Slashdot Mirror


User: muckracer

muckracer's activity in the archive.

Stories: 0 · Comments: 767

Comments · 767

  1. Re:why isn't this the default during user setup? on Encryption? What Encryption? · · Score: 1

    > I've often wondered why when you are setting up your user account on a box,
    > and it gets to the part with setting up email, it didn't give you a chance
    > to generate or import public/private keys right there and then upload the
    > public to a server.

    If you install the Enigmail plugin for Thunderbird it'll do just that during
    first access.
    But I agree with you...none of this stuff comes as default and I truly wonder
    why myself. Not one distro installs on encrypted partitions by default (though
    most have the options available), no e-mail setup treats key creation and
    subsequent usage as a matter of course etc. pp.
    We need the same kind of mindset as when we switched over to shadow passwords
    or when distros still running a telnet server by default instead of SSH were
    regarded as seriously out-of-date and insecure.

  2. Re:Distress Keys and Images on Encryption? What Encryption? · · Score: 1

    > Why encrypt everything, though? Keep a secure volume with the distress key
    > setup. Nobody cares about accessing your encrypted directX9.dll, or whether
    > it's your real one or the "fake" one. They care about your data.

    The main reason for encrypting everything (with the exception of /boot) is to make
    tampering with system files and/or the crypto software itself harder. If
    someone can simply swap your Truecrypt or LUKS executables with a trojaned
    version, that conveniently saves your passphrase the next time you log in,
    then your data too is compromised. If the executables themselves are hard to
    get to, this stunt is pretty hard to pull off.
    Still doesn't address hardware keyloggers, Tempest attacks, leakage of key
    presses/passphrases through power lines, cameras in the ceiling fan etc. But
    then...as we all know security is not one solution for everything but a
    framework. It never makes you "secure"...it only makes you less unprotected and
    vulnerable at best.

  3. Re:Huh? on Encryption? What Encryption? · · Score: 1

    > If I lived in such a regime, I'd have no problems killing any police who
    > came to my house or that of my neighbor(s), warrant or not.

    If you lived in such a regime you wouldn't have anything to fire with, as any
    kind of private gun ownership would have been among the first things outlawed.
    Ditto for crypto.

  4. Re:Huh? on Encryption? What Encryption? · · Score: 1

    > This is because the GSM encryption is crap, which is due to design
    > constraints from the time way back when the standard was written. The main
    > reason to have encryption there at all is to keep honest people honest (the
    > call routers have wiretap capability anyway) and to appease people's privacy
    > concerns (remember those unencrypted & analog cordless phones...)

    > The real joke is that in many places the LOS microwave links between the
    > basestations are not encrypted...

    I am still amazed that with all the apps people even pay for and advances in
    raw computing power of (cell) phones no simple open-source end-to-end crypto
    app has appeared on the horizon. Still all cryptophones are proprietary and
    mad expensive. Would love to see the EFF etc. funnel some donations into
    sponsoring work for enabling people to protect themselves and their
    conversations.

  5. Re:Adobe needs a new CEO. on Adobe Flash Cookies Raising Privacy Questions Again · · Score: 2, Informative

    Actually found one:

    Bleachbit - http://bleachbit-project.appspot.com/

    Open-Source and for Linux and Windows.

    Still would love to find a command-line version of something like it to run on shutdown and/or from cron.

  6. Re:All i can say is on Adobe Flash Cookies Raising Privacy Questions Again · · Score: 1

    > The version on the Firefox addon site is not the latest. I got 1.41 at [...]

    For me, the most important feature of the new version is the integration of LSO removal in the regular "Clear History when Firefox closes" config options. Simply check it there and LSOs get deleted on browser exit like they should be.

    Speaking of which: FF 3.5+ got rid of the option to show the Clear History window on exit. I liked having it there simply to see it in action and also to override certain defaults when desired. Is there a way to turn it back on?

  7. Re:Adobe needs a new CEO. on Adobe Flash Cookies Raising Privacy Questions Again · · Score: 1

    > Thanks for the link! Note: That does not clean multiple installations of Opera, or clean other browsers.

    Agreed...great extension but limited. What we need is something like CCleaner for Linux. Anything out there like that?

  8. Re:point of sale systems? on AMD Releases 2 Low-Power 64-bit Processors · · Score: 1

    Cables I figured...was looking for the Multiseat thingie. Thanx for the tip!

  9. Re:point of sale systems? on AMD Releases 2 Low-Power 64-bit Processors · · Score: 1

    > They have 5-10 computers running off of a single quad core machine.
    > All you can do is browse the internets and the card catalog, but everything
    > is setup with 10 keyboards and 10 monitors and 1 CPU.

    How do the keyboards, monitors and presumably mice connect to the one machine?

  10. Re:servers on AMD Releases 2 Low-Power 64-bit Processors · · Score: 1

    > nettop

    What's a nettop?

  11. Re:A few predictions on Music Labels Working On Digital Album Format · · Score: 1

    > [FLAC] allows you to break it [large flac file + cue sheet] up into individual tracks.

    Please tell me how to do this...I've never gotten that to work.

    And anyone having the issue that ripping a CD in K3B as large FLAC w/cuesheet doesn't let you skip to specific songs in the album when played in Amarok? Some albums strangely work just fine, others I can only play the whole damn thing :-/

  12. Re:"strong password policy" is NOT the solution on Poor Passwords A Worse Problem Than Poor Antivirus · · Score: 1

    > They can no more remember complex passwords than they can multiply three digit numbers in their heads.

    I believe the only reasonable requirement for a 'good password' is length. Such as at least 20 characters long, but user decides what exactly it is. Get rid of UPPER case, lower case, numbers etc. requirements.

    Password expiration I wouldn't completely remove, but make it reasonably long depending on environment. Say one year for a typical office setting/login. Less for fear of brute-force attacks but more to limit the potential proliferation of written-down passwords across multiple Post-Its/Locations as time goes by.

  13. Re:The Article is poor.... on Poor Passwords A Worse Problem Than Poor Antivirus · · Score: 1

    > the real issue is those stupid "what's your mother's maiden name" password bypasses.

    If I am forced to fill them in (some sites have them optional in which case I leave them blank) I treat them as another password.
    So my dog's name is, of course, M1yYnjkD. Works well and securely and even on the dog-playground nobody understands WTF I am calling out. Unfortunately neither does the dog :-/

  14. Re:Poor passwords in TV shows on Poor Passwords A Worse Problem Than Poor Antivirus · · Score: 1

    >> Imagine a man sitting at a terminal. Breaking 128-bit SSL. With a gun to his head. Getting a blowjob.

    > Greatest Slashdot Porn, Ever!

    I believe an actual scene from 'Swordfish'. And yes, Mr. Freud, I almost DID write 'Blowfish' :-P

  15. Re:Poor passwords in TV shows on Poor Passwords A Worse Problem Than Poor Antivirus · · Score: 1

    > Script writers do that for a very good reason: timing considerations.

    I loved that in "24": "Give me the Internet password(s) for [telephone number of Jack's daughter]" and voila! 'Lifesucks', I believe it was :-)

    Which made me think though: If I was working for No Such Agency such a system is exactly what I'd implement. Across the board. World-wide. And...the paranoid in me says, they think...or have thought already alike :-/ Which would mean, at least every account login used via HTTP is already stored for easy reference if the need for it should arise. Perhaps HTTPS too since they can't have too hard a time having a nice MITM cert your browser happily accepts...

  16. Re:Password Policies on Poor Passwords A Worse Problem Than Poor Antivirus · · Score: 1

    > I used to stick post its with things that weren't my password on the underside of the desk drawer.
    > I'd write sloppy and deliberately ambiguous too, so whomever found them would have to make several
    > tries to test all combinations of what it could be.

    This would make a great kill-switch setup for, say, a laptop. Put a Post-It on the bottom with trap-password, which would activate a routine of your choice if entered (by thief or similar)...

  17. Re:It's all down to ridiculous password rules... on Poor Passwords A Worse Problem Than Poor Antivirus · · Score: 1

    > The trick is to type from memory and only use a note/password manager to refresh it, not copy.

    But why? For one pw I can see that...if you have 30 of them copy/paste is a lot faster and easier.

  18. Re:Sunflowers aren't so bad on Poor Passwords A Worse Problem Than Poor Antivirus · · Score: 1

    > If I was a dick, I could get probably 90% of my colleagues' secret PIN codes just by asking them.

    I'd wager you'd have a much better chance of obtaining your 90% if you *weren't* a dick ;-)

  19. Re:Did anyone notice the cost? on Teen Killed At Chinese Internet Addiction Camp · · Score: 1

    > people in china can only have one kid

    Depends on where they live. Apparently in rural areas they can have two.

    "Please proceed with your numbered ticket to the next available child-approval agent!"

  20. Re:Hrm. on Teen Killed At Chinese Internet Addiction Camp · · Score: 1

    > "Reportedly it was for not being able to run fast enough."

    I told him to press Shift...but NOOOoooooooo!

  21. Re:Did anyone notice the cost? on Teen Killed At Chinese Internet Addiction Camp · · Score: 1

    > FTA: "Deng Fei paid the camp 7,000 yuan ($1,024) for one month of training."

    I wonder if he's gonna get a refund now...:

    "Dear Sir,

    due to lesser than anticipated expenses regarding the training of your son we're very happy to confirm an immediate charge-back of 6947 Yuan (7000Y - 50Y/1 day lodging - 2Y/wooden stick - 1Y/floor-cleaning solution) to your credit card. To adjust for certain inconveniences we'd further like to send you these '50% OFF' attendance vouchers which your other children can take advantage of. We'd love to have them stay with us so they too may learn the great values of not being exposed to the gore and violence places like the Internet press upon their helpless bodies and minds.

    Thank you for your continued patronage!

    Sincerely,

    The Boot Camp - Success guaranteed!(TM)"

  22. Re:Caizen is actually spelt with a K on KDE 4.3 Released · · Score: 1

    Konkur kompletely!

  23. Re:Another advantage for TPM chips... on Entropy Problems For Linux In the Cloud · · Score: 2, Insightful

    > There's no reason the host can't export that same /dev/random to the guest;
    > certainly to ensure there is sufficient entropy on startup.

    Wouldn't the low-budget solution to this entire issue be the simple deferral of SSH key creation and the like for a few minutes past the initial boot-up?

  24. Re:Big problem, but addressable on Entropy Problems For Linux In the Cloud · · Score: 1

    > The nice thing about Linux is that you can develop whatever entropy-producing process you want
    > and write its output to /dev/urandom to add more entropy to the pool.

    Anyone know what OOTB processes/programs and/or events do in fact seed /dev/random?

  25. Re:A legacy of colonialism on New HIV Strain Discovered · · Score: 1

    > one day they will mutate into a super aids that is airborne

    Will give swine flu a whole new meaning...