That is true, but in general unless one possesses a HD set (which eventually will be commonplace), there is not that much advantage to Blu-ray over DVDs, other than some interactive Java stuff.
A lot of people are still content with their "old fashioned" DVD collection, and don't feel like paying the premium for a BD player yet. Blu-ray players are still relatively pricy compared to DVD players, so a number of people are going to just wait and see, as for now the quality on a DVD is good enough.
Once Blu-ray players come down in price a bit, people will eventually start adapting to them, but it will be gradual, probably slowly over the next 3-5 years.
The confusion between someone copying a movie from a P2P network for no profit and a criminal organization deliberately making unauthorized counterfeit copies of movies to sell in stores is a difference that a lot of groups want the line blurred.
Counterfeiting is truly theft, as each single counterfeit copy takes a sale away from a genuine firm. The other is not theft, but IP infringement, which is not considered a criminal offense in most countries (although there are a lot of deep pockets wanting to change that.)
With my limited knowledge of American history, before the income tax was enacted, the US made their main income from a revenue (as opposed to a protective) tariff.
Maybe we need to re-examine that as a possible income source.
Another idea is to have a random value on the chip, and have a function that takes some input "X", concats it with the random value, then outputs a SHA-512 hash. The random value which is the seed of the hash would also be stored in a highly secure database at the chip maker's place.
Then, the chip maker can tell someone that genuine chips, if given the value of "foo" with the function, will output a hash "bar", and then give a list of "bar" outputs. Then, periodically change the "foo" value so if someone make a counterfeit chip, the output "bar" won't change like true chips would. This is more secure than just a serial number because fakes can find a single genuine chip serial, and make tons of copies with that ID.
Another idea, although it would take a lot of die room would be a cryptographic coprocesser, and have each chip have its own RSA or ECC private key stored in a secure location. Then, each chip's key is certified at the factory. Then, its fairly trivial to validate chips, and if a multiple chips have the same public key, the fab can issue a revocation certificate.
Decent cryptographic technologies have been with us for a while. I wonder about someone like Verisign making an EV-like system for E-mail certificates, where people/companies/organizations can apply, and after a thorough vetting, get a certificate (preferably on a hardware cryptographic token) that that person is whom they claim to be. Of course, E-mail clients like Thunderbird, mail.app, and Outlook would have to be updated to show that a mail is authentic.
This would help against spam similar to how anti-phishing technologies in IE and Firefox protect against bad websites, but its still not perfect.
S/MIME and PGP are strong technologies to help against fraud. I just wish more companies would send out mail with it. For example, one could register a PGP public key with a shop, and when the shop would send E-mail, it would send it signed, and encrypted to that key. Even just using S/MIME's signing capability which works with virtually any E-mail client [1] would help matters greatly.
[1]: Even pine and mutt support S/MIME. A lot of cellphones support this functionality as well, such as all recent Windows Mobile devices and Blackberries.
Finally, if this is a concern, there is always the IP address which advertisers can use to correlate information.
This can be fixed by using an anonymous service provider, or if you have access to a company or campus network, VPN in and browse from there.
Of course, there is TOR, but the advantage of an anonymous service provider or a corporate VPN is that you have a reliable, persistent connection. I try to save the TOR bandwidth for those who really need it.
I would not mind more people to train IT. For some reason, except for people who like the field (such as myself), people are actively being told to steer away from CS/IT as a college path.
I see this when going to the university I'm enrolled in. People are steered into pre-law degree paths as opposed to MIS or CS by high school counselors because of the fear that they will get out and immediately lose their job due to outsourcing, or the fact that an IT person has to spend a lot of time not just keeping current with the latest technologies, but how the new stuff applies to the company they are working at.
In some ways, its a vicious circle. People avoid IT as a profession because they hear about the shabby treatment of IT people in companies, which causes companies to have to find lower quality workers or hire I-9s to fill gaps.
In some ways, targeted ads are good for that. However, the same information gathered up by advertisers to pitch something you are interested in can easily be used for not so good purposes. Employers can use that information as criteria for promoting or laying off, people that are on the opposite side in a court case can obtain that information and use it against you in court, or it can be used for criminal proceedings later on.
Targeted ads can be put together with other pieces of information by criminals to build a profile of someone they want to attack, either by identity theft, or just outright extortion.
Until there is a global treaty, that guards privacy multi-nationally, similar to how WIPO guards IP, then I just do not trust advertisers at all with any information. If privacy laws are put in place with civil/criminal consequences if breached (similar to statues in Sarbanes-Oxley or HIPAA), then it will be a different issue. There are just too many laptops floating around out there with too much sensitive information and no TrueCrypt, EncFS, glbd, or FileVault present to guard that data as of now, so I try to make sure as little info as possible from me winds up on those.
One thing that people don't clear as often as cookies is the Flash Shared Object repository. A lot of advertisers use this to store persistent user data in lieu of cookies to monitor viewer activities.
I personally use two ways to block this. First is NoScript which is a must have companion to Adblock. Adblock stops the known stuff, NoScript stops the unknown stuff.
Second, on Windows, I deleted the Flash Player folder in Documents and Settings\username\Application Data\Macromedia, and created a text file with the exact same name as the folder. This makes the Flash player unable to write any persistent data to disk. However, this does sometimes mess up sites like YouTube which store legit preferences.
Third, I run a utility called ccleaner (used to be called Crap Cleaner) which is great for removing random junk left over in Windows apps.
This is not perfect, but good for most sites. If you want better security, consider running your Web browser in a VM that dumps all changes since a known good snapshot. I do this for some entertainment Flash sites because I don't feel like allowing, even temporarily, all the data mining companies write access to my machine.
In a number of countries that this chip is aimed for, what will happen is that some knockoff fab will disassemble the chip, figure out the masks, and just make and sell the same IC minus the locking circuitry.
This type of locking mechanism also brings up other points. Once the IC is "unlocked", is it unlocked for good, or just for a time period? Could some criminal organization figure out the method of re-locking it, then lock the machines who belong to the patent holder's customers? This would result in some decent havoc especially in embedded circuitry (HVAC systems, railroad switches.)
The article seems to be lacking substance as well.
This would work or backfire depending on the type of American media. For example, if its some songs made by current pop stars, it could be considered a violation of the Geneva Convention by doing that.
AOL could always do this, just hand out USB flash drives instead of CDs.
In any case, the majority of the Cubans would just cheer, format them, and have new media for trading.
Rule 1 prevents Outlook from accepting any incoming connections. Outlook has no need to be listening on any ports at all.
Outgoing connections should be restricted, so if Outlook does get hijacked by an exploit, the damage it can do is limited. It can still do some bad things (sending bogus E-mails), but a firewall ruleset would prevent it from connecting to some random IP in a botnet to pick up a new payload, or opening a listening socket so someone can connect to it.
I'm not just picking on Outlook; a lot of programs don't need Net access at all, except perhaps connecting to a server to check for updates.
That is true, because by default Windows Server 2003 and XP keep a LAN Manager password hash. This can be fixed by going into Group Policy, enable the "Do not set LAN manager hash on next password change" option, then changing all passwords.
Thankfully this is set differently by default in both Windows Vista and Windows Server 2008, so the LAN Manager hash is worthless. Of course, this doesn't mean that one can ignore physical security completely, but it raises the bar for password cracking.
To be safe, blincoln has the right idea -- minimum 15 characters, so even if the LAN Manager compatibility gets enabled for some $DEITY-forsaken reason, the passwords are immune to rainbow table cracking.
Long term, unless done already, MS needs to take a page from TrueCrypt's playbook [1], and perhaps offer the ability for passwords to be encoded with a varying number of rounds, (for example, SHA-512 hashing a password with a random salt, repeating a million times.) This will slow down brute forcing as an attack vector significantly.
Even on operating systems which are considered secure by default, AV makers still make tons of money. Not because the OS needs it, but because a lot of businesses need to check off a box on a client contract that states that all their machines have AV/firewall/anti-malware apps running on them, from the office PC to the high end AIX machines with the multi gigabyte DB/2 database. For example, some companies that are working on PCI compliance for credit cards pay large amounts of cash to McAfee for a virus scanner on their Solaris boxes just so they can say they have software installed and operable, even though its likely Hell will freeze over before some worm would hit those machines.
MS Bashing aside, Windows Vista and Windows Server 2008 have decent security out of the box. What I see that causes problems (especially with UAC prompts) usually is older software that has to run as administrator. Linux, MacOS, and other UNIX variants have had their security model for decades, so application developers are used to having their stuff run as a user, avoiding actual running as UID 0 as much as possible except for the initial install. A lot of application developers coding for Windows just have to be dragged, kicking and screaming to also get used to this model.
To bring Windows on par with other operating systems, one improvement I would like to see in Vista and Server 2008 would be a more configurable firewall. As of now, it does allow and deny entries, but I'd like to have the ability to chain rules together. For example:
1: Outlook cannot accept any incoming packets. 2: Outlook can send out to hosts x,y, and z on port 25. 3: Outlook cannot send out on port 25. 4: Outlook can hit the POP3 ports on hosts a,b,c. 5: Outlook can hit the IMAP port on host d. 6: Outlook can hit the HTTP port on host e. 7: Outlook is disallowed from any further communication out.
Or:
Exchange can send out to 10.0.0.5 on port 25, but is barred from sending anyplace else.
Long term, what would be nice is if Microsoft had applications specify in the.MSI file what network access (if any) is needed, so programs would have entries already made upon install.
Here is a compromise which I saw on a blog, but forgot where: The password rule was a password change every 45 days, and one greater than 15-16 characters, but the complexity requirements were very lax (pretty much disallowing all "1"s or "abcd".) This allowed users to have long, but fairly easy to remember stuff like "1duffbeervs.2skittlebrau". With a decent access control system, someone trying to brute force passwords would either force the account to lock, start getting tarpitted where each access takes longer and longer, or the source where the brute forcing is coming from would get locked from accessing the login server.
It is hard to say what is better, a long password that has fewer obscure characters, or a shorter password that has a strict password quality policy. I personally choose the longer passwords, although length is not everything, and if long passwords are implemented with too lax a quality meter, dictionary cracking would make the length absolutely pointless.
As for USB drives, why can't one of the USB manufacturers that does the two drive trick also add a hook in for generic OS support. For example, a file that one can write to which the drive would use as a pipe. For example, I stick in a secure USB drive, edit "password" which is a zero byte file on there, type in the password and save the file, and it would grant access. Same if I did an "echo 'password' >/usbdrive/password" on a UNIX machine. Of course there are issues with writable and read-only drives.
Spam also comes with secondary hazards. Phishing attacks, websites which are for exploiting. These, if even one is successful can cost a company great expense, from data loss, to reputation lost if any corporate machines end up as zombie servers and found responsible for an attack.
Spam is expensive in another way. Sarbanes Oxley, HIPAA, and other corporate regs requires E-mail to be archived for seven years. This means spam too. So, those messages about turning Vienna sausages into Titan V rockets have to take up disk space pretty much permanently.
Perhaps we should go back to the old method of patenting stuff that was done in the early days of the patent office. Every patent application needs a working prototype to be sent in with it. This case, if someone patents warp drive, the USPTO better be getting a flux capacitor via UPS.
Of course, this has its issues, a manufacturing process would be hard to send a prototype of, other than perhaps the before, during, and after stage.
There are two more winners. A lot of companies do cross licensing agreements of patents so company A can use company B's stuff and there is no worry about infringement.
What this does is that any company not in the patent cross licensing network gets forced out of business, and any innovations they do have on a work that is claimed to be patented end up being able to be used by the holder.
Last, there are companies out there who buy obscure patents looking for something that related so a company's mainstay. The small company then sues the large company. Almost always, this is settled secretly for lots of money before it goes to court. Even if the patent is questionable, the larger company is on the defensive because if for some reason it does get upheld in a court, its the end of their business.
I used to have faith in the patent system, where people who were infringing were doing so deliberately, similar to people who made counterfeit software boxes. Now, the barrier for tripping over some obscure patent is so low, almost any company is at risk.
In the US, we get an excellent level of journalism and thorough coverage of topics......if the topic is something related to a celebrity such as Britney Spears.
I'm not sure about the EU, but I know most of my credit cards support up to eight digits for a PIN. I take advantage of this whenever I can.
As for the numbers printed on checks, apenzott has an excellent idea. It wouldn't be hard for banks to use a 128 or 256 bit encryption key stored in a secure location [1] and have each person's check printed with the encrypted bank account number, perhaps using the check number as the IV (so each check has a different value), although using the check number is a small keyspace for an IV.
[1]: Hopefully assuming the encryption key is in a place at the bank where it won't get compromised.
I wonder if the next step is one time PIN entries that are tied to the card, similar to S/Key or OPIE passwords, but 4-6 numeric digits in length. The customer obtains the PIN series by scratching off codes on a card mailed from their bank or another secure channel.
Another idea is to have the customer physically possess the unit that does the PIN entry as well as the smartcard. Perhaps instead of cards directly, have this be a module that is included in cellphones, and the customer's smartcard be a SIM card. This way, further authentication can be added, such as fingerprints.
Ultimately, the best would be a public key system where the customer signs each transaction with a private key stored on the smartcard, and the PIN entered in on something the customer possesses. Then, a fraudster can end up with the account number, but (barring any theft rings having a breakthrough in factoring) it would be absolutely useless to them unless they can get the RSA or elliptic curve key physically out of the smartcard itself. Instead of relying on account information, there should be a system where a customer can cryptographically sign each transaction. If the transaction isn't signed, its bogus.
Of course, allowances need to be put in place for reoccurring transactions such as website subscription fees, but that would not take much work to put in place.
Even better, perhaps a memory segment which can be used as "secure RAM" which is battery backed up and cleared by hardware (either just zeroing it out or running whatever patterns) when the machine is powered off or rebooted. One could go to having the hardware generate an encryption key every boot or power cycle (storing that in a memory chip that is quickly zeroed out and hard to physically access), then having the addresses in the "secure RAM" area AES encrypted. Jetico's BestCrypt does similar functionality to this in software to protect the Windows swap file, where each boot it used a new encryption key to ensure that anything written to the on disk Windows swap file is encrypted.
Another protection would be to have some memory manager keep an allocation table for this "secure RAM" address space. Upon reboot, the allocation table is cleared. Then, for each address that gets written, the allocation table is updated with it. If a program reads from RAM that has not been written to since the last reboot, it gets returned zeroes regardless of the true values in that memory.
I think as time goes on, perhaps the best way to browse the Web is having a virtual machine running under a dedicated, locked down user, so if the OS in the VM is compromised, an unknown exploit that might let malware out of the VM to compromise the host would be stopped. Its not 100%, but it seems to be the best way of doing things. Of course, the Web browser should have Noscript and Adblock functionality for a lock on the front door.
Eventually, I wonder if the Web browser should be completely enclosed in its own VM, where it doesn't require an explicit launching of a client OS, perhaps similar to how Thinstall wraps applications so all changes are only written to a sandbox directory. Vista's protected mode in IE7 is a start, where IE7 does not have access to the full Registry, but more separated from the rest of the machine with limits on CPU and other resources.
If we could get a space elevator working and in production for commercial use, this would be a BIG accomplishment for everyone. This would lower the barrier of access to space to commercial ventures, rather than just only accessible to only the richest of countries.
It is a solid revenue stream. If malware succeeds in installing, there is profit to be made from identity theft, theft of CD keys from games, grabbing virtual assets like MMO accounts and selling them (or using the account for EULA-breaking items until the account is permanently banned), blackmail, extortion, botnet making, spam zombies, and many other nasty things
Virus writing is highly profitable, each second a piece of malware goes unstopped on a machine is a second that the machine can continue to spew spam, spy on an internal network, or be a part of a DDoS attack.
That is true, but in general unless one possesses a HD set (which eventually will be commonplace), there is not that much advantage to Blu-ray over DVDs, other than some interactive Java stuff.
A lot of people are still content with their "old fashioned" DVD collection, and don't feel like paying the premium for a BD player yet. Blu-ray players are still relatively pricy compared to DVD players, so a number of people are going to just wait and see, as for now the quality on a DVD is good enough.
Once Blu-ray players come down in price a bit, people will eventually start adapting to them, but it will be gradual, probably slowly over the next 3-5 years.
The confusion between someone copying a movie from a P2P network for no profit and a criminal organization deliberately making unauthorized counterfeit copies of movies to sell in stores is a difference that a lot of groups want the line blurred.
Counterfeiting is truly theft, as each single counterfeit copy takes a sale away from a genuine firm. The other is not theft, but IP infringement, which is not considered a criminal offense in most countries (although there are a lot of deep pockets wanting to change that.)
With my limited knowledge of American history, before the income tax was enacted, the US made their main income from a revenue (as opposed to a protective) tariff.
Maybe we need to re-examine that as a possible income source.
Another idea is to have a random value on the chip, and have a function that takes some input "X", concats it with the random value, then outputs a SHA-512 hash. The random value which is the seed of the hash would also be stored in a highly secure database at the chip maker's place.
Then, the chip maker can tell someone that genuine chips, if given the value of "foo" with the function, will output a hash "bar", and then give a list of "bar" outputs. Then, periodically change the "foo" value so if someone make a counterfeit chip, the output "bar" won't change like true chips would. This is more secure than just a serial number because fakes can find a single genuine chip serial, and make tons of copies with that ID.
Another idea, although it would take a lot of die room would be a cryptographic coprocesser, and have each chip have its own RSA or ECC private key stored in a secure location. Then, each chip's key is certified at the factory. Then, its fairly trivial to validate chips, and if a multiple chips have the same public key, the fab can issue a revocation certificate.
Decent cryptographic technologies have been with us for a while. I wonder about someone like Verisign making an EV-like system for E-mail certificates, where people/companies/organizations can apply, and after a thorough vetting, get a certificate (preferably on a hardware cryptographic token) that that person is whom they claim to be. Of course, E-mail clients like Thunderbird, mail.app, and Outlook would have to be updated to show that a mail is authentic.
This would help against spam similar to how anti-phishing technologies in IE and Firefox protect against bad websites, but its still not perfect.
S/MIME and PGP are strong technologies to help against fraud. I just wish more companies would send out mail with it. For example, one could register a PGP public key with a shop, and when the shop would send E-mail, it would send it signed, and encrypted to that key. Even just using S/MIME's signing capability which works with virtually any E-mail client [1] would help matters greatly.
[1]: Even pine and mutt support S/MIME. A lot of cellphones support this functionality as well, such as all recent Windows Mobile devices and Blackberries.
Finally, if this is a concern, there is always the IP address which advertisers can use to correlate information.
This can be fixed by using an anonymous service provider, or if you have access to a company or campus network, VPN in and browse from there.
Of course, there is TOR, but the advantage of an anonymous service provider or a corporate VPN is that you have a reliable, persistent connection. I try to save the TOR bandwidth for those who really need it.
I would not mind more people to train IT. For some reason, except for people who like the field (such as myself), people are actively being told to steer away from CS/IT as a college path.
I see this when going to the university I'm enrolled in. People are steered into pre-law degree paths as opposed to MIS or CS by high school counselors because of the fear that they will get out and immediately lose their job due to outsourcing, or the fact that an IT person has to spend a lot of time not just keeping current with the latest technologies, but how the new stuff applies to the company they are working at.
In some ways, its a vicious circle. People avoid IT as a profession because they hear about the shabby treatment of IT people in companies, which causes companies to have to find lower quality workers or hire I-9s to fill gaps.
In some ways, targeted ads are good for that. However, the same information gathered up by advertisers to pitch something you are interested in can easily be used for not so good purposes. Employers can use that information as criteria for promoting or laying off, people that are on the opposite side in a court case can obtain that information and use it against you in court, or it can be used for criminal proceedings later on.
Targeted ads can be put together with other pieces of information by criminals to build a profile of someone they want to attack, either by identity theft, or just outright extortion.
Until there is a global treaty, that guards privacy multi-nationally, similar to how WIPO guards IP, then I just do not trust advertisers at all with any information. If privacy laws are put in place with civil/criminal consequences if breached (similar to statues in Sarbanes-Oxley or HIPAA), then it will be a different issue. There are just too many laptops floating around out there with too much sensitive information and no TrueCrypt, EncFS, glbd, or FileVault present to guard that data as of now, so I try to make sure as little info as possible from me winds up on those.
One thing that people don't clear as often as cookies is the Flash Shared Object repository. A lot of advertisers use this to store persistent user data in lieu of cookies to monitor viewer activities.
I personally use two ways to block this. First is NoScript which is a must have companion to Adblock. Adblock stops the known stuff, NoScript stops the unknown stuff.
Second, on Windows, I deleted the Flash Player folder in Documents and Settings\username\Application Data\Macromedia, and created a text file with the exact same name as the folder. This makes the Flash player unable to write any persistent data to disk. However, this does sometimes mess up sites like YouTube which store legit preferences.
Third, I run a utility called ccleaner (used to be called Crap Cleaner) which is great for removing random junk left over in Windows apps.
This is not perfect, but good for most sites. If you want better security, consider running your Web browser in a VM that dumps all changes since a known good snapshot. I do this for some entertainment Flash sites because I don't feel like allowing, even temporarily, all the data mining companies write access to my machine.
In a number of countries that this chip is aimed for, what will happen is that some knockoff fab will disassemble the chip, figure out the masks, and just make and sell the same IC minus the locking circuitry.
This type of locking mechanism also brings up other points. Once the IC is "unlocked", is it unlocked for good, or just for a time period? Could some criminal organization figure out the method of re-locking it, then lock the machines who belong to the patent holder's customers? This would result in some decent havoc especially in embedded circuitry (HVAC systems, railroad switches.)
The article seems to be lacking substance as well.
This would work or backfire depending on the type of American media. For example, if its some songs made by current pop stars, it could be considered a violation of the Geneva Convention by doing that.
AOL could always do this, just hand out USB flash drives instead of CDs.
In any case, the majority of the Cubans would just cheer, format them, and have new media for trading.
Rule 1 prevents Outlook from accepting any incoming connections. Outlook has no need to be listening on any ports at all.
Outgoing connections should be restricted, so if Outlook does get hijacked by an exploit, the damage it can do is limited. It can still do some bad things (sending bogus E-mails), but a firewall ruleset would prevent it from connecting to some random IP in a botnet to pick up a new payload, or opening a listening socket so someone can connect to it.
I'm not just picking on Outlook; a lot of programs don't need Net access at all, except perhaps connecting to a server to check for updates.
That is true, because by default Windows Server 2003 and XP keep a LAN Manager password hash. This can be fixed by going into Group Policy, enable the "Do not set LAN manager hash on next password change" option, then changing all passwords.
Thankfully this is set differently by default in both Windows Vista and Windows Server 2008, so the LAN Manager hash is worthless. Of course, this doesn't mean that one can ignore physical security completely, but it raises the bar for password cracking.
To be safe, blincoln has the right idea -- minimum 15 characters, so even if the LAN Manager compatibility gets enabled for some $DEITY-forsaken reason, the passwords are immune to rainbow table cracking.
Long term, unless done already, MS needs to take a page from TrueCrypt's playbook [1], and perhaps offer the ability for passwords to be encoded with a varying number of rounds, (for example, SHA-512 hashing a password with a random salt, repeating a million times.) This will slow down brute forcing as an attack vector significantly.
Even on operating systems which are considered secure by default, AV makers still make tons of money. Not because the OS needs it, but because a lot of businesses need to check off a box on a client contract that states that all their machines have AV/firewall/anti-malware apps running on them, from the office PC to the high end AIX machines with the multi gigabyte DB/2 database. For example, some companies that are working on PCI compliance for credit cards pay large amounts of cash to McAfee for a virus scanner on their Solaris boxes just so they can say they have software installed and operable, even though its likely Hell will freeze over before some worm would hit those machines.
.MSI file what network access (if any) is needed, so programs would have entries already made upon install.
MS Bashing aside, Windows Vista and Windows Server 2008 have decent security out of the box. What I see that causes problems (especially with UAC prompts) usually is older software that has to run as administrator. Linux, MacOS, and other UNIX variants have had their security model for decades, so application developers are used to having their stuff run as a user, avoiding actual running as UID 0 as much as possible except for the initial install. A lot of application developers coding for Windows just have to be dragged, kicking and screaming to also get used to this model.
To bring Windows on par with other operating systems, one improvement I would like to see in Vista and Server 2008 would be a more configurable firewall. As of now, it does allow and deny entries, but I'd like to have the ability to chain rules together. For example:
1: Outlook cannot accept any incoming packets.
2: Outlook can send out to hosts x,y, and z on port 25.
3: Outlook cannot send out on port 25.
4: Outlook can hit the POP3 ports on hosts a,b,c.
5: Outlook can hit the IMAP port on host d.
6: Outlook can hit the HTTP port on host e.
7: Outlook is disallowed from any further communication out.
Or:
Exchange can send out to 10.0.0.5 on port 25, but is barred from sending anyplace else.
Long term, what would be nice is if Microsoft had applications specify in the
Here is a compromise which I saw on a blog, but forgot where: The password rule was a password change every 45 days, and one greater than 15-16 characters, but the complexity requirements were very lax (pretty much disallowing all "1"s or "abcd".) This allowed users to have long, but fairly easy to remember stuff like "1duffbeervs.2skittlebrau". With a decent access control system, someone trying to brute force passwords would either force the account to lock, start getting tarpitted where each access takes longer and longer, or the source where the brute forcing is coming from would get locked from accessing the login server.
/usbdrive/password" on a UNIX machine. Of course there are issues with writable and read-only drives.
It is hard to say what is better, a long password that has fewer obscure characters, or a shorter password that has a strict password quality policy. I personally choose the longer passwords, although length is not everything, and if long passwords are implemented with too lax a quality meter, dictionary cracking would make the length absolutely pointless.
As for USB drives, why can't one of the USB manufacturers that does the two drive trick also add a hook in for generic OS support. For example, a file that one can write to which the drive would use as a pipe. For example, I stick in a secure USB drive, edit "password" which is a zero byte file on there, type in the password and save the file, and it would grant access. Same if I did an "echo 'password' >
Spam also comes with secondary hazards. Phishing attacks, websites which are for exploiting. These, if even one is successful can cost a company great expense, from data loss, to reputation lost if any corporate machines end up as zombie servers and found responsible for an attack.
Spam is expensive in another way. Sarbanes Oxley, HIPAA, and other corporate regs requires E-mail to be archived for seven years. This means spam too. So, those messages about turning Vienna sausages into Titan V rockets have to take up disk space pretty much permanently.
Perhaps we should go back to the old method of patenting stuff that was done in the early days of the patent office. Every patent application needs a working prototype to be sent in with it. This case, if someone patents warp drive, the USPTO better be getting a flux capacitor via UPS.
Of course, this has its issues, a manufacturing process would be hard to send a prototype of, other than perhaps the before, during, and after stage.
There are two more winners. A lot of companies do cross licensing agreements of patents so company A can use company B's stuff and there is no worry about infringement.
What this does is that any company not in the patent cross licensing network gets forced out of business, and any innovations they do have on a work that is claimed to be patented end up being able to be used by the holder.
Last, there are companies out there who buy obscure patents looking for something that related so a company's mainstay. The small company then sues the large company. Almost always, this is settled secretly for lots of money before it goes to court. Even if the patent is questionable, the larger company is on the defensive because if for some reason it does get upheld in a court, its the end of their business.
I used to have faith in the patent system, where people who were infringing were doing so deliberately, similar to people who made counterfeit software boxes. Now, the barrier for tripping over some obscure patent is so low, almost any company is at risk.
In the US, we get an excellent level of journalism and thorough coverage of topics... ...if the topic is something related to a celebrity such as Britney Spears.
I'm not sure about the EU, but I know most of my credit cards support up to eight digits for a PIN. I take advantage of this whenever I can.
As for the numbers printed on checks, apenzott has an excellent idea. It wouldn't be hard for banks to use a 128 or 256 bit encryption key stored in a secure location [1] and have each person's check printed with the encrypted bank account number, perhaps using the check number as the IV (so each check has a different value), although using the check number is a small keyspace for an IV.
[1]: Hopefully assuming the encryption key is in a place at the bank where it won't get compromised.
I wonder if the next step is one time PIN entries that are tied to the card, similar to S/Key or OPIE passwords, but 4-6 numeric digits in length. The customer obtains the PIN series by scratching off codes on a card mailed from their bank or another secure channel.
Another idea is to have the customer physically possess the unit that does the PIN entry as well as the smartcard. Perhaps instead of cards directly, have this be a module that is included in cellphones, and the customer's smartcard be a SIM card. This way, further authentication can be added, such as fingerprints.
Ultimately, the best would be a public key system where the customer signs each transaction with a private key stored on the smartcard, and the PIN entered in on something the customer possesses. Then, a fraudster can end up with the account number, but (barring any theft rings having a breakthrough in factoring) it would be absolutely useless to them unless they can get the RSA or elliptic curve key physically out of the smartcard itself. Instead of relying on account information, there should be a system where a customer can cryptographically sign each transaction. If the transaction isn't signed, its bogus.
Of course, allowances need to be put in place for reoccurring transactions such as website subscription fees, but that would not take much work to put in place.
Even better, perhaps a memory segment which can be used as "secure RAM" which is battery backed up and cleared by hardware (either just zeroing it out or running whatever patterns) when the machine is powered off or rebooted. One could go to having the hardware generate an encryption key every boot or power cycle (storing that in a memory chip that is quickly zeroed out and hard to physically access), then having the addresses in the "secure RAM" area AES encrypted. Jetico's BestCrypt does similar functionality to this in software to protect the Windows swap file, where each boot it used a new encryption key to ensure that anything written to the on disk Windows swap file is encrypted.
Another protection would be to have some memory manager keep an allocation table for this "secure RAM" address space. Upon reboot, the allocation table is cleared. Then, for each address that gets written, the allocation table is updated with it. If a program reads from RAM that has not been written to since the last reboot, it gets returned zeroes regardless of the true values in that memory.
I think as time goes on, perhaps the best way to browse the Web is having a virtual machine running under a dedicated, locked down user, so if the OS in the VM is compromised, an unknown exploit that might let malware out of the VM to compromise the host would be stopped. Its not 100%, but it seems to be the best way of doing things. Of course, the Web browser should have Noscript and Adblock functionality for a lock on the front door.
Eventually, I wonder if the Web browser should be completely enclosed in its own VM, where it doesn't require an explicit launching of a client OS, perhaps similar to how Thinstall wraps applications so all changes are only written to a sandbox directory. Vista's protected mode in IE7 is a start, where IE7 does not have access to the full Registry, but more separated from the rest of the machine with limits on CPU and other resources.
If we could get a space elevator working and in production for commercial use, this would be a BIG accomplishment for everyone. This would lower the barrier of access to space to commercial ventures, rather than just only accessible to only the richest of countries.
It is a solid revenue stream. If malware succeeds in installing, there is profit to be made from identity theft, theft of CD keys from games, grabbing virtual assets like MMO accounts and selling them (or using the account for EULA-breaking items until the account is permanently banned), blackmail, extortion, botnet making, spam zombies, and many other nasty things
Virus writing is highly profitable, each second a piece of malware goes unstopped on a machine is a second that the machine can continue to spew spam, spy on an internal network, or be a part of a DDoS attack.