Apparently not having all of the answers means that one cannot have any of the answers; therefore I conclude that neither of us has any of the answers and the conversation is moot.
Is that how it goes?
And yet people tout universe origin theorems as scientific despite it being by definition impossible to prove or gather evidence for scientifically.
More than anything else the thing that gets me is the impossibility of explaining the existence of anything at all without a supernatural (in its purest sense) / eternal cause, or an infinite regression.
It "knows" because proteins are broken down during cooking into their constituent amino acids, and just as there are different "kinds" of proteins, their makeup is different. Eating 3 cups of Greek yogurt every day will give you lots of "protein", and maybe more than the "rule of thumb" amount, but you won't be getting all of the types you need.
You would have to look it up to see which amino acids are problematic for a vegetarian, but that's how it works; animals are different from plants, and tend to provide different nutrients.
You're being naive. I've seen a number of programs that I really loved stop development because piracy was just too rampant. It can be a huge problem when you're charging $5 for a perpetual license, and 2 users buy it while everyone else pirates it. Who wants to continue sinking time into it when it costs you time and money and everyone can just give you the finger by pirating it?
And the best way to answer someone's question is apparently to tell him that he's wrong for wanting to do the thing he wants to do, because you have an opinion on the matter.
I think the concept of "chain of custody" is relevant. Specifically, you can't establish a tenuous relationship between some random virus on some random site and a fingerprinted file, and sue the file's creator. The law, luckily, generally has higher demands for establishing fault, and that isn't gonna cut it.
Not only that, there are plenty of PDF password strippers out there that, if you have a quad or better (and considering you can get AMD quads for like $70, it's kinda nuts not to have at least a quad), can go through entire rainbow tables in no time at all; just set it to use dual cores and you can keep doing other stuff while it runs in the background.
Unless I'm mistaken, your CPU should be irrelevant with rainbow tables. The entire point is that all the CPU work has been done; you're trading disk / IO for CPU / time.
Of course, since rainbow tables are for hashes and not encryption, I'm really not sure what the relevance is. You use a rainbow table when you have an unsalted password hash and you want the plaintext, not when you have an encrypted document. If the PDF document is encrypted with a password (one of the options for securing documents in Acrobat), you can't just strip it out without cracking AES or brute-forcing the password.
I love how everyone is abandoning real security (encryption) and advocating watermarks (which can be trivially stripped out), which would be of almost no worth anyway. Let's say you identify the watermarked file on BitTorrent. Now what, a wild goose chase to try to ID the actual users? I hear the MPAA has had great luck in this regard, and of course they have dedicated lawyers; I doubt OP has that luxury.
Sometimes, DRM / encryption / passwords ARE the right answer; OP said he wants to avoid piracy, not try to trace piracy through its dark-site trails.
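The point made above about rainbow tables (they recover plaintexts for unsalted hashes, and the CPU work happens during precomputation, not at lookup time) is easier to see in code. The following is an added example for this page, not code posted by anyone in the thread: a toy rainbow table in Python against an unsalted SHA-256 of a short password. The charset, password length, chain length and start points are constructed to keep the table tiny; a real table has the same offline/online split, just with a large keyspace and long chains. The salted lookup at the end shows why salting defeats a table built without the salt.

```python
"""Toy rainbow table against an unsalted hash, plus the salted case.

Added example, not code from the original thread. CHARSET, PW_LEN, CHAIN_LEN
and START_POINTS are constructed values chosen so the whole table builds in
milliseconds; the mechanics are the same as for a full-size table.
"""
import hashlib
import itertools

CHARSET = "abcd"                      # constructed: tiny keyspace
PW_LEN = 3                            # 4**3 = 64 possible passwords
CHAIN_LEN = 8                         # hash/reduce steps per chain
KEYSPACE = len(CHARSET) ** PW_LEN


def h(password: str, salt: bytes = b"") -> bytes:
    """The hash being attacked. Unsalted when salt is empty; the table below
    is precomputed against the unsalted form only."""
    return hashlib.sha256(salt + password.encode()).digest()


def reduce_fn(digest: bytes, position: int) -> str:
    """Reduction: map a digest back into the password space. Mixing in the chain
    position is what makes this a rainbow table rather than plain Hellman chains
    (chains that collide at different positions do not merge)."""
    n = (int.from_bytes(digest, "big") + position) % KEYSPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def build_table(start_points):
    """Offline phase: walk each chain and store only endpoint -> [starts].
    All the hashing happens here; lookup later costs storage, not CPU."""
    table = {}
    for start in start_points:
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_fn(h(pw), pos)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target: bytes):
    """Online phase: assume the target sits at each chain position in turn, walk
    to the chain end, and on an endpoint hit regenerate that chain from its
    start until a preimage of the target turns up."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_fn(target, pos)
        for p in range(pos + 1, CHAIN_LEN):
            pw = reduce_fn(h(pw), p)
        for start in table.get(pw, ()):
            cand = start
            for p in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_fn(h(cand), p)
    return None                       # not in any stored chain (or only false alarms)


ALL_PASSWORDS = ["".join(t) for t in itertools.product(CHARSET, repeat=PW_LEN)]
START_POINTS = ALL_PASSWORDS[::4]     # constructed: 16 stored rows for 64 passwords
TABLE = build_table(START_POINTS)


def covered_passwords():
    """Every password that occurs somewhere in a stored chain, i.e. exactly the
    set the table can recover. Chains overlap, so this is below 16 * 8."""
    seen = set()
    for start in START_POINTS:
        pw = start
        for pos in range(CHAIN_LEN):
            seen.add(pw)
            pw = reduce_fn(h(pw), pos)
    return seen


def crack(digest: bytes):
    """Recover a preimage for an unsalted digest from the table, or None."""
    return lookup(TABLE, digest)


if __name__ == "__main__":
    victim = min(covered_passwords())
    print("unsalted hash ->", crack(h(victim)))
    # A salt changes the digest the table would have had to be built for, so the
    # precomputation no longer applies and the attacker is back to brute force.
    print("salted hash   ->", crack(h(victim, salt=b"constructed-salt")))
```

Note the asymmetry the thread was arguing about: `build_table` is where the hashing cost lives, while `crack` only walks a handful of short chains and does dictionary lookups, so a faster CPU at lookup time buys little. The salted call returns `None` because the table was never built against `sha256(salt + password)`; to attack that hash the precomputation has to be redone per salt.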
I was once looking up "fatal doses of things that are normally unlikely to kill you" with a friend (we're a blast at parties), and Beta Carotene and vitamin C were particularly amusing.
Beta carotene: >2000 mg/kg. For your average 90 kg male, we're looking at about 180 g. That's about 1/3 lb, so maybe an apple-sized ball of pure beta carotene (how dense is beta carotene?). Appears to be slightly more toxic than table salt.
Vitamin C: 11,900 mg/kg. At about 2x the toxicity of sucrose, this dangerous substance would require around 1 kg, or 2.2 lb, before your average male suffered debilitating vitamin C overdose effects. Of course, if you're eating a solid 2.2 lb ball of vitamin C, I think "mechanical difficulty" might be an applicable term as well.
The other thing to watch for (you may be aware of this) is that "protein" isn't all the same. Animal proteins and vegetable proteins can be different, and your body may not get all of the components it needs if you only do one or two types of protein.
Just something to keep in mind -- I feel like a lot of people treat it like "I need 30 grams of this 'protein' junk", without considering the role of variety.
containing arguably less of these rare vitamins than before.
What the heck? This is a quantifiable statement. Either they do, or they do not. There is no "arguable" unless someone likes arguing something with nothing to back it up.
Do you have any sources for these statements, or are you making a lot of assumptions?
It is technically impossible to snoop on BES traffic even if you have full access to every cell tower and RIM datacenter, unless you either get the per-device AES key, or you crack AES.
When I say "there is no way" I'm not talking about "they have a policy", I'm talking about "it uses a known secure implementation of symmetric key encryption".
That's nice marketing material, but if Blackberry is logging into systems with disparate hashing or encrypting schemes, they are handling the cleartext of the comms at some point, and that's where the taps are.
Again, you don't understand. If you are using BES, it is hooking into a corporate email system -- Exchange or whatever IBM's thing is called (Lotus?). This is a core requirement -- you CANNOT (or could not, as of BES 5) install BES without those. BES also did NOT support logging into third-party mail servers -- its one and only task was to sync corporate email with your BlackBerry. And it did so by maintaining a secure connection to your local Exchange server with an administrative Exchange account, and connecting to each BlackBerry with a device-specific key. The user's credentials were NEVER transmitted (as the login was performed by the BES admin account, stored on the BES), nor was there any kind of key exchange (the symmetric keys were set up on device activation).
BIS: this is for BlackBerry users who don't want to use their BlackBerries -- which are specifically built for corporate email -- as personal email devices. In order to provide the same level of BES experience (push / low battery usage), RIM essentially proxies as a BES server and handles that POP / IMAP / ActiveSync connection on their end, and then does a push to your BlackBerry. Obviously for this to work you are handing them your credentials, and as with any such proxy system that could be a security problem. Everyone has known this for YEARS.
I don't actually administer BES any more. I have moved on from my prior job where I was a general-purpose consultant who dealt with ~60 clients as their sole IT person. I never made money off of BES, and RIM rarely made money off of me, as I tended to recommend BES Express (since 90% of SMBs have no need for the paid BES).
Towards the end I stopped recommending BES because the security was way overkill, the SMBs had zero need for that kind of management, and everyone wanted an Android; I'm not the kind of admin who tells users to go screw themselves when they say "we hate BlackBerries". Nevertheless I (and a hard core of BlackBerry hold-out customers) recognized that ActiveSync was a horrible replacement for BES, and management certainly was never as good as it was on the BES. Years of having to import trusted certs onto iPhones, Palm Pres, WinMobile 6, etc. only to have to do it again a year later left a sour taste in my mouth.
I also have no time for someone who pops out the "shill" accusation simply because I'm relying on facts rather than FUD. BIS sucks, everyone knows this; BES is the most secure option, and everyone who has a clue knows this too.
Translation: I know nothing about how BES works, but I won't let my ignorance prevent me from criticizing it.
For the record, anyone who has administered a BES knows that it's a far better experience than anything ActiveSync has ever had, and magnitudes more secure. ActiveSync bases its entire security on a single server certificate, and having your cert chain vetted, and assuming that your trusted CA doesn't get compromised, and your ciphers aren't subject to the BEAST attack. BES has per-device keys, and until AES gets cracked, BES won't be cracked.
When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge.
Your consent is that this has always been managed through a browser and you're providing your credentials to a website (BIS). It has worked this way for the 8 years that I've been in the field, unless you use your own BES and do an enterprise activation.
If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear
Holy tautology, batman!
BlackBerry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing in between – namely the NSA and GCHQ, as documented by the recent Edward Snowden leaks.
Well gee, maybe you shouldn't uncheck the "SSL/TLS" box then. That's sort of why it's there.
But I've been advising companies who deal in secrets (R&D trade secrets mostly) to avoid Blackberry for the entire time I've been doing security consulting (since before I got a Treo) because it was never a secret how Blackberry works.
Then despite your really good explanation, it seems that YOU don't fully understand it. If you have one of those expensive BES servers, RIM never sees your credentials, your mail, or anything, and you have THE most secure mass-market mobile email system out there.
BES supports
Per-device symmetric encryption (way outclasses SSL which is a security nightmare between compromised CAs, compromised ciphers, and expiring certs)
Enforcing memory and device encryption for years prior to anyone else attempting it, let alone getting it right
Remote device wipe, which iOS / Android have only recently gotten, and which actually works
Enforcing any and every option you might want on any or all BlackBerries in your organization -- want to force all browsing through a proxy? Or to go through your corporate firewall? Not a problem.
Locking down the devices to prevent installation of undesired apps
Some of these features have been picked up by other device "classes" (iOS, Android), some have been reimplemented badly (i.e., device encryption, remote wipe, screen lock), but no one has gotten the comms down as secure as a proper BES.
If you're advising people to avoid BES for SECURITY REASONS, you shouldn't be in the business of advising people. Foreign governments have famously gotten their feathers ruffled because RIM makes it clear that there is no way to snoop those connections.
What's a security nightmare is SSL. It's astounding that people advocate ditching clunky BlackBerries running secure BES with per-device AES keys for slick ActiveSync, and then turn around and complain about security.
Meanwhile, SSL has had its recommended cipher change how many times in the last few years? And now we're on the creaky RC4 because all other options have been exhausted?
No, but I'm sure ActiveSync is great. Hope you've vetted your trusted root chain on each of your devices, and hope you've found a suitable way of restricting what APKs can be installed on all your Androids.
Yeah, which is why I always laugh whenever anyone says they are secure devices.
What part of "Don't have a BES" didn't you understand?
They're secure devices when you purchase and run the server that's designed to manage them. Otherwise, yes, you're having RIM host the BES service ("BIS"), and you're giving them your credentials. That's irrelevant to 99% of IT departments though, since no one of any significant size bases their mobile infrastructure on BIS.
BES Express went free several years ago and is way more secure than SSL, even if people criticizing blackberries choose to remain ignorant of how BES works.
Nonsense; innovative new sorting methods come out all the time!
You can get it from some seafood (salmon or sardines or something), and fungi.
But yes, my understanding is that it can be quite difficult for some people to get enough of it, absent fortified foods.
The problem is that a government-owned ISP could easily end up sucking terribly 10 years down the road.
I don't think there's a magic bullet to this solution, and I'm especially wary whenever anyone says "I found one, and it's the government".
If you're implying that there is a crack for AES, it's irrelevant; we're all screwed anyway.
If you're implying that it's difficult to verify whether a particular packet is AES encrypted given a particular key, it's not.
BES does not and cannot connect to Gmail. It would be great if people who didn't understand BES didn't criticize it for things that aren't relevant.
RIM also never gets ANY credentials when you use a BES. See my explanation here:
http://slashdot.org/comments.pl?sid=3989165&cid=44319733
You could, you know, do some research. How BES works is pretty well documented. You can monitor the connections to know it's true.
If you want to spread FUD (which seems to be your intention) I guess I can't stop you, though, so carry on.
You mean "copy running startup". "write mem" has been deprecated since before I started working on Cisco 2600s back in 2004 ;)