Slashdot Mirror


User: Bob+the+Super+Hamste

Bob+the+Super+Hamste's activity in the archive.

Stories
0
Comments
5,496

Comments · 5,496

  1. That would be easily detected given that it isn't that difficult to check ciphers against their specification. It may be a bit time consuming but verification of one block for any of the modern symmetric key block ciphers would probably take a few hours at most for one person to do by hand to see that it is producing valid output. Given that they work on blocks you should be able to pick any block and check it and given a few people one could build a fairly high confidence that it hasn't been backdoored fairly quickly.

  2. Re:Down with the Fourth Amendment! on FBI Chief Calls Unbreakable Encryption 'Urgent Public Safety Issue' (reuters.com) · · Score: 2

    At least one of the founding fathers was well aware of strong cryptography and at the time made a cipher that was thought to be unbreakable by some. By today's standards it is pretty weak but versions of it saw use into WWII where it was used for securely transmitting near real-time info that if cracked a few hours or a day later by the enemy would be of no value.

  3. Re:I'm not sure it is on FBI Chief Calls Unbreakable Encryption 'Urgent Public Safety Issue' (reuters.com) · · Score: 2

    I have always viewed the issue around encryption and law enforcement as one of: does someone have to assist prosecutors in prosecuting them? So do I have to interpret data for those who want to use it against me, as that is what one is doing? They have the data; just because they can't figure it out doesn't mean I have to help them.

  4. Re:Breakable encryption != no encryption on FBI Chief Calls Unbreakable Encryption 'Urgent Public Safety Issue' (reuters.com) · · Score: 4, Informative

    Strong encryption is usually measured by the energy requirements on an ideal computer. If those energy requirements are on the order of the total energy released from a star over its entire life then it is strong. If it is something that is a sizeable portion of a nation state's total annual energy usage then it isn't strong. Very smart people are figuring out better ways to crack codes, so the energy requirement for any cipher does decrease over time until it is so low that DES was cracked in under a day on a $200,000 machine in 2002.

    Here is a nice little excerpt from Bruce Schneier's book Applied Cryptography that puts things in perspective on how to think about it. As an added bonus there is the phrase "orgy of computation" included:

    One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzmann constant. (Stick with me; the physics lesson is almost over.)

    Given that k = 1.38×10^-16 erg/Kelvin, and that the ambient temperature of the universe is 3.2 Kelvin, an ideal computer running at 3.2 K would consume 4.4×10^-16 ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.

    Now, the annual energy output of our sun is about 1.21×10^41 ergs. This is enough to power about 2.7×10^56 single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2^192. Of course, it wouldn't have the energy left over to perform any useful calculations with this counter.

    But that's just one star, and a measly one at that. A typical supernova releases something like 10^51 ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.

    These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.
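    The bound in the quoted excerpt, worked through as an added derivation (not part of the original comment) from the figures given above; the last step, costing a 256-bit key search in the same units, is an extension of the quoted text rather than something it states:

    $$
    E_{\text{bit}} = kT = 1.38\times10^{-16}\ \text{erg/K}\times 3.2\ \text{K} \approx 4.4\times10^{-16}\ \text{erg}
    $$

    $$
    N_{\odot} = \frac{E_{\odot}}{kT} = \frac{1.21\times10^{41}\ \text{erg}}{4.4\times10^{-16}\ \text{erg}} \approx 2.7\times10^{56}\ \text{bit changes per year}
    $$

    $$
    \log_2 N_{\odot} = \log_2\!\left(2.7\times10^{56}\right) \approx 187.5 \quad\Rightarrow\quad \text{a 187-bit counter}
    $$

    $$
    \log_2\!\left(32 \cdot 2.7\times10^{56}\right) = 5 + 187.5 \approx 192.5 \quad\Rightarrow\quad 2^{192}\ \text{after 32 years}
    $$

    In general the largest counter an energy budget $E$ can cycle is $n = \lfloor \log_2 (E / kT) \rfloor$ bits. Inverting it for a 256-bit key:

    $$
    E_{256} = 2^{256}\, kT \approx 1.16\times10^{77} \times 4.4\times10^{-16}\ \text{erg} \approx 5.1\times10^{61}\ \text{erg}
    \approx 4\times10^{20}\ \text{years of the sun's entire output}
    $$

    Halving the key to 128 bits cuts that to $2^{128}\,kT \approx 1.5\times10^{23}$ erg, which is why the thermodynamic argument says nothing about 128-bit keys being safe against a patient adversary with a Dyson sphere and is only decisive at 256 bits.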

  5. Alas we will just revert to optical semaphores on Belgium Ends 19th-Century Telegram Service (bbc.com) · · Score: 1

    Alas, I guess we will just have to revert to optical semaphores to manipulate the financial markets of a European country to ruin our personal enemies.

  6. Re:The iSheep are happy on Developer Marco Arment Shares Thoughts On iPhone X's Notch (marco.org) · · Score: 1

    Just wait until they find out about the Lincoln vs Miller welder fanboys, Ford vs. Chevy has nothing on them.

  7. Depends on what procedures they adopted. If it was something like the PCI standard they likely could have followed everything, well except the part about not retaining sensitive information, and still gotten hacked. The PCI standard is the bare minimum that should be followed but is something written for MBA types, so it has checkboxes that give you a warm fuzzy feeling. It does offer some protection, but there are better standards, though these are harder and require actual thought. Also if they were reasonably intelligent they would have implemented some well known system benchmarks, but those can be inconvenient for people who want the keys to the kingdom. Given what has happened I would guess they implemented the parts of PCI that didn't deal with personal information and called it a day.

    Personally, even if they were using PCI, I would love to see them get browbeaten because there are better standards, such as the US government's NIST Special Publication 800 and/or 1800 series, the NERC CIP standard, and the Cybersecurity Procurement Language for Energy Delivery Systems document. If those weren't enough there are other well respected ones out there as well to choose from. If a business, especially a large one, isn't required to be covered by one I would suggest looking at all of them and making rational choices out of each of them. If a business is required to follow one, fully implement that but then still pull from the others to go beyond, and then get regulators to scrutinize competitors who are lacking.

  8. Well considering that NERC CIP penalties can be $1,000,000 a day for each violation they are taken seriously. The IBM incident you mention was actually one of the many that has been a big driving force for the successive NERC CIP regulation updates that have come since. My major complaint about the NERC CIP regulations is that they are too open to interpretation by auditors and there is a bit too much coziness between the auditor and the operator. Thankfully in the last few years power companies have started to fear NERC more, starting when CIP v5 was out but not enforced yet. The existing regulations don't go far enough, there is a lot of room for improvement, but they are better than just about any other industry's. Having worked with NERC it is a slow and sometimes painful process but things will continue to get better. The Europeans are in an even worse situation, and the operators elsewhere in the world who do want security always want to ensure that they are compliant with NERC CIP even if NERC doesn't have jurisdiction.

  9. I see someone has no idea what they are talking about in this regard. Here is the current standard that grid operators have to comply with. Also here is what is currently being asked of suppliers by the grid operators when getting a new system. Add in that having the systems benchmarked against these or these is also being written into the contracts now. I would assume that operators in the oil and gas industry either have similar things or are at least smart enough to re-purpose the above, as the effort to do so would be minimal. A lot of the security efforts for securing the grid are not to protect it from the general internet; they are already separated, and if not the company fucked up really bad, and if NERC finds out the company will be paying some huge fines, so let NERC know. Instead the security is to protect the control system from stupid users who find a USB rubber ducky in the parking lot, connect their corporate laptop to the control network, someone doing malicious things out at some remote substation that then gets into the main control system, or a malicious insider. The people going after the grid are professionals and more often than not state actors, not little Timmy from down the street who just found out about Low Orbit Ion Cannon or Armitage.

  10. I'll accept that.

  11. Those were some shitty ballots so I choose to blame Florida for that. Sane states would use paper ballots like what we have in Minnesota and have been using for ages. You get your ballot and a black sharpie and the ballot is basically a scantron sheet that everyone is already familiar with. Since scantrons have been around for ages now everyone should be familiar with them, and even if not they are really simple compared to the disaster that was those Florida ballots. Add in that at some point you just have to say some ballots are disqualified because the person who filled them out was too incompetent. I know when I sign in to vote I have to sign stating that I am competent enough to vote, and if you can't completely fill in the right bubble on a scantron maybe you really aren't competent enough to be casting a vote. Add in that if you do fuck it up you can go and get a new ballot. Furthermore, if you can't even read the ballot or can't physically fill out the ballot you can go get a couple of election judges and they can fill it out for you. Given all that, if you are still having problems filling out your ballot correctly you really aren't competent enough to be voting and I am surprised you haven't choked on your own tongue.

  12. Not bad enough. I'm thinking the dildo from Seven

  13. Unfortunately the credit monitoring you get when a breach happens is always from these reporting agencies. I think I have like 5 or 6 active ones across Experian, Equifax, and TransUnion. Now it looks like I and everyone else will get another year of free credit monitoring from these fuckers that really should be drawn and quartered instead.

  14. Probably, except for the part about not storing personal information, but then they aren't card processors. The PCI standard, while it is a standard, is really the bare minimum that companies should be held to for them to not be found guilty of criminal negligence for breaches. The actual standard is here, and having had to deal with MBAs asking about our compliance makes it seem like it is something written for the MBA types to check off a bunch of stuff. There are much better standards, and if you aren't an MBA you can figure out how to make them applicable to your business. Personally I like the NERC CIP standard with liberal utilization of the CIS benchmarks as a good starting point for securing a system. If you want others there is always the US government's set of security benchmarks, the DoE document Cybersecurity Procurement Language for Energy Delivery Systems, or a bunch of stuff at the SANS site that you could use as a guide.

  15. Yet if I collected that much information on just one person I would likely be in jail for stalking. If I did it to a dozen or so people I would likely never see the light of day again, as I would be a serial stalker and would be serving many consecutive sentences. But given all of this detailed information these companies collected on every fucking person that is available for purchase, I still get to deal with debt collectors who try to collect debts from people who haven't lived at my address in 15 years, or whose first name matches mine but nothing else does.

  16. Re:More info on Researchers Find New Way To Build Quantum Computers (reuters.com) · · Score: 1

    Unfortunately lattice-based cryptography is hard to do right, and if you screw it up it becomes really easy to break. I don't know much beyond the hand waving level about it, but it wouldn't surprise me if we see it start to be incorporated into things in the next few years now that the patent on NTRUEncrypt has expired. The problem is that more effort needs to be spent on attacking it and proving its security, as the world of cryptography is very conservative.

  17. Re:Reuse the cardboard boxes on Researchers Find New Way To Build Quantum Computers (reuters.com) · · Score: 1

    Well it might work best if they don't try to turn it on.

  18. The only thing that sucks is that I have to work and can't go up north to my lake property with its nice dark sky.

  19. Re:Extra Creepy on Facebook Has Mapped the Entire Human Population of Earth (cnbc.com) · · Score: 1

    I see I have found one of the lucky 10,000 today who has never heard of drawing in a lawn with fertilizer. Get one area to be greener and thicker than the rest, draw whatever you like. In high school we always did something obscene on the football field for homecoming because our school sucked and we didn't care. Put the fertilizer down Shawshank Redemption style during gym class.

  20. Re: Well thats not creepy at all... on Facebook Has Mapped the Entire Human Population of Earth (cnbc.com) · · Score: 1

    Hangouts is pretty good for some things. Granted I have only found it useful for having table top RPG sessions with friends that are widely dispersed across the world, but it works pretty good for that. I only use it about twice a month but it works good for that.

  21. How long before it is hosting kiddy porn on The FCC Website Lets You Upload Malware Using Its Own Public API Key (hackernoon.com) · · Score: 3, Interesting

    How long before it is hosting kiddy porn and will the FBI raid them?

  22. They already are mostly automated. Also the haul trucks now come in fully autonomous versions as well.

  23. Re:This is why you want them to use it on The IRS Decides Who To Audit By Data Mining Social Media (typepad.com) · · Score: 1

    While there is some randomness in audits even simple honest ones aren't fast. I got audited once when I was in college and it took about half a day of actual audit, not including sitting in the waiting room until it was my turn. I had the tuition payment form for college, my single W-2, form 1040-EZ, and MN tax form M-1 for paperwork. The auditor spent the better part of 3 hours going over them checking things, going off to check something else, rechecking things, etc. It took me 15 minutes to do my state and federal taxes that year by hand including putting the crap in envelopes and addressing them but they spent probably that much time examining each digit on my taxes.

  24. Re:What about Satire? on Facebook Pages Spreading Fake News Won't Be Able To Buy Ads (techcrunch.com) · · Score: 1

    I don't think The Onion buys advertising on Facebook, but even if they did I would take issue because anyone who doesn't know it is satire deserves what they get. Although there was that whole razor blade war thing, so they are probably more accurate in predictions than other news sources.

  25. Re: The web has changed on Why We Need To Decentralize The Web (postlight.com) · · Score: 2

    Seriously did you forget about the time cube guy?

    I guess he never did rank very high or get spread around much, but there were plenty of young earth sites that were passed around back then. I got sent them all the time from my mom and step dad back then; now they just post that stuff to Facebook instead.