I'd rather spend 80 billion on something that has the ability to fundamentally change our existance as we know it.
The biggest limitation on technology right now is energy. If we throw fusion reactors with a high Q factor in the mix, chemical processes which are right now too expensive will be trivial.
Take the Pacific Gyre. A fusion plant combined with a thermal depolymerization setup will render the used condoms into usable crude that can be used for making stuff (and not just burning).
Fuel for cars and vehicles? It was discussed on/. about being able to break apart CO2 from the air and use that as a potential fuel source. Ideally, it would be nice to be able to render liquified propane from CO2, because propane is one of the most idiot-resistant [1] fuel sources around, and if it leaks, it just disperses (or ignites), and doesn't post an environmental hazard compared to gasoline or diesel.
Oil companies won't be affected by fusion -- instead of petroleum being burned, it will be used for more projects such as plastics, cements, and other items. This allows them to keep selling oil, without having to resort to more damaging ways to find more places to drill.
For a government, 80 billion is not that big a number. I'd rather see it spent on something that might do some good, and the research knowledge gained is always usable in other fields.
[1]: I did not say idiot proof. There are always people who think that disposing of their propane bottles in a campfire is a great idea.
With appliances becoming more common, as well as trying to make more "smart" devices, embedded device programming is one of the few open frontiers left in programming.
With Android features becoming part of the mainstream Linux kernel, it opens up a lot of possibilities. For example, one thing I have thought about building would be a system that would check an RV's functions, and alert the owner if something is amiss, be it house batteries running low on charge, unauthorized access to the coach or storage panels, unauthorized removal of the LP gas bottles [1], refrigerator temperature out of spec, coach not winterized and temperatures below freezing in the plumbing areas, and so on. The only practical solution would be a custom embedded monitor with a 3G radio.
[1]: I'm splitting hairs, but if it is permanently mounted, it is a tank. If it is removable, it is a bottle. LP gas bottles tend to be a tempting target because they can work as anhydrous ammonia containers for meth labs.
Morale is critical for security as well. Yes, a company can browbeat employees about security, but if they don't give a flying fsck because they know they are the low bidders, only the bare minimum gets done.
Contrast that to a company that actually does make an attempt to look out for its employees and contractors. People would tend to be more alert and proactive in finding security issues, or actually pay attention to the security policy because they know it affects them.
Exactly. If an attacker is running their stuff on some botnet clients, and gets reports that machines on a network all are accessible, it will waste their time and resources in having to vet each and every machine that reported a successful login.
It isn't a true honeypot because the machines are not giving much of an environment for an intruder to play around in, but more of a way to fool the brute forcing scripts in giving them a bunch of false positives.
Maybe even going back to the age-old S/KEY or OPIE protocol that has been part of BSD for 20+ years? This has fallen into disuse because it was mainly designed to foil packet sniffers, but might be a good way of doing things. Maybe modify the algorithm a little bit so it uses a modern hash, and perhaps add a random 4-5 digit number somewhere in addition to dictionary chosen words. That way, trying to brute force a pass phrase that will easily be more than 20+ characters will be almost impossible, especially with tarpitting, IP blacklisting, and locking an account out for 5-20 minutes if too many guesses are done wrong.
What would be interesting is that if someone tries to log in as root with a password (as opposed to using a public key), rather than outright deny access, just make sure all access is denied from that IP or IP range, even if a future attempt at logging on would have normally been successful. This keeps the attacker busy thinking they can gain something.
Or, if someone is really clever, spawn a fake shell which drops to a prompt, then 1-2 seconds later, have it look like it got logged out.
Something like that widely distributed would be an effective poison, until the attack scripts started checking to see if the shell prompt is real or fake.
If the computer with the key is compromised, the game is over. The password can be slurped, the key snarfed, and even the session hijacked.
It is all about limiting exposure. Going to public keys closes a potential common method of access, brute force guessing.
No security method is 100%, but in a lot of cases, something is better than nothing, and having at least root locked out from password guessing is a must for Internet facing systems.
Where the rubber meets the road is deaths per terawatt hours. Even with the disaster, nuclear remains well lower (0.04) than any of the other mainstream energy sources (coal's world average is 161, oil is 36).
With nuclear having 900 times fewer deaths than oil, this shows that something is being done right.
The problem is that with all the fear around nuclear reactors, no new, safe ones are built, so we are left with maintaining venerable designs designed barely after WWII with far fewer safety features.
The insanity of this shows when one compares this with other industries. It would be ridiculous to claim that aircraft are fundamentally unsafe and banning any new design to be made, only allowing biplanes from WWI to keep in the skies. Or saying how pathetic an automobile is while barring anything newer than a steam engine.
The spammers are moving on. In the past, there were enough people out there that would click on their links, send money, buy whatever crap is out there, or just be general marks. However, by now, anyone fleece-able is now penniless and in the streets.
Instead, the spam I see is less of trying to sell wanker drugs, but either coming with an attachment payload for a Trojan dropper, or if there is a website included, the website is chock full of exploits. Spam is more insidious because it used to be about selling stuff. Now it is about taking over the computer or device.
The drop in spam is because the criminals have moved from just sending E-mail out to focusing on Web browser exploits and other more lucrative gains. Getting someone to click a link which is rife with zero-days pays far better than getting someone to buy a box of blue M&Ms.
Targeted exploits are more common now. With ID theft so common, combined with the fact that VoIP allows a scammer from anywhere to fake a local number (even 911) in order to demand, cajole, or request information or even money. It used to be only the friend of a friend's cousin's inlaw who would be stung by it. Now, someone calling, saying they are so and so (and able to try to mimic their voice, claiming to have their jaw cracked so it doesn't sound the same), saying that so and so's wife with the name isn't around and that they need cash wired pronto is becoming the norm.
Spammers have moved away from the botnets to the phone boiler rooms, where if one has enough info and targets older Americans, the payoff can be extremely lucrative with zero chance of legal action taken.
What we are seeing is the next evolution in crime which usually goes as follows:
1: xxx crime gets popular 2: Counter measures are taken. 3: xxx crime dodges counter measures. 4: Actual working counter measures are taken. 5: The criminals move onto a new hustle.
This was true back in the 1900s when safes were broken into on a weekly basis until burglar alarm systems became the norm, then burglary evolved into home invasions and knock-and-shoots. Similar with car theft. When thieves were unable to smash a steering column lock for a prize, they went to carjacking.
What we will see instead of spammers are more social engineering attacks, where people use stolen information to target individuals via phone, E-mail, or FB in order to blackmail, extort, or scam cash.
Of course, the next threat after that is when criminal organization "A" a continent away starts making partners with local street gangs. Then, the guys on computers in Elbonia can tell the gangbangers over in a victim's local neighborhood who to rob because their cellphones are a ways away, and the Elbonian gang has access to a method of tracking in real time (perhaps some added "functionality" in a popular app). Or, the Elbonian gang hacks a school's database, then sells that info to a local gang to figure out which kids are "latchkey", and now has a steady ransom source. In return, the local gang does some hits and social engineering for the Elbonians.
The days of UID 0 being king and everyone else being a peasant have been over for a long time. Some examples:
Solaris: Root is a role, not a user.
Linux: AppArmor and SELinux come into play.
AIX: Root can be removed and assigned to roles, where UID 0 is just another user.
BSD: Plenty of ways to limit access via ACLs and other mechanisms.
OS X: Root has to be explicitly enabled.
Pretty much, the only reason the concept of root exists these days is a "master override" when one just needs to get something done without roles/ACLs/et. al. coming into the picture, such as doing hardware configurations, or booting from recovery media. Almost all new operating systems tend to not allow the user to run as root unless it is explicitly enabled.
Ideally, they should store the user data encrypted with a random key (and salt, of course, so one user's files that have the same contents can't be told from another.) That random key is stored encrypted with either the data from recovery questions, or the user's password able to unlock it, neither available/recoverable from the stored, salted hashes. Of course, if the user chooses crappy recovery answers, an attacker would have it easy to unlock items, but that form of security is up to the user.
In theory, this would be the next best thing to room temperature superconductors for getting electricity long distances.
I can envision a nuclear/solar/wind farm out in west Texas generating energy, then using this method to create butanol, which runs via a pipeline to a burning facility that is near a populated area, which powers the grid. Yes, this is not that efficient, but neither is the large energy loss from long distance power lines.
Call me naive, but I have no idea why websites like using other social networks for authentication. Is there something so secure that I can trust Facebook with any and all logins and passwords for not just me, but all my users?
Yes, FB and Google have two factor authentication as options, but when it comes to making sure my users have basic security, I'd rather pack my own parachute, and have a dedicated appliance store username/password hashes so if someone owns the rest of my boxes, they can't just scoop out passwords that can be used at other sites.
Maybe this can be a market niche -- a site offering not just OpenID, but a custom API like the old Microsoft Passport allowing people to authenticate from that site, optionally using an app or SecurID key fob.
There is also a third conservative; a practical one.
Take a software development shop doing security sensitive code. One type of conservative would fire the developers and offshore everything, hiring a H-1B for anything that needed done on US soil, only later to find that their business is compromised. Another type would fire the senior developers and hire people at min wage, firing anyone too good so they don't have to give pay raises.
A practical conservative knows that morale is important in the company, and knows that payroll is a relatively small fraction of accounts payable. They give the developers competitive pay, and morale is high. The result is that security policies are strictly followed because people rally behind the company's banner (as opposed to just going there for a paycheck.) Result, no leaks or security intrusions, and employee ideas add further revenue.
Similar with government. A practical conservative considers part of national security the welfare and morale of citizens. Better pay for good schools now than pay for long prison stays later.
There is one market where solar is becoming a must, and that is RV-ing. With all the electric-hungry appliances that are running off 12 volts, coupled with the fact that batteries take a long time to come up to full charge, solar is becoming a must have for anyone with a RV who isn't just staying on an RV park's shore power 24/7/365. With rigs getting larger, there is plenty of space to add panels.
Add to this flexible solar panels that can be rolled up, and I can envision someone able to run appliances like the A/C or microwave off a battery bank that is recharged by the solar panels on the ceiling, awning, and perhaps an extended room.
So, for RV-ers, it is something that allows for the comforts of home without having to break out the generator.
The FBI is also dealing with a lot of businesses who have existed for years with at best paying lip service to computer security.
I remember a few years back so many PHBs saying, "security has no ROI" like it was a mantra for magic success. Of course when I asked the person about what they do if they do get breached, the answer was invariably, "Call Geek Squad, and they will fix it."
The sad thing is that there is no real drive for private businesses to focus on actual security. A breach happens, and usually it won't be reported, and if it is, it is because there are thousands of people who got nailed and have hard evidence finding who did it upstream. Even though there are laws to disclose breaches with private info lost, it isn't hard to ignore them -- the company top brass will find a fall guy, and the domain admin password will continue to remain "swordfish". Even if the firm goes bankrupt, it doesn't really matter, because the top brass just finds a niche somewhere else.
There is also the belief that intruders won't do much damage. A wiped box? Stick in a backup tape. Lost customer info? Not our problem if customers get identity theft issues. Lost source code? The H-1Bs end up copying it to their home soil anyway.
Until the attitude that security is a cost center with nothing to gain back goes away, it is no wonder that criminal organizations and foreign intel departments are having a field day.
Ironically, where I see actual improvement in security is in government. The main reason is that government departments (and this applies not just to the US but any country out there) have a lot to lose, especially around election years. Companies can fold and the CEO just moves to a new venture, but a government department that is weak on security will face the wrath of the voters, as well as any elected official that is looking to keep their jobs. In countries that are not democracies, it can mean loss of face for leadership which will be swiftly dealt with.
The ironic thing is that Sony makes very good products. Even back in the late '90s, their "MP3" [1] players were well made.
Sony could have had the whole MP3 player market just like they did with the portable cassette players, where the generic term became "Walkman". However, the extreme DRM on OpenMG, then Sonic stage caused people to look elsewhere... and even though Apple's offerings were lackluster, people could copy music to it, and with a little sleight of hand, copy their music from the device.
I wish Sony learned that lesson -- that too much DRM and consumer-hostility is bad for business. However, the PS3 did turn that around -- it took almost five years for a meaningful crack to appear (and new PS3s are immune to those), so Sony enjoyed a completely piracy-free platform for longer than most consoles had usable lifespans. So, because the DRM worked so well for them with people still lining up to buy their products, Sony is actively encouraged to be consumer-hostile.
[1]: Some of the players in the early days required a complete transcode of files to ATRAC3. Other players just wrapped up the MP3 file in an encryption layer. Both didn't allow for copying to a device, one had to "check out" the files, and only was allowed three "check-outs" per song. Eventually Sony made "normal" MP3 players, but at that time, it was pretty much too late.
For a long time, people didn't care about privacy. They didn't care that some ad agency was writing down what websites they visited as long as they could get to whatever Internet sites.
Now, people are starting to feel the consequences of no privacy. Companies making point scores based on people's Internet postings, the fact that an arrest for *anything* will be a career ender [1], even if it is just PI and a 4 hour stint in the drunk tank. The wrong like on Facebook gets someone branded as a potential racist for 7 years.
A few years back, at first was a joke about people losing jobs due to FB posts. Now, this is routine, as well as the fact that the police can become involved if the wrong thing is posted in minutes. It is scary that one thing stated in anger and stupidity can mean not finding work, but more dire consequences such as expulsion from a school, or jail/prison time.
Will this change? I doubt it. I'm watching the threshold for getting arrested, getting a felony, or even life in prison become ever more trivial. Especially anything related to drug possession.
I can tell I'm getting older when it actually took some doing to be arrested in school when I was there (something that really was a felony). Now, it is common to read about some high school kid whisked from the school grounds and to jail because they backtalked a coach (which is considered assault in some areas), or that they decided to skip a class and went to jail due to curfew laws. What are we teaching kids when their friends get hauled off to jail and the person's chances of a job in the future nixed? Yes, fear of authority, but definitely not respect.
I'm just waiting for a convergence of hardware DRM stacks, data mining, "anti-piracy" laws, and IP address geolocation where new computers will shoot taser probes at the person using them, and keep them doing "the fish" until the cops arrive, the second they type a suspicious or angry post.
[1]: I've asked about that when I got through a round of interviews at one place and others who I know were more qualified than I didn't. The HR droid said something along the lines of, "You can buy an acquittal. If a cop considers someone guilty enough to pull out the handcuffs, they are a criminal and will remain a criminal for the rest of their lives, and they will not ever see a job here."
There are carriers who will refuse to let phones on their networks unless they originally sold them. I'd rather just swap SIM cards, as opposed to have to beg, plead, and wheedle for them to use the ESN for a new device.
With GSM companies, worst that happens is that they might sneak a data plan if their IMEI detector matches the number with a line of smartphones.
OpenSSH signed certificates (Not X.509) and TrustedUserCAKeys options and their usage. This way, I can hand a new cow-orker signed ssh host keys and assuming he or she knows enough not to just blindly replace a key if it isn't right, will minimize the chance of a MITM attack.
Revoking SSH keys.
Using SSHGuard to lock out brute force attempts.
Proper configuration of the sshd_config file. Stuff like only allowing root in via RSA keys (or blocking root access entirely.)
Auditing logs to know that key "A" ssh-ing to root is from user Alice, and key "B" is from Bob, so that one can tell who just wiped out the wrong filesystem come an inquiry.
Running sshd as a user, not as root.
Getting a backup program like NetBackup to form a ssh tunnel, do the backup, then close down the connection cleanly.
Ironic thing, one interview I stated something similar (mainly about keeping personal life and work life separated)... the answer I received was mind-blowing:
"You might think you are a professional 8/5, but you are an employee 24/7, and what affects you personally can affect our business."
It seems companies don't care if the employee telling all is not as skilled as someone who doesn't give out info -- what is wanted are docile people who can follow orders.
This is pennywise and pound foolish because if an employee does anything for the job in the first place, then another party who offers more can get said employee to do the same thing, where in the past it was a FB login, but then it becomes the Domain Admin account, root on the LDAP server, or an open ssh port and the enable secret on the core/edge router fabric.
People who know they are hired because they were the most docile or were the cheapest are likely going to passively ignore security policies, or even worse, actively copy information.
You would be surprised. In this economy, even people with a clue are looking for a job, and they have to fight against people with far less skills, but are far more willing to do anything asked of them by an employer, laws be damned.
When I was looking for work, I told more than one company where to stick it when the HR rep demanded a password and said that if a candidate wasn't doing something illegal or immoral, they would hand it over. The classic, "if you didn't have something to hide" type of BS.
In a firm that wasn't run by "poo-poo heads" (as a friend's daughter calls them), if someone was going to turn over their personal info (E-mail passwords, FB, other IDs) just on asking, there would be no way in Hell they would be hired. Just think what that person would do with company logins and such if someone else offered them more money.
What will happen will be similar to what happened to me when I was job hunting a couple years back:
The HR person will narrow their eyes once they get the answer that you don't have a FB account and ask, "If you are a so called IT person who is applying for something better than flipping burgers, then why are you not keeping up with modern day technology? Why should we hire a fossil, when any middle school kid can understand the concept of a social network, which you have demonstrated that you have failed to do so?"
I ended up creating dummy accounts on FB/MySpace/Twitter/LinkedIn just so I wouldn't have to deal with that crap. When asked if they could friend/follow the account, I just granted that.
Slashdot Mirror
I'd rather spend 80 billion on something that has the ability to fundamentally change our existance as we know it.
The biggest limitation on technology right now is energy. If we throw fusion reactors with a high Q factor in the mix, chemical processes which are right now too expensive will be trivial.
Take the Pacific Gyre. A fusion plant combined with a thermal depolymerization setup will render the used condoms into usable crude that can be used for making stuff (and not just burning).
Fuel for cars and vehicles? It was discussed on /. about being able to break apart CO2 from the air and use that as a potential fuel source. Ideally, it would be nice to be able to render liquified propane from CO2, because propane is one of the most idiot-resistant [1] fuel sources around, and if it leaks, it just disperses (or ignites), and doesn't post an environmental hazard compared to gasoline or diesel.
Oil companies won't be affected by fusion -- instead of petroleum being burned, it will be used for more projects such as plastics, cements, and other items. This allows them to keep selling oil, without having to resort to more damaging ways to find more places to drill.
For a government, 80 billion is not that big a number. I'd rather see it spent on something that might do some good, and the research knowledge gained is always usable in other fields.
[1]: I did not say idiot proof. There are always people who think that disposing of their propane bottles in a campfire is a great idea.
With appliances becoming more common, as well as trying to make more "smart" devices, embedded device programming is one of the few open frontiers left in programming.
With Android features becoming part of the mainstream Linux kernel, it opens up a lot of possibilities. For example, one thing I have thought about building would be a system that would check an RV's functions, and alert the owner if something is amiss, be it house batteries running low on charge, unauthorized access to the coach or storage panels, unauthorized removal of the LP gas bottles [1], refrigerator temperature out of spec, coach not winterized and temperatures below freezing in the plumbing areas, and so on. The only practical solution would be a custom embedded monitor with a 3G radio.
[1]: I'm splitting hairs, but if it is permanently mounted, it is a tank. If it is removable, it is a bottle. LP gas bottles tend to be a tempting target because they can work as anhydrous ammonia containers for meth labs.
Morale is critical for security as well. Yes, a company can browbeat employees about security, but if they don't give a flying fsck because they know they are the low bidders, only the bare minimum gets done.
Contrast that to a company that actually does make an attempt to look out for its employees and contractors. People would tend to be more alert and proactive in finding security issues, or actually pay attention to the security policy because they know it affects them.
Exactly. If an attacker is running their stuff on some botnet clients, and gets reports that machines on a network all are accessible, it will waste their time and resources in having to vet each and every machine that reported a successful login.
It isn't a true honeypot because the machines are not giving much of an environment for an intruder to play around in, but more of a way to fool the brute forcing scripts in giving them a bunch of false positives.
Maybe even going back to the age-old S/KEY or OPIE protocol that has been part of BSD for 20+ years? This has fallen into disuse because it was mainly designed to foil packet sniffers, but might be a good way of doing things. Maybe modify the algorithm a little bit so it uses a modern hash, and perhaps add a random 4-5 digit number somewhere in addition to dictionary chosen words. That way, trying to brute force a pass phrase that will easily be more than 20+ characters will be almost impossible, especially with tarpitting, IP blacklisting, and locking an account out for 5-20 minutes if too many guesses are done wrong.
What would be interesting is that if someone tries to log in as root with a password (as opposed to using a public key), rather than outright deny access, just make sure all access is denied from that IP or IP range, even if a future attempt at logging on would have normally been successful. This keeps the attacker busy thinking they can gain something.
Or, if someone is really clever, spawn a fake shell which drops to a prompt, then 1-2 seconds later, have it look like it got logged out.
Something like that widely distributed would be an effective poison, until the attack scripts started checking to see if the shell prompt is real or fake.
If the computer with the key is compromised, the game is over. The password can be slurped, the key snarfed, and even the session hijacked.
It is all about limiting exposure. Going to public keys closes a potential common method of access, brute force guessing.
No security method is 100%, but in a lot of cases, something is better than nothing, and having at least root locked out from password guessing is a must for Internet facing systems.
Where the rubber meets the road is deaths per terawatt hours. Even with the disaster, nuclear remains well lower (0.04) than any of the other mainstream energy sources (coal's world average is 161, oil is 36).
With nuclear having 900 times fewer deaths than oil, this shows that something is being done right.
The problem is that with all the fear around nuclear reactors, no new, safe ones are built, so we are left with maintaining venerable designs designed barely after WWII with far fewer safety features.
The insanity of this shows when one compares this with other industries. It would be ridiculous to claim that aircraft are fundamentally unsafe and banning any new design to be made, only allowing biplanes from WWI to keep in the skies. Or saying how pathetic an automobile is while barring anything newer than a steam engine.
The spammers are moving on. In the past, there were enough people out there that would click on their links, send money, buy whatever crap is out there, or just be general marks. However, by now, anyone fleece-able is now penniless and in the streets.
Instead, the spam I see is less of trying to sell wanker drugs, but either coming with an attachment payload for a Trojan dropper, or if there is a website included, the website is chock full of exploits. Spam is more insidious because it used to be about selling stuff. Now it is about taking over the computer or device.
The drop in spam is because the criminals have moved from just sending E-mail out to focusing on Web browser exploits and other more lucrative gains. Getting someone to click a link which is rife with zero-days pays far better than getting someone to buy a box of blue M&Ms.
Targeted exploits are more common now. With ID theft so common, combined with the fact that VoIP allows a scammer from anywhere to fake a local number (even 911) in order to demand, cajole, or request information or even money. It used to be only the friend of a friend's cousin's inlaw who would be stung by it. Now, someone calling, saying they are so and so (and able to try to mimic their voice, claiming to have their jaw cracked so it doesn't sound the same), saying that so and so's wife with the name isn't around and that they need cash wired pronto is becoming the norm.
Spammers have moved away from the botnets to the phone boiler rooms, where if one has enough info and targets older Americans, the payoff can be extremely lucrative with zero chance of legal action taken.
What we are seeing is the next evolution in crime which usually goes as follows:
1: xxx crime gets popular
2: Counter measures are taken.
3: xxx crime dodges counter measures.
4: Actual working counter measures are taken.
5: The criminals move onto a new hustle.
This was true back in the 1900s when safes were broken into on a weekly basis until burglar alarm systems became the norm, then burglary evolved into home invasions and knock-and-shoots. Similar with car theft. When thieves were unable to smash a steering column lock for a prize, they went to carjacking.
What we will see instead of spammers are more social engineering attacks, where people use stolen information to target individuals via phone, E-mail, or FB in order to blackmail, extort, or scam cash.
Of course, the next threat after that is when criminal organization "A" a continent away starts making partners with local street gangs. Then, the guys on computers in Elbonia can tell the gangbangers over in a victim's local neighborhood who to rob because their cellphones are a ways away, and the Elbonian gang has access to a method of tracking in real time (perhaps some added "functionality" in a popular app). Or, the Elbonian gang hacks a school's database, then sells that info to a local gang to figure out which kids are "latchkey", and now has a steady ransom source. In return, the local gang does some hits and social engineering for the Elbonians.
The days of UID 0 being king and everyone else being a peasant have been over for a long time. Some examples:
Solaris: Root is a role, not a user.
Linux: AppArmor and SELinux come into play.
AIX: Root can be removed and assigned to roles, where UID 0 is just another user.
BSD: Plenty of ways to limit access via ACLs and other mechanisms.
OS X: Root has to be explicitly enabled.
Pretty much, the only reason the concept of root exists these days is a "master override" when one just needs to get something done without roles/ACLs/et. al. coming into the picture, such as doing hardware configurations, or booting from recovery media. Almost all new operating systems tend to not allow the user to run as root unless it is explicitly enabled.
Ideally, they should store the user data encrypted with a random key (and salt, of course, so one user's files that have the same contents can't be told from another.) That random key is stored encrypted with either the data from recovery questions, or the user's password able to unlock it, neither available/recoverable from the stored, salted hashes. Of course, if the user chooses crappy recovery answers, an attacker would have it easy to unlock items, but that form of security is up to the user.
In theory, this would be the next best thing to room temperature superconductors for getting electricity long distances.
I can envision a nuclear/solar/wind farm out in west Texas generating energy, then using this method to create butanol, which runs via a pipeline to a burning facility that is near a populated area, which powers the grid. Yes, this is not that efficient, but neither is the large energy loss from long distance power lines.
Call me naive, but I have no idea why websites like using other social networks for authentication. Is there something so secure that I can trust Facebook with any and all logins and passwords for not just me, but all my users?
Yes, FB and Google have two factor authentication as options, but when it comes to making sure my users have basic security, I'd rather pack my own parachute, and have a dedicated appliance store username/password hashes so if someone owns the rest of my boxes, they can't just scoop out passwords that can be used at other sites.
Maybe this can be a market niche -- a site offering not just OpenID, but a custom API like the old Microsoft Passport allowing people to authenticate from that site, optionally using an app or SecurID key fob.
There is also a third conservative; a practical one.
Take a software development shop doing security sensitive code. One type of conservative would fire the developers and offshore everything, hiring a H-1B for anything that needed done on US soil, only later to find that their business is compromised. Another type would fire the senior developers and hire people at min wage, firing anyone too good so they don't have to give pay raises.
A practical conservative knows that morale is important in the company, and knows that payroll is a relatively small fraction of accounts payable. They give the developers competitive pay, and morale is high. The result is that security policies are strictly followed because people rally behind the company's banner (as opposed to just going there for a paycheck.) Result, no leaks or security intrusions, and employee ideas add further revenue.
Similar with government. A practical conservative considers part of national security the welfare and morale of citizens. Better pay for good schools now than pay for long prison stays later.
There is one market where solar is becoming a must, and that is RV-ing. With all the electric-hungry appliances that are running off 12 volts, coupled with the fact that batteries take a long time to come up to full charge, solar is becoming a must have for anyone with a RV who isn't just staying on an RV park's shore power 24/7/365. With rigs getting larger, there is plenty of space to add panels.
Add to this flexible solar panels that can be rolled up, and I can envision someone able to run appliances like the A/C or microwave off a battery bank that is recharged by the solar panels on the ceiling, awning, and perhaps an extended room.
So, for RV-ers, it is something that allows for the comforts of home without having to break out the generator.
The FBI is also dealing with a lot of businesses who have existed for years with at best paying lip service to computer security.
I remember a few years back so many PHBs saying, "security has no ROI" like it was a mantra for magic success. Of course when I asked the person about what they do if they do get breached, the answer was invariably, "Call Geek Squad, and they will fix it."
The sad thing is that there is no real drive for private businesses to focus on actual security. A breach happens, and usually it won't be reported, and if it is, it is because there are thousands of people who got nailed and have hard evidence finding who did it upstream. Even though there are laws to disclose breaches with private info lost, it isn't hard to ignore them -- the company top brass will find a fall guy, and the domain admin password will continue to remain "swordfish". Even if the firm goes bankrupt, it doesn't really matter, because the top brass just finds a niche somewhere else.
There is also the belief that intruders won't do much damage. A wiped box? Stick in a backup tape. Lost customer info? Not our problem if customers get identity theft issues. Lost source code? The H-1Bs end up copying it to their home soil anyway.
Until the attitude that security is a cost center with nothing to gain back goes away, it is no wonder that criminal organizations and foreign intel departments are having a field day.
Ironically, where I see actual improvement in security is in government. The main reason is that government departments (and this applies not just to the US but any country out there) have a lot to lose, especially around election years. Companies can fold and the CEO just moves to a new venture, but a government department that is weak on security will face the wrath of the voters, as well as any elected official that is looking to keep their jobs. In countries that are not democracies, it can mean loss of face for leadership which will be swiftly dealt with.
The ironic thing is that Sony makes very good products. Even back in the late '90s, their "MP3" [1] players were well made.
Sony could have had the whole MP3 player market just like they did with the portable cassette players, where the generic term became "Walkman". However, the extreme DRM on OpenMG, then Sonic stage caused people to look elsewhere... and even though Apple's offerings were lackluster, people could copy music to it, and with a little sleight of hand, copy their music from the device.
I wish Sony learned that lesson -- that too much DRM and consumer-hostility is bad for business. However, the PS3 did turn that around -- it took almost five years for a meaningful crack to appear (and new PS3s are immune to those), so Sony enjoyed a completely piracy-free platform for longer than most consoles had usable lifespans. So, because the DRM worked so well for them with people still lining up to buy their products, Sony is actively encouraged to be consumer-hostile.
[1]: Some of the players in the early days required a complete transcode of files to ATRAC3. Other players just wrapped up the MP3 file in an encryption layer. Both didn't allow for copying to a device, one had to "check out" the files, and only was allowed three "check-outs" per song. Eventually Sony made "normal" MP3 players, but at that time, it was pretty much too late.
The certs in the latest version of OpenSSH are as lightweight as one can get... it is better than nothing though.
For a long time, people didn't care about privacy. They didn't care that some ad agency was writing down what websites they visited as long as they could get to whatever Internet sites.
Now, people are starting to feel the consequences of no privacy. Companies making point scores based on people's Internet postings, the fact that an arrest for *anything* will be a career ender [1], even if it is just PI and a 4 hour stint in the drunk tank. The wrong like on Facebook gets someone branded as a potential racist for 7 years.
A few years back, at first was a joke about people losing jobs due to FB posts. Now, this is routine, as well as the fact that the police can become involved if the wrong thing is posted in minutes. It is scary that one thing stated in anger and stupidity can mean not finding work, but more dire consequences such as expulsion from a school, or jail/prison time.
Will this change? I doubt it. I'm watching the threshold for getting arrested, getting a felony, or even life in prison become ever more trivial. Especially anything related to drug possession.
I can tell I'm getting older when it actually took some doing to be arrested in school when I was there (something that really was a felony). Now, it is common to read about some high school kid whisked from the school grounds and to jail because they backtalked a coach (which is considered assault in some areas), or that they decided to skip a class and went to jail due to curfew laws. What are we teaching kids when their friends get hauled off to jail and the person's chances of a job in the future nixed? Yes, fear of authority, but definitely not respect.
I'm just waiting for a convergence of hardware DRM stacks, data mining, "anti-piracy" laws, and IP address geolocation where new computers will shoot taser probes at the person using them, and keep them doing "the fish" until the cops arrive, the second they type a suspicious or angry post.
[1]: I've asked about that when I got through a round of interviews at one place and others who I know were more qualified than I didn't. The HR droid said something along the lines of, "You can buy an acquittal. If a cop considers someone guilty enough to pull out the handcuffs, they are a criminal and will remain a criminal for the rest of their lives, and they will not ever see a job here."
There are carriers who will refuse to let phones on their networks unless they originally sold them. I'd rather just swap SIM cards, as opposed to have to beg, plead, and wheedle for them to use the ESN for a new device.
With GSM companies, worst that happens is that they might sneak a data plan if their IMEI detector matches the number with a line of smartphones.
I'd love to see stuff like that as well as:
OpenSSH signed certificates (Not X.509) and TrustedUserCAKeys options and their usage. This way, I can hand a new cow-orker signed ssh host keys and assuming he or she knows enough not to just blindly replace a key if it isn't right, will minimize the chance of a MITM attack.
Revoking SSH keys.
Using SSHGuard to lock out brute force attempts.
Proper configuration of the sshd_config file. Stuff like only allowing root in via RSA keys (or blocking root access entirely.)
Auditing logs to know that key "A" ssh-ing to root is from user Alice, and key "B" is from Bob, so that one can tell who just wiped out the wrong filesystem come an inquiry.
Running sshd as a user, not as root.
Getting a backup program like NetBackup to form a ssh tunnel, do the backup, then close down the connection cleanly.
Ironic thing, one interview I stated something similar (mainly about keeping personal life and work life separated)... the answer I received was mind-blowing:
"You might think you are a professional 8/5, but you are an employee 24/7, and what affects you personally can affect our business."
It seems companies don't care if the employee telling all is not as skilled as someone who doesn't give out info -- what is wanted are docile people who can follow orders.
This is pennywise and pound foolish because if an employee does anything for the job in the first place, then another party who offers more can get said employee to do the same thing, where in the past it was a FB login, but then it becomes the Domain Admin account, root on the LDAP server, or an open ssh port and the enable secret on the core/edge router fabric.
People who know they are hired because they were the most docile or were the cheapest are likely going to passively ignore security policies, or even worse, actively copy information.
You would be surprised. In this economy, even people with a clue are looking for a job, and they have to fight against people with far less skills, but are far more willing to do anything asked of them by an employer, laws be damned.
When I was looking for work, I told more than one company where to stick it when the HR rep demanded a password and said that if a candidate wasn't doing something illegal or immoral, they would hand it over. The classic, "if you didn't have something to hide" type of BS.
In a firm that wasn't run by "poo-poo heads" (as a friend's daughter calls them), if someone was going to turn over their personal info (E-mail passwords, FB, other IDs) just on asking, there would be no way in Hell they would be hired. Just think what that person would do with company logins and such if someone else offered them more money.
What will happen will be similar to what happened to me when I was job hunting a couple years back:
The HR person will narrow their eyes once they get the answer that you don't have a FB account and ask, "If you are a so called IT person who is applying for something better than flipping burgers, then why are you not keeping up with modern day technology? Why should we hire a fossil, when any middle school kid can understand the concept of a social network, which you have demonstrated that you have failed to do so?"
I ended up creating dummy accounts on FB/MySpace/Twitter/LinkedIn just so I wouldn't have to deal with that crap. When asked if they could friend/follow the account, I just granted that.