Research like that can lead to all sorts of sticky situations.
Quote: Just the fact that we can observe such a dramatic event is awe-inspiring.
I find the ever-increasing application of computing power to analyzing these sorts of problems, coupled with the incredible global communications flexibility we have today, to be pretty awe-inspiring. We've come a long way from dialing into BBSes; I can't wait to see what the next 10 years brings for research.
If you want to relate to the masses, instead of assuming everyone who might be interested in your work has a degree in astrophysics, you might compare your research to fictional works easily recognized in society.
I filtered my model through the catch-phrase generator one more time, and realized I forgot all about:
1. Paradigm Altering Conditions
2. Social Discordance Trends
3. Micro-Economy Utilization Vectors
Thanks for the feedback! I feel much better now.
Whether applications and data predominantly reside on servers controlled by corporate entities may be asking the wrong question. Considering the exponential increase in Internet-connected devices, coupled with increased processor power and bandwidth attached to single devices, the very definition of "server" may be about to change. Let IPv6 get rolled out on a massive scale, and the line between what's a server and what's a client device may become extremely blurry. This creates an environment ripe for the development of new client layers and application models, operating on a much more distributed scale than we're seeing now.
In other words, take the Google model of massively distributed computing and apply it to the whole ecosystem of net-enabled devices. The future will probably be a lot weirder than we think.
I completely agree. Of course, I also think that everything should be legalized, across the board. It's nobody else's business what one person puts in their body, until that person commits a crime represented by the principle of direct harm. Of course, that's a seriously libertarian stance (card-carrying libertarian here), and a lot of people don't share my view. In my opinion, drug testing should still be required of elected officials, military personnel (I'm active duty Navy), and police... should be optional for private employment, but the act of using any drug should not in and of itself be illegal. Mind you, I'm also not willing to pay for overdose victims' hospital bills...
See this post.
After that, please start using strong crypto to encipher your communications. I do.
Since an apathetic public stopped actively monitoring and caring about what their elected officials were doing... oh, wait...
To quote: "Democracy is a system of government wherein the people get no better than they deserve."
Let me put a different spin on things. I somehow doubt Martin Luther King, Jr. walked around thinking the federal government wasn't keeping tabs on him; his convictions were strong enough that he didn't care if he was being monitored. Is anonymity important? Hell, yes. Is anonymity a reasonable expectation when you're engaged in public protest? Fuck, no. If you're willing to publicly state a position on a volatile issue of any nature, you had better be prepared to be watched by the masses and the feds. If your personal conviction in your position isn't strong enough to support that, you should probably avoid speaking publicly. The masses make a huge deal of demanding transparency in the lives of their elected officials... why should an outspoken citizen who garners public attention with his views be any different?
I'm hoping you meant this as a "funny" comment. If you didn't, continue to the following reply...
Gotta call bullshit on this one; political protesters aren't exactly difficult to find. There's a couple of guys who post up outside my base every morning with signs, for example. The point of protest is (usually) to make your position known in as public a manner as possible.
You missed my point, which is simply this: The "establishment" (whoever they are) isn't staying on top of the game through these programs; they're of little to no actual use when it comes to combating large-scale illegal operations. See my other post regarding augmenting human intelligence programs.
There are no drugs in this country. Anyone who tells you any different is lying. The War on Drugs was won in 1998 after a long, determined effort on the part of various federal and state agencies. If you persist in spreading rumors of the existence of illicit substances in this country, you will be asked to report to your local Reeducation Center for instruction. Thank you!
Mod parent funny, but it kinda makes a point. Job security for both sides, if you think about it, since it's going to be largely ineffective at nabbing anybody serious but it does pay the rent for the dudes listening in. If we're gonna spend money on monitoring programs, I'd like to see some of that government-issued rent money going to a larger pool of field agents out there gathering real intelligence.
Waterboarding Gonzales would be viewed as a civil rights violation, while waterboarding other suspects would be viewed as... ummmm... so a funny thing happened on the way to work this morning.
Come on, now. The seriously bad dudes out there running major operations aren't (usually) dumb enough to pick up the phone and chat away about their to-do lists. I'd think the use of commodity encryption software and computers has probably replaced a lot of insecure communications channels for these people, leaving the feds to pick up the low-hanging fruit. Sure, you might nab man number 137 on the totem pole o' dealers through a wiretap, but you're not going to be troubling the guy at the top of the food chain.
I'd imagine this applies to all sorts of bad guys, whether they're slinging coke by the truckload or plotting terrorist acts. That begs the question: what's the real value of these surveillance programs?
Newspapers across the U.K. are reporting a new ban on excessively long fingernails, citing a recent rash of nasty scratch wounds inflicted by angry school children.
Dude, you don't "implement" SAP. There's only a never ending process of "implementing" SAP. It's kinda like a bad rock band that refuses to retire; the hits just keep on rolling, along with the heads of anyone who dares question the project's merit.
Quote: And who wins? HP of course.
HP does indeed win, but I have to say I never thought I'd see the day when HP offered Linux over HP-UX on their servers. That alone is as significant as IBM's push on selling Linux-based server systems when they own AIX. Things have really changed, for the better I think.
Sure, those options work, but I think you overlooked one of the most obvious solutions. If you're running a business that depends on a Linux-based solution, and you encounter a bug that seriously degrades your platform's stability, you always have the option of hiring a programmer to develop a patch.
Of course it runs NetBSD
I understand the premise of what you're saying, but you're not quite right on this. DNS poisoning is only a problem if the client software (web browser) has a vulnerable implementation of SSL validation (modern browsers do not suffer from such a problem). To quote an excerpt from a security bulletin detailing a weakness in Netscape 4.7 series SSL validation routines (source: http://www.ciac.org/ciac/bulletins/k-040.shtml):
------- BEGIN QUOTED SECTION ----------
A simple attack (called web-spoofing) on this system is to attack the DNS server and "poison" its entry for www.e-bank.com with attacker's IP address 99.99.99.99. Attacker sets up a web server at 99.99.99.99 that web-wise looks exactly like the original www.e-bank.com server. User trying to connect to www.e-bank.com will now instead connect to the attacker's server and provide it with his one-time password. Attacker's server will use this password to connect to the real server at 100.100.100.100 and transfer all of the user's money to his secret Swiss bank account;-).
This attack is successfully disabled by using SSL protocol. In that case, when browser falsely connects to www.e-bank.com at 99.99.99.99 rather than to 100.100.100.100, attacker's server must provide a valid certificate for www.e-bank.com, which it can't unless the attacker has stolen the secret key and the certificate from the real server. Let's look at three possibilities:
1) Attacker could issue a certificate for www.e-bank.com himself (on his own CA). That wouldn't work since his CA is not trusted by user's browser.
2) Attacker could use a stolen expired key and certificate (those are often not protected as strongly as valid ones since one could think they can't be used any more). That wouldn't work since browser will notice that certificate is expired.
3) Attacker could use a valid key and certificate for some other site (e.g. www.something.org). That wouldn't work since browser will accept only valid certificates for www.e-bank.com.
It would seem that this problem of web-spoofing is successfully solved with SSL certificates.
------- END QUOTED SECTION ----------
Again, SSL effectively blocks against the majority of reasonably effected spoofing problems these days, as long as (1) large primes remain hard to factor, and (2) client SSL libraries are well written.
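The three possibilities listed in the quoted bulletin, as an added example that is not part of the original comment or the bulletin: Go's standard `crypto/x509` verifier is run against in-memory certificates for the genuine server and for each attacker option, with a trust store holding a single CA. The CA names, serial numbers and validity dates are constructed for the demonstration, and the helper names `issue`, `check` and `runScenarios` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue creates a constructed test certificate for name; a nil parent yields a self-signed CA.
func issue(name string, serial int64, notAfter time.Time, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter, BasicConstraintsValid: true}
	by := &tls.Certificate{Leaf: tmpl, PrivateKey: key} // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.KeyUsage, by = []string{name}, x509.KeyUsageDigitalSignature, parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, by.Leaf, &key.PublicKey, by.PrivateKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &tls.Certificate{Leaf: cert, PrivateKey: key}
}

// check validates leaf for host the way a browser would and reports which check fired.
func check(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return fmt.Sprintf("%T: %v", err, err)
	}
	return "accepted"
}

// runScenarios verifies the genuine certificate, then the bulletin's three attacker options.
func runScenarios() []string {
	host := "www.e-bank.com"
	ok, old := time.Now().AddDate(0, 6, 0), time.Now().AddDate(0, 0, -1)
	trusted, rogue := issue("Trusted CA", 1, ok, nil), issue("Attacker CA", 2, ok, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trusted.Leaf) // the browser's trust store holds only this CA
	return []string{
		check(issue(host, 3, ok, trusted).Leaf, roots, host),                // genuine server
		check(issue(host, 4, ok, rogue).Leaf, roots, host),                  // 1) attacker's own CA
		check(issue(host, 5, old, trusted).Leaf, roots, host),               // 2) expired certificate
		check(issue("www.something.org", 6, ok, trusted).Leaf, roots, host), // 3) another site's cert
	}
}

func main() { fmt.Println(strings.Join(runScenarios(), "\n")) }
```

Each rejection comes from a different check (chain of trust, validity period, hostname), which is why a client library that skips any one of them reopens the spoofing path the bulletin describes.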
This reminds me of an old quote:
"Democracy is a system of government under which the people are governed no better than they deserve."
Block ciphers can be used to encrypt/decrypt any data stream, including generic file I/O operations; there is no reason you should think of tape storage media as any different from any other type of media. The advantages of tapes for backup purposes include portability and high data density at relatively low cost. Nothing about tape backup requires storage of the items being written in "plaintext." To the operating system, it's another device (albeit with a different driver interface).
I'd be astonished if the software in question didn't support tape backup devices.
You make the assertion that this software won't encrypt the backups. Please answer the following questions:
1. What are your sources for that assertion?
2. Have you personally used the software?
3. Have you seen this page?
Next time, please think before posting. If you're 100% sure your original statement is valid, I'll gladly stand corrected and eat a healthy slice of humble pie.
Actually, the problem would be solved on a per-site basis by using SSL to communicate with the browser. Trouble is, SSL certificates cost money (unless you're willing to go with a self-signed cert, which causes user issues), and require an IP address dedicated solely to that site. Both factors significantly reduce the likelihood of SSL implementation by the majority of web sites on the Internet today. Would you suffer the cost and inconvenience of making your site run over SSL, and only SSL?
With regard to message signing, yes, it's entirely possible to encrypt a web page with a PGP cert, but in reality that's just not practical. Are you going to digitally sign every page in your blog and rely on users to verify the signature? The bottom line is that ISP modification of content in-transit is unethical, underhanded, and undermines the very core of the values that the Internet was built on. I don't give two damns about Rogers Cable's "experimental" approach to customers; if I were a customer of theirs, I'd be taking my (Canadian) dollar elsewhere in a hurry.