Yes, this is a weakness. Hopefully multiple alphabet soup agencies from different countries will get this idea and end up competing with each other. An arms race of diminishing returns to get a bigger chunk of the Tor network just means we'll have plenty of free Tor bandwidth on the gov't dime.
Protip: You can edit the Tor config or source code to pick geographically diverse nodes yourself.
In a separate February 2007 Cincinnati -based investigation of hackers who'd successfully targeted an unnamed bank, the documents indicate the FBI's efforts may have been detected. An FBI agent became alarmed when the hacker he was chasing didn't get infected with the spyware after visiting the CIPAV-loaded website. Instead, the hacker "proceeded to visit the site 29 more times," according to a summary of the incident. "In these instances, the CIPAV did not deliver its payload because of system incompatibility."
Seems like the FBI exploits browser vulnerabilities a la the Pwn2Own contest in order to deliver CIPAV, but CIPAV itself might not run in linux. I suspect that the FBI will have written a linux-compatible CIPAV after the quoted incident. Probably a bash or perl script so they don't have to worry about different architectures.
On a side note, there was probably some good porn on that page for the hacker to load it 30 times.
I don't know if that's a good enough defense. TFA says that the laser sniffing method is "analyzing the spectrograms of frequencies from different keystrokes." Once you've got a signature for each key and a large enough typing sample, your problem is reduced to a simple substitution cipher.
If you're going to do it right, then you might as well run sshd on your wireless router and enforce traffic tunneling.
Oh, and make the router's sshd key-authentication only.
...better throw a port knocker on that bad boy, too.
...and make the port knocker's socket combination based off of a one-time pad.
...which was generated using diceware or a hardware random number generator.
...and send the encrypted data packets across a short wave signal like a numbers station rather than using 802.11whatever.
Or you could just realize that wireless is designed for convenience, not security. If someone's going to go through the trouble of using their GPUs to crack your key, then you've already got an adversary sophisticated enough to warrant the use of wired ethernet and a secure facility.
GUIs suck [...snip...] Scripting is your friend here.
If you're using some proprietary something-or-other that has a GUI but no command line interface, you could try wrapping it with a command line GUI test tool. I've done this with Perl and Win32::GuiTest. I'm sure your language of choice has something similar.
I'm a relatively young guy, so my first experience with a buckling spring keyboard was when I bought one of these Unicomp Customizers a year ago. The responsiveness is terrific! It's hard to convey this in a way that doesn't seem like snake oil, but I feel like it's increased my typing speed and accuracy.
I think I've become spoiled, actually. When I use my laptops' membrane keyboard, it feels mushy in comparison.
While I'm not big on the idea of wireless payment (in this form anyways), the danger of an RFID tag in your wallet being randomly sniffed is almost nothing. This is certainly true now, but there's also no incentive to go the extra mile for RFID tag reading. Don't you think that making credit card info available on the airwaves would encourage more sophisticated RFID readers?
I've heard stories of thieves putting fake mag-stripe readers on top of ATMs, which leads me to think that RFID payment would be a criminal's dream come true.
Re:Please help us improve our documentation.
on
Spying On Tor
·
· Score: 1
Nick,
Tor uses privoxy, right? If you want to be any more invasive about telling people the privacy risks, simply redirect the first HTTP request of each session (once per boot) to a page displaying this info with a checkbox to disable it. That's the closest you can get to make people RTFM, but I'm inclined to leave the behavior as it stands now.
Why not just say anyone of middle-eastern descent is automatically a threat?
I think that's what they are saying. Or, at least, the articles are saying that they profiled people who bought foods that Iranians eat. From the CNET article:
The program, however, was short lived and was quickly "torpedoed by the head of the FBI's criminal investigations division, Michael A. Mason, who argued that putting somebody on a terrorist list for what they ate was ridiculous -- and possibly illegal."
Don't worry, though. Our hero, Mr. Mason, saved the day.
You know, another thing that I thought about after I posted this was that the RIAA, MPAA, or whoever is suing to protect their copyrighted works could use gov't investigation from this bill as the basis for their own civil suit. Not only do you get stung with whatever civil suit the gov't hits you with, but the RIAA can try and get their standard $250k/infringement once the gov't has won their case (Although the bill says that damages from a second suit would be reduced by the amount awarded by the first suit). This bill is quite a beast, ain't it?
it makes me wonder if we've missed something about this
bill that makes it not quite as bad as it sounds - Like capping liability
at some absurdly low level ("Yup, ya got me, will you take a check or
should I just pay the $20 fine in cash?")
If it's there, I don't see it. Let me point out section 506a of this chunk o' legislation:
(b) OTHER REMEDIES -
(1) IN GENERAL - Imposition of a civil penalty under this section does not preclude any other criminal or civil statutory, injunctive, common law, or administrative remedy, which is available by law to the United States or any other person.
Of course, anything subversive that Leahy might put in there to protect infringers might require a closer look. I wouldn't count on it, though.
I'll have to give it a shot. I'm really surprised that out of the legions of nethack players, nobody's actually interested in playing a multiplayer variant. I suppose it's tough to cry out from atop the mountains when everybody's playing WoW and similar fancy-pants games. Boo.
That's true, but specifically I'm interested in roguelikes (like nethack), not zork-style text games. I've tried various text MUDs and none of them have captured my interest like a good game of nethack. Maybe it's the concrete structure of a top down map that I like, I dunno.
This is slightly off topic, I know, but has anyone tried out mangband (multiplayer angband)? The idea of a MMORoguelike strikes me as freakin' awesome, but the servers seem so empty from a cursory look. At least my wife and I could be playing co-op angband even if we're the only people on the server.
I don't think that sites like Facebook are "profoundly changing our ability to keep our private lives private." Rather, they're changing our ability to make our public lives more public. This is an important distinction, since these social sites make it quite clear by design that you are sharing your information with your friends and acquaintances. If people really wanted to keep the fact that they got smashed and rode horseback on their friend private, they'd just open up notepad and type away. Instead, they decide to broadcast that on a social website so their friends can see their drunken antics. Don't take this to mean that I condone the practice of Facebook employees (or gov't agents for the tin-foil hat crowd) browsing private profiles. There is an implication of semi-privacy if I set my profile to be viewable by friends only. If a potential employer sees Johnny McDrunkeverynight's public pictures and decides not to hire Johnny, fine. Maybe he shouldn't have used the megaphone (social websites) to broadcast his machismo.
Um... Not to side track. That is just a bad security practice. If you need to give your coworker rights to your computer, you give him rights to log into that work station with his name and password.
That's a good point. I'll admit, I've only done this once and I should probably be slapped for my laziness.
It's tough to imagine hand-drawn passwords becoming much more popular than USB fingerprint readers. True, they increase security over standard text passwords, but how am I supposed to give a throwaway password to a coworker so that he can use my machine while I'm on vacation? The only thing that would make this more ubiquitous than fingerprint readers is the fact that you can use pre-existing touch screen or stylus interfaces as described in the article. In my opinion, this technology won't be able to fill the needs of anything more than a niche market. Nor will people need more than 640K RAM.
Slashdot Mirror
Yes, this is a weakness. Hopefully multiple alphabet soup agencies from different countries will get this idea and end up competing with each other. An arms race of diminishing returns to get a bigger chunk of the Tor network just means we'll have plenty of free Tor bandwidth on the gov't dime.
Protip: You can edit the Tor config or source code to pick geographically diverse nodes yourself.
Apologies about the "hacker" faux pas.
Anyway, you might be right about the cracker coming back with a honeypot. I wish I was a fly on the cracker's wall so I could see how this played out.
As far as gov't grey-hats go, there is definitely a turf war between agencies. Hell, even the Air Force wants a piece of the pie. God help us all!
In a separate February 2007 Cincinnati -based investigation of hackers who'd successfully targeted an unnamed bank, the documents indicate the FBI's efforts may have been detected. An FBI agent became alarmed when the hacker he was chasing didn't get infected with the spyware after visiting the CIPAV-loaded website. Instead, the hacker "proceeded to visit the site 29 more times," according to a summary of the incident. "In these instances, the CIPAV did not deliver its payload because of system incompatibility."
Seems like the FBI exploits browser vulnerabilities a la the Pwn2Own contest in order to deliver CIPAV, but CIPAV itself might not run in linux. I suspect that the FBI will have written a linux-compatible CIPAV after the quoted incident. Probably a bash or perl script so they don't have to worry about different architectures.
On a side note, there was probably some good porn on that page for the hacker to load it 30 times.
I fell for it, too. I bet there isn't one. ;)
Ditto! Achievement unlocked!
Nah. The trick is to memorize a 4096-bit RSA keypair and encrypt your typing.
I don't know if that's a good enough defense. TFA says that the laser sniffing method is "analyzing the spectrograms of frequencies from different keystrokes." Once you've got a signature for each key and a large enough typing sample, your problem is reduced to a simple substitution cipher.
I'd be wondering why a child was playing on the freeway in the middle of nowhere.
How about: "what do you think would happen if a ball rolled out into the street in front of your car, followed by a laughing deer?" ;)
If you're going to do it right, then you might as well run sshd on your wireless router and enforce traffic tunneling.
Oh, and make the router's sshd key-authentication only.
...better throw a port knocker on that bad boy, too.
...and make the port knocker's socket combination based off of a one-time pad.
...which was generated using diceware or a hardware random number generator.
...and send the encrypted data packets across a short wave signal like a numbers station rather than using 802.11whatever.
Or you could just realize that wireless is designed for convenience, not security. If someone's going to go through the trouble of using their GPUs to crack your key, then you've already got an adversary sophisticated enough to warrant the use of wired ethernet and a secure facility.
GUIs suck [...snip...] Scripting is your friend here.
If you're using some proprietary something-or-other that has a GUI but no command line interface, you could try wrapping it with a command line GUI test tool. I've done this with Perl and Win32::GuiTest. I'm sure your language of choice has something similar.
Couldn't they require that bicycles have license plates, too? Bicycles are already considered vehicles and must obey traffic laws when mounted.
(I commute 11 miles to work on a bicycle, by the way.)
[citation needed]
I'm a relatively young guy, so my first experience with a buckling spring keyboard was when I bought one of these Unicomp Customizers a year ago. The responsiveness is terrific! It's hard to convey this in a way that doesn't seem like snake oil, but I feel like it's increased my typing speed and accuracy.
I think I've become spoiled, actually. When I use my laptops' membrane keyboard, it feels mushy in comparison.
I've heard stories of thieves putting fake mag-stripe readers on top of ATMs, which leads me to think that RFID payment would be a criminal's dream come true.
-> SOTIAC - Stay on topic! Tit's a checksum.
<- NAK
Nick, Tor uses privoxy, right? If you want to be any more invasive about telling people the privacy risks, simply redirect the first HTTP request of each session (once per boot) to a page displaying this info with a checkbox to disable it. That's the closest you can get to make people RTFM, but I'm inclined to leave the behavior as it stands now.
I think that's what they are saying. Or, at least, the articles are saying that they profiled people who bought foods that Iranians eat. From the CNET article: Don't worry, though. Our hero, Mr. Mason, saved the day.
You know, another thing that I thought about after I posted this was that the RIAA, MPAA, or whoever is suing to protect their copyrighted works could use gov't investigation from this bill as the basis for their own civil suit. Not only do you get stung with whatever civil suit the gov't hits you with, but the RIAA can try and get their standard $250k/infringement once the gov't has won their case (Although the bill says that damages from a second suit would be reduced by the amount awarded by the first suit). This bill is quite a beast, ain't it?
I'll have to give it a shot. I'm really surprised that out of the legions of nethack players, nobody's actually interested in playing a multiplayer variant. I suppose it's tough to cry out from atop the mountains when everybody's playing WoW and similar fancy-pants games. Boo.
That's true, but specifically I'm interested in roguelikes (like nethack), not zork-style text games. I've tried various text MUDs and none of them have captured my interest like a good game of nethack. Maybe it's the concrete structure of a top down map that I like, I dunno.
This is slightly off topic, I know, but has anyone tried out mangband (multiplayer angband)? The idea of a MMORoguelike strikes me as freakin' awesome, but the servers seem so empty from a cursory look. At least my wife and I could be playing co-op angband even if we're the only people on the server.
I don't think that sites like Facebook are "profoundly changing our ability to keep our private lives private." Rather, they're changing our ability to make our public lives more public. This is an important distinction, since these social sites make it quite clear by design that you are sharing your information with your friends and acquaintances. If people really wanted to keep the fact that they got smashed and rode horseback on their friend private, they'd just open up notepad and type away. Instead, they decide to broadcast that on a social website so their friends can see their drunken antics. Don't take this to mean that I condone the practice of Facebook employees (or gov't agents for the tin-foil hat crowd) browsing private profiles. There is an implication of semi-privacy if I set my profile to be viewable by friends only. If a potential employer sees Johnny McDrunkeverynight's public pictures and decides not to hire Johnny, fine. Maybe he shouldn't have used the megaphone (social websites) to broadcast his machismo.
It's tough to imagine hand-drawn passwords becoming much more popular than USB fingerprint readers. True, they increase security over standard text passwords, but how am I supposed to give a throwaway password to a coworker so that he can use my machine while I'm on vacation? The only thing that would make this more ubiquitous than fingerprint readers is the fact that you can use pre-existing touch screen or stylus interfaces as described in the article. In my opinion, this technology won't be able to fill the needs of anything more than a niche market. Nor will people need more than 640K RAM.