Because you seem to have missed part of definition 3, here's the full quote:
to take, get, or win insidiously, surreptitiously, subtly, or by chance: He stole my girlfriend.
I can't remember the last time I saw somebody in court charged with theft of a girlfriend (outside of Saudi or Iran). Nor can I remember any arrests under the definition of "to move, bring, convey, or put secretly or quietly", for gaining a point in a game through strategy, chance or luck, or for "stealing" attention.
Maybe that's because the definitions used in law are not the same as those used in the dictionary. If they were, we could accuse Brad Wardell of being a murderer because he made a quick profit, which is a definition of killing from dictionary.com
The word under discussion is not "steal" though, but "thief". http://legal-dictionary.thefreedictionary.com/Thief
THIEF, crimes. One who has been guilty of larceny or theft.
Look up both larceny and theft there, and you'll see they involve the taking of property. Making a copy of something does not involve removal of the original from the owner's possession.
On the same subject, making a copy does not involve "copyright theft", unless you happen to have taken away the rights of the creator. The way big studios use Hollywood accounting to swindle writers, for instance.
This does leave a slight problem for people who like to rant about piracy though.
either buy it or accept that you're a copyright infringer and quit rationalizing it any other way
doesn't sound quite as good as calling people thieves.
My kids "born with a keyboard in their hands" love to play old Genesis/Mega Drive games and flash based games (on a 1GHz P3) and PS2 games. They want the same thing from their games as I do from mine, and it's not the latest, ultra-realistic graphics. It's decent gameplay. That doesn't always need the fastest hardware.
The PS2 has a clock speed of under 300MHz on the CPU, the Nintendo DS has 2 processors running at 67 and 33MHz. Even the Wii is under 800MHz with 88MB of RAM. None of that prevents good games being written for those systems.
Turns out this is a moot point. Their usage of the word "online" turns out not to mean people playing online, but simple update checks.
In the UK we have the Theft Act 1978 which defines obtaining services by deception as theft. There's probably similar in other countries.
While I agree that having a copy of the game is not theft, obtaining the service from the servers could be.
There is the counter argument though that the act (in the UK at least) requires there to be an understanding that the service has been or will be paid for. If the company knows which copies are pirated then there is no expectation of payment on their part.
I suppose they think we should be allowed to walk into bookstores, take items off the shelves and freely walk out without purchasing. You know. To free up the knowledge.
Oh, you mean like a library?
As you cannot generate the same output for any set of input data with any decent encryption algorithm, the only way to know that "John Smith" is "de9ld933dd9ddd93d9da8080" in the encrypted data is to store an index of username to encrypted value. If the same applies to any other fields you may want to search on, then you are keeping an unencrypted version of the data lying around, and may as well simply search that.
The OP wants the data encrypted at all times, so this won't work.
On that security page, there is only information about authenticating the calling user before doing a delete.
Their actual service does not seem suited at all to encrypted data, as they are pulling keywords and using them to find related documents. If you could even find keywords in encrypted data, matches in other documents might not even decrypt to the same word.
Even an XOR would throw it out. It would only work with a simple substitution cypher.
Say we have the text "this text is about flowers" and the key "some very long key string goes here", we then want to search for "flower".
In the original text, "flower" will be XOR'd against "string". In the search text, "flower" will be XOR'd against "some v".
The URL encoded version of the first is %15%18%1D%1E%0B%15 and the second is %15%03%02%12E%04
You could generate multiple search strings with the position on the key moved by one each time, but this could also generate false hits in the search.
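As an added illustration of the point above (this code is mine, not from the comment): it reproduces the two percent-encoded values, shows why a single encrypted query misses the word, why the sliding-offset workaround needs a check to weed out false hits, and why only a position-independent substitution cipher stays searchable. The text, key and word are the ones from the comment; the shift-3 substitution is my own constructed stand-in.

```python
from urllib.parse import quote

# Sample values taken from the comment above
TEXT = "this text is about flowers"
KEY = "some very long key string goes here"
WORD = "flower"


def xor_with_key(data: str, key: str, offset: int = 0) -> bytes:
    """XOR each byte of data with the key byte at position offset+i (key repeats)."""
    return bytes(ord(c) ^ ord(key[(offset + i) % len(key)]) for i, c in enumerate(data))


def url_encode(blob: bytes) -> str:
    """Percent-encode every byte outside the unreserved set, as the comment shows."""
    return quote(blob, safe="")


def naive_search(text: str, key: str, word: str) -> list[int]:
    """Encrypt the query once (key offset 0) and look for it in the ciphertext.
    Misses whenever the word sits at a different key offset in the text."""
    ciphertext = xor_with_key(text, key)
    needle = xor_with_key(word, key)
    hits, start = [], 0
    while (i := ciphertext.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def sliding_search(text: str, key: str, word: str) -> list[tuple[int, int]]:
    """The workaround from the comment: one query per key offset.
    Returns (key_offset, ciphertext_position) pairs; some may be false hits."""
    ciphertext = xor_with_key(text, key)
    hits = []
    for offset in range(len(key)):
        needle = xor_with_key(word, key, offset)
        start = 0
        while (i := ciphertext.find(needle, start)) != -1:
            hits.append((offset, i))
            start = i + 1
    return hits


def is_true_hit(offset: int, position: int, key: str) -> bool:
    """A hit is genuine only if the query was XORed with the same key bytes
    that actually cover that ciphertext position."""
    return offset % len(key) == position % len(key)


def substitute(data: str, shift: int = 3) -> str:
    """Constructed simple substitution (Caesar) cipher: position-independent,
    so ciphertext search works, which is exactly why it is weak."""
    return "".join(chr((ord(c) + shift) % 256) for c in data)


def substitution_search(text: str, word: str) -> int:
    """Search the substitution ciphertext directly; returns the match index or -1."""
    return substitute(text).find(substitute(word))


if __name__ == "__main__":
    print(url_encode(xor_with_key(WORD, KEY, 19)))  # "flower" against "string"
    print(url_encode(xor_with_key(WORD, KEY, 0)))   # "flower" against "some v"
    print(naive_search(TEXT, KEY, WORD))
    print([h for h in sliding_search(TEXT, KEY, WORD) if is_true_hit(*h, KEY)])
    print(substitution_search(TEXT, WORD))
```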
Atheism can either be the belief that there is no god, or a lack of belief in the existence of a god. Even in the first case, it's no more a religion than the assertion that santa, the tooth fairy, humpty dumpty or the invisible pink unicorn don't exist.
Asserting that santa exists and talks to you in your head would be considered eccentric at best, grounds for involuntary commitment at worst. It's considered sane and normal (and not at all religious) to hold that santa does not exist. Somehow it's entirely different when the same concept is applied to a 2000 year old jewish zombie who is his own father though.
As a result, immigrants are taught they can get away with anything and that they can take their brutal tribal habits with them instead of growing up.
Yep, locking them up (even children) in detention centers with worse conditions than prisons is too soft an option. Perhaps we should try killing them all instead...oh, wait, we already are. Link
Tell that to the Catholic priests :-P
The patent makes reference to another patent filed in 1993 for "Automatic update of static and dynamic files at a remote network node in response to calls issued by or for application programs". The idea was so obvious to other people outside of Apple (unless Apple now owns IBM) that they already patented it.
It also makes references to patents for network based updates filed in the 80's. Adding the word "automated" to that is not a non-obvious step, even back in 95.
In some countries they actually allow copyright and royalties to expire after a couple of hundred years.
Looks like the U.K. ain't one of them though.
I guess whichever moron is responsible for adding twitter to the proposals didn't even read the twitter TOS.
Number 1 of twitters basic terms is: You must be 13 years or older to use this site.
In the U.K., kids are in primary school up to the age of 11. I guess Sir Jim Rose skipped a few maths lessons of his own if he thinks 11 is bigger than 13.
Something about being issued a certificate for a domain you don't own sounds real familiar.
Oh yeah, I got issued some fake certs by startcom last time there was a story about SSL and firefox. Certs that would have allowed a perfect MITM attack against FF users.
So perhaps startcom should be looking again at their free SSL certs instead of posting lines like this on the previous blog posting:
"Dear beloved Mozilla community and brave know-all, freedom-loving geeks, please get yourself legitimate SSL certificates for your sites - you can get them freely from StartCom without paying a dime."
Anyone pulling off MITM attacks in the first place could easily target the startcom servers so that emails to microsoft.com actually end up in the attackers inbox. They only need that one email to receive the fake cert. Not as easy as simply asking for the cert, sure, but it's hardly a secure way to issue certs.
"However, I doubt Smartcom actually does this. Firefox's CA inclusion policy, while not perfect, does ask CAs to state how they plan to counteract exactly this kind of attack."
That's funny, because I actually have a certificate issued by startcom for a domain that I do not own.
The only thing they check is that you can receive an email sent to one of 3 addresses on that domain.
Others have commented on the ease of getting CA signed certs for domains you do not own, and have mentioned prices around $15. The basic startcom cert is free, so obviously they aren't the only ones.
"But the current system is still a lot better than nothing."
Yep, just as self signed certs are better than nothing. But here's the thing. Given that there are lousy CAs out there, and browsers place automatic trust in any CA signed cert, they weaken security against this attack as I have pointed out above.
You cannot use stored fingerprints to help prevent MITM if your browser simply ignores them at the first sign of a CA signature.
"You're a kook"
And I suppose your idea of just denying that there are problems with CA issuing policies will keep you safe at night, with blind acceptance of CA certs over known and trusted certs keeping you safe during the day.
Read my post again and tell me the attack wouldn't work, or that the quick fix would not prevent it.
"I hope that all of those people who thought that getting users to blindly accept self signed certs was a good idea are starting to feel a bit stupid now"
Stupid? Not really, and here's why.
First, my argument is against blindly trusting CA signed certs, not for blindly trusting self signed ones. CA signed certs are not as immune as you seem to think, and blindly trusting them is a serious problem.
Secondly, here's how your blind acceptance of CA signed certs makes things worse.
Hijack paypal/bank MX traffic using this.
Ask startcom for a cert for paypal/bank (trusted by FF and they only check email).
Hijack paypal/bank https traffic without alerting end users.
Profit!
CA signed cert defeated in minutes.
Self signed certs on the other hand can be added to the trusted list, in which case the browser has a known fingerprint to work with. If FF had simply added the option to only trust that known fingerprint even if presented with a new CA signed cert, self signed would not fall so easily.
The attacker would have to be using a cert with a different fingerprint, whether it was CA signed or not. This would alert the user to a change of cert.
Throw in the option to add CA signed certs to the trusted list as well, and we may be getting somewhere.
Until we get that option though, any benefit we might have gained from fingerprints is thrown out of the window by blindly trusting CA signed certs over a cert the user has chosen to trust. Your precious CA certs reduced security for the rest of us.
How could we get the benefit of fingerprints without allowing any old CA cert to override them, and get them working on CA signed sites until a solution is in place?
By deleting the root CA certs from your browser and adding every cert you trust to the trusted list.
That's right, by throwing away your automatic trust of CAs, you gain some extra security against this attack.
The only thing a CA signed cert should be good for is claiming that there's a better chance of ACME inc actually existing in the real world so that end users can feel better doing business with them.
As long as the CAs offer fast or free SSL options with next to no verification though, they aren't even good for that.
Given that an attacker capable of hijacking all traffic to an MX server for even a short amount of time (say 30 minutes or less) can obtain a CA signed certificate and completely override any objections from firefox, Perspectives packing in after a few days is still an improvement.
For those who believe a CA signed cert is more secure than a self signed one, perhaps you could explain why I am now the proud owner of a certificate trusted by firefox for a domain I have absolutely no affiliation with?
With a lie or two and a few minutes of your time, you too can be in a position to mount flawless man in the middle attacks against even those sites using CA signed certs.
While pondering the implications of cruddy CA issuing policies, consider also that self signed certificates can be added to your trusted list in firefox, and will cause a warning if another self signed cert suddenly replaces it.
The same is not true of CA signed ones. They cannot even be added to the list unless they've expired. Worse still, a fake CA signed cert such as the one I now possess will prevent the warnings about new certs being different from your stored ones.
To properly combat MITM attacks, FF should give the option of adding both self signed and CA signed certs to the trusted list and alerting users to any change in those certs, regardless of whether the new cert is CA signed or not.
Screaming that self signed certs are somehow dangerous while CA signed ones are immune to attack does nothing for security.
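An added model (my own code, not from the comments and not Firefox's logic) of the two trust policies argued about in the comments above: the browser behaviour the commenter objects to, where a CA signature bypasses the stored fingerprint, beside the proposed check that warns on any fingerprint change regardless of who signed the new certificate. The certificates are constructed byte strings standing in for DER encodings, and a SHA-256 over them plays the role of the browser's fingerprint.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accepted silently"
    FIRST_SEEN = "no stored fingerprint: ask the user"
    CHANGED = "WARNING: certificate differs from the stored fingerprint"


@dataclass
class Cert:
    host: str
    der: bytes        # constructed stand-in for the DER-encoded certificate
    ca_signed: bool   # chains to a root the browser ships

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


@dataclass
class PinStore:
    """Fingerprints the user has chosen to trust, keyed by host."""
    pins: dict[str, str] = field(default_factory=dict)

    def remember(self, cert: Cert) -> None:
        self.pins[cert.host] = cert.fingerprint()


def check_ca_first(store: PinStore, cert: Cert) -> Verdict:
    """Behaviour the commenter objects to: a CA signature wins outright and
    the stored fingerprint is consulted only for self-signed certificates."""
    if cert.ca_signed:
        return Verdict.ACCEPT
    pinned = store.pins.get(cert.host)
    if pinned is None:
        return Verdict.FIRST_SEEN
    return Verdict.ACCEPT if pinned == cert.fingerprint() else Verdict.CHANGED


def check_pin_first(store: PinStore, cert: Cert) -> Verdict:
    """Proposed fix: once a fingerprint is stored for a host, any different
    certificate warns, CA-signed or not; the CA only matters on first contact."""
    pinned = store.pins.get(cert.host)
    if pinned is None:
        return Verdict.ACCEPT if cert.ca_signed else Verdict.FIRST_SEEN
    return Verdict.ACCEPT if pinned == cert.fingerprint() else Verdict.CHANGED


def scenario() -> tuple[Verdict, Verdict]:
    """The case from the comments: the user has stored the site's genuine
    self-signed certificate; later a different, CA-signed certificate for the
    same host is presented (constructed data, no real site involved)."""
    genuine = Cert("bank.example", b"constructed DER: genuine cert", ca_signed=False)
    imposter = Cert("bank.example", b"constructed DER: different cert", ca_signed=True)
    store = PinStore()
    store.remember(genuine)
    return check_ca_first(store, imposter), check_pin_first(store, imposter)


if __name__ == "__main__":
    ca_first, pin_first = scenario()
    print("CA-first policy :", ca_first.value)
    print("pin-first policy:", pin_first.value)
```

Only the pin-first policy raises the warning in the scenario; the CA-first policy accepts the replaced certificate without consulting the stored fingerprint at all.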