You may feel that contactless cards are more risk than they are worth, while others may prefer them and don't mind the risk. Also, if you want a password on your card, that's fine; others may not want passwords, while still others will want something stronger than passwords. The best thing is to allow private companies to market cards with different security profiles and allow individuals to choose the card/device they want to use. About the only other thing that needs regulation is the interface presented to an end user. The card readers should allow for people with mag stripe, wireless (passive and active), as well as contact-required cards. The key here is that end users choose the device or card they want to carry. Of course, if you choose a cheapo card that doesn't offer much security, don't be surprised if the companies offer you higher rates than those who choose strong crypto; face it, you have chosen to be an insurance risk.
Here is a recent case law from Nevada. Guess you lose. Yes, they can force you to give them your driver's license. Further, driver's licenses are often used for things that have nothing to do with driving. Bars and night clubs use them, movie theaters, stores require them for other age-restricted goods, aka tobacco and pr0n.
Currently we have a national identity system, but instead of having laws protect the people in it, we have companies which can do what they like to our identities. Try renting an apartment, turning on the gas/cable/power, getting a phone (cell or land), or getting Internet service without a credit report. While some of these are still possible with great effort, in almost all cases you will be punished for not having a good credit report. How do you prove that you are acting on behalf of a credit report, with a random assortment of facts? How does knowing my age, mother's maiden name and social security number somehow prove that I am who I say I am? No, it doesn't. It just proves that I know my victim^H^H^H^H^H^H myself well enough to fool you.
The solution is a strong identity system. The system should be based on something similar to, if not directly on, PKCS #11 tokens. People should be allowed to opt in to being card holders, but once you are a card holder the only valid form of identification should be the card/token that you are carrying. Further, the system should be privatized, allowing several card vendors to compete, such that people willing to pay for / put up with extra security features can have them if they like. In the simplest form the card may look like a credit card with a mag stripe. Other vendors may offer people cards that are biometrically locked. With it being an opt-in system, it would be legal for things like banks and other industries to charge people lower or fewer fees for participating in the system. Since these users will be cheaper to insure, it's only fair to pass those lower costs along to the end users. Since it has been proven time and time again that people will give up their passwords and identity for things such as T-shirts and chocolate bars, we can be sure that the unwashed masses will fall into line when they get a few extra bucks a month for taking part. Then in time, just as with credit reports, it will be so costly not to be a part of the system that everyone will just do it. Further, once a real identity system is in place, forcing people to sign emails for spam prevention will be a real possibility.
For all of the comments that say that identity cards are a 'bad idea(tm)', no one has been able to say what this will enable the government to do that they can't do today.
What about signed applets? Ya, you can do much more. Really, we only need one signed BitTorrent applet that takes the torrent file as an arg, and then everyone can just reuse that applet, passing their own torrent file. Jebus, I need to do everything.
So embed the BitTorrent client into a web page and write it in Java or ActiveX. Blizzard was able to figure out how to use BitTorrent for their WoW client updates, and those go to MMOG players.
If you can't get around those lame blocking attempts you don't deserve the content you want. Just set up a remote SOCKS proxy that runs on port 443. No one blocks web traffic, and with SSL they can't do traffic analysis.
Streaming? Are you for real? That is so 1997. Just more old media companies trying to push their way of doing things on the net. Give up on streaming. Produce several quality versions of the same file, support a few different codecs (mp4, xvid, wmv...) and set up torrents for each file. Then use your limited bandwidth to deliver the torrent files, run the tracker and, with the remaining bandwidth, seed the torrents with a good BitTorrent client. Why suffer quality and bandwidth requirements just so the show can be 'live'? I suspect you aren't even showing live events, so why streaming? Stop thinking like a TV broadcaster and start thinking like an internet distributor.
Actually, while you're splitting hairs I think you may be overlooking a few things. When the light from your porch strikes the person reading, some of that light bounces back to the porch, making the porch even brighter. If the light wasn't bouncing back towards the porch, where we will place our observer, you wouldn't be able to see the person reading from the porch. Assuming the goal of turning the light on was to illuminate the porch, then the person reading by the sidewalk is slightly increasing efficiency. If you had enough people bouncing enough light back you might even be able to use a lower-watt light bulb. Now, to completely break the model, what if the person out on the porch is running BitTorrent and has parts of a file that you want? So that person out on the network could be reducing your service provider's load and supplying you with data.
The "Market" claim is tricky. For there really to be a market one needs to trade something for something else. If you trade the item for cash, that's a market. If you trade the item for access to (a copy of) another item, again, market. But if you gain access for nothing, is that really a market? While I don't agree with the content, I believe you need more than just access to the material for a market to be created. Oddly, this is similar to piracy. Is it possible to pirate without theft? If you have $0 and you receive a copy of MS Office for free, you copied it (piracy). But had you not received it for free you wouldn't be able to afford it; thus the sale was never possible and theft didn't occur. For piracy to be theft you must replace the act of sale with the act of piracy, but if a sale is impossible piracy can still happen and no one is at a loss. So when you have only producers and only consumers, where the consumers give nothing back to the producers, you don't have a market, you have leeches. Taking this to the digital domain, where more consumers put no more or less load on a producer than one, really makes one wonder if piracy is hurting anyone.
So they develop them without internal documentation at all?
They may have great internal docs that reveal every detail about the hardware, how it was made, and all the secret sauce, because hey, only internal people will see it. Docs for internal engineers and docs for the unwashed are two different things. I don't agree that they need to keep specs secret, and I don't agree that when they do it's a good idea. But that doesn't make your argument valid.
It doesn't resend the key. The problem is that an unencrypted, easily spoofable message can force the device to renegotiate a new key. This renegotiation is the vulnerable state. Really this just makes the original hack easier to perform, in that it can happen at any time instead of only at the initial pairing of the two devices.
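The comment above describes a forced renegotiation: the pairing exchange is only exposed while it is happening, and a spoofable plaintext message lets an attacker make it happen on demand instead of waiting for the first pairing. The Python model below is an added example, not code from the thread and not the actual protocol the comment refers to. The frame types (NONCE, CHALLENGE, RESPONSE, KEY_LOST), the SHA-256 key derivation, the HMAC challenge/response and the 4-digit PIN are all assumptions chosen to make the mechanism concrete: a passive listener who missed the original pairing recovers nothing, but after forging one unauthenticated KEY_LOST frame it captures a fresh exchange and brute-forces the PIN offline.

```python
"""Toy model of forced re-pairing (constructed example, not a real protocol).

Two devices derive a link key from a short PIN plus nonces exchanged in the
clear, then prove possession of the key with a challenge/response. Control
frames are plaintext and unauthenticated, so anyone can forge KEY_LOST.
All names, frame types and the key derivation are hypothetical.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

Frame = Tuple[str, str, bytes]  # (kind, claimed sender, payload)


def kdf(pin: str, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """Link key derived from the PIN and both nonces (toy construction)."""
    return hashlib.sha256(pin.encode() + nonce_a + nonce_b).digest()


def auth_response(link_key: bytes, challenge: bytes) -> bytes:
    """Proof of the link key; the response itself travels in the clear."""
    return hmac.new(link_key, challenge, hashlib.sha256).digest()


class Device:
    def __init__(self, name: str, pin: str) -> None:
        self.name = name
        self.pin = pin
        self.link_key: Optional[bytes] = None  # None means "not paired"

    def handle_control(self, frame: Frame) -> None:
        """Control frames carry no MAC: a forged KEY_LOST wipes the stored key."""
        kind, _claimed_sender, _payload = frame
        if kind == "KEY_LOST":
            self.link_key = None


def pair(a: Device, b: Device, wire: List[Frame]) -> None:
    """Run the pairing exchange; every frame is appended to `wire` in plaintext."""
    nonce_a, nonce_b = secrets.token_bytes(8), secrets.token_bytes(8)
    wire.append(("NONCE", a.name, nonce_a))
    wire.append(("NONCE", b.name, nonce_b))
    a.link_key = kdf(a.pin, nonce_a, nonce_b)
    b.link_key = kdf(b.pin, nonce_a, nonce_b)
    challenge = secrets.token_bytes(8)
    wire.append(("CHALLENGE", b.name, challenge))
    wire.append(("RESPONSE", a.name, auth_response(a.link_key, challenge)))


def crack_pin(captured: List[Frame], pin_digits: int = 4) -> Optional[str]:
    """Offline attack: recover the PIN from a captured pairing exchange.

    Returns None when no complete exchange (two nonces plus challenge and
    response) is present in the capture.
    """
    nonces = [f[2] for f in captured if f[0] == "NONCE"]
    challenge = next((f[2] for f in captured if f[0] == "CHALLENGE"), None)
    response = next((f[2] for f in captured if f[0] == "RESPONSE"), None)
    if len(nonces) < 2 or challenge is None or response is None:
        return None
    nonce_a, nonce_b = nonces[-2], nonces[-1]  # most recent pairing
    for guess in range(10 ** pin_digits):
        pin = f"{guess:0{pin_digits}d}"
        candidate = auth_response(kdf(pin, nonce_a, nonce_b), challenge)
        if hmac.compare_digest(candidate, response):
            return pin
    return None


def forced_repair_attack(pin: str = "4821") -> Tuple[Optional[str], Optional[str]]:
    """Returns (PIN recovered before the forged frame, PIN recovered after it)."""
    headset, phone = Device("headset", pin), Device("phone", pin)
    pair(headset, phone, wire=[])  # original pairing: the attacker was not listening
    sniffed: List[Frame] = []      # the attacker only sees traffic from here on
    before = crack_pin(sniffed)    # paired-state traffic gives the attacker nothing
    # Attacker forges a plaintext KEY_LOST frame claiming to come from the phone.
    headset.handle_control(("KEY_LOST", phone.name, b""))
    if headset.link_key is None:   # headset believes the key is gone and re-pairs
        pair(headset, phone, sniffed)
    after = crack_pin(sniffed)     # the whole new exchange was captured
    return before, after


if __name__ == "__main__":
    print(forced_repair_attack())
```

The point the model makes is that the key itself never crosses the wire; what the attacker needs is the exchange that derives it, and the unauthenticated control frame lets them schedule that exchange. Authenticating control frames under the existing link key (or refusing to re-pair without user confirmation) is what removes the attacker's ability to trigger the vulnerable state.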
Skipping past the security issues. One of the goals of spam filters should be reducing network load, not increasing it. If we have to send our spam to several different peers to be scored, this would compound the network load problems. Mostly this is a bad idea(tm) from the get-go. I think the only thing that will really stop spam is to force something like PGP (GPG) signatures on all mail. Here's hoping the new national ID cards will have public certs encoded on them. It would be cool if someone would step in and get PKI working for the rest of us. Also, we should drag the bodies of spammers through major cities behind a horse, while allowing victims to beat the spammer with large sticks like golf clubs.
Aren't the lectures work products of the prof while employed by the school? Doesn't that mean that the prof doesn't get a vote, and rather the school owns the lectures and thus holds the rights to decide who can copy what? If I don't get to own my source code at work, why do professors get to own the lectures? Now, the school may just defer to the professor, but then shouldn't we just ask the schools to put down a good policy? As a student you pay the school, not the teachers, so the school should listen, as students are their customers.
The prof got an NSF grant to write a program, and now is going to charge people for that. NSF should force CC and GPL for all work products as part of the grant. Why did I pay taxes for him to get a handout, to turn around and charge me for access?
Does the program source become classified, or does the data the program operates on become classified? If it's the latter then you could even GPL and release the code. Having worked on classified data sets, I can say they tend to hold those much closer than the programs chomping on them. DOD was more than happy to watch people publish the code, but the images (data sets) the code worked on were held tightly.
1) Initially issuing the tokens or certs is hard and thus must be done with care. Hopefully they would be issued at birth. Issuing the token will require a full background check; here we rely on the current system of 'random personal facts', and we also make it a long and painful process. The system would take note of things like issuing 1000 tokens to the same address. There would be many things looked at before tokens would be issued; addresses might be only one.
2) If a token becomes compromised, certificate revocation is not a problem.
3) This is where the free market comes in. People would be able to buy a token with the security features they feel are needed. The paranoid might want biometric tokens; others might be happy with just a key fob. It would be up to you and the vendors that you choose to buy your token from.
4) You are rather hung up on biometrics. True, an armed thief could force you to perform the biometric operation, but he could also take your kids hostage and send you body parts in the mail until you perform his bidding.
I'm not saying that an ID system based on PKI is perfect; rather I'm saying it's orders of magnitude better than what we have today. Today if you know a few random facts about a person, YOU'RE THEM. While some will say that IDs will always be stolen, we should make it hard enough that the average crackhead 16-year-old can't pull it off.
Does anyone else think this is just a 'life-hack' so WalMart can sell software at OEM prices? Buy that USB cable; sure, now you can get XP for $45.
http://en.wikipedia.org/wiki/FPGA FPGA
If we are all on little circles, why am I on the get-kicked-in-the-nuts circle and not the hook-up-with-supermodels circle?
Human sacrifice, dogs and cats living together, mass hysteria, pandemonium!
1,097,509,500,000,000,000,000 cubic meters ought to be enough for anybody.
Billus Gatos
You would have a point if this was the only solution to the spam problem. Fortunately it isn't.
Yes, this is correct; the C is Combat. The other buzzwords around this are "Network Centric Warfare". I don't see that as NCW as much as you see FCS.
As April Fools RFC jokes go, this is toward the bottom of the heap. Further, it is nowhere close to Parrot, which went from joke to scary truth (shudder).
Ya the smooth talkers have done such a bang up job so far.