I disagree. Some security solutions can also increase convenience. Single sign-on solutions, for example... sure, you're putting all your eggs in one basket, but that basket is padded and steel-reinforced.
Kerberos-like authentication also increases both security and convenience to the end-user (for reasons similar to single sign-on).
Of course, you can get in serious trouble for not revealing the key to your encrypted data, as Jamie Zawinski briefly mentions in his really bad attitude page (where he discusses the fact that he had to release the contents of a private mailing list due to a Netscape legal case).
Firewalls only offer perimeter protection. Host security is still extremely important. According to the last information I saw on attack origins, most security compromises still come from inside the victim's own network (from disgruntled employees, snoops, etc.). Those aren't the compromises we hear about, because they rarely involve public things like defacing public web sites, and most organizations aren't very quick to brag that they've been compromised.
As I'm sure you're aware, the telnet debugging flag is unimportant, since the ability to modify that flag implies local administrative access. That same access facilitates a simple keystroke-logging code change to the secure-shell client.
The significant difference (again, as you're obviously aware since you mentioned the same issue with FTP) between secure-shell and telnet is that the data is encrypted when it travels over the network (as opposed to telnet traffic, which is cleartext and can be sniffed).
So far I'm supporting your original statement that you are subject to the security of remote systems... but the risk can be reduced dramatically with some forms of token-based authentication. One-time pads might help too.
I have not read the referenced article, but this is in response to the tongue-in-cheek comment (in the slashdot blurb) regarding information destruction as a means of securing information. I understand that it's a joke, but it reflects the currently dominant mindset that security is all about confidentiality of information.
Information confidentiality is not information security. Confidentiality is only one aspect. Integrity and availability of information are also important -- often much more important than confidentiality.
Look at slashdot itself for an example. How important is data confidentiality? Ok, there are some passwords people could steal, but they're not significant by themselves -- they're only meta-information. Why are the passwords important? They don't protect confidential information -- they guard the integrity of authorship. To slashdot, integrity is more important than confidentiality. (Of course, there's the issue of true identities... but slashdot could only provide clues.)
How severely would a denial-of-service attack impact slashdot's business? Very completely. An effective denial-of-service attack would completely disrupt slashdot's business.
As far as I can tell, availability is slashdot's (and many other organizations') most important information security consideration. Confidentiality is the least important of those three information security categories (availability, integrity, and confidentiality).
Most information is not confidential, so in most cases, integrity and availability of information are the top priorities.
Many of the severe threats to information security throughout history have been its destruction and/or modification, and many historically significant compromises to confidentiality are now viewed as desirable increases in the availability of the affected information. Confidentiality is (as is illustrated to an extreme in George Orwell's "1984") also extremely important, but it's not the only consideration in information security.
As stated previously, you (as a computer user) are not compelled to subject yourself to a computer following specific software instructions. You are able to directly select/create the instructions for your computer. You have much less influence in selection/creation of instructions for the judicial system to which you are subjected. This is where the analogy breaks down.
Let's give proper credit. For once, Microsoft has NOT perverted the standard. They have used a field in the way the RFC described. I believe the RFC actually states that the field is free-form, and that its contents should be defined by the application.
The complaint against Microsoft regarding this issue is that their specific use is a secret.
This is a fairly creative move on Microsoft's part. From appearances, they have fully embraced the standard and have followed it to the letter.
They simply chose to keep a secret.
Why can't Microsoft keep a secret? Sure, it's annoying, but is it illegal or morally/ethically wrong? I don't know. I'm biased, so it seems wrong to me.
I don't think it benefits consumers. It is a barrier to interoperability. It is unlikely that this single secret required a significant amount of research and development, except maybe to identify it as a strategic thing to keep secret.
It won't take long for someone to reverse engineer it or pry the information out of Microsoft, but in the meantime everyone is going to appear to be lagging behind Microsoft in the W2K-compatible server arena, and Microsoft will gain market share. It is unlikely that the DoJ will be able to reverse that.
Regarding traceroute... there is no "right" way to traceroute. Traceroute is a hack. It was not designed into IP. It simply uses conveniently available IP capabilities to accomplish its goal.
Even IF Microsoft's traceroute is not the same as others, their implementation hasn't failed me... so I find any implementation difference to be far less annoying than the fact that they called it "tracert.exe" instead of "traceroute.exe".
None of the operating systems on which "tracert.exe" ships are restricted to 8.3 filesystems. Maybe it's cuz of the ISO9660 filesystem. Whatever the case, it's annoying.
Hmm... I seem to be drifting here... wheee! [submit]
At the risk of stating the obvious... I think this financial burden should be taken on by some of the companies that are making money on open source. Not only would this be great PR for them, it seems like the right thing to do.
And once you bring back your self-destructed disk to the company, what then? They pay you your $3 for being a good, environmentally friendly person, then chuck the disk out due to the fact it is totally useless.
Refer to my original post, where I prefaced the thought with "If it is possible to recycle the materials cost-effectively." I'm talking about the RAW MATERIALS here. Melt down the disc and make another disc, or a cup, or an artificial appendix, or whatever. You wouldn't even have to worry about damaging the disc, as long as you returned the materials in a form that could be recognized as a disc.
One possible problem I see is people creating counterfeit discs and redeeming them for more money than it cost to manufacture them. That could be avoided by keeping good records and only accepting discs that had been rented by the customer... or by only giving in-store credit.
If there are cheaply available 'rental' DVDs, along with reasonably cheap DVD-RW/DVD-RAM drives and disks, someone *will* be able to intercept the signal going to the TV, and copy it.
There are already cheaply available rental DVDs in the United States. This technology doesn't change that. Is this not true in the UK?
This scheme is different from DIVX. It is worse. It practically guarantees that the disc will be thrown away. With DIVX there was always that possibility of paying to watch the movie again, or turn the disc into a full DVD. That probably tended to make people keep the DIVX discs around.
Here are some further thoughts, some of which have already been mentioned numerous times:
- If a DVD can be copied cost-effectively, this can be too. It doesn't enable anything new, but it makes it cheaper/easier.
- It may be theoretically possible to remove the opaque layer and "repair" the DVD, but if the opaque layer is between the transparent material and the reflective surface, it would be practically impossible. For some reason, people seem to be assuming that the opaque layer is on the surface.
- This format is more attractive than DIVX to consumers because it does not have the DIVX privacy issues (which is why I opted for DVD instead of DIVX even though DIVX was the same price and included a few movies).
The point I am making here is that this is overall good for the movie business and consumers, so it is likely to happen. What we need to do now is figure out how to keep this from creating a huge amount of waste.
If it is possible to recycle the materials cost-effectively, perhaps a retail price of $6 per disc, with a refund of $3 per disc would reduce the waste. That way people could rent videos for the same price they currently do without having to return them at any particular time, but they would have a good reason not to throw it away. I think this scheme would work well. It is pretty convenient, because you could just bring the movie back when you went to rent another one... and you would (on average) only have the additional cost the first time you rented, because you could use the credit for the old disc to rent a new one.
How many Linux kernel bugs have there been that allowed users to gain root access? How many were fixed between 2.2.13 and 2.2.14? :)
Some high-availability (am I using the right term there?) systems actually have uptime requirements (such as "we can only be offline for ten minutes every month") that make it risky to upgrade with every new kernel. Particularly since new kernels can introduce new bugs.
My point is that it can be irresponsible to upgrade without knowing what the upgrade does, just as it can be irresponsible to not upgrade.
All that aside, not everyone is running mission critical servers. Some people use their computers for fun, and long uptimes can be a source of amusement.
I personally have two systems with long uptimes, and I will not be upgrading them. They're non-critical systems, and not worth messing with. Besides, I like to see how long it's been since the last power failure. :)
It's true that pirates could previously have made bit-for-bit copies of DVDs, but now they can easily decode and recompress DVD video. They could always capture the video, but now it's an all-digital process, the resulting quality of the pirated video can be quite good, and it won't require quite as much hardware as before.
I'm not arguing that this method of protection is good, but I don't think we should be blind to the fact that this opens up a new piracy opportunity.
Hmm... pretty eager to get that first post, eh? The only Quake 3 mention I see is the "icon" for the article... and if you're going to pick on that, you might also want to mention that Linux isn't a penguin.
Maybe the article was edited after posting, but I doubt it.
I think he thought you thought she was hot. Maybe he was parentheses impaired and mistook your comment for a tacky cyber-line... don't you hate when people respond without reading the entire post? (This is not a tacky cyber-line; I'm straight.) Back on-topic... I was thinking I would pass on this Quake iteration, but now that I've heard about the anti-gravity-boobies, I'm thinking maybe it's worth checking out. :)
"Pet Peeve" or "How To Get Your Submission Posted" (on CFP2000, Score: 1)
If you're disinterested in my reasons for thinking the Canada pet peeve is petty, you might want to skip to the "***" section below, where I actually get back on topic.
Since US press will often refer to major US cities without specifying states, I assume your complaint with specifying city/country in the case of Canadian cities is that the US press uses the US as a default country when specifying location.
Is that really it? Seems weak.
As far as your point regarding Americans not taking the time to learn Canada's thirteen provinces... Canada is just another country in the world. Sure, it's on the same continent as the US, but do you know all the provinces (or whatever) of Mexico? I doubt it.
For whatever reason, the States are well-known all over the world. I don't think the same can be said for many other countries.
Further, US people aren't even aware of their own states. Asking them to memorize your provinces (and why shouldn't every country demand the same?) is absurd.
Further still, does the Canadian press list city, province, AND country every time a Canadian location is specified? I doubt it. Does the Canadian press ever simply specify major Canadian cities, omitting the province? I suspect so.
I really think you need to find a better source of stress. (Clearly you're searching.)
*** Here's where the on-topic stuff starts ***
Now I want to voice a pet peeve of my own.
I keep getting the feeling that the obviously biased and uninformed opinions expressed by slashdot "reporters" are not accidental. I think they're manipulating the readers (that's YOU), because they know that controversy creates interest.
By selecting biased/uninformed submissions like this one in which "karma vs Dogma" was indignant about what he/she believes are inflated expense claims relating to cracking, slashdot is hoping to spawn a lot of great free commentary from qualified professionals. As has been pointed out repeatedly, just about any IT professional understands that incident response involves much more than restoring a couple files from a backup.
I don't think I need to go into further detail on this particular article, since other people have already done a fine job, but I think it's clear that one way to get an article posted on slashdot is to submit something obviously wrong about something controversial.
(What ever happened to the fifth amendment?)
I don't see banner ads. I use the Internet Junkbuster Proxy. (It's GPL.)
Regarding the first bullet point, this scheme does not make piracy any cheaper or easier than renting a DVD and copying it.
D'oh! Forgot to terminate that list. I hate that.