Slashdot Mirror


User: ltcordelia

ltcordelia's activity in the archive.

Stories: 0
Comments: 33

Comments · 33

  1. Re:A newbie's experience with E2. on Everything2 Hits One Million Nodes · · Score: 1
    Sodium, The nice thing about Everything is that you aren't stuck going "damn, that is wrong." You have some options. You can send a message to the author of the writeup, pointing out the inconsistencies, and ask them to correct it. You can add a writeup to the node correcting theirs. Or you can write an even better writeup that makes theirs completely pointless because you have all the data theirs has and more, and ask them (or go direct) to ask an editor to nuke their writeup.

    Until you came along, that was the best info on chess. Now that there is an expert paying attention, E2 can be better.
    Information wants to be free

  2. Re:Looks like a hoax... on Bill Gates's email - about Linux · · Score: 1

    Not only that, but an Outlook user with an Exchange server would have it sent to "All Employees" rather than to a straight email address. Nice try, bucko.
    Information wants to be free

  3. Re:"Third wave"? It's hardly new. on Swedish Lemon Angels · · Score: 3
    I respectfully disagree with both your primary and secondary points.

    First off, while Social Engineering has been a tool of good penetration experts for some time, that is all it has been - a tool. The purpose of the use of SE was to gain access to a network. What Bruce is describing is not necessarily a new idea in the real world (look at the World War II counterintelligence operations), it is a (relatively) new concept in information attack, and one that has been primarily the domain of government agencies. Rather than manipulating a person to gain access to a system, the point is to gain access to a system in order to manipulate a person. Or, in the case of the Emulex fraud, many persons.

    As to the tired rant telling Schneier to worry more about government and less about hackers, this is a pretty tired saw. Believe it or not, there *are* black hats out there. The only way to adequately defend against them is to educate their targets - like the helpdesk worker who will freely change the CEO's password.

    Mind you, I'm not saying that governments and corporations are blameless; rather that disregarding the hackers is not a reasonable (or money-making) option.


    Information wants to be free

  4. Re:Some application ideas... on New Material Responds to Touch Pressure · · Score: 1
    Oh joy. I just love intelligent, rational posts like this. On the other hand, perhaps you fail to see the analogy I am attempting to draw between the argument "Information wants to be free" which is frequently used and "Guns want to kill"; both are equivalent in that they are anthropomorphizing an object; guns, which are usually designed to kill (and would presumably "want" to do so) and information, which is duplicable with no loss (and hence would "want" to be duplicated?).

    But I guess if you assume people are stoned on Saturdays, then you might be using a bit too much to follow that.


    Information wants to be free

  5. Some application ideas... on New Material Responds to Touch Pressure · · Score: 4
    • tactile sensors for remote operations of unmanned vehicles
    • sensors for martial sports (fencing, karate, boxing ("oh my god, Mike Tyson just bit his opponent's ear with the force of a hyena!"))
    • input devices for wearable computing (after you tap one spot with sufficient pressure, the rest of the keyboard on your pant legs activates).
    • biomonitoring (adaptive gel shoe soles that register how hard you are jogging; chairs that provide support based on your seating preferences)
    • intelligent furniture (it shouts/emits a high-pitched squeal whenever a pet is on it)
    • Giant dance floors that trigger odd sound/lighting combos (anyone remember coley groups from Shockwave Rider?)
    • Soldier/Policeman status monitoring (a layer of this placed inside their clothing/vests would alert whenever the wearer had been assaulted)
    • Office cube walls that are input devices as well (embedded phones, temperature controls, etc)
    Okay, that's the end of my two minutes of brainstorming.


    Information wants to be free

  6. An excellent read on The Shockwave Rider · · Score: 1
    I first read this book about 15 years ago, and I try to reread it at least once every few years. It is an easy read - it isn't like trying to sit down with Foucault's Pendulum. If you've never read it, Go Buy It Now.


    Information wants to be free

  7. Re:Isn't it possible to drop packets if they... on Solution To DoS Attacks · · Score: 1
    No, this really won't work. Assume that there are n valid connection requests per second coming in. If a SYN Flood is generating m false requests (and m >> n), the server will be forced to randomly drop about m connections (Production servers are generally running at a significant fraction of their capacity; a machine at less than 20% capacity is probably underutilized). The expected number of valid connections that will be dropped by your method is: E(dropped) = n * m / (n + m) ... if there are 9 times as many bogus packets as real, you'll drop 90% of your real traffic. But in all likelihood, there will be a thousand times more bogus traffic.


    Information wants to be free

  8. Different definition of `legal' on Freenet Music Venture; Napster-like ROM Swapping · · Score: 1
    Note that Ian Clarke says, "Any legal action against me would be just as ridiculous as taking legal action against the manufacturer of womens' tights that were used in a bank robbery." This isn't claiming that FreeNet is going to be put to legal purposes - merely that the developers of FreeNet have no way to control the use of their product, unlike Napster.


    Information wants to be free

  9. Re:ltcordelia sig on Speech Recognition, Voice Verification -- Free · · Score: 1
    Heh. I can't help but respond to your ridiculous, missing-the-point comment. Guns "want" to kill even more than information "wants" to be free. It is the purpose of guns to cause damage, and kill. We limit the amount of damage guns do by enforcing laws against their wanton use. Similarly, if information "wants" to be free (a statement I disagree with), we can similarly have laws inhibiting the amount of freedom information has.

    And by the way? The next time you'd like to flame, have the common decency to include some method for the flamee to directly respond. Otherwise, we have to point out to the world (who probably could care less) how poorly you understand irony.


    Information wants to be free

  10. Xvoice on Speech Recognition, Voice Verification -- Free · · Score: 2

    Xvoice is a GPL front end to the freely available IBM ViaVoice libraries. So no, not everything in the vorec world has been completely closed source before this.
    Information wants to be free

  11. Interesting precedent- poor default configurations on AOL Class-Action Suit Over Pop-Up Ads · · Score: 3

    I hope that AOL's defense of "it is user-configurable" gets tossed - it would set a nice precedent of companies being responsible for the default configuration of their software (can we sue MS for all the virii propagated by poor Outlook configurations?).
    Information wants to be free

  12. Re:Physical assault & freenet on Ask Havenco's CTO Anything You'd Like · · Score: 2
    Hey, rdl. Long time no zee. While I disagree with Rev's assumption above about not building a national defense, I do have some questions related to statecraft and HavenCo.
    1. I noted in the Sealand website:
      HavenCo will now take over operations of the government of Sealand and operate the first datacenter for its secure colocation services from the Sealand sovereign fortress.
      First, congratulations! I suppose this would make you Minister of Technology or somesuch. However, given the dim view that many countries will take of this merger, do you anticipate this will place a roadblock on diplomatic efforts by HavenCo/Sealand (H/S)?
    2. Will H/S seek to enter NATO?
    3. I'm assuming that H/S's physical security threat model includes small merc forces (everyone always trains for the last war). Placing that at one extreme and, say, a cruise missile strike from your favorite Western power at the other extreme, about where (in rough terms) are you planning?
    4. Sealand seems to have an antagonistic history with the world, as when, in 1990, a ship was fired upon by Sealand (I'll assume there is more history than listed on the website). Given the lack of recognition Sealand already has (a ruling by an internal state court of the United Kingdom does not, in law, have any binding upon the international community), how is H/S planning on fighting the image of H/S as a pirate's den, hosting illegal services in a cutthroat backwater?
    5. On the Rules of Use, I noticed this worrisome line:
      This document may change from time to time. Changes go into effect and are applied to all customers from the time that they are posted to the above URL.
      While this is a fine statement of principle, given the lack of recourse a business will have (after all, Havenco is the government), what effect do you anticipate this will have on your marketing staff?
    Good luck,
    cordelia


    Information wants to be free

  13. Proprietary and open-source are not antonyms! on Caldera CEO Says Linux Is Proprietary · · Score: 5
    *sigh*
    The hardest thing here was deciding who had the best post to respond to. PigleT, you win.

    "free" anything means a number of things, but I prefer Not controlled by obligation or the will of another. The open-source movement protects the investment of the first programmer, not his so-called rights. Programmer A invests his/her time into writing an app under the GPL. If Programmer B wants to take advantage of Programmer A's effort, s/he must provide their work back to "the community," thus providing Programmer A a nice return on their investment. Note that Programmer B did NOT get "free" code from Programmer A - Programmer B was obligated to provide service back to Programmer A.

    Note that companies are getting around the GPL by creating new software based on GPL'ed components, and selling service to their customers. Since they are not providing binaries to their customers, they are under no obligation to release their modifications to "open-source" software.

    This company is restricted from selling their software (Hmm, I wonder if they could give an NDA to their customers prohibiting the re-release of their source code?) by the GPL. Their "rights" are not being protected here.

    As to the value of StarOffice, note that many of us are forced to work in an MS environment, where management and other divisions frequently send MS-Office documents. Having an interoperable product, which is seamless to the other users, means I can run Linux where otherwise I'd be forced to run Windoze.


    Information wants to be free

  14. Excellent - another coffee table primer! on The Code Book · · Score: 1
    This sounds like a book worth getting - I keep a copy of Applied Cryptography on my desk, but find that I frequently have to hunt down my coworkers (who borrow it for "light reading").

    Thank you, /., for providing us with Hemos' review.
    Information wants to be free

  15. Was this more of an ad for Itanium? on Intel Opens CDSA Source · · Score: 3
    First: kudos to Intel for helping to accelerate the growth of the security industry.

    However, *thwack* to ZDNet for an article that says almost nothing about CDSA, and instead focuses on marketing Itanium, Trillian, and Whistler (Windoze '01, if you didn't catch that). Note: it appears from the style of linking that this was actually three different articles that were tied together because they were related.


    Information wants to be free

  16. You are your own Big Brother on CFP 2000 Wrapup · · Score: 1

    You collect your data streams, and warehouse it offsite somewhere. Send them to friends, neighbors, bonded data warehouses, FreeNet, whatever you'd like.
    Information wants to be free

  17. Domination Systems are Big Brother on CFP 2000 Wrapup · · Score: 2
    One of the observations that didn't seem to be drawn (or wasn't in the notes at least) is the idea that "Big Brother" (to most of us, this seems to be the US gov't) is just a collection of Domination Systems.
    Sure, the NSA and the CIA and the FBI are out there monitoring things, along with a lot of other TLA's. Most of the time, though, they won't talk to each other (a lot of this is for legal reasons; the NSA isn't supposed to be monitoring US citizens (Title 10), but the FBI is pretty dedicated to that). The backstabbing and infighting within US federal agencies is pretty extreme - there isn't enough money for everyone to get what they want, so they fight over shrinking budget dollars.

    I think we can see good examples of "surfing the fringe" in the battle between M$ and DOJ; or Napster using the DMCA (an MPAA tool) to defend itself against the RIAA.

    And personally, I really like the Virtual Neighborhood Watch idea - I put a videocam in my house, and stream its data to 5 friends, who are each streaming their data at me. Every week, unless something happened, we all delete the data.


    Information wants to be free

  18. Moore's Law on TeraHertz Molecular Switch Arrays · · Score: 1
    I know Moore's Law says a doubling of everything every 18 months. But this isn't doubling.

    Seriously, this will be a nice boon in 5 years or so when they can build more than just one component at this speed - I'd like a terahertz bus, please.

    Wow. Just imagine Unreal running on a machine this fast. Yay, VR.
    Information wants to be free

  19. Re:Shutting down FreeNet on FreeNet's Ian Clarke Answers Privacy Questions · · Score: 1
    I think that you are missing a very important point here. Everyone has taken the attitude of "well, we're the 'hackers', and you can't stop us."

    WRONG

    The implementation of something like FreeNet creates an enclave for the "hackers." THEM (The gov't, big corps, etc.) are now the hackers. They have the advantage, as they are the attackers. Remember that.

    As to hearing of "wireless", sure I have. Wireless is wonderful. Easy to tap untraceably, it'll simplify traffic analysis to no end. Plus, EW is much more mature than IW. Jamming is pretty trivial, as is insertion (sure, you've got encryption. But if it gets broken (through something easy like keytheft), I can take you off the net and spoof your address).

    The point to note is that defenders have the disadvantage - you can do your best to guess what the "bad guys" will do, but ultimately you have to be reacting to them. Are you really that sure you can outpredict my attacks?

    I like the "black-hole reset" idea (Although it sounds like nice buzzword-bingo). How are you going to keep me from remapping my servers to a new IP-space and joining again? Every time you reset, you massively inconvenience your customers (and what if you block out a non-malicious person - oh wait, are we censoring someone we don't like?). Me, I have the resources of a nation-state and the will to keep eiting you.

    Have a Nice Day.


    Information wants to be free

  20. Re:Shutting down FreeNet on FreeNet's Ian Clarke Answers Privacy Questions · · Score: 1

    My last assignment was as a defensive information warfare engineer for "the other side". I designed and implemented the network defenses for a large desert area :)
    Information wants to be free

  21. Re:question from a newbie on EPIC Report On International Cryptography · · Score: 3
    Yes. Ensure that your browser has an encrypted link (see that little padlock icon in the corner?).

    The threat isn't that your card will get compromised en route (today), but rather that the company you are buying from will be storing your credit card number on a publicly reachable server running an insecure service.

    If you'd like to learn more about how crypto works, and keep up to date on it, I'd recommend checking out www.counterpane.com (where Bruce Schneier will tell you to buy Applied Cryptography (which is a good read, and makes a good armrest, too)).


    Information wants to be free

  22. Shutting down FreeNet on FreeNet's Ian Clarke Answers Privacy Questions · · Score: 2
    Could you name me one way in which a person could totally shut down the concept of freenet.

    As I recall, FreeNet is being implemented as its own protocol. While I, as a broadband customer, may want to implement a FreeNet node, my provider may be blocking that protocol at an upstream point.

    So we fix that by encapsulating FreeNet traffic inside a VPN (IP Type 50, for example), to prevent this sort of attack (and raising the bar perhaps a bit more for people to create FreeNet nodes).

    BEGIN HYPOTHETICAL SUPPOSITION Now let's say that I, as the member of the armed services of one of the world's largest nation-states am tasked with reducing FreeNet's effectiveness. What do I do?

    1. Develop a simple app which can reside on any computer. This app will be given FreeNet indices and told to retrieve that data. This app is controlled remotely.
    2. Install this app on every Windoze box in the military I work for, which happens to have (lots of) computers on most inhabited continents. We have enough machines that we have our own dedicated "InterNet."
    3. To block copyright infringement, as soon as a new video/song/game comes out, post content-free (or, better, yet, trojanized installers for executables (see below)) binaries with the most likely indices. Notify the computers on my networks to go grab those, and vote them as "reliable". If someone beats me to the punch, have my machines vote them "unreliable."

    * What to put in those trojans:

    • a notification program back to me via a covert channel (even, say, FreeNet :), notifying me of the downloader and their location.
    • A directory broadcaster that would notify me of the contents of that person's node (how else will I stay up to date with the latest and greatest indices in use?)

    This model has several strengths. First, it reduces the effectiveness of FreeNet to distribute illicit wares by inserting a significant amount of chaff into the environment. Second, it enables me to learn the locations of a large number of users of FreeNet, especially those engaged in illicit downloads. This will let (Censored - No Such Agency) have a good starting point on performing traffic analysis to determine the locations of the encrypted FreeNet nodes.

    And once I have the locations of a significant percentage of FreeNet nodes, really, the system goes down. DDoS works nicely.

    I left out many of the more useful things that I could do with the trojans, for obvious reasons.


    Information wants to be free

  23. FreeNet Node ClientServers on FreeNet's Ian Clarke Answers Privacy Questions · · Score: 1
    I could easily see (in fact, I'd recommend) clients built with a small (say, 50 Mb cache, as pointed out above) server built-in. This way, you, as a FreeNet client, are automatically serving as a storage node. Assuming (and we all know what ASSUME means ;) that someone develops a FreeNet client plug-in for WWW browsers (freenet://music/mp3/OingoBoingo/), your act of downloading the software might automatically cause your client to save it as a server, so when your roommate goes and grabs it, they are grabbing from you.
    This model doesn't require that every FreeNet middleware plug-in be a server. If only 1 in 100 were, it would probably be more than sufficient to ensure that FreeNet has enough nodes to be useful.
    Plus, I think I like the idea of limiting the file size in the server to reduce the amount of material that I would not like to propagate.


    Information wants to be free

  24. Re:Mozilla skins on Suck On Skins And UI · · Score: 1
    Using non-native widgets (basically, bitmaps) often stops system-wide skin/theme programs from working. Your non-standard look and feel is rendered internally inconsistent.

    This has always been one of my pet peeves with M$-Office. I'm happy to see that NS6 is going to join the crowd of applications that make my preferred color scheme not work on Windoze.
    I prefer a light color (lemonchiffon) on a dark (black); it's easier on the eyes, and makes the screen harder to read at a distance. However, this color scheme tends to make M$-apps pretty unusable. I'm glad to know that NetScrape will also be unusable.

    Information wants to be free

  25. Distract them, not attract them on Security-Why Not Watch The Crackers? · · Score: 1
    A very good use for a honeypot is as a distraction machine - but rather than having an "open" machine, have it running nicely locked down services. I've run a "portchaffer" on my home firewall before - it listens to all of the ports in /etc/services (which has been mod'ed to include some "hacker" ports), allows connections to be made, and terminates the connection after about five seconds. You'd be amazed at how long antagonists will spend trying to figure out how to get into the system.

    And while those script kiddies/hackers/crackers are hammering away at that illusion, they aren't off hammering away at my neighbors' computers.

    Everyone should run a honeypot. Create an environment so rich in targets that the bad guys won't know who to attack.
    Information wants to be free
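
The "portchaffer" described in the comment above, as an added Python sketch; it is not the commenter's program. The class and function names, the parameters, the connection cap, the sample services text and the loopback self-check are assumptions made for illustration.

```python
import asyncio
import re
import time

# Constructed sample in /etc/services format (not from the original comment).
SAMPLE_SERVICES = """\
ssh        22/tcp     # SSH Remote Login Protocol
domain     53/udp
elite      31337/tcp  # hypothetical added "hacker" port
"""
SERVICE_TCP = re.compile(r"^[ \t]*[^\s#]+[ \t]+(\d+)/tcp\b", re.M)

def tcp_ports_from_services(text):
    return sorted({int(p) for p in SERVICE_TCP.findall(text) if 0 < int(p) < 65536})

class PortChaffer:
    """Accept TCP connections, send nothing, hang up after hold_seconds."""
    def __init__(self, ports, host="127.0.0.1", hold_seconds=5.0, max_open=256):
        self.ports, self.host = list(ports), host
        self.hold_seconds, self.max_open = hold_seconds, max_open
        self.events = []   # (unix_time, local_port, peer_ip) per connection
        self.skipped = []  # ports that could not be bound (in use, privileged)
        self._servers, self._open = [], 0

    async def start(self):
        for port in self.ports:
            try:
                self._servers.append(
                    await asyncio.start_server(self._handle, self.host, port))
            except OSError:
                self.skipped.append(port)
        return [s.sockets[0].getsockname()[1] for s in self._servers]

    def stop(self):
        for server in self._servers:
            server.close()

    async def _handle(self, reader, writer):
        info = writer.get_extra_info
        self.events.append((time.time(), info("sockname")[1], info("peername")[0]))
        self._open += 1
        deadline = time.monotonic() + self.hold_seconds
        try:
            # Discard input and never reply; over the cap, skip the hold entirely.
            while self._open <= self.max_open and (left := deadline - time.monotonic()) > 0:
                if not await asyncio.wait_for(reader.read(1024), left):
                    break  # peer hung up first
        except (asyncio.TimeoutError, OSError):
            pass
        finally:
            self._open -= 1
            writer.close()

async def probe(hold_seconds=0.3):
    """Loopback self-check: returns (bytes_received, seconds_held, events)."""
    chaffer = PortChaffer([0], hold_seconds=hold_seconds)
    (port,) = await chaffer.start()
    began = time.monotonic()
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"HELLO\r\n")
    data = await reader.read()  # returns at EOF, when the chaffer hangs up
    held = time.monotonic() - began
    writer.close()
    chaffer.stop()
    return data, held, len(chaffer.events)
```

The `events` list is the useful by-product: every connection to a port that offers no real service is a logged probe, with source address and target port.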