' - except instead of 'we worked together' the edges are all of the form 'i trust this person to this extent.'

    you take a bunch of statements of this form (node X trusts node Y with level 0.4), all signed by private keys. if you meet someone else, you can see all of the trust paths from you to them, to decide how much you trust them, and to what extent.

    then, instead of having to personally know someone else personally, i can say 'there are 300 paths from me to this woman. 250 of them are strictly positive with trust levels over 0.7 which is my default threshold for comfort. all of the negative ones turn negative over two hops from me, and only three are intensely negative. i already had weak trust levels for intermediary nodes between myself and the negative inbound edges to her. she's fine, and i have more confidence in my negative assessment of those intermediary nodes.'

    this could be huge. it would let us have more trust in strangers, and it would let us do things like this:

    • 'this lawyer has 50 inbound links from people i'm relatively close to, that all rated him as an asshole. i wont work with him'
    • 'this guy i'm serving at the restaurant has 30 level-4 links out who've said he helped them when they didn't offer anythign in return. i'll service him better than this other guy over where who's been rated as rude and elitist by some closer level links to me'
    • lets look at the yelp reviews of these restaurants, weighted by the trust scores i give users who've left the reviews. hmm, all of these reviews are from identities i only have a few paths to, with all of those paths passing through my SEO friend, who i thought might be black hat. drop this guy's trust level to negative and mark all of those reviews as untrusted by me. don't want my friends to waste their time with that.
    1. Re:Trust networks can fix this by mrchaotica · · Score: 1

      Wouldn't you just lower your trust level between you and that person, then? In other words, if you have a trust network A - B - C where B reports trusting C 100% but A thinks B is lying, then A reduces his trust in B to zero and the amount that B trusts C no longer matters.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    2. Re:Trust networks can fix this by jdunn14 · · Score: 1

      God this sounds familiar..... and that's because I wrote a PhD thesis about building a system to do something a lot like this. It involved a fairly mediocre web interface wrapping a database of trust relationships specified by end users. A trusts B for 0.7 and B trusts C for 0.6 then you can put together a trust level between A and C by multiplying those together with some user-tweakable distance dropoff. Those trust levels were then measured against the levels required for access to shared data. Maybe you would allow anyone with a 0.7 or higher to read a given document and a 0.9 or higher to contribute to it. It was an interesting idea, but man did I get tired of it by the end. If for some bizarre reason anyone wants to read bits of it google books has some indexed and I probably have a pdf laying around somewhere....

      I figured it could be quite useful, but I was so fed up with the work in mid-2007 that I never looked back at it.

    3. Re:Trust networks can fix this by inflamed · · Score: 1

      Which would work well if you could trust people to consistently submit "trust statements" truthfully and accurately. Sometimes people lie when they tell you who they trust and who they don't.

      People lie but no so much when their lies are detremental to them. Such a web of trust could only be conned by 'fake' nodes which would have a very hard time developing any links to 'real' nodes.

    4. Re:Trust networks can fix this by inflamed · · Score: 1

      God this sounds familiar..... and that's because I wrote a PhD thesis about building a system to do something a lot like this. It involved a fairly mediocre web interface wrapping a database of trust relationships specified by end users. A trusts B for 0.7 and B trusts C for 0.6 then you can put together a trust level between A and C by multiplying those together with some user-tweakable distance dropoff. Those trust levels were then measured against the levels required for access to shared data. Maybe you would allow anyone with a 0.7 or higher to read a given document and a 0.9 or higher to contribute to it. It was an interesting idea, but man did I get tired of it by the end. If for some bizarre reason anyone wants to read bits of it google books has some indexed and I probably have a pdf laying around somewhere....

      I figured it could be quite useful, but I was so fed up with the work in mid-2007 that I never looked back at it.

      Thanks for laboring through a thesis on the topic, it's an occasional daydream of mine and I would love a copy. :-)

  10. Re:Uplink was visionary by Opportunist · · Score: 5, Insightful

    Trust is a necessity. People do not have infinite time and skill available. At some point, I must trust someone or something. I must trust my mechanic that he doesn't cut my brakes. I must trust the pizza delivery guy that he doesn't sprinkle his pizza with E605. Of course you can opt to trust NOBODY, but, bluntly, that would indeed leap over the border to paranoia.

    But just as you have to pick your battles, you have to pick who to trust and who not to. A good starting point is usually the "cui bono" approach. What's in it for my pizza guy to kill me? Nothing. So I guess it's safe to assume that he wants to continue bringing me pizza because he wants more of my money.

    OTOH, with the current situation, I wouldn't trust any government any further than I can throw up.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Whom you trust ... ? by Anonymous Coward · · Score: 1, Funny

    I see that alot.

  12. On trust by wonkey_monkey · · Score: 1

    Arthur remained very worried.

    "But can we trust him?" he said.

    "Myself I'd trust him to the end of the Earth," said Ford.

    "Oh yes," said Arthur, "and how far's that?"

    "About twelve minutes away," said Ford, "come on, I need a drink."

    --
    systemd is Roko's Basilisk.
  13. Bruce Schneier by nitehawk214 · · Score: 1

    Seriously, if Bruce Schneier can't be trusted, who can?

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  14. Re:Uplink was visionary by Opportunist · · Score: 1

    Given how I feel about governments, it is most likely the second.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. "must" trust? by ChipMonk · · Score: 1

    Anyone demanding my trust, automatically loses it. Same goes for respect.

  16. Who by rossdee · · Score: 2

    Who do you serve, and who do you trust? - Galen

  17. Trust the Computer by fivepan · · Score: 1

    The Computer is your friend.

  18. No good comments? Not a comment worthy article. by qubezz · · Score: 1

    The linked article, which I did read, seems to have no thesis. It meanders from "C compilers can be subverted" to "see if people leave their purses out to judge if a neighborhood is safe". It is as if a high schooler had to write a paper on trust, and cut a paragraph out of each of the top 20 web search results.

    1. Re:No good comments? Not a comment worthy article. by AHuxley · · Score: 1

      Its like many ideas presented to top US intelligence students.
      Just enough history on todays enemy, the tech to do the work needed and the correct collection of happy short tech stories from the past.
      Thanks to the work of whistleblowers the world now understands:
      https://www.eff.org/deeplinks/...
      Different govs, the US, UK have total mastery of the 'net' via local shared facilities and people.
      http://www.theregister.co.uk/2... (3 Jun 2014) http://www.nytimes.com/2014/04... (APRIL 23, 2014) The standard crypto offered is junk.
      Entire generations have to rethink what the 'net' really is: predictive and trackable:
      "US Secret Service wants sarcasm-detection tool for Twitter" (05 Jun 2014)
      http://www.telegraph.co.uk/tec...
      People read the headline but a bit further down is the fun part: "real-time" and the ability to identify 'influencers'.
      Tech that was once at a budget level of a few nations agencies is now more wide spread at a federal level with a domestic role.

      --
      Domestic spying is now "Benign Information Gathering"
  19. Well, yes, I was there... by Cliff+Stoll · · Score: 5, Interesting

    It's been a quarter century since I chased down those hackers. Hard to think back that far: 2400 baud modems were rarities, BSD Unix was uncommon, and almost nobody had a pocket pager. As an astronomy postdoc (not a grad student), I ran a few Unix boxes at Lawrence Berkeley Labs. When the accounting system crashed, my reaction was curiosity: How come this isn't working? It's an attitude you get from physics -- when you don't understand something, it's a chance to do research. And oh, where it led...

    Today, of course, everything's changed: Almost nobody has a pocket pager, 2400 baud modems are a rarity, and Berkeley Unix is, uh, uncommon. What started out as a weirdness hiding in our etc/passwd file has become a multi-billion dollar business. So many stories to tell ...

    I've since tiptoed away from computer security; I now make Klein bottles and work alongside some amazing programmers at Newfield Wireless in Berkeley. Much fun debugging code and occasionally uncorking stories from when Unix was young.

    Warm cheers to m'slashdot friends,
    -Cliff

    1. Re:Well, yes, I was there... by Cliff+Stoll · · Score: 1

      And my thanks back to you, oh Anonymous Coward: The 15 cents in royalties from your purchase of m'book is now helping my kids attend college. Uh, it'll last about 1.3 minutes.

      You say that you're managing firewalls - all sorts of possibilities! I had the honor of working with Van Jacobson at LBL when he first researched TCP/IP traffic jams and compression. I was amazed at how much could be done by looking at traffic and thinking about the interaction of traffic, buffers, routers, and network congestion. Wonderful stuff - what looks like a boring problem may be an opportunity for research.

      With that in mind, here's my encouragement to you: Go and sharpen your tcpdump & wireshark tools. Figure out what's really happening to those packets. Who knows what you'll uncover?

    2. Re:Well, yes, I was there... by cpghost · · Score: 1

      It's been a quarter century since I chased down those hackers.

      I saw a translation of The KGB, the Computer, and Me that aired back then on German TV, and it was fascinating! Great to see you here on Slashdot Cliff!

      --
      cpghost at Cordula's Web.
    3. Re:Well, yes, I was there... by Cliff+Stoll · · Score: 1

      Thanx!

      I saw a short section of the German version of that Nova show ... apparently I speak fluent German in the that version!

      Mit den besten Wünschen,
      -Cliff

    4. Re:Well, yes, I was there... by starseeker · · Score: 1

      I still remember the fascination from when I first watched The KGB, the Computer, and Me. It was many years later that I finally read The Cuckoos Egg, and I found that even more enjoyable - a fascinating story, well told. I still have it on my bookshelves today.

      I also have one of the Klein bottles - a very nifty product, entertaining and educational at the same time.

      Thank you for making such rich contributions to the world.

      --
      "I object to doing things that computers can do." -- Olin Shivers, lispers.org
    5. Re:Well, yes, I was there... by yanyan · · Score: 1

      Hello Cliff, awesome to see you on here. I read "The Cuckoo's Egg" at least once every two years. Never gets old and it's truly a story for the ages. :-)

  20. Re:Uplink was visionary by Anonymous Coward · · Score: 2, Informative

    Bruce Schneier has an excellent 2012 book-length treatment of trust called Liars and Outliers: Enabling the Trust that Society Needs to Thrive .
    https://en.wikipedia.org/wiki/...

    It makes many of the same arguments as the previous post in a rigorous way, drawing on social science research and game theory for support. Well worth reading for those interested in trust and security.

    Posting anonymously to not loose my mods.

  21. Re:Uplink was visionary by mrchaotica · · Score: 1

    OTOH, with the current situation, I wouldn't trust any government any further than I can throw up.

    Like.. a baseball up into the air? Or like.. projectile vomiting?

    Like a mixed metaphor whooshing over an Anonymous Coward's head.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  22. You had me going there by jeffmeden · · Score: 1

    ACM seems like a reputable publication so I was going in to it thinking I was about to read some interesting stuff, and then this happened:

    Even the time of day can be exploited. In 2013 a network attack known as NTP Amplification used Network Time Protocol servers across the Internet in a distributed denial-of-service attack. By spoofing the IP address of a requester, an ever-larger stream of packets could be aimed at a target, swamping the target's ability to respond to TCP/IP requests.

    lolwut. The time of day was not exploited, not even a little. The boneheaded "Feature" of having a command to recall a large chunk of data via unauthenticated UDP was exploited. They go on to explain a basic denial of service attack and finish it off by misusing a term as basic as TCP/IP (it doesn't matter what protocol you are using when you are the target of a DDOS, your pipe is blocked period). I will go ahead and stop reading now.

  23. Re:IF you are the REAL Cliff Stoll? by Cliff+Stoll · · Score: 1

    (blush). Thanks!

    Now it's your turn: Go forth and make our networked community friendlier, stronger, more trustworthy, and more useful.

    Best wishes,
    -Cliff

    PS: Of course, you raise a fascinating, self-referential question. How can you tell if this posting is from the real Cliff Stoll? I know it's me - and it's easy to prove in person, but difficult online. For the best proof, well, stop by for coffee. Way more fun than posting online.

  24. My 2 cents by Cro+Magnon · · Score: 1

    I generally don't trust anyone who says "Trust me".

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  25. As Fox Mulder says... by antdude · · Score: 1

    "Trust no one." :P

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  26. hosts is on a read-only file system by tepples · · Score: 1

    [To configure Android's DNS resolver], a devtool like ADB and its 'pull' command will do

    But when I try to adb push a file back, I get an error "Read-only file system". Google apparently doesn't want end users to be able to specify whom to trust. Apparently I have to back everything up, wipe the device, and pray that everything restores properly before I'm allowed to edit system files.

  27. Re:I did that on my nephews Android by tepples · · Score: 1

    Look into OTHER commands like chmod existing in the ADB commandset then

    chmod won't do anything if a whole file system is read-only. To make /system writable, it must be remounted, and only root can do that. The key difference between GNU/Linux and Android is that on GNU/Linux, the owner of the PC has root by default.

    All I know is, I did ADB 'pull' on my nephews phone

    Was it rooted? That's what I meant by the backup requirement: to root a Nexus 7 tablet, you need to unlock the bootloader (fastboot oem unlock), and that wipes the device.

  28. Re:Uplink was visionary by Opportunist · · Score: 1

    Interesting how Bruce and I tend to have the same ideas. :)

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  29. Re:Get your "hooked on phonics" lessons out by yacc143 · · Score: 1

    Well, have fun blocking only on specific urls, basically every time something "unwanted" and "wanted" share a hostname.

    OTOH, a hosts file does have it's own use, you can apply it easily enough for a WLAN, while filtering on http urls is way uglier, without running an application level proxy on your router, which again is far from trivial.

    The APK link on the other hand looks a little bit like spam to me.